A mobile application needs to access Amazon DynamoDB directly to read user-specific data. The application uses a third-party identity provider (IdP) like Google or Facebook for user authentication. What is the MOST secure way to grant the mobile app access to DynamoDB?

Use Amazon Cognito User Pools to authenticate users and attach an IAM policy directly to the User Pool.

Use Amazon Cognito Identity Pools to exchange the third-party token for temporary AWS credentials mapped to an IAM role.

Embed an IAM user's access keys in the mobile application code.

Configure DynamoDB to allow public read access and filter results within the mobile application.