For a serverless web application that needs user registration and authentication with minimal configuration, the standard AWS solution is Amazon Cognito User Pools. User Pools provide managed user directories, sign-up/sign-in flows, MFA options, password reset, and token-based authentication (OAuth2/OIDC/JWT). This integrates naturally with API Gateway (Cognito authorizers) and Lambda.
Option A is best because it uses Cognito User Pools plus an app client and the Hosted UI, which provides ready-made sign-up/sign-in pages. Hosted UI minimizes custom UI and backend authentication code while still allowing branding customization and secure token issuance. The SPA can authenticate via Cognito, receive JWT tokens, and call API Gateway endpoints securely.
Option B (identity pool) is primarily for granting temporary AWS credentials to access AWS services directly (federation). It does not replace User Pools for user registration/login flows; identity pools are typically used in addition to a user pool rather than instead of one, and they require more configuration.
Option C adds unnecessary infrastructure (EC2) and defeats the “minimize configuration” goal.
Option D is not appropriate for end-user authentication. IAM users/groups are for workforce/admin access, not for customer-facing apps.
Therefore, Cognito User Pool + Hosted UI is the minimal-configuration secure solution.