Securing AWS HTTP APIs with JWT Authorizers

Hi Julian! Those are great questions.

Regarding API access control - once you have your Authorizer configured, you can specify authorization scopes that are required to access the route:

This configures the Authorizer to inspect the scope claim inside the JWT. More information on that is available in the JWT Authorizer docs. If you’re using Cognito as your identity provider, custom scopes can be added to your access tokens by adding a Resource server to your User Pool.

As far as Cognito Groups/Roles go, JWT Authorizers don’t treat access tokens from Cognito any differently than those originating from other identity providers, so there are no configuration options for leveraging Cognito groups/roles in the Authorizer configuration (unlike API Gateway Rest APIs, which can be configured to use Cognito User Pools as an Authorizer).

That said: access tokens from Cognito do include Groups as a custom claim in the token payload in the cognito:groups property, which could be accessed within your Lambda from the context object. I haven’t tested this yet, but I believe you could get the groups using context.authorizer.claims['cognito:groups']. Using this, you could manually check the access token’s associated groups inside your Lambda implementation.

To your question about logging: HTTP APIs can write access logs to CloudWatch. If there are specific JWT claims you want to add to the logs, they’re available as logging variables. That should provide visibility into the access layer of your HTTP API.

Hope that answered your questions - glad you enjoyed the article!
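As an added illustration of the group check described in the reply above (example code, not the author's or AWS's own), here is a Node.js Lambda handler for an HTTP API route behind a JWT Authorizer. It assumes the payload format 2.0 event shape, where the authorizer's verified claims are attached at event.requestContext.authorizer.jwt.claims, and it accepts the cognito:groups claim either as a real array or as the bracketed string form (for example "[admins editors]") that HTTP APIs use when flattening array claims; the sample event is constructed, not a captured request.

```javascript
// Added example (not from the original post): enforce Cognito group membership
// inside the Lambda, since the JWT Authorizer itself only checks scopes.
// Assumption: payload format 2.0, claims at event.requestContext.authorizer.jwt.claims.

function getClaims(event) {
  const rc = event && event.requestContext;
  const auth = rc && rc.authorizer;
  return auth && auth.jwt && auth.jwt.claims;
}

// Normalise the cognito:groups claim to a string array. Assumption: the value is
// either an array or the bracketed, space-separated string form "[admins editors]".
function parseGroups(claims) {
  const raw = claims && claims['cognito:groups'];
  if (raw === undefined || raw === null) return [];
  if (Array.isArray(raw)) return raw.map(String);
  const inner = String(raw).trim().replace(/^\[|\]$/g, '');
  return inner.split(/[\s,]+/).filter(Boolean);
}

// Deny by default: no verified claims (authorizer did not run) means no access.
function isAuthorized(event, requiredGroups) {
  const claims = getClaims(event);
  if (!claims) return false;
  const groups = new Set(parseGroups(claims));
  return requiredGroups.some((g) => groups.has(g));
}

async function handler(event) {
  if (!isAuthorized(event, ['admins'])) {
    // Log subject and groups so denials are visible alongside the access logs.
    const claims = getClaims(event) || {};
    console.warn('forbidden', { sub: claims.sub, groups: parseGroups(claims) });
    return { statusCode: 403, body: JSON.stringify({ message: 'Forbidden' }) };
  }
  return { statusCode: 200, body: JSON.stringify({ message: 'ok' }) };
}

// Constructed sample event shaped like what the authorizer attaches (no real token).
const sampleEvent = {
  requestContext: {
    authorizer: {
      jwt: { claims: { sub: 'u-123', 'cognito:groups': '[admins editors]' }, scopes: [] },
    },
  },
};
```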