Is it safe to authenticate a Cognito User through

Published 2019-09-14 13:33

Question:

I'm currently using a Cognito User Pool as an authorizer for an API Gateway endpoint, through to a Lambda function.

Can I pass the Integrated Request on to Lambda and SECURELY allow or deny from inside Lambda based on a custom attribute?

Mapping: "administrator" : "$context.authorizer.claims['custom:administrator']",

Lambda handler:

boolean isAdmin = Boolean.parseBoolean(request.getContext().get("administrator"));

if(isAdmin) etc...

To be clear, a user that is NOT an administrator should not have access to the same API endpoints that an Administrator does.

Do I need to do anything else before/after this point?

I am sending the initial request to the API Gateway with JavaScript after the user has logged into Cognito, by including the Authorization: JWToken header.

Do I need to verify the signature of the token in the Lambda function? I presume that API Gateway has already done that.

Is there a better way to manage this in terms of security?

Ideally I would like to be able to limit access to the API Endpoint based on GROUPS within the User Pool, however I don't think this is possible.

The Groups documentation talks about limiting access/permissions via AWS Identity and Access Management. If I go down this path, how do I make a request to the API Gateway? Do I still use the JWToken Authorization header, and use Cognito as the Authorizer in API Gateway?

Answer 1:

The custom attribute/claim support included with Cognito user pools is secure and can be used for use cases such as this when used correctly. There are a couple of caveats.

First, ensure that users aren't able to modify the custom attribute themselves. When adding the custom attribute, do not mark the attribute as mutable. Also, custom attributes can be marked as readable or writable for each application. For this use case, you'll want to set the attribute as readable for the application the users have access to. Details about custom attributes can be found here.

The other caveat is to ensure that your request body can never bypass your mapping template, which could allow an attacker a way to directly set the administrator attribute being passed to your Lambda function. To do this, edit your integration request and set "Request body passthrough" to "Never".

There are other alternatives you could use for this use case. The cleanest approach is to provide a completely separate API for your administrators. Then you can use a separate Cognito user pool for your administrators, or you could use IAM users or groups.
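The point of the answer above, as an added example that is not part of the original question or answer: the administrator decision must come only from the claims API Gateway injects after validating the Cognito token, never from a field the caller can put in the request body. It assumes a Lambda proxy integration (claims arrive in event["requestContext"]["authorizer"]["claims"]) and the custom attribute name custom:administrator from the question.

```python
import json

# Name of the Cognito custom attribute, assumed from the question.
ADMIN_CLAIM = "custom:administrator"


def is_admin(event: dict) -> bool:
    """Return True only if the authorizer-supplied claims mark the caller as admin.

    The claims dict is populated by API Gateway from the verified Cognito JWT;
    anything in event["body"] is caller-controlled and deliberately ignored.
    Cognito boolean attributes arrive as the strings "true"/"false".
    """
    claims = (
        event.get("requestContext", {})
        .get("authorizer", {})
        .get("claims", {})
    )
    return str(claims.get(ADMIN_CLAIM, "")).strip().lower() == "true"


def handler(event: dict, context=None) -> dict:
    """Lambda entry point: deny non-admins before doing any privileged work."""
    if not is_admin(event):
        return {"statusCode": 403, "body": json.dumps({"error": "forbidden"})}
    return {"statusCode": 200, "body": json.dumps({"ok": True})}


# Constructed sample events (not real API Gateway captures).
ADMIN_EVENT = {
    "requestContext": {"authorizer": {"claims": {"sub": "u-1", ADMIN_CLAIM: "true"}}},
    "body": "{}",
}

# A non-admin user who tries to smuggle the flag in the body instead.
SPOOFED_EVENT = {
    "requestContext": {"authorizer": {"claims": {"sub": "u-2", ADMIN_CLAIM: "false"}}},
    "body": json.dumps({"administrator": True}),
}

# A token without the attribute at all must also be treated as non-admin.
NO_CLAIM_EVENT = {"requestContext": {"authorizer": {"claims": {"sub": "u-3"}}}, "body": "{}"}

if __name__ == "__main__":
    for name, ev in [("admin", ADMIN_EVENT), ("spoofed", SPOOFED_EVENT), ("no-claim", NO_CLAIM_EVENT)]:
        print(name, handler(ev)["statusCode"])
```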