Lambda NET 6 & Cognito

0

I am working on a .NET 6 Lambda. I should use Cognito. As I see it, the schema is: User app -> API Gateway -> Cognito -> Lambda. Should I somehow process authentication in Lambda, or will it be done in Gateway? Do I receive the bearer in the request in Lambda? How can I authorize the user: is it User or Admin, and what methods can he perform?

1 Answer
1
Accepted Answer

Given that Cognito is your chosen service for authentication, your users will be authenticated before they interact with the API Gateway. This means that you do not need to process authentication in your Lambda function. The bearer token, provided by Cognito, will be forwarded through API Gateway to your Lambda function in the event that you need it. I would recommend you read this AWS documentation section to learn more: Control access to a REST API using Amazon Cognito user pools as authorizer

However, if your Lambda function requires knowledge of the authenticated user, the bearer token can be parsed to extract the user's information, which is typically stored in the token's payload.

For authorizing what actions a user or admin can perform, this is usually managed at the level of Cognito User Pools with User Groups and IAM Policies. A user can belong to a group such as 'User' or 'Admin', each having different IAM policies associated with them, dictating what AWS service APIs they can call.

Remember that the actual task of authorization – that is, determining what an authenticated entity can and cannot do – should be handled through a combination of Cognito User Pools, User Groups, and IAM Policies. Cognito can be utilized for Role-Based Access Control (RBAC), where each role has a set of permissions associated with it.

In conclusion, while Lambda does not handle authentication, it can process user information provided in the form of a bearer token if needed. Authorization and permission management is generally handled by Cognito and IAM, though specific permissions should be properly configured for each role.

Expert
answered a year ago
Expert
reviewed a month ago
  • Hi Ivan, can you give me any links to examples that use Cognito? Thank you
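
The flow described in the answer, as an added example that is not part of the original thread or AWS's own code: a .NET 6 handler behind a REST API with a Cognito user pool authorizer reads the claims API Gateway has already validated and enforces a per-route group check, denying by default. The route table, the group names and the format assumed for the `cognito:groups` claim are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using Amazon.Lambda.APIGatewayEvents;
using Amazon.Lambda.Core;

public class Function
{
    // Hypothetical mapping for this example: the Cognito group each route requires.
    private static readonly Dictionary<string, string> RequiredGroup = new()
    {
        ["GET /orders"] = "User",
        ["DELETE /orders/{id}"] = "Admin",
    };

    public APIGatewayProxyResponse Handler(APIGatewayProxyRequest request, ILambdaContext context)
    {
        // Claims are populated by API Gateway only after the Cognito authorizer
        // has validated the token. No claims means no authorizer ran: fail closed.
        var claims = request.RequestContext?.Authorizer?.Claims;
        if (claims == null || !claims.TryGetValue("sub", out var userId))
            return Respond(401, "Unauthorized");

        // Resource is the route template (e.g. /orders/{id}), not the raw path.
        var route = $"{request.HttpMethod} {request.Resource}";
        if (!RequiredGroup.TryGetValue(route, out var needed))
            return Respond(403, "Forbidden"); // unknown route: deny by default

        if (!GroupsOf(claims).Contains(needed))
        {
            context.Logger.LogLine($"DENY sub={userId} route={route} needs={needed}");
            return Respond(403, "Forbidden");
        }
        return Respond(200, $"OK for {userId}");
    }

    // Assumption: "cognito:groups" arrives as a single string; commas, spaces
    // and brackets are treated as separators to cover the common encodings.
    internal static HashSet<string> GroupsOf(IDictionary<string, string> claims) =>
        claims.TryGetValue("cognito:groups", out var raw) && raw != null
            ? raw.Split(new[] { ',', ' ', '[', ']' }, StringSplitOptions.RemoveEmptyEntries)
                 .ToHashSet(StringComparer.Ordinal)
            : new HashSet<string>();

    private static APIGatewayProxyResponse Respond(int status, string body) =>
        new() { StatusCode = status, Body = body };
}
```

Reading claims from the authorizer context, rather than decoding the `Authorization` header in the function, means the handler only acts on values whose signature API Gateway has already checked.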
