I found out: I had to check the "Lambda proxy integration" checkbox in the Integration request of the method.
Then the Lambda can fetch the user info from the event object of the lambda handler (e.g. in Python):
(or: 'cognito:username', etc.)
Then I could query different databases according to which group the user belongs to.
Additional info: it is also possible to assume the user role from within the Lambda function, to make sure to access only what's the user is allowed to (by default only the Lambda function's role is assumed to execute actions); this is very well explained at https://www.youtube.com/watch?v=GDkkDUnICrs
Cognito User Pool Groups and retrieving IAM from LambdaAccepted Answerasked 5 years ago
Cognito groups- allow admin group to remove a user from a Cognito groupasked 3 months ago
Custom User Authentication through SOAP Call from Cognitoasked 4 months ago
REST API for authentication with Cognito User Poolasked 3 months ago
RBAC for API Gateway endpoints using Cognito user groupsAccepted Answerasked 10 months ago
How can I get MAU's for a Cognito user pool?asked 2 months ago
Cognito User pool with JWT tokenAccepted Answerasked 6 months ago
How to pass Cognito user info to a Lambda functionasked 2 years ago
Move Cognito user pool to another account?asked 5 months ago
API Gateway: Using a Cognito User Pool authorizer to inject userid and email into requestAccepted Answerasked 2 months ago