Yes, that's the best way to identify the source IP address in this case.
Can the source IP address be spoofed? Yes - a malicious actor might be coming from a proxy server (or multiple proxy servers). Could someone fake their IP address to look like someone else's (i.e. appear to come from an IP that is legitimately allowed to access your application)? That would be much harder. Not necessarily impossible but certainly harder - unless the source network is compromised or there is some way to "bounce" traffic through that network.
I'm generally not in favour of using source IP as a security measure. Instead, use strong (two-factor) authentication to determine the user identity. Restricting to IP addresses can also have undesired consequences in the event of a disaster - your customer may want to access the service but cannot because they are temporarily coming from a different IP range.