You can let Cognito/IAM handle the identity validation part, and you can assume that if a user is able to trigger a Lambda function successfully, that means they are allowed to do that. In this case, you can manage per-user validation; take a look at whitelisting.
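As an added illustration (not code from the original answer), here is a Lambda handler that follows that split: Cognito/IAM has already authenticated the caller before the function runs, so the handler only reads the identity that AWS attached to the request and checks it against a per-user allowlist. It assumes an API Gateway route with a Cognito User Pool authorizer (verified JWT claims arrive in `event["requestContext"]["authorizer"]["claims"]`) or a direct invocation with Identity Pool credentials (`context.identity.cognito_identity_id`); the allowlist contents, the `_LocalContext` stand-in and the sample event are constructed for running the file offline.

```python
import json
import types

# Constructed allowlist for the example. In production, load it from an
# environment variable, a DynamoDB table, or a Cognito group claim instead of
# hard-coding user ids in the function.
ALLOWED_USERS = frozenset({
    "11111111-2222-3333-4444-555555555555",   # a Cognito User Pool "sub"
    "us-east-1:aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",  # a Cognito Identity Pool id
})


def caller_identity(event, context):
    """Return the authenticated caller's id, or None if AWS attached none.

    Two sources are trusted because AWS populates them after verifying the
    caller, not the client:
      1. API Gateway + Cognito User Pool authorizer: verified JWT claims in
         event["requestContext"]["authorizer"]["claims"]; "sub" is the stable id.
      2. Direct invoke with Identity Pool credentials:
         context.identity.cognito_identity_id.
    Headers and the request body are caller-controlled and deliberately ignored.
    """
    request_ctx = event.get("requestContext") or {}
    authorizer = request_ctx.get("authorizer") or {}
    claims = authorizer.get("claims") or {}
    sub = claims.get("sub")
    if sub:
        return sub
    identity = getattr(context, "identity", None)
    cognito_id = getattr(identity, "cognito_identity_id", None)
    return cognito_id or None


def is_allowed(caller, allowlist=ALLOWED_USERS):
    """Per-user check: unauthenticated (None) callers are never allowed."""
    return caller is not None and caller in allowlist


def lambda_handler(event, context):
    caller = caller_identity(event, context)
    if not is_allowed(caller):
        # Deny by default; do not echo back what was missing to the client.
        return {"statusCode": 403, "body": json.dumps({"error": "forbidden"})}
    return {"statusCode": 200, "body": json.dumps({"user": caller})}


class _LocalContext:
    """Stand-in for the real Lambda context object, for offline runs only."""

    def __init__(self, cognito_identity_id=None):
        self.identity = types.SimpleNamespace(cognito_identity_id=cognito_identity_id)


def api_gateway_event(sub=None):
    """Constructed API Gateway proxy event with (or without) Cognito claims."""
    event = {"httpMethod": "GET", "path": "/private", "requestContext": {}}
    if sub is not None:
        event["requestContext"]["authorizer"] = {"claims": {"sub": sub}}
    return event


if __name__ == "__main__":
    print(lambda_handler(api_gateway_event("11111111-2222-3333-4444-555555555555"),
                         _LocalContext()))
    print(lambda_handler(api_gateway_event("99999999-0000-0000-0000-000000000000"),
                         _LocalContext()))
    print(lambda_handler({}, _LocalContext("us-east-1:aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee")))
    print(lambda_handler({}, _LocalContext()))
```

Note that the "if they could invoke it, they are authenticated" assumption only holds when the function's trigger and resource policy are restricted to authenticated Cognito identities; if the route is open or the function is invokable by other principals, the handler above still fails closed because it finds no AWS-supplied identity and returns 403.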