AWS has an API Gateway that makes it pretty easy to set up, manage and monitor your API. However, the security authorization settings that you can set for resource methods are limited to AWS IAM (which, to my understanding, is an internal VPN role?).
It seems that my research on this subject has been pointing me to setting up an AWS Cognito pool, but when I go to configure one in my AWS console, the options for providers are: Amazon, Facebook, Google+, Twitter, OpenID, and Custom. I guess, in that case, I would use Custom? Then set up my own EC2 instance as an OAuth2 Authentication Provider Server.
Given that OAuth2 is so popular these days, it surprises me that there isn't an AWS service for this; it seems they've gone the whole OpenID or SAML route instead. It also surprises me that there is a lack of guides on how to quickly set up an OAuth2 provider in the cloud.
Any help would be appreciated.
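As an added illustration (not code from the post above, from AWS, or from any AWS guide), here is the core of what the self-hosted OAuth2 provider the question proposes would have to do: issue a bearer token through the client_credentials grant (RFC 6749 section 4.4) and validate that token on every API request (RFC 6750), including expiry and scope. The client ids, secrets and scopes are made up, state lives in memory, and the clock is injectable so expiry can be exercised; nothing here talks to API Gateway or Cognito.

```python
"""Skeleton of the two things an OAuth2 provider must do for an API:
issue bearer tokens (client_credentials grant, RFC 6749 s4.4) and validate
them per request (RFC 6750). Added illustration, not code from the original
post or from AWS; state is in memory and every id/secret below is made up.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Tuple

TOKEN_TTL_SECONDS = 3600


def _digest(value: str) -> str:
    return hashlib.sha256(value.encode()).hexdigest()


# Constructed client registry (hypothetical ids and secrets). Only a digest of
# each secret is stored, so a leaked registry does not yield usable credentials.
CLIENTS: Dict[str, Tuple[str, set]] = {
    "api-consumer-1": (_digest("s3cr3t-one"), {"read", "write"}),
    "api-consumer-2": (_digest("s3cr3t-two"), {"read"}),
}
_DUMMY_DIGEST = _digest("no-such-client")  # keeps failure timing uniform for unknown ids


@dataclass
class TokenRecord:
    client_id: str
    scope: str
    expires_at: float


@dataclass
class AuthServer:
    # Token store keyed by a digest of the token, never the raw token.
    tokens: Dict[str, TokenRecord] = field(default_factory=dict)
    now: Callable[[], float] = time.time  # injectable clock for expiry tests

    def token_endpoint(self, form: Dict[str, str]) -> Tuple[int, dict]:
        """POST /token with grant_type=client_credentials. Returns (status, JSON body)."""
        if form.get("grant_type") != "client_credentials":
            return 400, {"error": "unsupported_grant_type"}
        client_id = form.get("client_id", "")
        expected_digest, allowed = CLIENTS.get(client_id, (_DUMMY_DIGEST, set()))
        # Constant-time compare; runs even for unknown clients so timing does not leak ids.
        secret_ok = hmac.compare_digest(expected_digest, _digest(form.get("client_secret", "")))
        if client_id not in CLIENTS or not secret_ok:
            return 401, {"error": "invalid_client"}
        requested = set(form.get("scope", "read").split())
        if not requested <= allowed:
            return 400, {"error": "invalid_scope"}
        scope = " ".join(sorted(requested))
        token = secrets.token_urlsafe(32)  # opaque bearer token, 256 bits of entropy
        self.tokens[_digest(token)] = TokenRecord(client_id, scope, self.now() + TOKEN_TTL_SECONDS)
        return 200, {"access_token": token, "token_type": "Bearer",
                     "expires_in": TOKEN_TTL_SECONDS, "scope": scope}

    def introspect(self, token: str) -> dict:
        """RFC 7662-style lookup; expired tokens are purged and reported inactive."""
        key = _digest(token)
        rec = self.tokens.get(key)
        if rec is None:
            return {"active": False}
        if rec.expires_at <= self.now():
            del self.tokens[key]
            return {"active": False}
        return {"active": True, "client_id": rec.client_id, "scope": rec.scope, "exp": int(rec.expires_at)}

    def authorize_request(self, authorization_header: str, required_scope: str) -> Tuple[int, dict]:
        """What the resource server (or an API front door) does on every request."""
        parts = authorization_header.split(None, 1)
        if len(parts) != 2 or parts[0].lower() != "bearer":
            return 401, {"WWW-Authenticate": 'Bearer realm="api"'}
        info = self.introspect(parts[1].strip())
        if not info["active"]:
            return 401, {"WWW-Authenticate": 'Bearer realm="api", error="invalid_token"'}
        if required_scope not in info["scope"].split():
            return 403, {"WWW-Authenticate":
                         'Bearer realm="api", error="insufficient_scope", scope="%s"' % required_scope}
        return 200, {"client_id": info["client_id"], "scope": info["scope"]}


if __name__ == "__main__":
    srv = AuthServer()
    status, body = srv.token_endpoint({"grant_type": "client_credentials", "client_id": "api-consumer-2",
                                       "client_secret": "s3cr3t-two", "scope": "read"})
    print(status, body)
    print(srv.authorize_request("Bearer " + body["access_token"], "read"))
    print(srv.authorize_request("Bearer " + body["access_token"], "write"))  # 403: scope was never granted
```

The two halves are deliberately separable: whatever fronts the API only needs the validation half (the `authorize_request` logic, backed by introspection or by a signed token it can verify locally), while the token-issuing half stays on the provider host with the client secrets.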