AWS Cognito - IAM - Deny all access to public/unauth users - Federated

I have a web app, connecting to backend using cognito, all in aws services. I also have a public API method (Lambda) that does the call to cognito to do the auth and give back the session token, etc. all from backend.

The problem is that any person (who knows user pool ID and client ID) can anyway access cognito API from web directly (connecting to AWS API directly).

I don't want that. How can I define a policy so no public access to cognito is granted to users?

There's probably a few ways to go with this. Here's three ideas that come to mind.

• Cognito federated identities links two roles to your identity pool, one for unauthneticated users and one for authenticated. You could give no permissions to the unauth role and only let people access it once they've signed in with some provider (e.g. Facebook).
• You could put the Lambda behind API Gateway, then secure access to that with federated identities (using the above strategy).
• Finally, you could also authenticate API Gateway using Cognito user pools. API Gateway has a tight integration with user pools, so all you have to do is sign in and provide one of the returned login tokens to authenticate.