Small suggestion for Cognito/Auth struct: The ability to define groups, domains, and setup ses for emails. For example currently I have to do this if I want to add groups/domains/ses for emails:

const Cognito = new Auth(this, 'AuthResourceId', {
	cognito: true
})

// Enable SES for emails:
const cfnUserPool = Cognito.cognitoUserPool!.node.defaultChild as CfnUserPool
cfnUserPool.emailConfiguration = {
	emailSendingAccount: 'DEVELOPER',
	replyToEmailAddress: '<mailto:email@example.com|email@example.com>',
	from: '<mailto:email@example.com|email@example.com>',
	sourceArn: 'arn:something'
}

// Create domain for UserPool:
new CfnUserPoolDomain(this, 'DomainResourceId', {
	userPoolId: Cognito.cognitoUserPool!.userPoolId,
	domain: 'some-domain'
})

// Add a group:
new CfnUserPoolGroup(this, 'GroupResourceId', {
	userPoolId: Cognito.cognitoUserPool!.userPoolId,
	groupName: 'GroupName',
	precedence: 0
})

Would be really nice if I could just do something similar to this:

const Cognito = new Auth(this, 'AuthResourceId', {
	cognito: {
		userPool: {
			domain: 'some-domain',
            groups: [{ id: 'ResourceId', groupName: 'GroupName', precedence: 0 }],
            emailConfiguration: {
                emailSendingAccount: 'DEVELOPER',
                replyToEmailAddress: '<mailto:email@example.com|email@example.com>',
                ...
            }
		}
	}
})

@Garret Harp, I like that!

I actually use the lambda authorizer. I wanted to limit routes based on cognito groups which the JWT/UserPool authorizer did not allow. The groups do allow roleArns so I could probably do it with that if I wanted to but just setting the authorizer to the lambda seemed a bit easier to manage.