The lambda itself only has limited permissions to the backend. The user can’t do anything if the lambda only has permission to one database and certain rights to those tables, one S3 bucket, etc.
Heck, with Postgres on AWS you can even restrict a Cognito user to only have access to rows based on the logged-in user.
And the database user it’s using only has the minimum access to just do certain permissions.
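To make the two points above concrete (a database role holding only the verbs it needs, plus row-level security keyed on the Cognito user), here is an added Postgres example; it is not code from the comment above, and the table, role and setting names (`orders`, `app_lambda`, `app.current_sub`) are assumptions for illustration:

```sql
-- Assumed names (not from the comment): the Lambda connects as "app_lambda".
-- The real password would come from Secrets Manager, never be hard-coded.
CREATE ROLE app_lambda LOGIN PASSWORD 'placeholder-rotate-me';

CREATE TABLE orders (
    id         bigserial PRIMARY KEY,
    owner_sub  text  NOT NULL,   -- Cognito "sub" claim of the owning user
    payload    jsonb NOT NULL
);

-- Least privilege: only the operations the Lambda actually performs, on this one table.
REVOKE ALL ON orders FROM PUBLIC;
GRANT SELECT, INSERT ON orders TO app_lambda;
GRANT USAGE ON SEQUENCE orders_id_seq TO app_lambda;

-- Row-level security. app_lambda is not the table owner, so the policy applies to it;
-- FORCE makes it apply even if ownership is ever changed.
ALTER TABLE orders ENABLE ROW LEVEL SECURITY;
ALTER TABLE orders FORCE ROW LEVEL SECURITY;

-- A row is visible/writable only when its owner_sub equals the per-transaction setting.
-- current_setting(..., true) returns NULL (or '') when nothing was set, so an
-- unauthenticated or misconfigured request sees no rows rather than all rows.
CREATE POLICY orders_owner_only ON orders
    FOR ALL TO app_lambda
    USING      (owner_sub = current_setting('app.current_sub', true))
    WITH CHECK (owner_sub = current_setting('app.current_sub', true));

-- Per request, the Lambda takes the "sub" from the claims the API Gateway Cognito
-- authorizer already verified (never from a client-supplied header) and binds it
-- for this transaction only; SET LOCAL is discarded at COMMIT or ROLLBACK.
BEGIN;
SET LOCAL app.current_sub = 'c0ffee-example-sub';   -- constructed sample value
INSERT INTO orders (owner_sub, payload)
    VALUES ('c0ffee-example-sub', '{"item": "widget"}');
SELECT id, payload FROM orders;   -- returns only this user's rows
COMMIT;
```

The setting must be applied with `SET LOCAL` inside the transaction rather than a session-wide `SET`, because Lambda connection pooling (or RDS Proxy) can hand the same backend connection to a different request; a session-wide value could otherwise leak one user's identity into the next request on that connection.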