Thanks for the compliment and question Jeff!

Authentication - as you noted , Cognito does have a free tier. If you're restricted to using AWS services, I don't see why not. If you're not restricted and you have a more specific usecase than any authentication, there are alternative popular auth providers with free tiers such as firebase!

If you don't have fine-grained authentication or social features, consider putting the api behind an API key that the Lambda has in disk/env. This reduces reduces security and potentially UX, but it reduces latency and can simplify design.

Session - Lambda and in-server-memory session info don't mix. That said, you have a lot of remaining conventional options such as a distributed cache (expensive), dynamoDB (free), or a third party API (can be free). If you're worried about increasing latency and are comfortable trying something unconventional, you might toy around with putting session information in EFS. If security isn't an important factor, you might also consider keeping it in the browser.