There are four authorization modes you can use with AWS AppSync. You probably want to use
IAM with an Identity Pool for "fullest security".
COGNITO_USER_POOL is a solid option for less complex applications as well.
When you have a less complex use case and aren't using Identity Pools to lock down user access to resources using per-user IAM roles. (Your lambdas still need access to your resources).
You have per-user IAM roles and want to use those instead of lambda-wide IAM roles. You can use the user's IAM role instead of the lambda's to see if a user can access DynamoDB (for example).
Good for testing and prototyping. You only get 50 API keys per AppSync API, so it's better to go to production with a different option
If you're using a third party provider such as Auth0, you may want to use this option to integrate with Auth0.