This is what the AWS Cognito service was designed to address. It allows clients (i.e. mobile devices) to exchange login details for short-lived AWS tokens (via the STS service) so that they can access AWS resources directly.
You can use this with the IAM Authorizer to force your users to have valid credentials, or you could use it with the Cognito User Pool Authorizer directly.
Note that Cognito has the idea of a default user, so that even unauthenticated users (i.e. pre-login) can access certain resources.