aws-amplify is worth a second look now. They have fixed many of the problems I initially encountered. It still has loads of issues, but the core log in/out feature is working.
Note that your app has to be served from an https domain or amplify is not going to work. I have been exploring how to proxy S3 behind API Gateway to achieve this.
Also note that amplify implements federated logins in a manner that is compatible with apps generated from Mobile Hub. If instead you use the User Pool hosted UI, the logins are not done in a compatible manner.
Is S3 + Cloudfront anything different than an edge optimized API Gateway S3 Proxy with the caching check turned on?
Aws-amplify will refuse login submissions from forms not hosted on https.
Advantages - I have a single domain without CORS. Under that domain there are three edge optimized proxies. First, an unprotected S3 caching proxy holding my web app. Second, another S3 proxy protected by AWS using Cognito to access it. This exposes user specific data. Third, the edge optimized Lambda proxy from serverless which also uses Cognito to control access to the API.
All of this is in a single API in API Gateway. It is not that complex, there are four methods. The two S3 proxies, the lambda proxy, and a root proxy that only returns index.html. No need for custom authentication.
To achieve this with serverless you need this plugin: serverless-plugin-bind-deployment-id which lets you alter the API deployment. I need to alter the deployment to make it depend on my two S3 proxies. Path mapping also works with the plugin since you can now make it depend on deployment.
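As an added illustration of the Cognito-protected S3 proxy and the deployment dependency described above (example config, not the poster's own serverless.yml): the bucket, region, account, user pool and IAM role ARNs are placeholders, `ApiGatewayRestApi` is the logical ID Serverless generates for the REST API, and the `__deployment__` key and the assumption that the plugin merges it into the generated deployment resource come from my reading of the plugin's README.

```yaml
plugins:
  - serverless-plugin-bind-deployment-id
resources:
  Resources:
    # Validates Cognito User Pool JWTs presented in the Authorization header.
    CognitoAuthorizer:
      Type: AWS::ApiGateway::Authorizer
      Properties:
        Name: cognito-userpool
        Type: COGNITO_USER_POOLS
        IdentitySource: method.request.header.Authorization
        RestApiId: { Ref: ApiGatewayRestApi }
        ProviderARNs:
          - arn:aws:cognito-idp:REGION:ACCOUNT:userpool/POOL_ID  # placeholder ARN
    DataResource:
      Type: AWS::ApiGateway::Resource
      Properties:
        RestApiId: { Ref: ApiGatewayRestApi }
        ParentId: { Fn::GetAtt: [ApiGatewayRestApi, RootResourceId] }
        PathPart: data
    DataKeyResource:
      Type: AWS::ApiGateway::Resource
      Properties:
        RestApiId: { Ref: ApiGatewayRestApi }
        ParentId: { Ref: DataResource }
        PathPart: "{key}"
    DataGetMethod:
      Type: AWS::ApiGateway::Method
      Properties:
        RestApiId: { Ref: ApiGatewayRestApi }
        ResourceId: { Ref: DataKeyResource }
        HttpMethod: GET
        AuthorizationType: COGNITO_USER_POOLS  # callers without a valid token get 401
        AuthorizerId: { Ref: CognitoAuthorizer }
        RequestParameters:
          method.request.path.key: true
        Integration:
          Type: AWS
          IntegrationHttpMethod: GET
          Uri: arn:aws:apigateway:REGION:s3:path/USER_DATA_BUCKET/{key}  # placeholder bucket
          Credentials: arn:aws:iam::ACCOUNT:role/ApiGatewayS3ReadRole  # placeholder read-only role
          RequestParameters:
            integration.request.path.key: method.request.path.key
          IntegrationResponses:
            - StatusCode: 200
        MethodResponses:
          - StatusCode: 200
    # Merged into the generated deployment by the plugin (assumption): the stage is
    # deployed only after the protected S3 proxy method exists.
    __deployment__:
      DependsOn: [DataGetMethod]
```

The IAM role referenced in `Credentials` should grant only `s3:GetObject` on the user-data bucket, so the API Gateway integration cannot list or write objects even if a path is mis-mapped.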