Best practice to secure API gateway + graphql access?

Hi, currently I use Apollo Server to create a handler for Lambda and test the requester object to see whether it is authorized or not, to ensure mutations can only be made by signed-in users. But I am wondering if there is any better approach?
e.g. create two functions: one is GET for queries, accessible to the unauthorized IAM role, and the other is POST for mutations, which is only accessible to the authorized role?

```yaml
# serverless.yml
functions:
  graphql:                 # function name not shown in the post (placeholder)
    handler: lib/handler.main
    events:
      - http:
          path: graphql
          method: post
          cors: true
          authorizer: aws_iam
```
```ts
// handler.ts
import { ApolloServer } from 'apollo-server-lambda';

// typeDefs/resolvers and the authenticated()/getRequesterSub() helpers
// are not shown in the post
const server = new ApolloServer({
  typeDefs,
  resolvers,
  introspection: true,
  context: ({ event, context }) => ({
    requester: authenticated(event) ? getRequesterSub(event) : null,
  }),
});

export const main = server.createHandler({
  cors: {
    origin: '*',
    credentials: true,
  },
});
```
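One way to make the "mutations only for signed-in users" rule explicit in the Lambda itself, as an added example that is not the poster's code: read the identity that API Gateway attaches to the event when the method uses `authorizer: aws_iam`, classify the GraphQL document by operation type, and reject mutations from callers that are not authenticated before the request reaches Apollo. The field names under `event.requestContext.identity` are the ones API Gateway sets for REST (v1) proxy integrations; the helper names (`authenticated`, `getRequesterSub`, `authorize`, `operationTypes`) and the sample events are assumptions constructed for this example.

```javascript
'use strict';
// Added example, not from the original post. Gates GraphQL mutations on an
// IAM-authenticated caller inside the Lambda handler (API Gateway REST proxy
// event, `authorizer: aws_iam`). Helper names and sample data are ours.

const OPERATION_KEYWORDS = new Set(['query', 'mutation', 'subscription']);

// Return the type of every top-level operation definition in a GraphQL document.
// Small scanner, not a full parser: skips comments and string literals, tracks
// brace depth (outside parentheses) and reads the keyword opening each
// definition. Fragments are ignored; anonymous `{ ... }` is a query (shorthand).
function operationTypes(document) {
  const types = [];
  let depth = 0;       // selection-set brace depth
  let parens = 0;      // inside variable definitions / arguments
  let keyword = null;  // first word of the definition currently being read
  let i = 0;
  const n = document.length;
  while (i < n) {
    const c = document[i];
    if (c === '#') {                              // line comment
      while (i < n && document[i] !== '\n') i++;
    } else if (c === '"') {                       // "string" or """block string"""
      if (document.startsWith('"""', i)) {
        const end = document.indexOf('"""', i + 3);
        i = end < 0 ? n : end + 3;
      } else {
        i++;
        while (i < n && document[i] !== '"') i += document[i] === '\\' ? 2 : 1;
        i++;
      }
    } else if (c === '(') { parens++; i++; }
    else if (c === ')') { parens--; i++; }
    else if (c === '{') {
      // Braces inside parentheses are object default values, not selection sets
      if (parens === 0) {
        if (depth === 0) {
          if (keyword === null) types.push('query');
          else if (OPERATION_KEYWORDS.has(keyword)) types.push(keyword);
        }
        depth++;
      }
      i++;
    } else if (c === '}') {
      if (parens === 0) { depth--; if (depth === 0) keyword = null; }
      i++;
    } else if (depth === 0 && parens === 0 && /[A-Za-z_]/.test(c)) {
      let j = i;
      while (j < n && /[A-Za-z0-9_]/.test(document[j])) j++;
      if (keyword === null) keyword = document.slice(i, j);
      i = j;
    } else {
      i++;
    }
  }
  return types;
}

// Identity attached by API Gateway for IAM-authorized requests. A Cognito
// Identity Pool can vend credentials to "unauthenticated" (guest) identities
// too, so a cognitoIdentityId alone does not mean "signed in"; the
// cognitoAuthenticationType field is what distinguishes the two.
function authenticated(event) {
  const id = event && event.requestContext && event.requestContext.identity;
  return Boolean(id && id.cognitoIdentityId && id.cognitoAuthenticationType === 'authenticated');
}

// For a User Pool login federated through an Identity Pool, the provider string
// ends in "CognitoSignIn:<user pool sub>"; extract that sub, or null for guests.
function getRequesterSub(event) {
  if (!authenticated(event)) return null;
  const provider = event.requestContext.identity.cognitoAuthenticationProvider || '';
  const m = /CognitoSignIn:([^,]+)$/.exec(provider);
  return m ? m[1] : null;
}

// Policy: a document containing any mutation needs an authenticated requester;
// queries are open. Every operation in the document is inspected rather than
// trusting operationName, so a multi-operation document cannot hide a mutation.
function authorize(event) {
  let body;
  try { body = JSON.parse(event.body || '{}'); }
  catch (e) { return { allowed: false, status: 400, reason: 'malformed JSON body', requester: null }; }
  if (typeof body.query !== 'string') {
    return { allowed: false, status: 400, reason: 'missing query', requester: null };
  }
  const requester = getRequesterSub(event);
  if (operationTypes(body.query).includes('mutation') && requester === null) {
    return { allowed: false, status: 401, reason: 'mutations require a signed-in user', requester: null };
  }
  return { allowed: true, status: 200, reason: 'ok', requester };
}

// Constructed sample events (not captured from a real API): a guest and a user.
function sampleEvent(identity, query) {
  return { httpMethod: 'POST', path: '/graphql', body: JSON.stringify({ query }), requestContext: { identity } };
}
const GUEST = { cognitoIdentityId: 'us-east-1:guest-0000', cognitoAuthenticationType: 'unauthenticated', cognitoAuthenticationProvider: null };
const USER = {
  cognitoIdentityId: 'us-east-1:user-1111',
  cognitoAuthenticationType: 'authenticated',
  cognitoAuthenticationProvider: 'cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE,cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE:CognitoSignIn:11111111-2222-3333-4444-555555555555',
};
```

Two points worth keeping in mind with the split-route design from the question: IAM only decides which route a role may call, and the operation type lives in the request body rather than the route, so the GET/query function still needs a check like `operationTypes` to refuse a mutation sent to it; and `origin: '*'` combined with `credentials: true` is a combination browsers reject for credentialed requests, so the CORS origin should be an explicit allow-list if cookies or credentials are actually in use.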