Like Rowan I've never seen a Lambda executed twice for a single event except where it is well documented this will happen (i.e. SNS retrying failures).
With mutations you'll find a lot of the time they are idempotent, can easily be made idempotent or it doesn't really matter. For example: Instead of returning an error if someone tries to delete something that's already been deleted try returning a success.
Mutations that create resources are a little trickier. If you absolutely 100% cannot have a duplicate (i.e. you're processing financial transactions) then you should design your API appropriately. If you don't care that much but you're still a little concerned then you can probably use the request ID from the API gateway to de-duplicate.
In my case, anything I can make idempotent easily is made idempotent and everything else I just ignore.