Identify Google signed in user in AWS Lambda invoked by API Gateway

When any internet user enters a certain URL, I serve up an HTML dashboard that is generated from an AWS Lambda written in Python. This requires a bit of setup from API Gateway, but I've gotten this to work, no problem. But now anyone can see it.

The intended audience of this utility is employees of my company, which uses GSuite, so their browsers are conveniently already signed in with Google.

What is the minimum I can add to my solution to determine from inside the Lambda function the email address of the Google account that is signed in (in a way that cannot be faked)? In other words, Google account authentication (don't worry about authorization, I'll handle that in the Lambda).

It looks like I need to use AWS Cognito, but I want to be sure this is the best way.

I imagine that there would be a step that requires them to either "Login with Google" on my page or "Share your Google login details". I'm not sure what aspect of my page I need to set up on the Google side for them to know who the "me" is that users will be opting to trust (the URL maybe?).

Any resources to such solutions would be greatly appreciated!

Edit: I followed the instructions in the URL provided by hephalump.

I almost got everything to work. As expected, I get a screen saying "To continue, Google will share your name, email address, language preference, and profile picture with amazoncognito.com." Once I set up my own domain, that will appear in the message.

But then I have the callback URL set up to point to API Gateway, which calls my Lambda function. Where can I get the user information from inside the Lambda? It does not seem to appear in the event dict.
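An added example, not code from the original question or from any answer to it: once the Lambda holds a Cognito ID token (the `code` delivered to the callback URL is first exchanged for tokens at the user pool domain's `/oauth2/token` endpoint, a network call not shown here; or the browser sends the token in an `Authorization: Bearer` header), the unforgeable part is verifying that token against the user pool's published JWKS and pinning the issuer, audience, token type and expiry before reading the `email` claim. The block below does that with the `cryptography` package and builds a constructed stand-in for a user pool (a fresh RSA key and the JWKS a pool would publish) so it runs offline; `ISSUER`, `CLIENT_ID`, `verify_cognito_id_token`, `authenticate_event`, `make_test_pool`, `mint_id_token` and `demo` are hypothetical names for this illustration.

```python
"""Verify a Cognito ID token inside Lambda and read the signed-in email.
Added example, not from the original question; needs the `cryptography` package.
ISSUER, CLIENT_ID and all function names are hypothetical placeholders."""
import base64
import json
import time

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa

ISSUER = "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE"  # placeholder pool
CLIENT_ID = "example-app-client-id"  # placeholder app client


def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def verify_cognito_id_token(token, jwks, issuer, client_id, now=None):
    """Return verified claims or raise ValueError. `jwks` is the parsed JSON of
    https://cognito-idp.<region>.amazonaws.com/<pool_id>/.well-known/jwks.json."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token is not a three-part JWT")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "RS256":
        raise ValueError("unexpected alg %r" % header.get("alg"))
    # Select the pool key by kid; a key carried inside the token is never trusted.
    key = next((k for k in jwks["keys"] if k.get("kid") == header.get("kid")), None)
    if key is None or key.get("kty") != "RSA":
        raise ValueError("no matching RSA key for kid %r" % header.get("kid"))
    n = int.from_bytes(_b64url_decode(key["n"]), "big")
    e = int.from_bytes(_b64url_decode(key["e"]), "big")
    try:
        rsa.RSAPublicNumbers(e, n).public_key().verify(
            _b64url_decode(sig_b64), (header_b64 + "." + payload_b64).encode("ascii"),
            padding.PKCS1v15(), hashes.SHA256())
    except InvalidSignature:
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    # A valid signature is not enough: pin issuer, audience, token type and expiry.
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    if claims.get("aud") != client_id:
        raise ValueError("wrong audience")
    if claims.get("token_use") != "id":
        raise ValueError("not an ID token")
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("token expired")
    return claims


def authenticate_event(event, jwks, issuer=ISSUER, client_id=CLIENT_ID):
    """Lambda-proxy handler body: Bearer ID token -> 200 with email, else 401."""
    headers = event.get("headers") or {}
    auth = headers.get("Authorization") or headers.get("authorization") or ""
    if not auth.startswith("Bearer "):
        return {"statusCode": 401, "body": "missing bearer token"}
    try:
        claims = verify_cognito_id_token(auth[len("Bearer "):], jwks, issuer, client_id)
    except ValueError as exc:
        return {"statusCode": 401, "body": str(exc)}
    if not claims.get("email"):
        return {"statusCode": 401, "body": "token has no email claim"}
    return {"statusCode": 200, "body": "signed in as " + claims["email"]}


def make_test_pool(kid="test-kid"):
    """Constructed stand-in for a user pool: a fresh RSA key plus the JWKS it would publish."""
    private_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    nums = private_key.public_key().public_numbers()
    to_b64 = lambda x: _b64url_encode(x.to_bytes((x.bit_length() + 7) // 8, "big"))
    return private_key, {"keys": [{"kty": "RSA", "alg": "RS256", "use": "sig", "kid": kid,
                                   "n": to_b64(nums.n), "e": to_b64(nums.e)}]}


def mint_id_token(private_key, claims, kid="test-kid"):
    """Sign claims the way the pool does: RS256 with the key id in the header."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "kid": kid}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = private_key.sign((header + "." + payload).encode("ascii"), padding.PKCS1v15(), hashes.SHA256())
    return header + "." + payload + "." + _b64url_encode(sig)


def demo():
    """Genuine token passes; forged, wrong-audience and expired tokens are refused."""
    private_key, jwks = make_test_pool()
    base = {"iss": ISSUER, "aud": CLIENT_ID, "token_use": "id", "exp": time.time() + 300}
    genuine = mint_id_token(private_key, dict(base, email="alice@example.com"))
    h, _, s = genuine.split(".")  # attacker keeps the real signature, rewrites the email
    forged = h + "." + _b64url_encode(json.dumps(dict(base, email="ceo@example.com")).encode()) + "." + s
    other = mint_id_token(private_key, dict(base, aud="other-client", email="bob@example.com"))
    expired = mint_id_token(private_key, dict(base, exp=base["exp"] - 600, email="carol@example.com"))
    run = lambda t: authenticate_event({"headers": {"Authorization": "Bearer " + t}}, jwks)
    return {"genuine": run(genuine), "forged": run(forged), "other_client": run(other), "expired": run(expired)}
```

In a deployed function the JWKS would be fetched once per container from the pool's `.well-known/jwks.json` URL and cached, and the real handler would be `lambda_handler(event, context)` calling `authenticate_event` with that cached document. The alternative that needs no verification code at all is to attach a Cognito user pool authorizer to the API Gateway method: API Gateway then performs this check and the Lambda proxy event carries the claims under `event["requestContext"]["authorizer"]["claims"]`, including `email`; that is why the claims did not appear in the event when the callback URL pointed straight at an unauthorized method.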



Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow
