When using AWS signed cookies, the authorization flow is handled by CloudFront, i.e., you do not have to implement a Lambda function. So I suggest dealing with denied-access responses by redirecting on the client side. It's actually easier ^^ and complies with the signed-cookies no-Lambda philosophy.
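The client-side redirect suggested above, as an added example that is not part of the original answer. `LOGIN_PATH`, `returnTo`, `buildLoginUrl` and `fetchProtected` are hypothetical names; the code assumes CloudFront answers a request with missing or expired signed cookies with HTTP 403, and that the page can read that response (same origin, or CORS headers present on the error response).

```javascript
// Assumption: an application route that authenticates the user and
// re-issues the CloudFront signed cookies.
const LOGIN_PATH = "/login";

// Build the login URL. Only a same-origin path is carried as the return
// target, so the parameter cannot be abused as an open redirect.
function buildLoginUrl(currentUrl, origin) {
  let returnTo = "/";
  try {
    const u = new URL(currentUrl, origin);
    if (u.origin === origin) returnTo = u.pathname + u.search;
  } catch (_) {
    // Malformed URL: keep the safe default "/".
  }
  return LOGIN_PATH + "?returnTo=" + encodeURIComponent(returnTo);
}

// Fetch a resource behind CloudFront signed cookies.
// fetchImpl and navigate are injected so the logic can be exercised
// outside a browser; in a page they are fetch and location.assign.
async function fetchProtected(url, { fetchImpl, navigate, currentUrl, origin }) {
  // credentials: "include" sends the signed cookies on cross-origin requests.
  const res = await fetchImpl(url, { credentials: "include" });
  if (res.status === 403) {
    // Access denied by CloudFront: send the user to log in again.
    navigate(buildLoginUrl(currentUrl, origin));
    return null;
  }
  return res;
}

// Browser wiring (shown as a comment so the block also loads in Node):
// fetchProtected("https://cdn.example.com/private/report.pdf", {
//   fetchImpl: window.fetch.bind(window),
//   navigate: (u) => window.location.assign(u),
//   currentUrl: window.location.href,
//   origin: window.location.origin,
// });
```

The login route should apply the same same-origin check to `returnTo` before redirecting back, since the query string is user-controlled.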