You can, if the RBAC roles can be converted to scopes. For example, in some identity products, you can restrict the OAuth 2 scopes on a per-user basis depending on the user's group membership. I don't think Cognito supports that model. You can refer to this blog: https://medium.com/@awskarthik82/map-forgerock-openam-roles-to-aws-cognito-role-based-access-control-rbac-to-control-access-to-aws-970406a53a21. It doesn't exactly match your use case, but it is somewhat similar.