Considering there are a bunch of mobile devices (Android and iOS) that need to send data to AWS-IoT via MQTT, a custom authorizer that checks for a valid token based on business logic is to be implemented.
Referring to IoT Apps with AWS IoT and Websockets, slide 56/60 shows the registration process where a lambda is used to create and attach a policy.
Does this indicate that the lambda will create a new AWS-IoT device and attach the policy to that device? Which results in creating a new AWS-IoT device every time a new user signs up?
Referring to How to Use Your Own Identity and Access Management Systems to Control Access to AWS IoT Resources, you can create your custom authorizer. Once that's done, you can use aws/aws-iot-device-sdk-js to test out the authorizer by using this piece of code.
Using custom authorizer doesn't require you to create or have any things registered in your account.
You are billed for your connections, messages, etc., as per AWS's IoT pricing.
However, this is an MQTT-over-WSS implementation and not an MQTT-only implementation. As of now, the MQTT-only implementation still seems to require certificates during connection to the AWS-IoT broker.