There are 2 things that I am really struggling with:
Isn’t Amplify basically a replacement for Serverless (albeit, only for AWS)?
How do you do business logic in GraphQL? Do you install both graphql and lambda, but then how do you secure graphql on the client?
P.S. This tutorial is freaking amazing and super helpful. Being new to these technologies I’m having trouble figuring out responsibilities go to which technologies.
I think that I am finally making some progress.
The Amplify docs are pretty disjointed, but further trudging through Google has lead me back to the correct point in the docs:
https://aws-amplify.github.io/docs/cli/graphql#usage-1
Basically, with the @auth attribute on the GraphQL schema, you can define the user field and use that control access to records.
Still open to input and insights from the more experienced here 
Oh, an to give credit where due, this tutorial was the one that lead me to figure out my permissions questions:
Thanks for reporting back. I’m not too well versed with GraphQL implementation. But Amplify does a lot of different things. One aspect of it is that it helps you configure your serverless backend through their CLI.