Maybe combining Lambda integration with CloudFront (CF)?
You could intercept every HTTP request before it reaches CF, check auth data and decide to let it through or respond with 401 already. The CF auth password could be kept as an internal secret. You rotate temporary passwords on Lambda environment variables (bit insecure) or using AWS Secrets Manager (very safe).
Requests successfully authenticated on Lambda level gets rewritten with the master CF password to make them succeed there.
It's a lot more trouble than simply setting up basic auth, but you setup only once and theoretically it works.
You could intercept every HTTP request before it reaches CF, check auth data and decide to let it through or respond with 401 already. The CF auth password could be kept as an internal secret. You rotate temporary passwords on Lambda environment variables (bit insecure) or using AWS Secrets Manager (very safe).
Requests successfully authenticated on Lambda level gets rewritten with the master CF password to make them succeed there.
It's a lot more trouble than simply setting up basic auth, but you setup only once and theoretically it works.