Can Kong inspect request data and conditionally return a 403?

The use case I’m being asked to handle is to inspect the request message (things like headers and JSON body), and return a 403 in certain conditions. I’m wondering if this requires a completely custom plugin, or is there an existing plugin that allows me to supply a Lua script?

For example, the official API Transformer allows us to “transform requests and responses depending on your own business requirements” by writing control logic in Lua. My problem is that it’s lightly documented and I can’t find any examples. So for example I don’t know if this plugin would allow me to read the JSON message body, execute arbitrary Lua, and return a 403.
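One way the check described above could look as the access-phase handler of a custom plugin written against Kong's Lua PDK. This is an added example, not part of the original post; the plugin name, the header, the JSON field and the rule values are hypothetical, and the `schema.lua` a plugin also needs is omitted.

```lua
-- handler.lua for a hypothetical custom plugin "conditional-deny".
-- The header name, JSON field and blocked values are constructed for illustration.
local kong = kong

local ConditionalDeny = {
  PRIORITY = 900,      -- assumed value; choose it relative to your auth plugins
  VERSION  = "0.1.0",
}

-- Hypothetical rule: these "action" values are never allowed through the gateway.
local BLOCKED_ACTIONS = { delete_all = true, export = true }

-- Log the real reason for operators, return a generic body to the client.
local function deny(reason)
  kong.log.warn("conditional-deny: ", reason)
  return kong.response.exit(403, { message = "Forbidden" })
end

function ConditionalDeny:access(conf)
  -- Header check: reject requests that lack the expected header.
  local tenant = kong.request.get_header("X-Tenant-Id")
  if type(tenant) ~= "string" or tenant == "" then
    return deny("missing X-Tenant-Id header")
  end

  -- Only requests that carry a body are inspected further.
  local method = kong.request.get_method()
  if method ~= "POST" and method ~= "PUT" and method ~= "PATCH" then
    return
  end

  -- get_body() decodes the body according to Content-Type. It returns an
  -- error for unsupported types, malformed JSON, or a body that did not fit
  -- in the client body buffer; fail closed in all of those cases.
  local body, err, mimetype = kong.request.get_body()
  if err or mimetype ~= "application/json" or type(body) ~= "table" then
    return deny("body not inspectable: " .. tostring(err or mimetype))
  end

  -- The JSON is client-controlled: check the type before using a field.
  local action = body.action
  if type(action) ~= "string" or BLOCKED_ACTIONS[action] then
    return deny("blocked or invalid action for tenant " .. tenant)
  end
  -- No exit was called, so the request continues to the upstream.
end

return ConditionalDeny
```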