If you want to make it available via a custom domain, you can migrate to the FIPS endpoint, which by the end of the month will support only TLS 1.2+ (https://aws.amazon.com/security/security-bulletins/AWS-2020-001/). Bear in mind that the standard endpoint will still be available, as you can’t disable it, and it will expose TLS 1.0 and TLS 1.1 on the Cognito domain.
AFAIR you can put your own CloudFront distribution (with no caching) in front of Cognito. The default custom domain setup is actually a CloudFront distribution, but it’s not exposing the TLS configuration.