Setting up CloudFront service

0

Hi there,

I need help setting up a CloudFront service to redirect traffic from my TLS 1.0 application to a TLS 1.2

Thanks!

Tarik
Asked 1 year ago · Viewed 209 times
3 Answers
2

Clients will negotiate the highest level they can support.
https://aws.amazon.com/about-aws/whats-new/2022/05/amazon-cloudfront-tls-version-cipher-suite-viewer-header/ can let your application make decisions based on client TLS level. Alternatively, you can set a security policy on CloudFront https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/secure-connections-supported-viewer-protocols-ciphers.html that denies the lower level of TLS, however there's no mechanism to redirect clients at that point -- they'll get kicked out before they are able to issue a request or receive a response.

So, you can either allow the lower TLS level and have your application make a decision to redirect based on the header, or deny the lower TLS version and disallow clients that don't support it.

Answered 1 year ago
Expert
Reviewed 1 year ago
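
An added example, not part of the answer above or of AWS's own code: one way an origin application could act on the `CloudFront-Viewer-TLS` header when the distribution still accepts TLS 1.0. It assumes the header is forwarded to the origin in `version:cipher:handshake` form and that the origin is reachable only through CloudFront, so a client cannot supply the header itself; `UPGRADE_URL`, `MIN_VERSION` and the function names are hypothetical.

```python
import re

MIN_VERSION = (1, 2)                              # lowest viewer TLS version served normally
UPGRADE_URL = "https://example.com/tls-upgrade"   # hypothetical notice page (assumption)
_VERSION_RE = re.compile(r"TLSv(\d+)(?:\.(\d+))?")


def parse_viewer_tls(value):
    """Parse 'version:cipher:handshake' into ((major, minor), cipher, handshake)."""
    parts = value.strip().split(":")
    if len(parts) != 3:
        raise ValueError(f"unexpected CloudFront-Viewer-TLS value: {value!r}")
    version, cipher, handshake = parts
    if version.startswith("SSL"):
        return (0, 0), cipher, handshake          # any SSL version sorts below TLS 1.0
    m = _VERSION_RE.fullmatch(version)
    if not m:
        raise ValueError(f"unrecognised protocol version: {version!r}")
    return (int(m.group(1)), int(m.group(2) or 0)), cipher, handshake


def decide(headers):
    """Return (action, detail) for one request's headers (any mapping of name -> value)."""
    lowered = {k.lower(): v for k, v in headers.items()}
    raw = lowered.get("cloudfront-viewer-tls")
    if raw is None:
        # Header not forwarded, or the request bypassed CloudFront: fail closed.
        return ("reject", "missing CloudFront-Viewer-TLS")
    try:
        version, _cipher, _handshake = parse_viewer_tls(raw)
    except ValueError as exc:
        return ("reject", str(exc))
    if version < MIN_VERSION:
        return ("redirect", UPGRADE_URL)          # legacy client: send to the upgrade notice
    return ("serve", None)


if __name__ == "__main__":
    # Constructed sample header values, not captured traffic.
    for sample in ("TLSv1:ECDHE-RSA-AES128-SHA:fullHandshake",
                   "TLSv1.1:ECDHE-RSA-AES128-SHA:sessionResumed",
                   "TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:connectionReused",
                   "TLSv1.3:TLS_AES_128_GCM_SHA256:fullHandshake"):
        print(sample.split(":")[0], decide({"CloudFront-Viewer-TLS": sample}))
```

A missing or malformed header is rejected rather than served, so a misconfigured forwarding policy shows up as an error instead of silently treating every client as modern.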
0

To set up a CloudFront service to redirect traffic from a TLS 1.0 application to TLS 1.2, you create a new CloudFront distribution in the AWS Management Console and specify your origin server as the endpoint for the TLS 1.0 application. Configure the CloudFront distribution to use a custom SSL certificate that supports TLS 1.2. This certificate should be issued by a trusted CA. In the CloudFront distribution settings, enable the Minimum SSL Protocol Version option and set it to TLSv1.2 to ensure that only TLS 1.2 connections are allowed.

Answered 1 year ago
0

After creating a new CloudFront distribution in the AWS Management Console, assigning the origin server as the TLS application's endpoint, and obtaining a trusted certificate from the CA, make sure that only TLS connections are allowed in your CloudFront distribution settings.

AWS
Answered 1 year ago