Yup, that's exactly what I did in the end, and it works rather nicely,. Got a lambda/cognito authentication working in front of a static site.
Luckily I've done a little Nodejs before building a Google home task, but forgotten most of it. I had fun working out why a https post call's results weren't being used and it would reach the end of the script before the result came back. Promise/await fixed that one