Set up OAC between CloudFront and your bucket with aws:SourceArn.
cloudfront
A collection of 3 posts
Secure your CloudFront Distributions
UPDATE: AWS announced over the weekend [https://aws.amazon.com/blogs/security/enhanced-domain-protections-for-amazon-cloudfront-requests/] that they're enhancing protections against this kind of scenario. A few weeks ago a security researcher shared [https://disloops.com/cloudfront-hijacking/] that it was possible to
Updating Security Groups with Lambda
> Paying for idle is so 2015

I had some Lambda Functions that scraped data from the Internet and stored them in a database. Locking down the RDS Security Group to only Lambda Functions turned out to be more complicated than