To restrict access to content that you provide from Amazon S3 buckets access, you can create a signature CloudFront URL or signature Cookie restrict access to the Amazon S3 bucket file, then you can create an identity called source access (OAI) of special CloudFront user and associate it with your distribution. Next, you configure the permissions so OAI CloudFront can be used to access and provide documentation to your users, but users can not use the direct URL S3 bucket to point to access the files. Take the following steps to help you maintain secure access to documents provided by the CloudFront.
Generally speaking, if you are using Amazon S3 bucket as a source CloudFront distribution, you can allow everyone to have access to these files, or you can restrict access. For example, if you restrict access by using CloudFront signature URL or signature Cookie, you do not want to will be able to simply use the direct URL of the file you can view the file. Instead, you want them only by using CloudFront URL to access files in order to be useful for your protection. About using URL signature and signature Cookie details, please refer to the use URL signature and signed Cookie provides private content