When CloudFront uses an S3 bucket as its origin, the setup can be made safer by having CloudFront send authenticated requests to the bucket using an origin access identity (OAI). For more information on restricting access using origin access identity, see the AWS CloudFront documentation.
References:
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html
In AWS Console -
In Terraform -
References:
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_distribution
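A minimal Terraform configuration for the setup described above, added here as an illustration and not taken from the AWS or Terraform documentation. The bucket name, resource names and origin ID are placeholders; the bucket policy grants read access only to the OAI, so the bucket itself can stay private.

```hcl
# Added example: names such as "assets", "site" and "assets-s3" are placeholders.
resource "aws_s3_bucket" "assets" {
  bucket = "example-assets-bucket" # placeholder bucket name
}
resource "aws_cloudfront_origin_access_identity" "site" {
  comment = "OAI for example-assets-bucket"
}
# Only the OAI principal may read objects; no public read is granted.
data "aws_iam_policy_document" "assets_read" {
  statement {
    actions   = ["s3:GetObject"]
    resources = ["${aws_s3_bucket.assets.arn}/*"]
    principals {
      type        = "AWS"
      identifiers = [aws_cloudfront_origin_access_identity.site.iam_arn]
    }
  }
}

resource "aws_s3_bucket_policy" "assets" {
  bucket = aws_s3_bucket.assets.id
  policy = data.aws_iam_policy_document.assets_read.json
}

resource "aws_cloudfront_distribution" "site" {
  enabled = true
  origin {
    domain_name = aws_s3_bucket.assets.bucket_regional_domain_name
    origin_id   = "assets-s3"
    # Without an OAI here, CloudFront's requests to the bucket are unauthenticated.
    s3_origin_config {
      origin_access_identity = aws_cloudfront_origin_access_identity.site.cloudfront_access_identity_path
    }
  }
  default_cache_behavior {
    target_origin_id       = "assets-s3"
    allowed_methods        = ["GET", "HEAD"]
    cached_methods         = ["GET", "HEAD"]
    viewer_protocol_policy = "redirect-to-https"
    forwarded_values {
      query_string = false
      cookies { forward = "none" }
    }
  }
  restrictions {
    geo_restriction { restriction_type = "none" }
  }
  viewer_certificate { cloudfront_default_certificate = true }
}
```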