Amazon CloudFront vs. S3 --> restrict access by domain?

Question

On Amazon S3, you can restrict access to buckets by domain.

But as far as I understand from a helpful StackOverflow user, you cannot do this on CloudFront. But why? If I am correct, CloudFront only allows time-based restrictions or IP restrictions (--> so I need to know the IP's of random visitors..?) Or am I missing something?

Here is a quote from S3 documentation that suggests that per-domain restriction is possible:

---> " To allow read access to these objects from your website, you can add a bucket policy that allows s3:GetObject permission with a condition, using the aws:referer key, that the get request must originate from specific webpages. "

--> Is there a way to make this method work on CloudFront as well? Or why something like this is not available on CloudFront?

--> Is there a similar service where this is possible, easier to setup?

Answer 1

Using CloudFront along with WAF (Web Application Firewall), you can restrict requests based on IP address, referrers, or domains.

Here is a AWS blog tutorial on restricting "hotlinking".

https://blogs.aws.amazon.com/security/post/Tx2CSKIBS7EP1I5/How-to-Prevent-Hotlinking-by-Using-AWS-WAF-Amazon-CloudFront-and-Referer-Checkin

In this example, it prohibits requests where the Referrer: header does not match a specific domain.