Protecting your origin by allowing access to CloudFront only
Controlling access to your origin is necessary, along with controlling viewer access, to have secure delivery via CloudFront. Your origin should allow requests only from CloudFront, and shut down attempts from any others.