A customer using CloudFront to protect origin, wants to ensure traffic can only arrive from their CloudFront distribution. They have configured a security group IP allow list based on ip-ranges.json, along with custom headers to validate requests.
Customer has raised the concern that a bad actor can easily discover the origin-secret UUID and duplicate the configuration. They are seeking a method to further secure the shared secret, and protect it from attackers.