Cloudfront verbs matter
Avoid Cloudfront AllowedMethods beyond GET, HEAD and OPTIONS.
Summary
An attacker can send requests through Cloudfront that modify, add or delete origin content if the allowed HTTP verbs and the S3 permissions are not set carefully. Any use of "AllowedMethods" beyond GET, HEAD and OPTIONS presents an increased risk of loss, depending on the toxic combination with an S3 bucket policy that permits Action: "*" or anything more than GetObject.
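The check below is an added defender-side example, not code from the original page. It takes a Cloudfront distribution config in the shape the GetDistributionConfig API returns and an S3 bucket policy in the shape GetBucketPolicy returns, flags cache behaviors whose AllowedMethods go beyond GET, HEAD and OPTIONS, flags bucket policy statements that grant more than s3:GetObject, and rates the pair HIGH only when both are present, which is the toxic combination the summary describes. It also produces the corrected read-only distribution config. The bucket name, the origin access identity id and the statement Sids are constructed placeholders.

```python
"""Flag the Cloudfront verb / S3 bucket policy toxic combination.

Added example, not part of the original page. The dictionaries mirror the
shape returned by GetDistributionConfig and GetBucketPolicy, but every value
in them is constructed for this example.
"""
import copy
import json

# The only verbs a read-only distribution needs.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}

# Constructed weak configuration: every HTTP verb is forwarded to the origin.
SAMPLE_DISTRIBUTION_CONFIG = {
    "DefaultCacheBehavior": {
        "TargetOriginId": "s3-origin",
        "AllowedMethods": {
            "Quantity": 7,
            "Items": ["GET", "HEAD", "OPTIONS", "PUT", "PATCH", "POST", "DELETE"],
            "CachedMethods": {"Quantity": 2, "Items": ["GET", "HEAD"]},
        },
    },
    "CacheBehaviors": {
        "Quantity": 1,
        "Items": [{"PathPattern": "/static/*", "TargetOriginId": "s3-origin",
                   "AllowedMethods": {"Quantity": 2, "Items": ["GET", "HEAD"]}}],
    },
}

# Constructed weak bucket policy: the Cloudfront principal gets Action "*".
SAMPLE_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowCloudFrontReadWrite",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity EXAMPLEOAI"},
        "Action": "*",
        "Resource": "arn:aws:s3:::example-bucket/*",
    }],
}

# Constructed corrected policy: same principal, limited to s3:GetObject.
HARDENED_BUCKET_POLICY = copy.deepcopy(SAMPLE_BUCKET_POLICY)
HARDENED_BUCKET_POLICY["Statement"][0]["Sid"] = "AllowCloudFrontReadOnly"
HARDENED_BUCKET_POLICY["Statement"][0]["Action"] = "s3:GetObject"


def _behaviors(dist_config):
    """Default behavior (path "*") followed by every explicit cache behavior."""
    out = [("*", dist_config["DefaultCacheBehavior"])]
    for b in dist_config.get("CacheBehaviors", {}).get("Items", []):
        out.append((b["PathPattern"], b))
    return out


def risky_cache_behaviors(dist_config):
    """(path_pattern, extra_verbs) for each behavior allowing more than GET/HEAD/OPTIONS."""
    findings = []
    for pattern, b in _behaviors(dist_config):
        extra = sorted(set(b["AllowedMethods"]["Items"]) - SAFE_METHODS)
        if extra:
            findings.append((pattern, extra))
    return findings


def overbroad_statements(policy):
    """(Sid, actions) for each Allow statement granting anything but s3:GetObject.
    Accepts a dict or the JSON string that GetBucketPolicy returns."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be unwrapped
        statements = [statements]
    findings = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        if "NotAction" in stmt:  # NotAction allows everything except the listed actions
            findings.append((sid, ["NotAction"]))
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        extra = [a for a in actions if a.lower() != "s3:getobject"]
        if extra:
            findings.append((sid, extra))
    return findings


def classify(dist_config, policy):
    """HIGH: write verbs reach a bucket whose policy allows more than GetObject
    (the toxic combination). MEDIUM: write verbs exposed, policy limits them.
    LOW: over-broad grant behind a read-only distribution. OK: neither."""
    verbs, grants = risky_cache_behaviors(dist_config), overbroad_statements(policy)
    if verbs and grants:
        return "HIGH"
    if verbs:
        return "MEDIUM"
    return "LOW" if grants else "OK"


def read_only_copy(dist_config):
    """Copy of the config with every behavior cut down to GET/HEAD/OPTIONS
    (order preserved, nothing widened); the input is left untouched."""
    fixed = copy.deepcopy(dist_config)
    for _, b in _behaviors(fixed):
        kept = [m for m in b["AllowedMethods"]["Items"] if m in SAFE_METHODS]
        b["AllowedMethods"]["Items"] = kept
        b["AllowedMethods"]["Quantity"] = len(kept)
    return fixed
```

Run `classify(SAMPLE_DISTRIBUTION_CONFIG, SAMPLE_BUCKET_POLICY)` to see the HIGH rating, swap in `HARDENED_BUCKET_POLICY` to see it drop to MEDIUM, and pass `read_only_copy(SAMPLE_DISTRIBUTION_CONFIG)` to see OK. In a real account you would feed it the `DistributionConfig` from `get_distribution_config` and the `Policy` string from `get_bucket_policy` for each S3 origin; the Quantity fields are recomputed so the corrected config can be sent straight back to `update_distribution`.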
Applicable To
Possibly mitigated by Cloudfront domain validation
Resources
Cloudfront / S3
Maturity
Functions
CSPS
AWS
Author
Houston Hopkins
Additional Links