So you badly want to leverage CloudFront for your CDN. But you need to protect the content behind auth. You do a search, and most of the solutions involve Lambda@Edge.
Lambda@Edge is cool and all, but it directly adds to your request latency, and you incur the compute costs of that Lambda for each request.
So I developed a solution called CloudFront Auth, which is an extensible AWS API Gateway, using a Golang Lambda that proxies auth requests from CloudFront to authentication handlers.
The primary authentication handler I wrote to use behind CFA was a CFA-SAML solution to integrate with the corporate-wide SAML login solution.
Works like a champ! SAML auth compute latency and charges only happen when the user’s access cookies are timed out or invalid. They click on the login button you give them in this case, and a few seconds later they have authenticated themselves for access to CloudFront.
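The post does not say how the access cookies are built. As an added example (not CFA's own code), this sketch assumes they are CloudFront signed cookies with a custom policy, the native mechanism that lets CloudFront check access itself with no per-request compute. The key ID, domain and throwaway key are constructed, and `Verify` and `DemoKey` are hypothetical helpers for offline checking.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"encoding/base64"
	"fmt"
	"strings"
	"time"
)

// CloudFront's cookie-safe base64 alphabet: '+' -> '-', '=' -> '_', '/' -> '~'.
var enc = strings.NewReplacer("+", "-", "=", "_", "/", "~")
var dec = strings.NewReplacer("-", "+", "_", "=", "~", "/")
func b64(b []byte) string { return enc.Replace(base64.StdEncoding.EncodeToString(b)) }
// SignedCookies returns the custom-policy cookie values CloudFront validates at the edge.
func SignedCookies(key *rsa.PrivateKey, keyID, resource string, exp time.Time) (map[string]string, error) {
	policy := fmt.Sprintf(`{"Statement":[{"Resource":%q,"Condition":{"DateLessThan":{"AWS:EpochTime":%d}}}]}`, resource, exp.Unix())
	sum := sha1.Sum([]byte(policy)) // signed cookies use RSA PKCS#1 v1.5 over SHA-1
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA1, sum[:])
	if err != nil {
		return nil, err
	}
	return map[string]string{
		"CloudFront-Policy": b64([]byte(policy)), "CloudFront-Signature": b64(sig), "CloudFront-Key-Pair-Id": keyID,
	}, nil
}

// Verify repeats the signature check locally so the result can be tested offline.
func Verify(pub *rsa.PublicKey, c map[string]string) (string, error) {
	policy, err1 := base64.StdEncoding.DecodeString(dec.Replace(c["CloudFront-Policy"]))
	sig, err2 := base64.StdEncoding.DecodeString(dec.Replace(c["CloudFront-Signature"]))
	if err1 != nil || err2 != nil {
		return "", fmt.Errorf("malformed cookie encoding")
	}
	sum := sha1.Sum(policy)
	return string(policy), rsa.VerifyPKCS1v15(pub, crypto.SHA1, sum[:], sig)
}

// DemoKey is a constructed throwaway key; a real signer loads the key-group private key.
func DemoKey() *rsa.PrivateKey { k, _ := rsa.GenerateKey(rand.Reader, 2048); return k }

func main() {
	k := DemoKey() // constructed key, key ID and domain below are placeholders
	c, _ := SignedCookies(k, "K_EXAMPLE_ID", "https://cdn.example.com/*", time.Now().Add(time.Hour))
	fmt.Println(Verify(&k.PublicKey, c)) // policy JSON followed by <nil> when the signature is valid
}
```

The auth handler would return these three values as `Set-Cookie` headers with `Secure` and `HttpOnly` set, scoped to the distribution's domain, and keep the policy expiry short so a leaked cookie ages out quickly.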