CloudFront
- Viewer to Edge Location : Viewer Access
- Edge Location to Origin : Origin Access
Origin Access Identity (OAI)
Enabled at the distribution level of CloudFront (on the S3 origin). It ensures that objects in the
S3 bucket can be fetched only via CloudFront. In addition to this, you need a bucket policy
that restricts access to the S3 bucket from any source other than the Origin Access Identity.
Steps:
- Create a special CloudFront user called an origin access identity (OAI).
- Give the origin access identity permission to read the objects in your bucket.
- Remove anyone else's permission to use Amazon S3 URLs to read the objects.
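The bucket policy the second and third steps call for, as an added example (not from the original notes): it grants s3:GetObject only to the OAI and contains no other grants, so once public ACLs are removed and S3 Block Public Access is enabled, S3 URLs stop working for everyone but CloudFront. EXAMPLE-BUCKET and EXAMPLE_OAI_ID are placeholders for your bucket name and the OAI's ID.

```json
{
  "Version": "2012-10-17",
  "Id": "PolicyForCloudFrontPrivateContent",
  "Statement": [
    {
      "Sid": "AllowReadOnlyViaCloudFrontOAI-EXAMPLE",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity EXAMPLE_OAI_ID"
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::EXAMPLE-BUCKET/*"
    }
  ]
}
```

Apply it with `aws s3api put-bucket-policy --bucket EXAMPLE-BUCKET --policy file://policy.json`, then verify that a direct S3 URL to an object returns 403 while the CloudFront URL still serves it.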
Signed URLs and Cookies: configured at the behaviour level, not at the distribution level; you can restrict individual behaviors with signed URLs or signed cookies. They are generated programmatically via the API/SDKs, not from the console. Signed cookies are NOT supported with RTMP distributions.
HTTPS on CloudFront
HTTPS on CloudFront with alternate domain names, choose either:
- Use dedicated IP address in each edge location or
- Use Server Name Indication (SNI)
Lambda@Edge
- Lambda functions attached to a CloudFront distribution per cache behavior, so each behavior can run its own functions.
CloudFront Events
- Viewer Request
- Viewer Response
- Origin Request
- Origin Response
Geo-Restriction
Built in to CloudFront; it is based only on the client's IP address (mapped to a country).
For other restrictions you need a third-party service/application
that uses a compute service together with signed URLs.
Field-level encryption
In addition to the default end-to-end HTTPS encryption from viewer to edge location to origin, you can encrypt specific sensitive fields of user-submitted data at the edge location with a public key, so that only the origin holding the matching private key can decrypt them. This is called field-level encryption.