This is what I expected the article to be about. I would wager a lot of shops don't to the whitelisting. If they wanted to be really intense they could do authenticated origin pulls.
AWS CloudFront with S3 recommends that you just set your S3 to require a specific 'Referer' header variable and you set CloudFront to send that custom 'Referer' with each origin request.
Seems to work great when you use something like a GUID, and no need for IP whitelisting.
Seems to work great when you use something like a GUID, and no need for IP whitelisting.