How do I allow access to an Amazon S3 bucket only from a CloudFront distribution?

Step 1: Frist login into your account and create a bucket in s3 like cloud.example.com
Step 2 : Go to CloudFront Service

Amazon CloudFront Getting Started

Either your search returned no results, or you do not have any distributions. Click the button below to create a new CloudFront distribution. A distribution allows you to distribute content using a worldwide network of edge locations that provide low latency and high data transfer speeds (learn more)

Now click on Create Distribution and you have to choose Web Distribution from Below

Select a delivery method for your content.

Web

Create a web distribution if you want to: Speed up distribution of static and dynamic content, for example, .html, .css, .php, and graphics files. Distribute media files using HTTP or HTTPS. Add, update, or delete objects, and submit data from web forms. Use live streaming to stream an event in real time. You store your files in an origin - either an Amazon S3 bucket or a web server. After you create the distribution, you can add more origins to the distribution.

RTMP

Create an RTMP distribution to speed up distribution of your streaming media files using Adobe Flash Media Server's RTMP protocol. An RTMP distribution allows an end user to begin playing a media file before the file has finished downloading from a CloudFront edge location. Note the following: To create an RTMP distribution, you must store the media files in an Amazon S3 bucket. To use CloudFront live streaming, create a web distribution.

Note: While creating distribution don't put cname field like we want to access our CloudFront with custom domain name like : cloud.example.com because it will give an error. First create distribution once its get created then we have to copy the Endpoint of cloudfront and create a new record in Route 53 with the cname and value as CloudFront endpoint. then we have to edit this distribution.
Same thing to be done in SSL. First, we have to create a certificate then we have to apply that certificate to cloud front distribution.


Step 3 Click on Create distribution.

Step 4 : Once distribution get created then we have to copy domain name from
Domain Name : d10i4suyxpsdrgsph.cloudfront.net

Now go to Route 53 and create a Cname record. with 

cloud.exmaple.com and choose cname type and past above domain Name value in it and save it.

Step 5 : Now go to Again CloudFront Distribution and choose "Origins and Origin Groups" and choose your as showin in image and click on Edit. 

Once you click on Edit now you can edit details as showin in picture.

Once you done these changes then click on Yes, Edit. Button.

Step 6 : If you bucket have public access then you can remove public access because we want only to be accessed through CloudFront url only.

It can be done as follow just click on your bucket (means select your bucket) and click on
(Edit Public Access Settings)  and uncheck from Block all public access

Click on Save Button.


Step 7: Once your distribution get deployed now we have to change SSL and cname setting of CloudFront. Because unless and untill its get deployed if we try to change SSL certificate it will not give an option to change it.








Reference Site :
https://aws.amazon.com/premiumsupport/knowledge-center/cloudfront-access-to-amazon-s3/