You should configure a Web Application Firewall in front of your CloudFront distribution. This will mitigate many types of attacks on your web application.
Complex web application attacks can more easily be performed without a WAF
Enable WAF for the CloudFront distribution
The following example will fail the aws-cloudfront-enable-waf check.
The following example will pass the aws-cloudfront-enable-waf check.