You can use a Lambda function to update the security group’s rules dynamically whenever AWS publishes new internal service IP ranges for CloudFront.