This article makes no sense. If an attacker can inject code into the services you use, that's already game over. It isn't novel to inject it into CloudFront specifically.

As an attacker if you control your target's CloudFront or lambda functions then you can directly exfiltrate all the data to whereever you want.

Edit: Now, it might seem that this is a harsh comment, but let me assure you it is not. I’ve left this here so that others that come and read the article aren’t also confused about this as well. See, when I read the article I expected something novel, and was confused as if I was missing something. But the conclusion as confirmed by others that have responded, that indeed this isn’t novel.

So if you feel like you must be missing something after reading this article, don’t worry at all. You likely aren’t missing anything. In case this article has been useful to you, then great, otherwise don’t worry about it.