I want to use CloudFront's signed URLs rather than plain unsigned URLs.

django-storages gives the option of AWS_S3_CUSTOM_DOMAIN but then it generates unsigned URLs from CloudFront's subdomain. By default AWS_QUERYSTRING_AUTH is True and it does generate signed URLs for S3. Any way to generate signed URLs for CloudFront.

This is the setting I am looking to turn on, but due to unsigned URLs I disabled it.
Settings I am looking to turn on for My distribution

Okay, so the signed URLs are supported now in django-storages development version since this commit (see thread for more info)

The version is not yet published on pip, so you can add it to your requirements like this:

-e git+git://github.com/jschneier/django-storages.git@b116e3a235323144cda6d3cc5a5cb27baf076ee2#egg=django-storages-dev

Then you have to update your options:

AWS_S3_CUSTOM_DOMAIN = "Your cloudfront domain" # something like xxxxx.cloudfront.net
AWS_CLOUDFRONT_KEY_ID = "YOUR_CLOUDFRONT_KEY_ID"
with open(os.path.join(BASE_DIR, "cert.pem")) as aws_cert:
    AWS_CLOUDFRONT_KEY = aws_cert.read().encode('ascii')

And that's it. The default expiration timeout is 24 hours, not sure how to change it.

Note that CloudFront key is not the same one as you use for other AWS services. You have to generate it using your root AWS account (not an IAM user). See documentation