Our AWS account stores thousands of video and audio files inside several S3 buckets, each bucket containing multiple folder paths. All of these assets already sit behind a single CloudFront distribution ID; what’s missing is a clean, repeatable way to produce signed URLs so that every file can be reached privately and only for a fixed window of time. Here is the outcome I need: • A lightweight script, CLI tool, or Lambda function (Python or Node.js preferred, but language is flexible) that walks through every folder in the designated buckets and returns a signed CloudFront URL for each media object. • The links must be private — no one should reach the files unless they have the signed URL — and every link should expire after the same preset interval (we can agree on the exact duration during hand-off). • The solution should accept an input list of bucket-folder pairs or, if simpler, discover them automatically from a tag or naming pattern. • Clear README or inline documentation covering required IAM permissions, how to rotate key pairs, and how to modify the default expiration time. Acceptance will be based on: 1. Running the tool in my AWS account generates working links for a sample set of files. 2. Attempting access after the expiration window responds with Access Denied. 3. All code, CloudFormation/Terraform (if used), and instructions are delivered in a clean repo or zip. If you normally use AWS SDK v3, boto3, or a signed-cookie approach, feel free to suggest the best fit; the only strict requirement is that we stay on one CloudFront distribution.