Go to My Security Credentials in AWS Management Console


At the prompt click Continue to Security Credentials


Click on Users and then Add Users


Give a meaningful name to the user and allow only Programmatic access


Click Attach existing policies directly & filter CloudFront. Assign CloudFrontFullAccess policy


Ignore the tags option & click Review


Review the new user creation & click Create User


Copy the Access key ID & Secret access key, by clicking the download .csv button or manually copying them & then click close.


Note

If you wish to use a custom domain name on your cloudfront distribution, you may need to add the AWSCertificateManagerFullAccess permission too

AWS ACM