diff --git a/index.js b/index.js
index 13eb72f..c43f455 100644
--- a/index.js
+++ b/index.js
@@ -333,6 +333,7 @@ class ServerlessFullstackPlugin {
         this.prepareCertificate(distributionConfig);
         this.prepareWaf(distributionConfig);
         this.prepareSinglePageApp(resources.Resources);
+        this.prepareRestrictedPaths(distributionConfig);
         this.prepareS3(resources.Resources);
         this.prepareMinimumProtocolVersion(distributionConfig);
         this.prepareCompressWebContent(distributionConfig);
@@ -483,6 +484,28 @@ class ServerlessFullstackPlugin {
         }
     }
 
+    prepareRestrictedPaths(distributionConfig) {
+        const restrictedPaths = this.getConfig('restrictedPaths', null);
+
+        const behaviorTemplate = _.find(distributionConfig.CacheBehaviors, (cacheBehavior => {
+            return cacheBehavior.TargetOriginId === 'RestrictedPathTemplate';
+        }));
+
+        //Remove template
+        distributionConfig.CacheBehaviors = _.filter(distributionConfig.CacheBehaviors, (cacheBehavior => {
+            return cacheBehavior.TargetOriginId !== 'RestrictedPathTemplate';
+        }));
+
+        if (restrictedPaths !== null) {
+            this.serverless.cli.log(`Configuring distribution for restricted paths...`);
+            distributionConfig.CacheBehaviors = distributionConfig.CacheBehaviors
+                .concat(_.map(restrictedPaths, (restrictedPath) => {
+                    return { ...behaviorTemplate, ...restrictedPath, TargetOriginId: 'WebApp',
+                        TrustedSigners: [].concat(restrictedPath.TrustedSigners) };
+                }));
+        }
+    }
+
     prepareS3(resources) {
         const bucketName = this.getConfig('bucketName', null);
 
diff --git a/lib/resources/resources.yml b/lib/resources/resources.yml
index 13e6d3b..23524f7 100644
--- a/lib/resources/resources.yml
+++ b/lib/resources/resources.yml
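Review bot: `TrustedSigners: [].concat(restrictedPath.TrustedSigners)` in prepareRestrictedPaths turns a config entry that omits TrustedSigners into `[undefined]`, so a path the user meant to protect is only rejected (if at all) by CloudFormation with an opaque error instead of at packaging time; since TrustedSigners is the entire access control for these paths, the plugin should fail fast when an entry has no PathPattern or no usable signer, and should also refuse to proceed if `behaviorTemplate` was not found, because spreading `undefined` silently yields a behavior without AllowedMethods or ViewerProtocolPolicy. The new behaviors are appended after the existing ones and CloudFront evaluates CacheBehaviors in order, so a restricted PathPattern that is also matched by an earlier pattern such as `api/*` would never take effect — worth at least a comment, ideally a warning. Whether a signed-URL restriction here can be bypassed by reading the S3 origin directly depends on the bucket policy and origin access setup, which this hunk does not show. Sketch of the validation:
```javascript
        if (restrictedPaths !== null) {
            if (behaviorTemplate === undefined) {
                throw new Error('restrictedPaths: RestrictedPathTemplate cache behavior not found in resources');
            }
            this.serverless.cli.log(`Configuring distribution for restricted paths...`);
            const restrictedBehaviors = _.map(restrictedPaths, (restrictedPath) => {
                const signers = [].concat(restrictedPath.TrustedSigners).filter(Boolean);
                if (!restrictedPath.PathPattern || signers.length === 0) {
                    throw new Error(`restrictedPaths: each entry needs a PathPattern and at least one TrustedSigner (got ${JSON.stringify(restrictedPath)})`);
                }
                // Appended after existing behaviors: an earlier PathPattern that also matches wins.
                return { ...behaviorTemplate, ...restrictedPath, TargetOriginId: 'WebApp', TrustedSigners: signers };
            });
            distributionConfig.CacheBehaviors = distributionConfig.CacheBehaviors.concat(restrictedBehaviors);
        }
```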
@@ -136,6 +136,21 @@ Resources:
           TargetOriginId: ApiGateway
           ViewerProtocolPolicy: https-only
           PathPattern: api/*
+        - AllowedMethods:
+            - GET
+            - HEAD
+            - OPTIONS
+          ## Compress web content: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/ServingCompressedFiles.html
+          Compress: true
+          ## The origin id defined above
+          TargetOriginId: RestrictedPathTemplate
+          ## Defining if and how the QueryString and Cookies are forwarded to the origin which in this case is S3
+          ForwardedValues:
+            QueryString: 'false'
+            Cookies:
+              Forward: none
+          ## The protocol that users can use to access the files in the origin. To allow HTTP use `allow-all`
+          ViewerProtocolPolicy: redirect-to-https
         ViewerCertificate:
           AcmCertificateArn: arn
           SslSupportMethod: sni-only
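Review bot: The comment `## The origin id defined above` on the new `TargetOriginId: RestrictedPathTemplate` line is misleading — no origin of that name is defined; the index.js change in this commit uses the value as a sentinel to find this behavior, strips it from CacheBehaviors, and clones it once per configured restricted path with TargetOriginId rewritten to WebApp and TrustedSigners added. Someone reading resources.yml alone will go looking for a missing origin, and someone customizing the template may not realize this entry must never reach the deployed distribution since it carries no TrustedSigners and no PathPattern. Suggest `## Sentinel, not a real origin: prepareRestrictedPaths() in index.js removes this entry and clones it per restrictedPaths item, pointing at the WebApp origin and adding that item's PathPattern and TrustedSigners`.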