I have a single s3 bucket with two folders, login and portal. In cloudfront, portal/index.html is set as the default root object and the default behavior has self set as trusted signer. There is a second behavior defined with the pattern login/* with no trusted signer set.
Assuming that alternate domain name is set to mydomain.com what I want to happen is for cloudfront to redirect any request going to mydomain.com that does not contain signed cookies to mydomain.com/login. Can cloudfront do that?
Yes it can. You can use Lambda@Edge functions to look at the cookies on any incoming request and change your path based on that.
Take a look at this example for AB testing. It looks at the cookie and changes the target path based on that: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/lambda-examples.html#lambda-examples-a-b-testing
And this blog post from AWS on the subject (going for cognito on their case, but you can change that to do what you want): https://aws.amazon.com/blogs/networking-and-content-delivery/authorizationedge-using-cookies-protect-your-amazon-cloudfront-content-from-being-downloaded-by-unauthenticated-users/