Going from client > Route 53 address > CloudFront > custom EC2 origin

Why is it not a 1 then? You said it was a 2.

Because passwords in plaintext are worse; this is akin to passwords that have been base64-ed.

I don’t understand what you are saying. Are you saying that the security benefits of CloudFront (https://aws.amazon.com/cloudfront/features/?whats-new-cloudfront.sort-by=item.additionalFields.postDateTime&whats-new-cloudfront.sort-order=desc) are worthless because it’s trivial to circumvent?

I’m saying that it offers zero security benefits if you are trying to protect a different resource that is already exposed.

If you have an exposed EC2 machine, CF can’t help you there.

Yes. The above does assume that you have properly firewalled your endpoint first.

I must be missing something here - I would think there is a benefit of implementing an IP whitelist on your origin to only permit CFN, as it will reduce the attack surface. Just a quick look and I don’t see any response headers that reveal information about the origin, so you would be attacking the CFN, correct? No information was provided about the security of the CFN or the EC2, just a question on isolating network access. If an ALB was possible, then adding it into the mix makes it far easier to verify the source, since we can then filter out requests based on CFN trusted keys etc.
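
Editor's note, added to the thread and not written by any of the posters: the two controls the post above gestures at (an IP allow-list on the origin that permits only CloudFront, plus a verifiable marker on each origin request) can be demonstrated offline. The ip-ranges.json excerpt below is constructed and the prefixes are illustrative; a real deployment consumes the live file at https://ip-ranges.amazonaws.com/ip-ranges.json or the AWS-managed prefix list `com.amazonaws.global.cloudfront.origin-facing`. The header name `X-Origin-Verify` and the secret value are assumptions; CloudFront lets you attach any custom header to origin requests, so pick your own.

```python
"""Added example (not from the thread): lock an EC2 custom origin to CloudFront.

Two independent checks are demonstrated:
  1. Network layer: build the ingress allow-list from the CLOUDFRONT_ORIGIN_FACING
     entries of AWS's ip-ranges.json (a constructed excerpt is embedded so this
     runs offline).
  2. Application layer: require a shared-secret custom header that the
     distribution is configured to add to every origin request.
"""
import hmac
import ipaddress
import json

# Constructed excerpt in the shape of https://ip-ranges.amazonaws.com/ip-ranges.json.
# The prefixes are illustrative only; a real deployment must consume the live file
# (or the AWS-managed prefix list com.amazonaws.global.cloudfront.origin-facing).
IP_RANGES_JSON = json.dumps({
    "syncToken": "0",
    "createDate": "1970-01-01-00-00-00",
    "prefixes": [
        {"ip_prefix": "130.176.0.0/17", "region": "GLOBAL", "service": "CLOUDFRONT_ORIGIN_FACING"},
        {"ip_prefix": "15.158.0.0/16", "region": "GLOBAL", "service": "CLOUDFRONT"},
        {"ip_prefix": "3.5.140.0/22", "region": "ap-northeast-2", "service": "S3"},
    ],
    "ipv6_prefixes": [
        {"ipv6_prefix": "2600:9000:1000::/36", "region": "GLOBAL", "service": "CLOUDFRONT_ORIGIN_FACING"},
    ],
})

# Assumed header name: CloudFront lets you choose any name for an "origin custom
# header"; pick your own and rotate the value periodically.
ORIGIN_VERIFY_HEADER = "X-Origin-Verify"


def cloudfront_origin_networks(ranges_json):
    """Return the origin-facing CloudFront networks (IPv4 and IPv6).

    Only CLOUDFRONT_ORIGIN_FACING is selected. The plain CLOUDFRONT token also
    covers the edge addresses that clients connect to; those never reach an
    origin, so allowing them would widen the rule for no benefit.
    """
    doc = json.loads(ranges_json)
    nets = [ipaddress.ip_network(p["ip_prefix"])
            for p in doc["prefixes"] if p["service"] == "CLOUDFRONT_ORIGIN_FACING"]
    nets += [ipaddress.ip_network(p["ipv6_prefix"])
             for p in doc.get("ipv6_prefixes", []) if p["service"] == "CLOUDFRONT_ORIGIN_FACING"]
    return nets


def security_group_ingress(nets, port=443):
    """Render the allow-list in the IpPermissions shape consumed by
    `aws ec2 authorize-security-group-ingress --ip-permissions`.

    This only builds the JSON document; it makes no AWS API calls.
    """
    return [{
        "IpProtocol": "tcp",
        "FromPort": port,
        "ToPort": port,
        "IpRanges": [{"CidrIp": str(n), "Description": "CloudFront origin-facing"}
                     for n in nets if n.version == 4],
        "Ipv6Ranges": [{"CidrIpv6": str(n), "Description": "CloudFront origin-facing"}
                       for n in nets if n.version == 6],
    }]


def is_from_cloudfront(peer_ip, nets):
    """True if the TCP peer address falls inside an origin-facing CloudFront range."""
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in n for n in nets)


def origin_header_ok(headers, secret, name=ORIGIN_VERIFY_HEADER):
    """Constant-time comparison of the shared-secret header; a missing header fails.

    `headers` is a plain dict here; in a real server use the framework's
    case-insensitive header lookup, since HTTP header names are not case-sensitive.
    """
    presented = headers.get(name, "")
    return hmac.compare_digest(presented.encode("utf-8"), secret.encode("utf-8"))


def accept_origin_request(peer_ip, headers, nets, secret):
    """Both checks must hold.

    The network rule stops anyone who has discovered the origin's address from
    bypassing the distribution (and whatever geo restriction or WAF it enforces).
    The header check stops a *different* CloudFront distribution, which egresses
    from the same ranges, from being pointed at this origin.
    """
    return is_from_cloudfront(peer_ip, nets) and origin_header_ok(headers, secret)


if __name__ == "__main__":
    nets = cloudfront_origin_networks(IP_RANGES_JSON)
    print(json.dumps(security_group_ingress(nets), indent=2))
    print(accept_origin_request("130.176.12.34", {ORIGIN_VERIFY_HEADER: "s3cret"}, nets, "s3cret"))
    print(accept_origin_request("203.0.113.7", {ORIGIN_VERIFY_HEADER: "s3cret"}, nets, "s3cret"))
```

The two checks address different attackers: the security group defeats someone who found the EC2 address and tries to skip the distribution, while the header defeats another AWS customer whose distribution shares CloudFront's egress ranges. Neither replaces the application-level authentication on the origin; they only make sure the origin is not reachable except through the path that was designed for it.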

If you can stop a bad request even reaching your instance, that is good.

No clue what security they have configured on the CFN, or the EC2, or the application that is running on it. This could simply be ensuring the CFN cache has been checked first, or forcing old clients to upgrade that previously pointed directly at the origin, or 100 other reasons 🙂

The EC2 origin would have application-level authentication.

CloudFront has a geo restriction.