Static IP for CloudFront

"Your" CloudFront distribution is not a single thing at a single place. It's a virtual entity on a global distributed network, and the more places from which it is being accessed, the more potential IP addresses you may see, because the requests are routed to the requester's nearest endpoint, using DNS. If I access your distribution, that's going to potentially involve a different IP address than if you access it, if we are in different places.

So, no, that isn't possible.

The list of possible addresses is, however, published...

https://forums.aws.amazon.com/ann.jspa?annID=2051

However, if you are referring to firewall rules allowing CloudFront to access your origin server for security reasons, you have another flaw in your assumptions. There's no reason why multiple distributions couldn't use a common set of IP addresses... and, indeed, they do... so it's conceivable that if you are trying to achieve some kind of security of your content using these restrictions, that a malicious user could provision their own distribution referencing your origin and access it via CloudFront, if they knew how to access your origin server.

http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/PrivateContent.html


There's a section in the Amazon CloudFront Developer Guide -- Using Custom Headers to Restrict Access to Your Content on a Custom Origin -- that describes one possible workaround: use a custom origin header with a secret value known only to CloudFront and your origin server. CloudFront injects these into the request, invisible to the browser. If this header and its secret value are not present in a request, then the request did not come to you through the CloudFront distribution, and can either be denied or perhaps redirected, by your origin server. This is also useful for ensuring proper parsing semantics for X-Forwarded-For since its value for requests coming through CloudFront may require a different interpretation, particularly at an origin server behind a load balancer.
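
The origin-side half of the custom-header check described above, as an added example that is not part of the original answer or of AWS's documentation. The header name `X-Origin-Verify`, the secret values, the `origin.client_ip` key and the `trusted_hops` parameter are assumptions made for illustration.

```python
import hmac

# Assumptions: the header name and both secret values are constructed for this
# example; use whatever name/value you configured as the custom origin header.
HEADER_KEY = "HTTP_X_ORIGIN_VERIFY"  # WSGI environ form of "X-Origin-Verify"
ACCEPTED_SECRETS = (b"constructed-current-value", b"constructed-previous-value")


def came_through_distribution(environ):
    """True only if the request carries one of the accepted secret values."""
    presented = environ.get(HEADER_KEY, "").encode("latin-1", "replace")
    ok = False
    for secret in ACCEPTED_SECRETS:  # two values allow rotation without downtime
        ok |= hmac.compare_digest(presented, secret)  # constant-time compare
    return ok


def client_ip(environ, trusted_hops):
    """Read the client address from X-Forwarded-For, counting from the right.

    trusted_hops = entries appended by proxies you control (assumption: 1 for
    CloudFront alone, 2 with a load balancer behind it). Anything further left
    was supplied by the client and is not trustworthy.
    """
    raw = environ.get("HTTP_X_FORWARDED_FOR", "")
    hops = [h.strip() for h in raw.split(",") if h.strip()]
    if len(hops) < trusted_hops:
        return environ.get("REMOTE_ADDR")
    return hops[-trusted_hops]


class RequireDistributionHeader:
    """WSGI middleware: deny requests that did not arrive via the distribution."""

    def __init__(self, app, trusted_hops=1):
        self.app = app
        self.trusted_hops = trusted_hops

    def __call__(self, environ, start_response):
        if not came_through_distribution(environ):
            body = b"Forbidden\n"
            start_response("403 Forbidden", [("Content-Type", "text/plain"),
                                             ("Content-Length", str(len(body)))])
            return [body]
        environ.pop(HEADER_KEY, None)  # keep the secret out of app-level logs
        environ["origin.client_ip"] = client_ip(environ, self.trusted_hops)
        return self.app(environ, start_response)
```

X-Forwarded-For is only parsed after the secret header has been verified, so a request that reaches the origin directly cannot set its own client address.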