S3 static website still accessible outside of AWS Cognito. Where am I going wrong here?

I have 3 simple HTML files in S3, nothing too complicated: index.html, logged_in.html, and logged_out.html. Index.html just has a simple URL that says "register or login", the logged in file says log out in a h2 tag, and the logged out file says log in again in a h2 tag. So it's a really simply setip. This is currently delivered using CloudFront service with a policy restriction applied on the S3 bucket layer. However, I can't for the life of mine seem to figure out how to get Cognito SSO to work with this setup. I have the logged in and out URLS set up as call back and sign out URLs in my user pools app client integration. If I try and access index.html, I get redirected to the Cognito page fine, which redirects to logged_in.html. However, if I log out, the logged_in.html page is still accessible! I tried incognito mode and all my HTML pages were still accessible outside of Cognito! Any idea what's going wrong here?