There are two issues here, one is hotlinking of images or other protected content (ie course pdf's) and the other is video protection.
s3flowshield is designed for video protection, not really for images. I don't know if it will work for that purpose. It works by generating long url's that are too complicated to share. I don't know about "expiring urls" except that it does NOT support the type of expiring url's that Cloudfront private distributions use (more on this below). It works fine for generating expiring url's to videos stored on S3, via it's own internal mechanism, but it won't work with RTMP or private distribution .
Backie and Frederick are correct you can use S3 bucket policy to prevent hotlinking by only allowing certain referrers:
but I don't think this will work on Cloudfront (Cloudfront files are sourced by S3, but it's a different security mechanism)
Now about video protection
Neither S3Flowshield nor Easy Video Player (as of today) implement Cloudfront private distributions for RTMP streaming. This is a mechanism whereby the request to Cloudfront is digitally signed (with a key pair). These signed requests can carry an expiry date, can limit to only one IP address, etc. These (signed) url's must be dynamically generated for each user request or page load (and made to expire in, say 15 minutes -- if user doesn't start the video or refresh the page in 15 minutes, the video won't play).
I am writing a plugin called "Cloudfront private distribution extension for JWPlayer" that will generate these expiring urls. It's not that complicated, and there is complete sample code here
I have a video that teaches how to setup a Cloudfront streaming distribution with JWPlayer here, if interested (not private distribution):
If you have any question please post them there