aws-cdk-lib 2.154.1__py3-none-any.whl → 2.156.0__py3-none-any.whl

aws_cdk/aws_cloudfront/__init__.py

@@ -8,7 +8,7 @@ possible performance.
 
 ## Distribution API
 
-The `Distribution` API is currently being built to replace the existing `CloudFrontWebDistribution` API. The `Distribution` API is optimized for the
+The `Distribution` API replaces the `CloudFrontWebDistribution` API which is now deprecated. The `Distribution` API is optimized for the
 most common use cases of CloudFront distributions (e.g., single origin and behavior, few customizations) while still providing the ability for more
 advanced use cases. The API focuses on simplicity for the common use cases, and convenience methods for creating the behaviors and origins necessary
 for more complex use cases.
@@ -25,22 +25,19 @@ among other settings.
 
 #### From an S3 Bucket
 
-An S3 bucket can be added as an origin. If the bucket is configured as a website endpoint, the distribution can use S3 redirects and S3 custom error
-documents.
+An S3 bucket can be added as an origin. An S3 bucket origin can either be configured as a standard bucket or as a website endpoint (see AWS docs for [Using an S3 Bucket](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/DownloadDistS3AndCustomOrigins.html#using-s3-as-origin)).
 
 ```python
-# Creates a distribution from an S3 bucket.
+# Creates a distribution from an S3 bucket with origin access control
 my_bucket = s3.Bucket(self, "myBucket")
 cloudfront.Distribution(self, "myDist",
-    default_behavior=cloudfront.BehaviorOptions(origin=origins.S3Origin(my_bucket))
+    default_behavior=cloudfront.BehaviorOptions(
+        origin=origins.S3BucketOrigin.with_origin_access_control(my_bucket)
+    )
 )
 ```
 
-The above will treat the bucket differently based on if `IBucket.isWebsite` is set or not. If the bucket is configured as a website, the bucket is
-treated as an HTTP origin, and the built-in S3 redirects and error pages can be used. Otherwise, the bucket is handled as a bucket origin and
-CloudFront's redirect and error handling will be used. In the latter case, the Origin will create an origin access identity and grant it access to the
-underlying bucket. This can be used in conjunction with a bucket that is not public to require that your users access your content using CloudFront
-URLs and not S3 URLs directly.
+See the README of the [`aws-cdk-lib/aws-cloudfront-origins`](https://github.com/aws/aws-cdk/blob/main/packages/aws-cdk-lib/aws-cloudfront-origins/README.md) module for more information on setting up S3 origins and origin access control (OAC).
 
 #### ELBv2 Load Balancer
 
@@ -234,7 +231,7 @@ You can use a cache policy to improve your cache hit ratio by controlling the va
 that are included in the cache key, and/or adjusting how long items remain in the cache via the time-to-live (TTL) settings.
 CloudFront provides some predefined cache policies, known as managed policies, for common use cases. You can use these managed policies,
 or you can create your own cache policy that’s specific to your needs.
-See https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/controlling-the-cache-key.html for more details.
+See [https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/controlling-the-cache-key.html](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/controlling-the-cache-key.html) for more details.
 
 ```python
 # Using an existing cache policy for a Distribution
@@ -279,7 +276,7 @@ Other information from the viewer request, such as URL query strings, HTTP heade
 You can use an origin request policy to control the information that’s included in an origin request.
 CloudFront provides some predefined origin request policies, known as managed policies, for common use cases. You can use these managed policies,
 or you can create your own origin request policy that’s specific to your needs.
-See https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/controlling-origin-requests.html for more details.
+See [https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/controlling-origin-requests.html](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/controlling-origin-requests.html) for more details.
 
 ```python
 # Using an existing origin request policy for a Distribution
@@ -317,7 +314,10 @@ cloudfront.Distribution(self, "myDistCustomPolicy",
 
 You can configure CloudFront to add one or more HTTP headers to the responses that it sends to viewers (web browsers or other clients), without making any changes to the origin or writing any code.
 To specify the headers that CloudFront adds to HTTP responses, you use a response headers policy. CloudFront adds the headers regardless of whether it serves the object from the cache or has to retrieve the object from the origin. If the origin response includes one or more of the headers that’s in a response headers policy, the policy can specify whether CloudFront uses the header it received from the origin or overwrites it with the one in the policy.
-See https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/adding-response-headers.html
+See [https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/adding-response-headers.html](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/adding-response-headers.html)
+
+> [!NOTE]
+> If xssProtection `reportUri` is specified, then `modeBlock` cannot be set to `true`.
 
 ```python
 # Using an existing managed response headers policy
@@ -353,7 +353,7 @@ my_response_headers_policy = cloudfront.ResponseHeadersPolicy(self, "ResponseHea
         frame_options=cloudfront.ResponseHeadersFrameOptions(frame_option=cloudfront.HeadersFrameOption.DENY, override=True),
         referrer_policy=cloudfront.ResponseHeadersReferrerPolicy(referrer_policy=cloudfront.HeadersReferrerPolicy.NO_REFERRER, override=True),
         strict_transport_security=cloudfront.ResponseHeadersStrictTransportSecurity(access_control_max_age=Duration.seconds(600), include_subdomains=True, override=True),
-        xss_protection=cloudfront.ResponseHeadersXSSProtection(protection=True, mode_block=True, report_uri="https://example.com/csp-report", override=True)
+        xss_protection=cloudfront.ResponseHeadersXSSProtection(protection=True, mode_block=False, report_uri="https://example.com/csp-report", override=True)
     ),
     remove_headers=["Server"],
     server_timing_sampling_rate=50
@@ -435,7 +435,7 @@ cloudfront.Distribution(self, "myDist",
 > The `EdgeFunction` construct will automatically request a function in `us-east-1`, regardless of the region of the current stack.
 > `EdgeFunction` has the same interface as `Function` and can be created and used interchangeably.
 > Please note that using `EdgeFunction` requires that the `us-east-1` region has been bootstrapped.
-> See https://docs.aws.amazon.com/cdk/latest/guide/bootstrapping.html for more about bootstrapping regions.
+> See [https://docs.aws.amazon.com/cdk/latest/guide/bootstrapping.html](https://docs.aws.amazon.com/cdk/latest/guide/bootstrapping.html) for more about bootstrapping regions.
 
 If the stack is in `us-east-1`, a "normal" `lambda.Function` can be used instead of an `EdgeFunction`.
 
@@ -966,7 +966,7 @@ If no changes are desired during migration, you will at the least be able to use
 
 ## CloudFrontWebDistribution API
 
-> The `CloudFrontWebDistribution` construct is the original construct written for working with CloudFront distributions.
+> The `CloudFrontWebDistribution` construct is the original construct written for working with CloudFront distributions and has been marked as deprecated.
 > Users are encouraged to use the newer `Distribution` instead, as it has a simpler interface and receives new features faster.
 
 Example usage:
@@ -1226,8 +1226,8 @@ cloudfront.KeyGroup(self, "MyKeyGroup",
 
 See:
 
-* https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/PrivateContent.html
-* https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-trusted-signers.html
+* [https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/PrivateContent.html](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/PrivateContent.html)
+* [https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-trusted-signers.html](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-trusted-signers.html)
 '''
 from pkgutil import extend_path
 __path__ = extend_path(__path__, __name__)
@@ -1281,6 +1281,28 @@ from ..aws_s3 import IBucket as _IBucket_42e086fd
 from ..aws_s3_assets import AssetOptions as _AssetOptions_2aa69621
 
 
+@jsii.enum(jsii_type="aws-cdk-lib.aws_cloudfront.AccessLevel")
+class AccessLevel(enum.Enum):
+    '''The level of permissions granted to the CloudFront Distribution when configuring OAC.
+
+    :exampleMetadata: infused
+
+    Example::
+
+        my_bucket = s3.Bucket(self, "myBucket")
+        s3_origin = origins.S3BucketOrigin.with_origin_access_control(my_bucket,
+            origin_access_levels=[cloudfront.AccessLevel.READ, cloudfront.AccessLevel.WRITE, cloudfront.AccessLevel.DELETE]
+        )
+    '''
+
+    READ = "READ"
+    '''Grants read permissions to CloudFront Distribution.'''
+    WRITE = "WRITE"
+    '''Grants write permission to CloudFront Distribution.'''
+    DELETE = "DELETE"
+    '''Grants delete permission to CloudFront Distribution.'''
+
+
 @jsii.data_type(
     jsii_type="aws-cdk-lib.aws_cloudfront.AddBehaviorOptions",
     jsii_struct_bases=[],
@@ -2321,7 +2343,7 @@ class CachePolicyProps:
         '''Properties for creating a Cache Policy.
 
         :param cache_policy_name: A unique name to identify the cache policy. The name must only include '-', '_', or alphanumeric characters. Default: - generated from the ``id``
-        :param comment: A comment to describe the cache policy. Default: - no comment
+        :param comment: A comment to describe the cache policy. The comment cannot be longer than 128 characters. Default: - no comment
         :param cookie_behavior: Determines whether any cookies in viewer requests are included in the cache key and automatically included in requests that CloudFront sends to the origin. Default: CacheCookieBehavior.none()
         :param default_ttl: The default amount of time for objects to stay in the CloudFront cache. Only used when the origin does not send Cache-Control or Expires headers with the object. Default: - The greater of 1 day and ``minTtl``
         :param enable_accept_encoding_brotli: Whether to normalize and include the ``Accept-Encoding`` header in the cache key when the ``Accept-Encoding`` header is 'br'. Default: false
@@ -2406,6 +2428,8 @@ class CachePolicyProps:
     def comment(self) -> typing.Optional[builtins.str]:
         '''A comment to describe the cache policy.
 
+        The comment cannot be longer than 128 characters.
+
         :default: - no comment
         '''
         result = self._values.get("comment")
@@ -16935,7 +16959,7 @@ class HeadersFrameOption(enum.Enum):
                 frame_options=cloudfront.ResponseHeadersFrameOptions(frame_option=cloudfront.HeadersFrameOption.DENY, override=True),
                 referrer_policy=cloudfront.ResponseHeadersReferrerPolicy(referrer_policy=cloudfront.HeadersReferrerPolicy.NO_REFERRER, override=True),
                 strict_transport_security=cloudfront.ResponseHeadersStrictTransportSecurity(access_control_max_age=Duration.seconds(600), include_subdomains=True, override=True),
-                xss_protection=cloudfront.ResponseHeadersXSSProtection(protection=True, mode_block=True, report_uri="https://example.com/csp-report", override=True)
+                xss_protection=cloudfront.ResponseHeadersXSSProtection(protection=True, mode_block=False, report_uri="https://example.com/csp-report", override=True)
             ),
             remove_headers=["Server"],
             server_timing_sampling_rate=50
@@ -16995,7 +17019,7 @@ class HeadersReferrerPolicy(enum.Enum):
                 frame_options=cloudfront.ResponseHeadersFrameOptions(frame_option=cloudfront.HeadersFrameOption.DENY, override=True),
                 referrer_policy=cloudfront.ResponseHeadersReferrerPolicy(referrer_policy=cloudfront.HeadersReferrerPolicy.NO_REFERRER, override=True),
                 strict_transport_security=cloudfront.ResponseHeadersStrictTransportSecurity(access_control_max_age=Duration.seconds(600), include_subdomains=True, override=True),
-                xss_protection=cloudfront.ResponseHeadersXSSProtection(protection=True, mode_block=True, report_uri="https://example.com/csp-report", override=True)
+                xss_protection=cloudfront.ResponseHeadersXSSProtection(protection=True, mode_block=False, report_uri="https://example.com/csp-report", override=True)
             ),
             remove_headers=["Server"],
             server_timing_sampling_rate=50
@@ -17359,11 +17383,13 @@ class IOrigin(typing_extensions.Protocol):
         scope: _constructs_77d1e7e8.Construct,
         *,
         origin_id: builtins.str,
+        distribution_id: typing.Optional[builtins.str] = None,
     ) -> "OriginBindConfig":
         '''The method called when a given Origin is added (for the first time) to a Distribution.
 
         :param scope: -
         :param origin_id: The identifier of this Origin, as assigned by the Distribution this Origin has been used added to.
+        :param distribution_id: The identifier of the Distribution this Origin is used for. This is used to grant origin access permissions to the distribution for origin access control. Default: - no distribution id
         '''
         ...
 
@@ -17382,16 +17408,20 @@ class _IOriginProxy:
         scope: _constructs_77d1e7e8.Construct,
         *,
         origin_id: builtins.str,
+        distribution_id: typing.Optional[builtins.str] = None,
     ) -> "OriginBindConfig":
         '''The method called when a given Origin is added (for the first time) to a Distribution.
 
         :param scope: -
         :param origin_id: The identifier of this Origin, as assigned by the Distribution this Origin has been used added to.
+        :param distribution_id: The identifier of the Distribution this Origin is used for. This is used to grant origin access permissions to the distribution for origin access control. Default: - no distribution id
         '''
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__88031486a507fddae1a9cd6ed970521f2a57d7953a1e564c2c5d97b8591065f2)
             check_type(argname="argument scope", value=scope, expected_type=type_hints["scope"])
-        options = OriginBindOptions(origin_id=origin_id)
+        options = OriginBindOptions(
+            origin_id=origin_id, distribution_id=distribution_id
+        )
 
         return typing.cast("OriginBindConfig", jsii.invoke(self, "bind", [scope, options]))
 
@@ -17399,6 +17429,40 @@ class _IOriginProxy:
 typing.cast(typing.Any, IOrigin).__jsii_proxy_class__ = lambda : _IOriginProxy
 
 
+@jsii.interface(jsii_type="aws-cdk-lib.aws_cloudfront.IOriginAccessControl")
+class IOriginAccessControl(_IResource_c80c4260, typing_extensions.Protocol):
+    '''Represents a CloudFront Origin Access Control.'''
+
+    @builtins.property
+    @jsii.member(jsii_name="originAccessControlId")
+    def origin_access_control_id(self) -> builtins.str:
+        '''The unique identifier of the origin access control.
+
+        :attribute: true
+        '''
+        ...
+
+
+class _IOriginAccessControlProxy(
+    jsii.proxy_for(_IResource_c80c4260), # type: ignore[misc]
+):
+    '''Represents a CloudFront Origin Access Control.'''
+
+    __jsii_type__: typing.ClassVar[str] = "aws-cdk-lib.aws_cloudfront.IOriginAccessControl"
+
+    @builtins.property
+    @jsii.member(jsii_name="originAccessControlId")
+    def origin_access_control_id(self) -> builtins.str:
+        '''The unique identifier of the origin access control.
+
+        :attribute: true
+        '''
+        return typing.cast(builtins.str, jsii.get(self, "originAccessControlId"))
+
+# Adding a "__jsii_proxy_class__(): typing.Type" function to the interface
+typing.cast(typing.Any, IOriginAccessControl).__jsii_proxy_class__ = lambda : _IOriginAccessControlProxy
+
+
 @jsii.interface(jsii_type="aws-cdk-lib.aws_cloudfront.IOriginAccessIdentity")
 class IOriginAccessIdentity(
     _IResource_c80c4260,
@@ -18392,6 +18456,113 @@ class LoggingConfiguration:
         )
 
 
+@jsii.data_type(
+    jsii_type="aws-cdk-lib.aws_cloudfront.OriginAccessControlBaseProps",
+    jsii_struct_bases=[],
+    name_mapping={
+        "description": "description",
+        "origin_access_control_name": "originAccessControlName",
+        "signing": "signing",
+    },
+)
+class OriginAccessControlBaseProps:
+    def __init__(
+        self,
+        *,
+        description: typing.Optional[builtins.str] = None,
+        origin_access_control_name: typing.Optional[builtins.str] = None,
+        signing: typing.Optional["Signing"] = None,
+    ) -> None:
+        '''Common properties for creating a Origin Access Control resource.
+
+        :param description: A description of the origin access control. Default: - no description
+        :param origin_access_control_name: A name to identify the origin access control, with a maximum length of 64 characters. Default: - a generated name
+        :param signing: Specifies which requests CloudFront signs and the signing protocol. Default: SIGV4_ALWAYS
+
+        :exampleMetadata: fixture=_generated
+
+        Example::
+
+            # The code below shows an example of how to instantiate this type.
+            # The values are placeholders you should change.
+            from aws_cdk import aws_cloudfront as cloudfront
+            
+            # signing: cloudfront.Signing
+            
+            origin_access_control_base_props = cloudfront.OriginAccessControlBaseProps(
+                description="description",
+                origin_access_control_name="originAccessControlName",
+                signing=signing
+            )
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__a8b924ff1ec7417df56da9ecb0d84f08365a3b3c38c90dae9c47f3745f55d369)
+            check_type(argname="argument description", value=description, expected_type=type_hints["description"])
+            check_type(argname="argument origin_access_control_name", value=origin_access_control_name, expected_type=type_hints["origin_access_control_name"])
+            check_type(argname="argument signing", value=signing, expected_type=type_hints["signing"])
+        self._values: typing.Dict[builtins.str, typing.Any] = {}
+        if description is not None:
+            self._values["description"] = description
+        if origin_access_control_name is not None:
+            self._values["origin_access_control_name"] = origin_access_control_name
+        if signing is not None:
+            self._values["signing"] = signing
+
+    @builtins.property
+    def description(self) -> typing.Optional[builtins.str]:
+        '''A description of the origin access control.
+
+        :default: - no description
+        '''
+        result = self._values.get("description")
+        return typing.cast(typing.Optional[builtins.str], result)
+
+    @builtins.property
+    def origin_access_control_name(self) -> typing.Optional[builtins.str]:
+        '''A name to identify the origin access control, with a maximum length of 64 characters.
+
+        :default: - a generated name
+        '''
+        result = self._values.get("origin_access_control_name")
+        return typing.cast(typing.Optional[builtins.str], result)
+
+    @builtins.property
+    def signing(self) -> typing.Optional["Signing"]:
+        '''Specifies which requests CloudFront signs and the signing protocol.
+
+        :default: SIGV4_ALWAYS
+
+        :see: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cloudfront-originaccesscontrol-originaccesscontrolconfig.html#cfn-cloudfront-originaccesscontrol-originaccesscontrolconfig-signingbehavior
+        '''
+        result = self._values.get("signing")
+        return typing.cast(typing.Optional["Signing"], result)
+
+    def __eq__(self, rhs: typing.Any) -> builtins.bool:
+        return isinstance(rhs, self.__class__) and rhs._values == self._values
+
+    def __ne__(self, rhs: typing.Any) -> builtins.bool:
+        return not (rhs == self)
+
+    def __repr__(self) -> str:
+        return "OriginAccessControlBaseProps(%s)" % ", ".join(
+            k + "=" + repr(v) for k, v in self._values.items()
+        )
+
+
+@jsii.enum(jsii_type="aws-cdk-lib.aws_cloudfront.OriginAccessControlOriginType")
+class OriginAccessControlOriginType(enum.Enum):
+    '''Origin types supported by Origin Access Control.'''
+
+    S3 = "S3"
+    '''Uses an Amazon S3 bucket origin.'''
+    LAMBDA = "LAMBDA"
+    '''Uses a Lambda function URL origin.'''
+    MEDIASTORE = "MEDIASTORE"
+    '''Uses an AWS Elemental MediaStore origin.'''
+    MEDIAPACKAGEV2 = "MEDIAPACKAGEV2"
+    '''Uses an AWS Elemental MediaPackage v2 origin.'''
+
+
 @jsii.implements(IOriginAccessIdentity)
 class OriginAccessIdentity(
     _Resource_45bc6135,
@@ -18401,16 +18572,21 @@ class OriginAccessIdentity(
     '''An origin access identity is a special CloudFront user that you can associate with Amazon S3 origins, so that you can secure all or just some of your Amazon S3 content.
 
     :resource: AWS::CloudFront::CloudFrontOriginAccessIdentity
-    :exampleMetadata: fixture=_generated
+    :exampleMetadata: infused
 
     Example::
 
-        # The code below shows an example of how to instantiate this type.
-        # The values are placeholders you should change.
-        from aws_cdk import aws_cloudfront as cloudfront
-        
-        origin_access_identity = cloudfront.OriginAccessIdentity(self, "MyOriginAccessIdentity",
-            comment="comment"
+        my_bucket = s3.Bucket(self, "myBucket")
+        my_oai = cloudfront.OriginAccessIdentity(self, "myOAI",
+            comment="My custom OAI"
+        )
+        s3_origin = origins.S3BucketOrigin.with_origin_access_identity(my_bucket,
+            origin_access_identity=my_oai
+        )
+        cloudfront.Distribution(self, "myDist",
+            default_behavior=cloudfront.BehaviorOptions(
+                origin=s3_origin
+            )
         )
     '''
 
@@ -18535,16 +18711,21 @@ class OriginAccessIdentityProps:
 
         :param comment: Any comments you want to include about the origin access identity. Default: "Allows CloudFront to reach the bucket"
 
-        :exampleMetadata: fixture=_generated
+        :exampleMetadata: infused
 
         Example::
 
-            # The code below shows an example of how to instantiate this type.
-            # The values are placeholders you should change.
-            from aws_cdk import aws_cloudfront as cloudfront
-            
-            origin_access_identity_props = cloudfront.OriginAccessIdentityProps(
-                comment="comment"
+            my_bucket = s3.Bucket(self, "myBucket")
+            my_oai = cloudfront.OriginAccessIdentity(self, "myOAI",
+                comment="My custom OAI"
+            )
+            s3_origin = origins.S3BucketOrigin.with_origin_access_identity(my_bucket,
+                origin_access_identity=my_oai
+            )
+            cloudfront.Distribution(self, "myDist",
+                default_behavior=cloudfront.BehaviorOptions(
+                    origin=s3_origin
+                )
             )
         '''
         if __debug__:
@@ -18590,6 +18771,7 @@ class OriginBase(
         connection_attempts: typing.Optional[jsii.Number] = None,
         connection_timeout: typing.Optional[_Duration_4839e8c3] = None,
         custom_headers: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
+        origin_access_control_id: typing.Optional[builtins.str] = None,
         origin_id: typing.Optional[builtins.str] = None,
         origin_shield_enabled: typing.Optional[builtins.bool] = None,
         origin_shield_region: typing.Optional[builtins.str] = None,
@@ -18600,6 +18782,7 @@ class OriginBase(
         :param connection_attempts: The number of times that CloudFront attempts to connect to the origin; valid values are 1, 2, or 3 attempts. Default: 3
         :param connection_timeout: The number of seconds that CloudFront waits when trying to establish a connection to the origin. Valid values are 1-10 seconds, inclusive. Default: Duration.seconds(10)
         :param custom_headers: A list of HTTP header names and values that CloudFront adds to requests it sends to the origin. Default: {}
+        :param origin_access_control_id: The unique identifier of an origin access control for this origin. Default: - no origin access control
         :param origin_id: A unique identifier for the origin. This value must be unique within the distribution. Default: - an originid will be generated for you
         :param origin_shield_enabled: Origin Shield is enabled by setting originShieldRegion to a valid region, after this to disable Origin Shield again you must set this flag to false. Default: - true
         :param origin_shield_region: When you enable Origin Shield in the AWS Region that has the lowest latency to your origin, you can get better network performance. Default: - origin shield not enabled
@@ -18612,6 +18795,7 @@ class OriginBase(
             connection_attempts=connection_attempts,
             connection_timeout=connection_timeout,
             custom_headers=custom_headers,
+            origin_access_control_id=origin_access_control_id,
             origin_id=origin_id,
             origin_shield_enabled=origin_shield_enabled,
             origin_shield_region=origin_shield_region,
@@ -18625,6 +18809,7 @@ class OriginBase(
         _scope: _constructs_77d1e7e8.Construct,
         *,
         origin_id: builtins.str,
+        distribution_id: typing.Optional[builtins.str] = None,
     ) -> "OriginBindConfig":
         '''Binds the origin to the associated Distribution.
 
@@ -18632,11 +18817,14 @@ class OriginBase(
 
         :param _scope: -
         :param origin_id: The identifier of this Origin, as assigned by the Distribution this Origin has been used added to.
+        :param distribution_id: The identifier of the Distribution this Origin is used for. This is used to grant origin access permissions to the distribution for origin access control. Default: - no distribution id
         '''
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__8428dfc90e69bdd5363e69afd9c590a4ed2f1363b22242197295117dc5221878)
             check_type(argname="argument _scope", value=_scope, expected_type=type_hints["_scope"])
-        options = OriginBindOptions(origin_id=origin_id)
+        options = OriginBindOptions(
+            origin_id=origin_id, distribution_id=distribution_id
+        )
 
         return typing.cast("OriginBindConfig", jsii.invoke(self, "bind", [_scope, options]))
 
@@ -18777,13 +18965,19 @@ class OriginBindConfig:
 @jsii.data_type(
     jsii_type="aws-cdk-lib.aws_cloudfront.OriginBindOptions",
     jsii_struct_bases=[],
-    name_mapping={"origin_id": "originId"},
+    name_mapping={"origin_id": "originId", "distribution_id": "distributionId"},
 )
 class OriginBindOptions:
-    def __init__(self, *, origin_id: builtins.str) -> None:
+    def __init__(
+        self,
+        *,
+        origin_id: builtins.str,
+        distribution_id: typing.Optional[builtins.str] = None,
+    ) -> None:
         '''Options passed to Origin.bind().
 
         :param origin_id: The identifier of this Origin, as assigned by the Distribution this Origin has been used added to.
+        :param distribution_id: The identifier of the Distribution this Origin is used for. This is used to grant origin access permissions to the distribution for origin access control. Default: - no distribution id
 
         :exampleMetadata: fixture=_generated
 
@@ -18794,15 +18988,21 @@ class OriginBindOptions:
             from aws_cdk import aws_cloudfront as cloudfront
             
             origin_bind_options = cloudfront.OriginBindOptions(
-                origin_id="originId"
+                origin_id="originId",
+            
+                # the properties below are optional
+                distribution_id="distributionId"
             )
         '''
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__0dbe700920dc77d0410da01e091c5caab2d3bb29313320e6057ed87275ccc649)
             check_type(argname="argument origin_id", value=origin_id, expected_type=type_hints["origin_id"])
+            check_type(argname="argument distribution_id", value=distribution_id, expected_type=type_hints["distribution_id"])
         self._values: typing.Dict[builtins.str, typing.Any] = {
             "origin_id": origin_id,
         }
+        if distribution_id is not None:
+            self._values["distribution_id"] = distribution_id
 
     @builtins.property
     def origin_id(self) -> builtins.str:
@@ -18811,6 +19011,17 @@ class OriginBindOptions:
         assert result is not None, "Required property 'origin_id' is missing"
         return typing.cast(builtins.str, result)
 
+    @builtins.property
+    def distribution_id(self) -> typing.Optional[builtins.str]:
+        '''The identifier of the Distribution this Origin is used for.
+
+        This is used to grant origin access permissions to the distribution for origin access control.
+
+        :default: - no distribution id
+        '''
+        result = self._values.get("distribution_id")
+        return typing.cast(typing.Optional[builtins.str], result)
+
     def __eq__(self, rhs: typing.Any) -> builtins.bool:
         return isinstance(rhs, self.__class__) and rhs._values == self._values
 
@@ -18902,6 +19113,7 @@ class OriginFailoverConfig:
         "connection_attempts": "connectionAttempts",
         "connection_timeout": "connectionTimeout",
         "custom_headers": "customHeaders",
+        "origin_access_control_id": "originAccessControlId",
         "origin_id": "originId",
         "origin_shield_enabled": "originShieldEnabled",
         "origin_shield_region": "originShieldRegion",
@@ -18914,6 +19126,7 @@ class OriginOptions:
         connection_attempts: typing.Optional[jsii.Number] = None,
         connection_timeout: typing.Optional[_Duration_4839e8c3] = None,
         custom_headers: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
+        origin_access_control_id: typing.Optional[builtins.str] = None,
         origin_id: typing.Optional[builtins.str] = None,
         origin_shield_enabled: typing.Optional[builtins.bool] = None,
         origin_shield_region: typing.Optional[builtins.str] = None,
@@ -18923,6 +19136,7 @@ class OriginOptions:
         :param connection_attempts: The number of times that CloudFront attempts to connect to the origin; valid values are 1, 2, or 3 attempts. Default: 3
         :param connection_timeout: The number of seconds that CloudFront waits when trying to establish a connection to the origin. Valid values are 1-10 seconds, inclusive. Default: Duration.seconds(10)
         :param custom_headers: A list of HTTP header names and values that CloudFront adds to requests it sends to the origin. Default: {}
+        :param origin_access_control_id: The unique identifier of an origin access control for this origin. Default: - no origin access control
         :param origin_id: A unique identifier for the origin. This value must be unique within the distribution. Default: - an originid will be generated for you
         :param origin_shield_enabled: Origin Shield is enabled by setting originShieldRegion to a valid region, after this to disable Origin Shield again you must set this flag to false. Default: - true
         :param origin_shield_region: When you enable Origin Shield in the AWS Region that has the lowest latency to your origin, you can get better network performance. Default: - origin shield not enabled
@@ -18942,6 +19156,7 @@ class OriginOptions:
                 custom_headers={
                     "custom_headers_key": "customHeaders"
                 },
+                origin_access_control_id="originAccessControlId",
                 origin_id="originId",
                 origin_shield_enabled=False,
                 origin_shield_region="originShieldRegion"
@@ -18952,6 +19167,7 @@ class OriginOptions:
             check_type(argname="argument connection_attempts", value=connection_attempts, expected_type=type_hints["connection_attempts"])
             check_type(argname="argument connection_timeout", value=connection_timeout, expected_type=type_hints["connection_timeout"])
             check_type(argname="argument custom_headers", value=custom_headers, expected_type=type_hints["custom_headers"])
+            check_type(argname="argument origin_access_control_id", value=origin_access_control_id, expected_type=type_hints["origin_access_control_id"])
             check_type(argname="argument origin_id", value=origin_id, expected_type=type_hints["origin_id"])
             check_type(argname="argument origin_shield_enabled", value=origin_shield_enabled, expected_type=type_hints["origin_shield_enabled"])
             check_type(argname="argument origin_shield_region", value=origin_shield_region, expected_type=type_hints["origin_shield_region"])
@@ -18962,6 +19178,8 @@ class OriginOptions:
             self._values["connection_timeout"] = connection_timeout
         if custom_headers is not None:
             self._values["custom_headers"] = custom_headers
+        if origin_access_control_id is not None:
+            self._values["origin_access_control_id"] = origin_access_control_id
         if origin_id is not None:
             self._values["origin_id"] = origin_id
         if origin_shield_enabled is not None:
@@ -19002,6 +19220,15 @@ class OriginOptions:
         result = self._values.get("custom_headers")
         return typing.cast(typing.Optional[typing.Mapping[builtins.str, builtins.str]], result)
 
+    @builtins.property
+    def origin_access_control_id(self) -> typing.Optional[builtins.str]:
+        '''The unique identifier of an origin access control for this origin.
+
+        :default: - no origin access control
+        '''
+        result = self._values.get("origin_access_control_id")
+        return typing.cast(typing.Optional[builtins.str], result)
+
     @builtins.property
     def origin_id(self) -> typing.Optional[builtins.str]:
         '''A unique identifier for the origin.
@@ -19052,6 +19279,7 @@ class OriginOptions:
         "connection_attempts": "connectionAttempts",
         "connection_timeout": "connectionTimeout",
         "custom_headers": "customHeaders",
+        "origin_access_control_id": "originAccessControlId",
         "origin_id": "originId",
         "origin_shield_enabled": "originShieldEnabled",
         "origin_shield_region": "originShieldRegion",
@@ -19065,6 +19293,7 @@ class OriginProps(OriginOptions):
         connection_attempts: typing.Optional[jsii.Number] = None,
         connection_timeout: typing.Optional[_Duration_4839e8c3] = None,
         custom_headers: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
+        origin_access_control_id: typing.Optional[builtins.str] = None,
         origin_id: typing.Optional[builtins.str] = None,
         origin_shield_enabled: typing.Optional[builtins.bool] = None,
         origin_shield_region: typing.Optional[builtins.str] = None,
@@ -19075,6 +19304,7 @@ class OriginProps(OriginOptions):
         :param connection_attempts: The number of times that CloudFront attempts to connect to the origin; valid values are 1, 2, or 3 attempts. Default: 3
         :param connection_timeout: The number of seconds that CloudFront waits when trying to establish a connection to the origin. Valid values are 1-10 seconds, inclusive. Default: Duration.seconds(10)
         :param custom_headers: A list of HTTP header names and values that CloudFront adds to requests it sends to the origin. Default: {}
+        :param origin_access_control_id: The unique identifier of an origin access control for this origin. Default: - no origin access control
         :param origin_id: A unique identifier for the origin. This value must be unique within the distribution. Default: - an originid will be generated for you
         :param origin_shield_enabled: Origin Shield is enabled by setting originShieldRegion to a valid region, after this to disable Origin Shield again you must set this flag to false. Default: - true
         :param origin_shield_region: When you enable Origin Shield in the AWS Region that has the lowest latency to your origin, you can get better network performance. Default: - origin shield not enabled
@@ -19095,6 +19325,7 @@ class OriginProps(OriginOptions):
                 custom_headers={
                     "custom_headers_key": "customHeaders"
                 },
+                origin_access_control_id="originAccessControlId",
                 origin_id="originId",
                 origin_path="originPath",
                 origin_shield_enabled=False,
@@ -19106,6 +19337,7 @@ class OriginProps(OriginOptions):
             check_type(argname="argument connection_attempts", value=connection_attempts, expected_type=type_hints["connection_attempts"])
             check_type(argname="argument connection_timeout", value=connection_timeout, expected_type=type_hints["connection_timeout"])
             check_type(argname="argument custom_headers", value=custom_headers, expected_type=type_hints["custom_headers"])
+            check_type(argname="argument origin_access_control_id", value=origin_access_control_id, expected_type=type_hints["origin_access_control_id"])
             check_type(argname="argument origin_id", value=origin_id, expected_type=type_hints["origin_id"])
             check_type(argname="argument origin_shield_enabled", value=origin_shield_enabled, expected_type=type_hints["origin_shield_enabled"])
             check_type(argname="argument origin_shield_region", value=origin_shield_region, expected_type=type_hints["origin_shield_region"])
@@ -19117,6 +19349,8 @@ class OriginProps(OriginOptions):
             self._values["connection_timeout"] = connection_timeout
         if custom_headers is not None:
             self._values["custom_headers"] = custom_headers
+        if origin_access_control_id is not None:
+            self._values["origin_access_control_id"] = origin_access_control_id
         if origin_id is not None:
             self._values["origin_id"] = origin_id
         if origin_shield_enabled is not None:
@@ -19159,6 +19393,15 @@ class OriginProps(OriginOptions):
         result = self._values.get("custom_headers")
         return typing.cast(typing.Optional[typing.Mapping[builtins.str, builtins.str]], result)
 
+    @builtins.property
+    def origin_access_control_id(self) -> typing.Optional[builtins.str]:
+        '''The unique identifier of an origin access control for this origin.
+
+        :default: - no origin access control
+        '''
+        result = self._values.get("origin_access_control_id")
+        return typing.cast(typing.Optional[builtins.str], result)
+
     @builtins.property
     def origin_id(self) -> typing.Optional[builtins.str]:
         '''A unique identifier for the origin.
@@ -20306,7 +20549,7 @@ class ResponseCustomHeadersBehavior:
                     frame_options=cloudfront.ResponseHeadersFrameOptions(frame_option=cloudfront.HeadersFrameOption.DENY, override=True),
                     referrer_policy=cloudfront.ResponseHeadersReferrerPolicy(referrer_policy=cloudfront.HeadersReferrerPolicy.NO_REFERRER, override=True),
                     strict_transport_security=cloudfront.ResponseHeadersStrictTransportSecurity(access_control_max_age=Duration.seconds(600), include_subdomains=True, override=True),
-                    xss_protection=cloudfront.ResponseHeadersXSSProtection(protection=True, mode_block=True, report_uri="https://example.com/csp-report", override=True)
+                    xss_protection=cloudfront.ResponseHeadersXSSProtection(protection=True, mode_block=False, report_uri="https://example.com/csp-report", override=True)
                 ),
                 remove_headers=["Server"],
                 server_timing_sampling_rate=50
@@ -20401,7 +20644,7 @@ class ResponseHeadersContentSecurityPolicy:
                     frame_options=cloudfront.ResponseHeadersFrameOptions(frame_option=cloudfront.HeadersFrameOption.DENY, override=True),
                     referrer_policy=cloudfront.ResponseHeadersReferrerPolicy(referrer_policy=cloudfront.HeadersReferrerPolicy.NO_REFERRER, override=True),
                     strict_transport_security=cloudfront.ResponseHeadersStrictTransportSecurity(access_control_max_age=Duration.seconds(600), include_subdomains=True, override=True),
-                    xss_protection=cloudfront.ResponseHeadersXSSProtection(protection=True, mode_block=True, report_uri="https://example.com/csp-report", override=True)
+                    xss_protection=cloudfront.ResponseHeadersXSSProtection(protection=True, mode_block=False, report_uri="https://example.com/csp-report", override=True)
                 ),
                 remove_headers=["Server"],
                 server_timing_sampling_rate=50
@@ -20496,7 +20739,7 @@ class ResponseHeadersContentTypeOptions:
                     frame_options=cloudfront.ResponseHeadersFrameOptions(frame_option=cloudfront.HeadersFrameOption.DENY, override=True),
                     referrer_policy=cloudfront.ResponseHeadersReferrerPolicy(referrer_policy=cloudfront.HeadersReferrerPolicy.NO_REFERRER, override=True),
                     strict_transport_security=cloudfront.ResponseHeadersStrictTransportSecurity(access_control_max_age=Duration.seconds(600), include_subdomains=True, override=True),
-                    xss_protection=cloudfront.ResponseHeadersXSSProtection(protection=True, mode_block=True, report_uri="https://example.com/csp-report", override=True)
+                    xss_protection=cloudfront.ResponseHeadersXSSProtection(protection=True, mode_block=False, report_uri="https://example.com/csp-report", override=True)
                 ),
                 remove_headers=["Server"],
                 server_timing_sampling_rate=50
@@ -20609,7 +20852,7 @@ class ResponseHeadersCorsBehavior:
                     frame_options=cloudfront.ResponseHeadersFrameOptions(frame_option=cloudfront.HeadersFrameOption.DENY, override=True),
                     referrer_policy=cloudfront.ResponseHeadersReferrerPolicy(referrer_policy=cloudfront.HeadersReferrerPolicy.NO_REFERRER, override=True),
                     strict_transport_security=cloudfront.ResponseHeadersStrictTransportSecurity(access_control_max_age=Duration.seconds(600), include_subdomains=True, override=True),
-                    xss_protection=cloudfront.ResponseHeadersXSSProtection(protection=True, mode_block=True, report_uri="https://example.com/csp-report", override=True)
+                    xss_protection=cloudfront.ResponseHeadersXSSProtection(protection=True, mode_block=False, report_uri="https://example.com/csp-report", override=True)
                 ),
                 remove_headers=["Server"],
                 server_timing_sampling_rate=50
@@ -20771,7 +21014,7 @@ class ResponseHeadersFrameOptions:
                     frame_options=cloudfront.ResponseHeadersFrameOptions(frame_option=cloudfront.HeadersFrameOption.DENY, override=True),
                     referrer_policy=cloudfront.ResponseHeadersReferrerPolicy(referrer_policy=cloudfront.HeadersReferrerPolicy.NO_REFERRER, override=True),
                     strict_transport_security=cloudfront.ResponseHeadersStrictTransportSecurity(access_control_max_age=Duration.seconds(600), include_subdomains=True, override=True),
-                    xss_protection=cloudfront.ResponseHeadersXSSProtection(protection=True, mode_block=True, report_uri="https://example.com/csp-report", override=True)
+                    xss_protection=cloudfront.ResponseHeadersXSSProtection(protection=True, mode_block=False, report_uri="https://example.com/csp-report", override=True)
                 ),
                 remove_headers=["Server"],
                 server_timing_sampling_rate=50
@@ -20864,7 +21107,7 @@ class ResponseHeadersPolicy(
                 frame_options=cloudfront.ResponseHeadersFrameOptions(frame_option=cloudfront.HeadersFrameOption.DENY, override=True),
                 referrer_policy=cloudfront.ResponseHeadersReferrerPolicy(referrer_policy=cloudfront.HeadersReferrerPolicy.NO_REFERRER, override=True),
                 strict_transport_security=cloudfront.ResponseHeadersStrictTransportSecurity(access_control_max_age=Duration.seconds(600), include_subdomains=True, override=True),
-                xss_protection=cloudfront.ResponseHeadersXSSProtection(protection=True, mode_block=True, report_uri="https://example.com/csp-report", override=True)
+                xss_protection=cloudfront.ResponseHeadersXSSProtection(protection=True, mode_block=False, report_uri="https://example.com/csp-report", override=True)
             ),
             remove_headers=["Server"],
             server_timing_sampling_rate=50
@@ -21049,7 +21292,7 @@ class ResponseHeadersPolicyProps:
                     frame_options=cloudfront.ResponseHeadersFrameOptions(frame_option=cloudfront.HeadersFrameOption.DENY, override=True),
                     referrer_policy=cloudfront.ResponseHeadersReferrerPolicy(referrer_policy=cloudfront.HeadersReferrerPolicy.NO_REFERRER, override=True),
                     strict_transport_security=cloudfront.ResponseHeadersStrictTransportSecurity(access_control_max_age=Duration.seconds(600), include_subdomains=True, override=True),
-                    xss_protection=cloudfront.ResponseHeadersXSSProtection(protection=True, mode_block=True, report_uri="https://example.com/csp-report", override=True)
+                    xss_protection=cloudfront.ResponseHeadersXSSProtection(protection=True, mode_block=False, report_uri="https://example.com/csp-report", override=True)
                 ),
                 remove_headers=["Server"],
                 server_timing_sampling_rate=50
@@ -21223,7 +21466,7 @@ class ResponseHeadersReferrerPolicy:
                     frame_options=cloudfront.ResponseHeadersFrameOptions(frame_option=cloudfront.HeadersFrameOption.DENY, override=True),
                     referrer_policy=cloudfront.ResponseHeadersReferrerPolicy(referrer_policy=cloudfront.HeadersReferrerPolicy.NO_REFERRER, override=True),
                     strict_transport_security=cloudfront.ResponseHeadersStrictTransportSecurity(access_control_max_age=Duration.seconds(600), include_subdomains=True, override=True),
-                    xss_protection=cloudfront.ResponseHeadersXSSProtection(protection=True, mode_block=True, report_uri="https://example.com/csp-report", override=True)
+                    xss_protection=cloudfront.ResponseHeadersXSSProtection(protection=True, mode_block=False, report_uri="https://example.com/csp-report", override=True)
                 ),
                 remove_headers=["Server"],
                 server_timing_sampling_rate=50
@@ -21333,7 +21576,7 @@ class ResponseHeadersStrictTransportSecurity:
                     frame_options=cloudfront.ResponseHeadersFrameOptions(frame_option=cloudfront.HeadersFrameOption.DENY, override=True),
                     referrer_policy=cloudfront.ResponseHeadersReferrerPolicy(referrer_policy=cloudfront.HeadersReferrerPolicy.NO_REFERRER, override=True),
                     strict_transport_security=cloudfront.ResponseHeadersStrictTransportSecurity(access_control_max_age=Duration.seconds(600), include_subdomains=True, override=True),
-                    xss_protection=cloudfront.ResponseHeadersXSSProtection(protection=True, mode_block=True, report_uri="https://example.com/csp-report", override=True)
+                    xss_protection=cloudfront.ResponseHeadersXSSProtection(protection=True, mode_block=False, report_uri="https://example.com/csp-report", override=True)
                 ),
                 remove_headers=["Server"],
                 server_timing_sampling_rate=50
@@ -21467,7 +21710,7 @@ class ResponseHeadersXSSProtection:
                     frame_options=cloudfront.ResponseHeadersFrameOptions(frame_option=cloudfront.HeadersFrameOption.DENY, override=True),
                     referrer_policy=cloudfront.ResponseHeadersReferrerPolicy(referrer_policy=cloudfront.HeadersReferrerPolicy.NO_REFERRER, override=True),
                     strict_transport_security=cloudfront.ResponseHeadersStrictTransportSecurity(access_control_max_age=Duration.seconds(600), include_subdomains=True, override=True),
-                    xss_protection=cloudfront.ResponseHeadersXSSProtection(protection=True, mode_block=True, report_uri="https://example.com/csp-report", override=True)
+                    xss_protection=cloudfront.ResponseHeadersXSSProtection(protection=True, mode_block=False, report_uri="https://example.com/csp-report", override=True)
                 ),
                 remove_headers=["Server"],
                 server_timing_sampling_rate=50
@@ -21616,7 +21859,7 @@ class ResponseSecurityHeadersBehavior:
                     frame_options=cloudfront.ResponseHeadersFrameOptions(frame_option=cloudfront.HeadersFrameOption.DENY, override=True),
                     referrer_policy=cloudfront.ResponseHeadersReferrerPolicy(referrer_policy=cloudfront.HeadersReferrerPolicy.NO_REFERRER, override=True),
                     strict_transport_security=cloudfront.ResponseHeadersStrictTransportSecurity(access_control_max_age=Duration.seconds(600), include_subdomains=True, override=True),
-                    xss_protection=cloudfront.ResponseHeadersXSSProtection(protection=True, mode_block=True, report_uri="https://example.com/csp-report", override=True)
+                    xss_protection=cloudfront.ResponseHeadersXSSProtection(protection=True, mode_block=False, report_uri="https://example.com/csp-report", override=True)
                 ),
                 remove_headers=["Server"],
                 server_timing_sampling_rate=50
@@ -21816,6 +22059,187 @@ class S3ImportSource(
         return typing.cast(builtins.str, jsii.get(self, "key"))
 
 
+@jsii.implements(IOriginAccessControl)
+class S3OriginAccessControl(
+    _Resource_45bc6135,
+    metaclass=jsii.JSIIMeta,
+    jsii_type="aws-cdk-lib.aws_cloudfront.S3OriginAccessControl",
+):
+    '''An Origin Access Control for Amazon S3 origins.
+
+    :see: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cloudfront-originaccesscontrol.html
+    :resource: AWS::CloudFront::OriginAccessControl
+    :exampleMetadata: infused
+
+    Example::
+
+        my_bucket = s3.Bucket(self, "myBucket")
+        oac = cloudfront.S3OriginAccessControl(self, "MyOAC",
+            signing=cloudfront.Signing.SIGV4_NO_OVERRIDE
+        )
+        s3_origin = origins.S3BucketOrigin.with_origin_access_control(my_bucket,
+            origin_access_control=oac
+        )
+        cloudfront.Distribution(self, "myDist",
+            default_behavior=cloudfront.BehaviorOptions(
+                origin=s3_origin
+            )
+        )
+    '''
+
+    def __init__(
+        self,
+        scope: _constructs_77d1e7e8.Construct,
+        id: builtins.str,
+        *,
+        description: typing.Optional[builtins.str] = None,
+        origin_access_control_name: typing.Optional[builtins.str] = None,
+        signing: typing.Optional["Signing"] = None,
+    ) -> None:
+        '''
+        :param scope: -
+        :param id: -
+        :param description: A description of the origin access control. Default: - no description
+        :param origin_access_control_name: A name to identify the origin access control, with a maximum length of 64 characters. Default: - a generated name
+        :param signing: Specifies which requests CloudFront signs and the signing protocol. Default: SIGV4_ALWAYS
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__7b2a85cd0fa604a08b24dc8c92dc0ab531d0bddfb7ae38aea9da131ae6d978b9)
+            check_type(argname="argument scope", value=scope, expected_type=type_hints["scope"])
+            check_type(argname="argument id", value=id, expected_type=type_hints["id"])
+        props = S3OriginAccessControlProps(
+            description=description,
+            origin_access_control_name=origin_access_control_name,
+            signing=signing,
+        )
+
+        jsii.create(self.__class__, self, [scope, id, props])
+
+    @jsii.member(jsii_name="fromOriginAccessControlId")
+    @builtins.classmethod
+    def from_origin_access_control_id(
+        cls,
+        scope: _constructs_77d1e7e8.Construct,
+        id: builtins.str,
+        origin_access_control_id: builtins.str,
+    ) -> IOriginAccessControl:
+        '''Imports an S3 origin access control from its id.
+
+        :param scope: -
+        :param id: -
+        :param origin_access_control_id: -
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__b29164c2163d9cc22b4d251b78a9ef345abc13ec4b3000f567a67ab55c65e345)
+            check_type(argname="argument scope", value=scope, expected_type=type_hints["scope"])
+            check_type(argname="argument id", value=id, expected_type=type_hints["id"])
+            check_type(argname="argument origin_access_control_id", value=origin_access_control_id, expected_type=type_hints["origin_access_control_id"])
+        return typing.cast(IOriginAccessControl, jsii.sinvoke(cls, "fromOriginAccessControlId", [scope, id, origin_access_control_id]))
+
+    @builtins.property
+    @jsii.member(jsii_name="originAccessControlId")
+    def origin_access_control_id(self) -> builtins.str:
+        '''The unique identifier of this Origin Access Control.
+
+        :attribute: true
+        '''
+        return typing.cast(builtins.str, jsii.get(self, "originAccessControlId"))
+
+
+@jsii.data_type(
+    jsii_type="aws-cdk-lib.aws_cloudfront.S3OriginAccessControlProps",
+    jsii_struct_bases=[OriginAccessControlBaseProps],
+    name_mapping={
+        "description": "description",
+        "origin_access_control_name": "originAccessControlName",
+        "signing": "signing",
+    },
+)
+class S3OriginAccessControlProps(OriginAccessControlBaseProps):
+    def __init__(
+        self,
+        *,
+        description: typing.Optional[builtins.str] = None,
+        origin_access_control_name: typing.Optional[builtins.str] = None,
+        signing: typing.Optional["Signing"] = None,
+    ) -> None:
+        '''Properties for creating a S3 Origin Access Control resource.
+
+        :param description: A description of the origin access control. Default: - no description
+        :param origin_access_control_name: A name to identify the origin access control, with a maximum length of 64 characters. Default: - a generated name
+        :param signing: Specifies which requests CloudFront signs and the signing protocol. Default: SIGV4_ALWAYS
+
+        :exampleMetadata: infused
+
+        Example::
+
+            my_bucket = s3.Bucket(self, "myBucket")
+            oac = cloudfront.S3OriginAccessControl(self, "MyOAC",
+                signing=cloudfront.Signing.SIGV4_NO_OVERRIDE
+            )
+            s3_origin = origins.S3BucketOrigin.with_origin_access_control(my_bucket,
+                origin_access_control=oac
+            )
+            cloudfront.Distribution(self, "myDist",
+                default_behavior=cloudfront.BehaviorOptions(
+                    origin=s3_origin
+                )
+            )
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__8f6d25b92869f9d23abd5a05839feb0af6686aa049fbbe51cca648f46cad1567)
+            check_type(argname="argument description", value=description, expected_type=type_hints["description"])
+            check_type(argname="argument origin_access_control_name", value=origin_access_control_name, expected_type=type_hints["origin_access_control_name"])
+            check_type(argname="argument signing", value=signing, expected_type=type_hints["signing"])
+        self._values: typing.Dict[builtins.str, typing.Any] = {}
+        if description is not None:
+            self._values["description"] = description
+        if origin_access_control_name is not None:
+            self._values["origin_access_control_name"] = origin_access_control_name
+        if signing is not None:
+            self._values["signing"] = signing
+
+    @builtins.property
+    def description(self) -> typing.Optional[builtins.str]:
+        '''A description of the origin access control.
+
+        :default: - no description
+        '''
+        result = self._values.get("description")
+        return typing.cast(typing.Optional[builtins.str], result)
+
+    @builtins.property
+    def origin_access_control_name(self) -> typing.Optional[builtins.str]:
+        '''A name to identify the origin access control, with a maximum length of 64 characters.
+
+        :default: - a generated name
+        '''
+        result = self._values.get("origin_access_control_name")
+        return typing.cast(typing.Optional[builtins.str], result)
+
+    @builtins.property
+    def signing(self) -> typing.Optional["Signing"]:
+        '''Specifies which requests CloudFront signs and the signing protocol.
+
+        :default: SIGV4_ALWAYS
+
+        :see: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cloudfront-originaccesscontrol-originaccesscontrolconfig.html#cfn-cloudfront-originaccesscontrol-originaccesscontrolconfig-signingbehavior
+        '''
+        result = self._values.get("signing")
+        return typing.cast(typing.Optional["Signing"], result)
+
+    def __eq__(self, rhs: typing.Any) -> builtins.bool:
+        return isinstance(rhs, self.__class__) and rhs._values == self._values
+
+    def __ne__(self, rhs: typing.Any) -> builtins.bool:
+        return not (rhs == self)
+
+    def __repr__(self) -> str:
+        return "S3OriginAccessControlProps(%s)" % ", ".join(
+            k + "=" + repr(v) for k, v in self._values.items()
+        )
+
+
 @jsii.data_type(
     jsii_type="aws-cdk-lib.aws_cloudfront.S3OriginConfig",
     jsii_struct_bases=[],
@@ -22015,6 +22439,100 @@ class SecurityPolicyProtocol(enum.Enum):
     TLS_V1_2_2021 = "TLS_V1_2_2021"
 
 
+class Signing(metaclass=jsii.JSIIMeta, jsii_type="aws-cdk-lib.aws_cloudfront.Signing"):
+    '''Options for how CloudFront signs requests.
+
+    :exampleMetadata: infused
+
+    Example::
+
+        my_bucket = s3.Bucket(self, "myBucket")
+        oac = cloudfront.S3OriginAccessControl(self, "MyOAC",
+            signing=cloudfront.Signing.SIGV4_NO_OVERRIDE
+        )
+        s3_origin = origins.S3BucketOrigin.with_origin_access_control(my_bucket,
+            origin_access_control=oac
+        )
+        cloudfront.Distribution(self, "myDist",
+            default_behavior=cloudfront.BehaviorOptions(
+                origin=s3_origin
+            )
+        )
+    '''
+
+    def __init__(
+        self,
+        protocol: "SigningProtocol",
+        behavior: "SigningBehavior",
+    ) -> None:
+        '''
+        :param protocol: -
+        :param behavior: -
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__8c00ffc80ad080f771484098ccaf55fd1d267675565e970bd2559fe788ce72e6)
+            check_type(argname="argument protocol", value=protocol, expected_type=type_hints["protocol"])
+            check_type(argname="argument behavior", value=behavior, expected_type=type_hints["behavior"])
+        jsii.create(self.__class__, self, [protocol, behavior])
+
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="NEVER")
+    def NEVER(cls) -> "Signing":
+        '''Do not sign any origin requests.'''
+        return typing.cast("Signing", jsii.sget(cls, "NEVER"))
+
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="SIGV4_ALWAYS")
+    def SIGV4_ALWAYS(cls) -> "Signing":
+        '''Sign all origin requests using the AWS Signature Version 4 signing protocol.'''
+        return typing.cast("Signing", jsii.sget(cls, "SIGV4_ALWAYS"))
+
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="SIGV4_NO_OVERRIDE")
+    def SIGV4_NO_OVERRIDE(cls) -> "Signing":
+        '''Sign only if the viewer request doesn't contain the Authorization header using the AWS Signature Version 4 signing protocol.'''
+        return typing.cast("Signing", jsii.sget(cls, "SIGV4_NO_OVERRIDE"))
+
+    @builtins.property
+    @jsii.member(jsii_name="behavior")
+    def behavior(self) -> "SigningBehavior":
+        '''Which requests CloudFront signs.'''
+        return typing.cast("SigningBehavior", jsii.get(self, "behavior"))
+
+    @builtins.property
+    @jsii.member(jsii_name="protocol")
+    def protocol(self) -> "SigningProtocol":
+        '''The signing protocol.'''
+        return typing.cast("SigningProtocol", jsii.get(self, "protocol"))
+
+
+@jsii.enum(jsii_type="aws-cdk-lib.aws_cloudfront.SigningBehavior")
+class SigningBehavior(enum.Enum):
+    '''Options for which requests CloudFront signs.
+
+    The recommended setting is ``always``.
+    '''
+
+    ALWAYS = "ALWAYS"
+    '''Sign all origin requests, overwriting the Authorization header from the viewer request if one exists.'''
+    NEVER = "NEVER"
+    '''Do not sign any origin requests.
+
+    This value turns off origin access control for all origins in all
+    distributions that use this origin access control.
+    '''
+    NO_OVERRIDE = "NO_OVERRIDE"
+    '''Sign origin requests only if the viewer request doesn't contain the Authorization header.'''
+
+
+@jsii.enum(jsii_type="aws-cdk-lib.aws_cloudfront.SigningProtocol")
+class SigningProtocol(enum.Enum):
+    '''The signing protocol of the Origin Access Control.'''
+
+    SIGV4 = "SIGV4"
+    '''The AWS Signature Version 4 signing protocol.'''
+
+
 @jsii.data_type(
     jsii_type="aws-cdk-lib.aws_cloudfront.SourceConfiguration",
     jsii_struct_bases=[],
@@ -22691,7 +23209,7 @@ class CachePolicy(
         :param scope: -
         :param id: -
         :param cache_policy_name: A unique name to identify the cache policy. The name must only include '-', '_', or alphanumeric characters. Default: - generated from the ``id``
-        :param comment: A comment to describe the cache policy. Default: - no comment
+        :param comment: A comment to describe the cache policy. The comment cannot be longer than 128 characters. Default: - no comment
         :param cookie_behavior: Determines whether any cookies in viewer requests are included in the cache key and automatically included in requests that CloudFront sends to the origin. Default: CacheCookieBehavior.none()
         :param default_ttl: The default amount of time for objects to stay in the CloudFront cache. Only used when the origin does not send Cache-Control or Expires headers with the object. Default: - The greater of 1 day and ``minTtl``
         :param enable_accept_encoding_brotli: Whether to normalize and include the ``Accept-Encoding`` header in the cache key when the ``Accept-Encoding`` header is 'br'. Default: false
@@ -22806,7 +23324,7 @@ class CloudFrontWebDistribution(
     metaclass=jsii.JSIIMeta,
     jsii_type="aws-cdk-lib.aws_cloudfront.CloudFrontWebDistribution",
 ):
-    '''Amazon CloudFront is a global content delivery network (CDN) service that securely delivers data, videos, applications, and APIs to your viewers with low latency and high transfer speeds.
+    '''(deprecated) Amazon CloudFront is a global content delivery network (CDN) service that securely delivers data, videos, applications, and APIs to your viewers with low latency and high transfer speeds.
 
     CloudFront fronts user provided content and caches it at edge locations across the world.
 
@@ -22828,6 +23346,9 @@ class CloudFrontWebDistribution(
 
     You can customize the distribution using additional properties from the CloudFrontWebDistributionProps interface.
 
+    :deprecated: Use ``Distribution`` instead
+
+    :stability: deprecated
     :resource: AWS::CloudFront::Distribution
     :exampleMetadata: infused
 
@@ -22886,6 +23407,8 @@ class CloudFrontWebDistribution(
         :param viewer_certificate: Specifies whether you want viewers to use HTTP or HTTPS to request your objects, whether you're using an alternate domain name with HTTPS, and if so, if you're using AWS Certificate Manager (ACM) or a third-party certificate authority. Default: ViewerCertificate.fromCloudFrontDefaultCertificate()
         :param viewer_protocol_policy: The default viewer policy for incoming clients. Default: RedirectToHTTPs
         :param web_acl_id: Unique identifier that specifies the AWS WAF web ACL to associate with this CloudFront distribution. To specify a web ACL created using the latest version of AWS WAF, use the ACL ARN, for example ``arn:aws:wafv2:us-east-1:123456789012:global/webacl/ExampleWebACL/473e64fd-f30b-4765-81a0-62ad96dd167a``. To specify a web ACL created using AWS WAF Classic, use the ACL ID, for example ``473e64fd-f30b-4765-81a0-62ad96dd167a``. Default: - No AWS Web Application Firewall web access control list (web ACL).
+
+        :stability: deprecated
         '''
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__10cf4b33f291ebea192f1ea6c37ed91936b858def6e1350c920f21db71902d54)
@@ -22919,12 +23442,14 @@ class CloudFrontWebDistribution(
         distribution_id: builtins.str,
         domain_name: builtins.str,
     ) -> IDistribution:
-        '''Creates a construct that represents an external (imported) distribution.
+        '''(deprecated) Creates a construct that represents an external (imported) distribution.
 
         :param scope: -
         :param id: -
         :param distribution_id: The distribution ID for this distribution.
         :param domain_name: The generated domain name of the Distribution, such as d111111abcdef8.cloudfront.net.
+
+        :stability: deprecated
         '''
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__ea3b674a8185c8a9d03501ece5d860a4700034e19e03fc3a57d05fc8623fafc9)
@@ -22942,10 +23467,12 @@ class CloudFrontWebDistribution(
         identity: _IGrantable_71c4f5de,
         *actions: builtins.str,
     ) -> _Grant_a7ae64f8:
-        '''Adds an IAM policy statement associated with this distribution to an IAM principal's policy.
+        '''(deprecated) Adds an IAM policy statement associated with this distribution to an IAM principal's policy.
 
         :param identity: The principal.
         :param actions: The set of actions to allow (i.e. "cloudfront:ListInvalidations").
+
+        :stability: deprecated
         '''
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__bbe540671a65a5420a5e19288df418399a2c78bc5c1c07de38b3f735b89a36ed)
@@ -22958,9 +23485,11 @@ class CloudFrontWebDistribution(
         self,
         identity: _IGrantable_71c4f5de,
     ) -> _Grant_a7ae64f8:
-        '''Grant to create invalidations for this bucket to an IAM principal (Role/Group/User).
+        '''(deprecated) Grant to create invalidations for this bucket to an IAM principal (Role/Group/User).
 
         :param identity: The principal.
+
+        :stability: deprecated
         '''
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__1e035551f14cb51c65a18baf4f340f3be55199133afe180ca2138a8a0e86e6f8)
@@ -22970,25 +23499,32 @@ class CloudFrontWebDistribution(
     @builtins.property
     @jsii.member(jsii_name="distributionDomainName")
     def distribution_domain_name(self) -> builtins.str:
-        '''The domain name created by CloudFront for this distribution.
+        '''(deprecated) The domain name created by CloudFront for this distribution.
 
         If you are using aliases for your distribution, this is the domainName your DNS records should point to.
         (In Route53, you could create an ALIAS record to this value, for example.)
+
+        :stability: deprecated
         '''
         return typing.cast(builtins.str, jsii.get(self, "distributionDomainName"))
 
     @builtins.property
     @jsii.member(jsii_name="distributionId")
     def distribution_id(self) -> builtins.str:
-        '''The distribution ID for this distribution.'''
+        '''(deprecated) The distribution ID for this distribution.
+
+        :stability: deprecated
+        '''
         return typing.cast(builtins.str, jsii.get(self, "distributionId"))
 
     @builtins.property
     @jsii.member(jsii_name="loggingBucket")
     def logging_bucket(self) -> typing.Optional[_IBucket_42e086fd]:
-        '''The logging bucket for this CloudFront distribution.
+        '''(deprecated) The logging bucket for this CloudFront distribution.
 
         If logging is not enabled for this distribution - this property will be undefined.
+
+        :stability: deprecated
         '''
         return typing.cast(typing.Optional[_IBucket_42e086fd], jsii.get(self, "loggingBucket"))
 
@@ -23972,6 +24508,7 @@ class Function(
 
 
 __all__ = [
+    "AccessLevel",
     "AddBehaviorOptions",
     "AllowedMethods",
     "AssetImportSource",
@@ -24042,6 +24579,7 @@ __all__ = [
     "IKeyGroup",
     "IKeyValueStore",
     "IOrigin",
+    "IOriginAccessControl",
     "IOriginAccessIdentity",
     "IOriginRequestPolicy",
     "IPublicKey",
@@ -24056,6 +24594,8 @@ __all__ = [
     "LambdaEdgeEventType",
     "LambdaFunctionAssociation",
     "LoggingConfiguration",
+    "OriginAccessControlBaseProps",
+    "OriginAccessControlOriginType",
     "OriginAccessIdentity",
     "OriginAccessIdentityProps",
     "OriginBase",
@@ -24089,9 +24629,14 @@ __all__ = [
     "ResponseHeadersXSSProtection",
     "ResponseSecurityHeadersBehavior",
     "S3ImportSource",
+    "S3OriginAccessControl",
+    "S3OriginAccessControlProps",
     "S3OriginConfig",
     "SSLMethod",
     "SecurityPolicyProtocol",
+    "Signing",
+    "SigningBehavior",
+    "SigningProtocol",
     "SourceConfiguration",
     "ViewerCertificate",
     "ViewerCertificateOptions",
@@ -25668,6 +26213,7 @@ def _typecheckingstub__88031486a507fddae1a9cd6ed970521f2a57d7953a1e564c2c5d97b85
     scope: _constructs_77d1e7e8.Construct,
     *,
     origin_id: builtins.str,
+    distribution_id: typing.Optional[builtins.str] = None,
 ) -> None:
     """Type checking stubs"""
     pass
@@ -25780,6 +26326,15 @@ def _typecheckingstub__c1c495121d3f25343764da863019d723da4b7d05ac74ed07b91c30326
     """Type checking stubs"""
     pass
 
+def _typecheckingstub__a8b924ff1ec7417df56da9ecb0d84f08365a3b3c38c90dae9c47f3745f55d369(
+    *,
+    description: typing.Optional[builtins.str] = None,
+    origin_access_control_name: typing.Optional[builtins.str] = None,
+    signing: typing.Optional[Signing] = None,
+) -> None:
+    """Type checking stubs"""
+    pass
+
 def _typecheckingstub__ff86c7c3a54c3012c2e56787024ba13254594b3c0ca9aa271798797fe668270a(
     scope: _constructs_77d1e7e8.Construct,
     id: builtins.str,
@@ -25819,6 +26374,7 @@ def _typecheckingstub__5b13f814bf47a5f3949ffc4b53034b4702a02836213167c9ba4c6a8d6
     connection_attempts: typing.Optional[jsii.Number] = None,
     connection_timeout: typing.Optional[_Duration_4839e8c3] = None,
     custom_headers: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
+    origin_access_control_id: typing.Optional[builtins.str] = None,
     origin_id: typing.Optional[builtins.str] = None,
     origin_shield_enabled: typing.Optional[builtins.bool] = None,
     origin_shield_region: typing.Optional[builtins.str] = None,
@@ -25830,6 +26386,7 @@ def _typecheckingstub__8428dfc90e69bdd5363e69afd9c590a4ed2f1363b22242197295117dc
     _scope: _constructs_77d1e7e8.Construct,
     *,
     origin_id: builtins.str,
+    distribution_id: typing.Optional[builtins.str] = None,
 ) -> None:
     """Type checking stubs"""
     pass
@@ -25845,6 +26402,7 @@ def _typecheckingstub__d3e6a8992dd905a0c0d851cfed62aa0f881803068317a0b59eb845712
 def _typecheckingstub__0dbe700920dc77d0410da01e091c5caab2d3bb29313320e6057ed87275ccc649(
     *,
     origin_id: builtins.str,
+    distribution_id: typing.Optional[builtins.str] = None,
 ) -> None:
     """Type checking stubs"""
     pass
@@ -25862,6 +26420,7 @@ def _typecheckingstub__554f93c57439378c8175676cc442eaea5c8ec961a156b1f26e60df9cd
     connection_attempts: typing.Optional[jsii.Number] = None,
     connection_timeout: typing.Optional[_Duration_4839e8c3] = None,
     custom_headers: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
+    origin_access_control_id: typing.Optional[builtins.str] = None,
     origin_id: typing.Optional[builtins.str] = None,
     origin_shield_enabled: typing.Optional[builtins.bool] = None,
     origin_shield_region: typing.Optional[builtins.str] = None,
@@ -25874,6 +26433,7 @@ def _typecheckingstub__e1f5da480c426bb32e14bbbeb482146cc90bcd3678f902c46f0f2f739
     connection_attempts: typing.Optional[jsii.Number] = None,
     connection_timeout: typing.Optional[_Duration_4839e8c3] = None,
     custom_headers: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
+    origin_access_control_id: typing.Optional[builtins.str] = None,
     origin_id: typing.Optional[builtins.str] = None,
     origin_shield_enabled: typing.Optional[builtins.bool] = None,
     origin_shield_region: typing.Optional[builtins.str] = None,
@@ -26141,6 +26701,34 @@ def _typecheckingstub__50b2e52880076ae956da5eb2d05fa8de1161eb1b2df762d8dafbf8e6b
     """Type checking stubs"""
     pass
 
+def _typecheckingstub__7b2a85cd0fa604a08b24dc8c92dc0ab531d0bddfb7ae38aea9da131ae6d978b9(
+    scope: _constructs_77d1e7e8.Construct,
+    id: builtins.str,
+    *,
+    description: typing.Optional[builtins.str] = None,
+    origin_access_control_name: typing.Optional[builtins.str] = None,
+    signing: typing.Optional[Signing] = None,
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__b29164c2163d9cc22b4d251b78a9ef345abc13ec4b3000f567a67ab55c65e345(
+    scope: _constructs_77d1e7e8.Construct,
+    id: builtins.str,
+    origin_access_control_id: builtins.str,
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__8f6d25b92869f9d23abd5a05839feb0af6686aa049fbbe51cca648f46cad1567(
+    *,
+    description: typing.Optional[builtins.str] = None,
+    origin_access_control_name: typing.Optional[builtins.str] = None,
+    signing: typing.Optional[Signing] = None,
+) -> None:
+    """Type checking stubs"""
+    pass
+
 def _typecheckingstub__e5837aa017bcf235e169321284a6cfe3cd3ac7b3c0baef0d9b68b55e8da518be(
     *,
     s3_bucket_source: _IBucket_42e086fd,
@@ -26152,6 +26740,13 @@ def _typecheckingstub__e5837aa017bcf235e169321284a6cfe3cd3ac7b3c0baef0d9b68b55e8
     """Type checking stubs"""
     pass
 
+def _typecheckingstub__8c00ffc80ad080f771484098ccaf55fd1d267675565e970bd2559fe788ce72e6(
+    protocol: SigningProtocol,
+    behavior: SigningBehavior,
+) -> None:
+    """Type checking stubs"""
+    pass
+
 def _typecheckingstub__ccea0761c172529885c07d5e167927d1ae78b92776ef8b892c36faadf6bb0dce(
     *,
     behaviors: typing.Sequence[typing.Union[Behavior, typing.Dict[builtins.str, typing.Any]]],