aws-cdk-lib 2.154.1__py3-none-any.whl → 2.156.0__py3-none-any.whl

aws_cdk/aws_cloudfront_origins/__init__.py

@@ -6,21 +6,503 @@ S3 buckets, Elastic Load Balancing v2 load balancers, or any other domain name.
 
 ## S3 Bucket
 
-An S3 bucket can be added as an origin. If the bucket is configured as a website endpoint, the distribution can use S3 redirects and S3 custom error
-documents.
+An S3 bucket can be used as an origin. An S3 bucket origin can either be configured using a standard S3 bucket or using a S3 bucket that's configured as a website endpoint (see AWS docs for [Using an S3 Bucket](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/DownloadDistS3AndCustomOrigins.html#using-s3-as-origin)).
+
+> Note: `S3Origin` has been deprecated. Use `S3BucketOrigin` for standard S3 origins and `S3StaticWebsiteOrigin` for static website S3 origins.
+
+### Standard S3 Bucket
+
+To set up an origin using a standard S3 bucket, use the `S3BucketOrigin` class. The bucket
+is handled as a bucket origin and
+CloudFront's redirect and error handling will be used. It is recommended to use `S3BucketOrigin.withOriginAccessControl()` to configure OAC for your origin.
+
+```python
+my_bucket = s3.Bucket(self, "myBucket")
+cloudfront.Distribution(self, "myDist",
+    default_behavior=cloudfront.BehaviorOptions(origin=origins.S3BucketOrigin.with_origin_access_control(my_bucket))
+)
+```
+
+> Note: When you use CloudFront OAC with Amazon S3 bucket origins, you must set Amazon S3 Object Ownership to Bucket owner enforced (the default for new Amazon S3 buckets). If you require ACLs, use the Bucket owner preferred setting to maintain control over objects uploaded via CloudFront.
+
+### S3 Bucket Configured as a Website Endpoint
+
+To set up an origin using an S3 bucket configured as a website endpoint, use the `S3StaticWebsiteOrigin` class. When the bucket is configured as a
+website endpoint, the bucket is treated as an HTTP origin,
+and the distribution can use built-in S3 redirects and S3 custom error pages.
+
+```python
+my_bucket = s3.Bucket(self, "myBucket")
+cloudfront.Distribution(self, "myDist",
+    default_behavior=cloudfront.BehaviorOptions(origin=origins.S3StaticWebsiteOrigin(my_bucket))
+)
+```
+
+### Restricting access to a standard S3 Origin
+
+CloudFront provides two ways to send authenticated requests to a standard Amazon S3 origin:
+
+* origin access control (OAC) and
+* origin access identity (OAI)
+
+OAI is considered legacy due to limited functionality and regional
+limitations, whereas OAC is recommended because it supports all Amazon S3
+buckets in all AWS Regions, Amazon S3 server-side encryption with AWS KMS (SSE-KMS), and dynamic requests (PUT and DELETE) to Amazon S3. Additionally,
+OAC provides stronger security posture with short term credentials,
+and more frequent credential rotations as compared to OAI. OAI and OAC can be used in conjunction with a bucket that is not public to
+require that your users access your content using CloudFront URLs and not S3 URLs directly.
+
+See AWS docs on [Restricting access to an Amazon S3 Origin](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html) for more details.
+
+> Note: OAC and OAI can only be used with an regular S3 bucket origin (not a bucket configured as a website endpoint).
+
+The `S3BucketOrigin` class supports creating a standard S3 origin with OAC, OAI, and no access control (using your bucket access settings) via
+the `withOriginAccessControl()`, `withOriginAccessIdentity()`, and `withBucketDefaults()` methods respectively.
+
+#### Setting up a new origin access control (OAC)
+
+Setup a standard S3 origin with origin access control as follows:
+
+```python
+my_bucket = s3.Bucket(self, "myBucket")
+cloudfront.Distribution(self, "myDist",
+    default_behavior=cloudfront.BehaviorOptions(
+        origin=origins.S3BucketOrigin.with_origin_access_control(my_bucket)
+    )
+)
+```
+
+When creating a standard S3 origin using `origins.S3BucketOrigin.withOriginAccessControl()`, an [Origin Access Control resource](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cloudfront-originaccesscontrol-originaccesscontrolconfig.html) is automatically created with the origin type set to `s3` and signing behavior set to `always`.
+
+You can grant read, write or delete access to the OAC using the `originAccessLevels` property:
+
+```python
+my_bucket = s3.Bucket(self, "myBucket")
+s3_origin = origins.S3BucketOrigin.with_origin_access_control(my_bucket,
+    origin_access_levels=[cloudfront.AccessLevel.READ, cloudfront.AccessLevel.WRITE, cloudfront.AccessLevel.DELETE]
+)
+```
+
+You can also pass in a custom S3 origin access control:
+
+```python
+my_bucket = s3.Bucket(self, "myBucket")
+oac = cloudfront.S3OriginAccessControl(self, "MyOAC",
+    signing=cloudfront.Signing.SIGV4_NO_OVERRIDE
+)
+s3_origin = origins.S3BucketOrigin.with_origin_access_control(my_bucket,
+    origin_access_control=oac
+)
+cloudfront.Distribution(self, "myDist",
+    default_behavior=cloudfront.BehaviorOptions(
+        origin=s3_origin
+    )
+)
+```
+
+An existing S3 origin access control can be imported using the `fromOriginAccessControlId` method:
+
+```python
+imported_oAC = cloudfront.S3OriginAccessControl.from_origin_access_control_id(self, "myImportedOAC", "ABC123ABC123AB")
+```
+
+> [Note](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html): When you use OAC with S3
+> bucket origins, the bucket's object ownership must be either set to Bucket owner enforced (default for new S3 buckets) or Bucket owner preferred (only if you require ACLs).
+
+#### Setting up OAC with a SSE-KMS encrypted S3 origin
+
+If the objects in the S3 bucket origin are encrypted using server-side encryption with
+AWS Key Management Service (SSE-KMS), the OAC must have permission to use the KMS key.
+
+Setting up a standard S3 origin using `S3BucketOrigin.withOriginAccessControl()` will automatically add the statement to the KMS key policy
+to give the OAC permission to use the KMS key.
+
+```python
+import aws_cdk.aws_kms as kms
+
+
+my_kms_key = kms.Key(self, "myKMSKey")
+my_bucket = s3.Bucket(self, "mySSEKMSEncryptedBucket",
+    encryption=s3.BucketEncryption.KMS,
+    encryption_key=my_kms_key,
+    object_ownership=s3.ObjectOwnership.BUCKET_OWNER_ENFORCED
+)
+cloudfront.Distribution(self, "myDist",
+    default_behavior=cloudfront.BehaviorOptions(
+        origin=origins.S3BucketOrigin.with_origin_access_control(my_bucket)
+    )
+)
+```
+
+##### Scoping down the key policy
+
+I saw this warning message during synth time. What do I do?
+
+```text
+To avoid a circular dependency between the KMS key, Bucket, and Distribution during the initial deployment, a wildcard is used in the Key policy condition to match all Distribution IDs.
+After deploying once, it is strongly recommended to further scope down the policy for best security practices by following the guidance in the "Using OAC for a SSE-KMS encrypted S3 origin" section in the module README.
+```
+
+If the S3 bucket has an `encryptionKey` defined, `S3BucketOrigin.withOriginAccessControl()`
+will automatically add the following policy statement to the KMS key policy to allow CloudFront read-only access (unless otherwise specified in the `originAccessLevels` property).
+
+```json
+{
+    "Statement": {
+        "Effect": "Allow",
+        "Principal": {
+            "Service": "cloudfront.amazonaws.com"
+        },
+        "Action": "kms:Decrypt",
+        "Resource": "*",
+        "Condition": {
+            "ArnLike": {
+                "AWS:SourceArn": "arn:aws:cloudfront::<account ID>:distribution/*"
+            }
+        }
+    }
+}
+```
+
+This policy uses a wildcard to match all distribution IDs in the account instead of referencing the specific distribution ID to resolve the circular dependency. The policy statement is not as scoped down as the example in the AWS CloudFront docs (see [SSE-KMS section](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html#create-oac-overview-s3)).
+
+After you have deployed the Distribution, you should follow these steps to only grant permissions to the specific distribution according to AWS best practices:
+
+**Step 1.** Copy the key policy
+
+**Step 2.** Use an escape hatch to update the policy statement condition so that
+
+```json
+  "Condition": {
+      "ArnLike": {
+          "AWS:SourceArn": "arn:aws:cloudfront::<account ID>:distribution/*"
+      }
+  }
+```
+
+...becomes...
+
+```json
+  "Condition": {
+      "StringEquals": {
+          "AWS:SourceArn": "arn:aws:cloudfront::111122223333:distribution/<CloudFront distribution ID>"
+      }
+  }
+```
+
+> Note the change of condition operator from `ArnLike` to `StringEquals` in addition to replacing the wildcard (`*`) with the distribution ID.
+
+To set the key policy using an escape hatch:
+
+```python
+import aws_cdk.aws_kms as kms
+
+
+kms_key = kms.Key(self, "myKMSKey")
+my_bucket = s3.Bucket(self, "mySSEKMSEncryptedBucket",
+    encryption=s3.BucketEncryption.KMS,
+    encryption_key=kms_key,
+    object_ownership=s3.ObjectOwnership.BUCKET_OWNER_ENFORCED
+)
+cloudfront.Distribution(self, "myDist",
+    default_behavior=cloudfront.BehaviorOptions(
+        origin=origins.S3BucketOrigin.with_origin_access_control(my_bucket)
+    )
+)
+
+# Add the following to scope down the key policy
+scoped_down_key_policy = {
+    "Version": "2012-10-17",
+    "Statement": [{
+        "Effect": "Allow",
+        "Principal": {
+            "AWS": "arn:aws:iam::111122223333:root"
+        },
+        "Action": "kms:*",
+        "Resource": "*"
+    }, {
+        "Effect": "Allow",
+        "Principal": {
+            "Service": "cloudfront.amazonaws.com"
+        },
+        "Action": ["kms:Decrypt", "kms:Encrypt", "kms:GenerateDataKey*"
+        ],
+        "Resource": "*",
+        "Condition": {
+            "StringEquals": {
+                "AWS:SourceArn": "arn:aws:cloudfront::111122223333:distribution/<CloudFront distribution ID>"
+            }
+        }
+    }
+    ]
+}
+cfn_key = (kms_key.node.default_child)
+cfn_key.key_policy = scoped_down_key_policy
+```
+
+**Step 3.** Deploy the stack
+
+> Tip: Run `cdk diff` before deploying to verify the
+> changes to your stack.
+
+**Step 4.** Verify your final key policy includes the following statement after deploying:
+
+```json
+{
+    "Effect": "Allow",
+    "Principal": {
+        "Service": [
+            "cloudfront.amazonaws.com"
+        ]
+     },
+    "Action": [
+        "kms:Decrypt",
+        "kms:Encrypt",
+        "kms:GenerateDataKey*"
+    ],
+    "Resource": "*",
+    "Condition": {
+            "StringEquals": {
+                "AWS:SourceArn": "arn:aws:cloudfront::111122223333:distribution/<CloudFront distribution ID>"
+            }
+        }
+}
+```
+
+##### Updating imported key policies
+
+If you are using an imported KMS key to encrypt your S3 bucket and want to use OAC, you will need to update the
+key policy manually to allow CloudFront to use the key. Like most imported resources, CDK apps cannot modify the configuration of imported keys.
+
+After deploying the distribution, add the following policy statement to your key policy to allow CloudFront OAC to access your KMS key for SSE-KMS:
+
+```json
+{
+    "Sid": "AllowCloudFrontServicePrincipalSSE-KMS",
+    "Effect": "Allow",
+    "Principal": {
+        "Service": [
+            "cloudfront.amazonaws.com"
+        ]
+     },
+    "Action": [
+        "kms:Decrypt",
+        "kms:Encrypt",
+        "kms:GenerateDataKey*"
+    ],
+    "Resource": "*",
+    "Condition": {
+            "StringEquals": {
+                "AWS:SourceArn": "arn:aws:cloudfront::111122223333:distribution/<CloudFront distribution ID>"
+            }
+        }
+}
+```
+
+See CloudFront docs on [SSE-KMS](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html#create-oac-overview-s3) for more details.
+
+#### Setting up OAC with imported S3 buckets
+
+If you are using an imported bucket for your S3 Origin and want to use OAC,
+you will need to update
+the S3 bucket policy manually to allow the OAC to access the S3 origin. Like most imported resources, CDK apps cannot modify the configuration of imported buckets.
+
+After deploying the distribution, add the following
+policy statement to your
+S3 bucket to allow CloudFront read-only access
+(or additional S3 permissions as required):
+
+```json
+{
+    "Version": "2012-10-17",
+    "Statement": {
+        "Effect": "Allow",
+        "Principal": {
+            "Service": "cloudfront.amazonaws.com"
+        },
+        "Action": "s3:GetObject",
+        "Resource": "arn:aws:s3:::<S3 bucket name>/*",
+        "Condition": {
+            "StringEquals": {
+                "AWS:SourceArn": "arn:aws:cloudfront::111122223333:distribution/<CloudFront distribution ID>"
+            }
+        }
+    }
+}
+```
+
+See CloudFront docs on [Giving the origin access control permission to access the S3 bucket](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html#create-oac-overview-s3) for more details.
+
+> Note: If your bucket previously used OAI, you will need to manually remove the policy statement
+> that gives the OAI access to your bucket after setting up OAC.
+
+#### Setting up an OAI (legacy)
+
+Setup an S3 origin with origin access identity (legacy) as follows:
+
+```python
+my_bucket = s3.Bucket(self, "myBucket")
+cloudfront.Distribution(self, "myDist",
+    default_behavior=cloudfront.BehaviorOptions(
+        origin=origins.S3BucketOrigin.with_origin_access_identity(my_bucket)
+    )
+)
+```
+
+You can also pass in a custom S3 origin access identity:
+
+```python
+my_bucket = s3.Bucket(self, "myBucket")
+my_oai = cloudfront.OriginAccessIdentity(self, "myOAI",
+    comment="My custom OAI"
+)
+s3_origin = origins.S3BucketOrigin.with_origin_access_identity(my_bucket,
+    origin_access_identity=my_oai
+)
+cloudfront.Distribution(self, "myDist",
+    default_behavior=cloudfront.BehaviorOptions(
+        origin=s3_origin
+    )
+)
+```
+
+#### Setting up OAI with imported S3 buckets (legacy)
+
+If you are using an imported bucket for your S3 Origin and want to use OAI,
+you will need to update
+the S3 bucket policy manually to allow the OAI to access the S3 origin. Like most imported resources, CDK apps cannot modify the configuration of imported buckets.
+
+Add the following
+policy statement to your
+S3 bucket to allow the OAI read access:
+
+```json
+{
+    "Version": "2012-10-17",
+    "Id": "PolicyForCloudFrontPrivateContent",
+    "Statement": [
+        {
+            "Effect": "Allow",
+            "Principal": {
+                "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity <origin access identity ID>"
+            },
+            "Action": "s3:GetObject",
+            "Resource": "arn:aws:s3:::<S3 bucket name>/*"
+        }
+    ]
+}
+```
+
+See AWS docs on [Giving an origin access identity permission to read files in the Amazon S3 bucket](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html#private-content-restricting-access-to-s3-oai) for more details.
+
+### Setting up a S3 origin with no origin access control
+
+To setup a standard S3 origin with no access control (no OAI nor OAC), use `origins.S3BucketOrigin.withBucketDefaults()`:
 
 ```python
 my_bucket = s3.Bucket(self, "myBucket")
 cloudfront.Distribution(self, "myDist",
-    default_behavior=cloudfront.BehaviorOptions(origin=origins.S3Origin(my_bucket))
+    default_behavior=cloudfront.BehaviorOptions(
+        origin=origins.S3BucketOrigin.with_bucket_defaults(my_bucket)
+    )
+)
+```
+
+### Migrating from OAI to OAC
+
+If you are currently using OAI for your S3 origin and wish to migrate to OAC,
+replace the `S3Origin` construct (deprecated) with `S3BucketOrigin.withOriginAccessControl()` which automatically
+creates and sets up an OAC for you.
+
+Existing setup using OAI and `S3Origin`:
+
+```python
+my_bucket = s3.Bucket(self, "myBucket")
+s3_origin = origins.S3Origin(my_bucket)
+distribution = cloudfront.Distribution(self, "myDist",
+    default_behavior=cloudfront.BehaviorOptions(origin=s3_origin)
+)
+```
+
+**Step 1:**
+
+To ensure CloudFront doesn't lose access to the bucket during the transition, add a statement to bucket policy to grant OAC access to the S3 origin. Deploy the stack. If you are okay with downtime during the transition, you can skip this step.
+
+> Tip: Run `cdk diff` before deploying to verify the
+> changes to your stack.
+
+```python
+import aws_cdk as cdk
+import aws_cdk.aws_iam as iam
+
+
+stack = Stack()
+my_bucket = s3.Bucket(self, "myBucket")
+s3_origin = origins.S3Origin(my_bucket)
+distribution = cloudfront.Distribution(self, "myDist",
+    default_behavior=cloudfront.BehaviorOptions(origin=s3_origin)
+)
+
+# Construct the bucket policy statement
+distribution_arn = stack.format_arn(
+    service="cloudfront",
+    region="",
+    resource="distribution",
+    resource_name=distribution.distribution_id,
+    arn_format=cdk.ArnFormat.SLASH_RESOURCE_NAME
+)
+
+cloudfront_sP = iam.ServicePrincipal("cloudfront.amazonaws.com")
+
+oac_bucket_policy_statement = iam.PolicyStatement(
+    effect=iam.Effect.ALLOW,
+    principals=[cloudfront_sP],
+    actions=["s3:GetObject"],
+    resources=[my_bucket.arn_for_objects("*")],
+    conditions={
+        "StringEquals": {
+            "AWS:SourceArn": distribution_arn
+        }
+    }
+)
+
+# Add statement to bucket policy
+my_bucket.add_to_resource_policy(oac_bucket_policy_statement)
+```
+
+The following changes will take place:
+
+1. The bucket policy will be modified to grant the CloudFront distribution access. At this point the bucket policy allows both an OAI and an OAC to access the S3 origin.
+
+**Step 2:**
+
+Replace `S3Origin` with `S3BucketOrigin.withOriginAccessControl()`, which creates an OAC and attaches it to the distribution. You can remove the code from Step 1 which updated the bucket policy, as `S3BucketOrigin.withOriginAccessControl()` updates the bucket policy automatically with the same statement when defined in the `Distribution` (no net difference).
+
+Run `cdk diff` before deploying to verify the changes to your stack.
+
+```python
+bucket = s3.Bucket(self, "Bucket")
+s3_origin = origins.S3BucketOrigin.with_origin_access_control(bucket)
+distribution = cloudfront.Distribution(self, "Distribution",
+    default_behavior=cloudfront.BehaviorOptions(origin=s3_origin)
 )
 ```
 
-The above will treat the bucket differently based on if `IBucket.isWebsite` is set or not. If the bucket is configured as a website, the bucket is
-treated as an HTTP origin, and the built-in S3 redirects and error pages can be used. Otherwise, the bucket is handled as a bucket origin and
-CloudFront's redirect and error handling will be used. In the latter case, the Origin will create an origin access identity and grant it access to the
-underlying bucket. This can be used in conjunction with a bucket that is not public to require that your users access your content using CloudFront
-URLs and not S3 URLs directly. Alternatively, a custom origin access identity can be passed to the S3 origin in the properties.
+The following changes will take place:
+
+1. A `AWS::CloudFront::OriginAccessControl` resource will be created.
+2. The `Origin` property of the `AWS::CloudFront::Distribution` will set [`OriginAccessControlId`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cloudfront-distribution-origin.html#cfn-cloudfront-distribution-origin-originaccesscontrolid) to the OAC ID after it is created. It will also set [`S3OriginConfig`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cloudfront-distribution-s3originconfig.html#aws-properties-cloudfront-distribution-s3originconfig-properties) to `{"OriginAccessIdentity": ""}`, which deletes the origin access identity from the existing distribution.
+3. The `AWS::CloudFront::CloudFrontOriginAccessIdentity` resource will be deleted.
+
+**Will migrating from OAI to OAC cause any resource replacement?**
+
+No, following the migration steps does not cause any replacement of the existing `AWS::CloudFront::Distribution`, `AWS::S3::Bucket` nor `AWS::S3::BucketPolicy` resources. It will modify the bucket policy, create a `AWS::CloudFront::OriginAccessControl` resource, and delete the existing `AWS::CloudFront::CloudFrontOriginAccessIdentity`.
+
+**Will migrating from OAI to OAC have any availability implications for my application?**
+
+Updates to bucket policies are eventually consistent. Therefore, removing OAI permissions and setting up OAC in the same CloudFormation stack deployment is not recommended as it may cause downtime where CloudFront loses access to the bucket. Following the steps outlined above lowers the risk of downtime as the bucket policy is updated to have both OAI and OAC permissions, then in a subsequent deployment, the OAI permissions are removed.
+
+For more information, see [Migrating from origin access identity (OAI) to origin access control (OAC)](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html#migrate-from-oai-to-oac).
 
 ### Adding Custom Headers
 
@@ -29,7 +511,7 @@ You can configure CloudFront to add custom headers to the requests that it sends
 ```python
 my_bucket = s3.Bucket(self, "myBucket")
 cloudfront.Distribution(self, "myDist",
-    default_behavior=cloudfront.BehaviorOptions(origin=origins.S3Origin(my_bucket,
+    default_behavior=cloudfront.BehaviorOptions(origin=origins.S3BucketOrigin.with_origin_access_control(my_bucket,
         custom_headers={
             "Foo": "bar"
         }
@@ -104,7 +586,7 @@ my_bucket = s3.Bucket(self, "myBucket")
 cloudfront.Distribution(self, "myDist",
     default_behavior=cloudfront.BehaviorOptions(
         origin=origins.OriginGroup(
-            primary_origin=origins.S3Origin(my_bucket),
+            primary_origin=origins.S3BucketOrigin.with_origin_access_control(my_bucket),
             fallback_origin=origins.HttpOrigin("www.example.com"),
             # optional, defaults to: 500, 502, 503 and 504
             fallback_status_codes=[404]
@@ -173,8 +655,10 @@ import constructs as _constructs_77d1e7e8
 from .. import Duration as _Duration_4839e8c3
 from ..aws_apigateway import RestApiBase as _RestApiBase_0431da32
 from ..aws_cloudfront import (
+    AccessLevel as _AccessLevel_315d9a76,
     CfnDistribution as _CfnDistribution_d9ad3595,
     IOrigin as _IOrigin_83d4c1fa,
+    IOriginAccessControl as _IOriginAccessControl_82a6fe5a,
     IOriginAccessIdentity as _IOriginAccessIdentity_a922494c,
     OriginBase as _OriginBase_b8fe5bcc,
     OriginBindConfig as _OriginBindConfig_25a57096,
@@ -220,6 +704,7 @@ class FunctionUrlOrigin(
         connection_attempts: typing.Optional[jsii.Number] = None,
         connection_timeout: typing.Optional[_Duration_4839e8c3] = None,
         custom_headers: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
+        origin_access_control_id: typing.Optional[builtins.str] = None,
         origin_id: typing.Optional[builtins.str] = None,
         origin_shield_enabled: typing.Optional[builtins.bool] = None,
         origin_shield_region: typing.Optional[builtins.str] = None,
@@ -232,6 +717,7 @@ class FunctionUrlOrigin(
         :param connection_attempts: The number of times that CloudFront attempts to connect to the origin; valid values are 1, 2, or 3 attempts. Default: 3
         :param connection_timeout: The number of seconds that CloudFront waits when trying to establish a connection to the origin. Valid values are 1-10 seconds, inclusive. Default: Duration.seconds(10)
         :param custom_headers: A list of HTTP header names and values that CloudFront adds to requests it sends to the origin. Default: {}
+        :param origin_access_control_id: The unique identifier of an origin access control for this origin. Default: - no origin access control
         :param origin_id: A unique identifier for the origin. This value must be unique within the distribution. Default: - an originid will be generated for you
         :param origin_shield_enabled: Origin Shield is enabled by setting originShieldRegion to a valid region, after this to disable Origin Shield again you must set this flag to false. Default: - true
         :param origin_shield_region: When you enable Origin Shield in the AWS Region that has the lowest latency to your origin, you can get better network performance. Default: - origin shield not enabled
@@ -246,6 +732,7 @@ class FunctionUrlOrigin(
             connection_attempts=connection_attempts,
             connection_timeout=connection_timeout,
             custom_headers=custom_headers,
+            origin_access_control_id=origin_access_control_id,
             origin_id=origin_id,
             origin_shield_enabled=origin_shield_enabled,
             origin_shield_region=origin_shield_region,
@@ -267,6 +754,7 @@ class FunctionUrlOrigin(
         "connection_attempts": "connectionAttempts",
         "connection_timeout": "connectionTimeout",
         "custom_headers": "customHeaders",
+        "origin_access_control_id": "originAccessControlId",
         "origin_id": "originId",
         "origin_shield_enabled": "originShieldEnabled",
         "origin_shield_region": "originShieldRegion",
@@ -282,6 +770,7 @@ class FunctionUrlOriginProps(_OriginProps_0675928d):
         connection_attempts: typing.Optional[jsii.Number] = None,
         connection_timeout: typing.Optional[_Duration_4839e8c3] = None,
         custom_headers: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
+        origin_access_control_id: typing.Optional[builtins.str] = None,
         origin_id: typing.Optional[builtins.str] = None,
         origin_shield_enabled: typing.Optional[builtins.bool] = None,
         origin_shield_region: typing.Optional[builtins.str] = None,
@@ -294,6 +783,7 @@ class FunctionUrlOriginProps(_OriginProps_0675928d):
         :param connection_attempts: The number of times that CloudFront attempts to connect to the origin; valid values are 1, 2, or 3 attempts. Default: 3
         :param connection_timeout: The number of seconds that CloudFront waits when trying to establish a connection to the origin. Valid values are 1-10 seconds, inclusive. Default: Duration.seconds(10)
         :param custom_headers: A list of HTTP header names and values that CloudFront adds to requests it sends to the origin. Default: {}
+        :param origin_access_control_id: The unique identifier of an origin access control for this origin. Default: - no origin access control
         :param origin_id: A unique identifier for the origin. This value must be unique within the distribution. Default: - an originid will be generated for you
         :param origin_shield_enabled: Origin Shield is enabled by setting originShieldRegion to a valid region, after this to disable Origin Shield again you must set this flag to false. Default: - true
         :param origin_shield_region: When you enable Origin Shield in the AWS Region that has the lowest latency to your origin, you can get better network performance. Default: - origin shield not enabled
@@ -317,6 +807,7 @@ class FunctionUrlOriginProps(_OriginProps_0675928d):
                     "custom_headers_key": "customHeaders"
                 },
                 keepalive_timeout=cdk.Duration.minutes(30),
+                origin_access_control_id="originAccessControlId",
                 origin_id="originId",
                 origin_path="originPath",
                 origin_shield_enabled=False,
@@ -329,6 +820,7 @@ class FunctionUrlOriginProps(_OriginProps_0675928d):
             check_type(argname="argument connection_attempts", value=connection_attempts, expected_type=type_hints["connection_attempts"])
             check_type(argname="argument connection_timeout", value=connection_timeout, expected_type=type_hints["connection_timeout"])
             check_type(argname="argument custom_headers", value=custom_headers, expected_type=type_hints["custom_headers"])
+            check_type(argname="argument origin_access_control_id", value=origin_access_control_id, expected_type=type_hints["origin_access_control_id"])
             check_type(argname="argument origin_id", value=origin_id, expected_type=type_hints["origin_id"])
             check_type(argname="argument origin_shield_enabled", value=origin_shield_enabled, expected_type=type_hints["origin_shield_enabled"])
             check_type(argname="argument origin_shield_region", value=origin_shield_region, expected_type=type_hints["origin_shield_region"])
@@ -342,6 +834,8 @@ class FunctionUrlOriginProps(_OriginProps_0675928d):
             self._values["connection_timeout"] = connection_timeout
         if custom_headers is not None:
             self._values["custom_headers"] = custom_headers
+        if origin_access_control_id is not None:
+            self._values["origin_access_control_id"] = origin_access_control_id
         if origin_id is not None:
             self._values["origin_id"] = origin_id
         if origin_shield_enabled is not None:
@@ -388,6 +882,15 @@ class FunctionUrlOriginProps(_OriginProps_0675928d):
         result = self._values.get("custom_headers")
         return typing.cast(typing.Optional[typing.Mapping[builtins.str, builtins.str]], result)
 
+    @builtins.property
+    def origin_access_control_id(self) -> typing.Optional[builtins.str]:
+        '''The unique identifier of an origin access control for this origin.
+
+        :default: - no origin access control
+        '''
+        result = self._values.get("origin_access_control_id")
+        return typing.cast(typing.Optional[builtins.str], result)
+
     @builtins.property
     def origin_id(self) -> typing.Optional[builtins.str]:
         '''A unique identifier for the origin.
@@ -481,25 +984,26 @@ class HttpOrigin(
 
     Example::
 
-        # Validating signed URLs or signed cookies with Trusted Key Groups
+        # Adding realtime logs config to a Cloudfront Distribution on default behavior.
+        import aws_cdk.aws_kinesis as kinesis
         
-        # public key in PEM format
-        # public_key: str
+        # stream: kinesis.Stream
         
-        pub_key = cloudfront.PublicKey(self, "MyPubKey",
-            encoded_key=public_key
-        )
         
-        key_group = cloudfront.KeyGroup(self, "MyKeyGroup",
-            items=[pub_key
-            ]
+        real_time_config = cloudfront.RealtimeLogConfig(self, "realtimeLog",
+            end_points=[
+                cloudfront.Endpoint.from_kinesis_stream(stream)
+            ],
+            fields=["timestamp", "c-ip", "time-to-first-byte", "sc-status"
+            ],
+            realtime_log_config_name="my-delivery-stream",
+            sampling_rate=100
         )
         
-        cloudfront.Distribution(self, "Dist",
+        cloudfront.Distribution(self, "myCdn",
             default_behavior=cloudfront.BehaviorOptions(
                 origin=origins.HttpOrigin("www.example.com"),
-                trusted_key_groups=[key_group
-                ]
+                realtime_log_config=real_time_config
             )
         )
     '''
@@ -518,6 +1022,7 @@ class HttpOrigin(
         connection_attempts: typing.Optional[jsii.Number] = None,
         connection_timeout: typing.Optional[_Duration_4839e8c3] = None,
         custom_headers: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
+        origin_access_control_id: typing.Optional[builtins.str] = None,
         origin_id: typing.Optional[builtins.str] = None,
         origin_shield_enabled: typing.Optional[builtins.bool] = None,
         origin_shield_region: typing.Optional[builtins.str] = None,
@@ -534,6 +1039,7 @@ class HttpOrigin(
         :param connection_attempts: The number of times that CloudFront attempts to connect to the origin; valid values are 1, 2, or 3 attempts. Default: 3
         :param connection_timeout: The number of seconds that CloudFront waits when trying to establish a connection to the origin. Valid values are 1-10 seconds, inclusive. Default: Duration.seconds(10)
         :param custom_headers: A list of HTTP header names and values that CloudFront adds to requests it sends to the origin. Default: {}
+        :param origin_access_control_id: The unique identifier of an origin access control for this origin. Default: - no origin access control
         :param origin_id: A unique identifier for the origin. This value must be unique within the distribution. Default: - an originid will be generated for you
         :param origin_shield_enabled: Origin Shield is enabled by setting originShieldRegion to a valid region, after this to disable Origin Shield again you must set this flag to false. Default: - true
         :param origin_shield_region: When you enable Origin Shield in the AWS Region that has the lowest latency to your origin, you can get better network performance. Default: - origin shield not enabled
@@ -552,6 +1058,7 @@ class HttpOrigin(
             connection_attempts=connection_attempts,
             connection_timeout=connection_timeout,
             custom_headers=custom_headers,
+            origin_access_control_id=origin_access_control_id,
             origin_id=origin_id,
             origin_shield_enabled=origin_shield_enabled,
             origin_shield_region=origin_shield_region,
@@ -573,6 +1080,7 @@ class HttpOrigin(
         "connection_attempts": "connectionAttempts",
         "connection_timeout": "connectionTimeout",
         "custom_headers": "customHeaders",
+        "origin_access_control_id": "originAccessControlId",
         "origin_id": "originId",
         "origin_shield_enabled": "originShieldEnabled",
         "origin_shield_region": "originShieldRegion",
@@ -592,6 +1100,7 @@ class HttpOriginProps(_OriginProps_0675928d):
         connection_attempts: typing.Optional[jsii.Number] = None,
         connection_timeout: typing.Optional[_Duration_4839e8c3] = None,
         custom_headers: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
+        origin_access_control_id: typing.Optional[builtins.str] = None,
         origin_id: typing.Optional[builtins.str] = None,
         origin_shield_enabled: typing.Optional[builtins.bool] = None,
         origin_shield_region: typing.Optional[builtins.str] = None,
@@ -608,6 +1117,7 @@ class HttpOriginProps(_OriginProps_0675928d):
         :param connection_attempts: The number of times that CloudFront attempts to connect to the origin; valid values are 1, 2, or 3 attempts. Default: 3
         :param connection_timeout: The number of seconds that CloudFront waits when trying to establish a connection to the origin. Valid values are 1-10 seconds, inclusive. Default: Duration.seconds(10)
         :param custom_headers: A list of HTTP header names and values that CloudFront adds to requests it sends to the origin. Default: {}
+        :param origin_access_control_id: The unique identifier of an origin access control for this origin. Default: - no origin access control
         :param origin_id: A unique identifier for the origin. This value must be unique within the distribution. Default: - an originid will be generated for you
         :param origin_shield_enabled: Origin Shield is enabled by setting originShieldRegion to a valid region, after this to disable Origin Shield again you must set this flag to false. Default: - true
         :param origin_shield_region: When you enable Origin Shield in the AWS Region that has the lowest latency to your origin, you can get better network performance. Default: - origin shield not enabled
@@ -638,6 +1148,7 @@ class HttpOriginProps(_OriginProps_0675928d):
                 http_port=123,
                 https_port=123,
                 keepalive_timeout=cdk.Duration.minutes(30),
+                origin_access_control_id="originAccessControlId",
                 origin_id="originId",
                 origin_path="originPath",
                 origin_shield_enabled=False,
@@ -652,6 +1163,7 @@ class HttpOriginProps(_OriginProps_0675928d):
             check_type(argname="argument connection_attempts", value=connection_attempts, expected_type=type_hints["connection_attempts"])
             check_type(argname="argument connection_timeout", value=connection_timeout, expected_type=type_hints["connection_timeout"])
             check_type(argname="argument custom_headers", value=custom_headers, expected_type=type_hints["custom_headers"])
+            check_type(argname="argument origin_access_control_id", value=origin_access_control_id, expected_type=type_hints["origin_access_control_id"])
             check_type(argname="argument origin_id", value=origin_id, expected_type=type_hints["origin_id"])
             check_type(argname="argument origin_shield_enabled", value=origin_shield_enabled, expected_type=type_hints["origin_shield_enabled"])
             check_type(argname="argument origin_shield_region", value=origin_shield_region, expected_type=type_hints["origin_shield_region"])
@@ -669,6 +1181,8 @@ class HttpOriginProps(_OriginProps_0675928d):
             self._values["connection_timeout"] = connection_timeout
         if custom_headers is not None:
             self._values["custom_headers"] = custom_headers
+        if origin_access_control_id is not None:
+            self._values["origin_access_control_id"] = origin_access_control_id
         if origin_id is not None:
             self._values["origin_id"] = origin_id
         if origin_shield_enabled is not None:
@@ -723,6 +1237,15 @@ class HttpOriginProps(_OriginProps_0675928d):
         result = self._values.get("custom_headers")
         return typing.cast(typing.Optional[typing.Mapping[builtins.str, builtins.str]], result)
 
+    @builtins.property
+    def origin_access_control_id(self) -> typing.Optional[builtins.str]:
+        '''The unique identifier of an origin access control for this origin.
+
+        :default: - no origin access control
+        '''
+        result = self._values.get("origin_access_control_id")
+        return typing.cast(typing.Optional[builtins.str], result)
+
     @builtins.property
     def origin_id(self) -> typing.Optional[builtins.str]:
         '''A unique identifier for the origin.
@@ -884,6 +1407,7 @@ class LoadBalancerV2Origin(
         connection_attempts: typing.Optional[jsii.Number] = None,
         connection_timeout: typing.Optional[_Duration_4839e8c3] = None,
         custom_headers: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
+        origin_access_control_id: typing.Optional[builtins.str] = None,
         origin_id: typing.Optional[builtins.str] = None,
         origin_shield_enabled: typing.Optional[builtins.bool] = None,
         origin_shield_region: typing.Optional[builtins.str] = None,
@@ -900,6 +1424,7 @@ class LoadBalancerV2Origin(
         :param connection_attempts: The number of times that CloudFront attempts to connect to the origin; valid values are 1, 2, or 3 attempts. Default: 3
         :param connection_timeout: The number of seconds that CloudFront waits when trying to establish a connection to the origin. Valid values are 1-10 seconds, inclusive. Default: Duration.seconds(10)
         :param custom_headers: A list of HTTP header names and values that CloudFront adds to requests it sends to the origin. Default: {}
+        :param origin_access_control_id: The unique identifier of an origin access control for this origin. Default: - no origin access control
         :param origin_id: A unique identifier for the origin. This value must be unique within the distribution. Default: - an originid will be generated for you
         :param origin_shield_enabled: Origin Shield is enabled by setting originShieldRegion to a valid region, after this to disable Origin Shield again you must set this flag to false. Default: - true
         :param origin_shield_region: When you enable Origin Shield in the AWS Region that has the lowest latency to your origin, you can get better network performance. Default: - origin shield not enabled
@@ -918,6 +1443,7 @@ class LoadBalancerV2Origin(
             connection_attempts=connection_attempts,
             connection_timeout=connection_timeout,
             custom_headers=custom_headers,
+            origin_access_control_id=origin_access_control_id,
             origin_id=origin_id,
             origin_shield_enabled=origin_shield_enabled,
             origin_shield_region=origin_shield_region,
@@ -933,6 +1459,7 @@ class LoadBalancerV2Origin(
         "connection_attempts": "connectionAttempts",
         "connection_timeout": "connectionTimeout",
         "custom_headers": "customHeaders",
+        "origin_access_control_id": "originAccessControlId",
         "origin_id": "originId",
         "origin_shield_enabled": "originShieldEnabled",
         "origin_shield_region": "originShieldRegion",
@@ -952,6 +1479,7 @@ class LoadBalancerV2OriginProps(HttpOriginProps):
         connection_attempts: typing.Optional[jsii.Number] = None,
         connection_timeout: typing.Optional[_Duration_4839e8c3] = None,
         custom_headers: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
+        origin_access_control_id: typing.Optional[builtins.str] = None,
         origin_id: typing.Optional[builtins.str] = None,
         origin_shield_enabled: typing.Optional[builtins.bool] = None,
         origin_shield_region: typing.Optional[builtins.str] = None,
@@ -968,6 +1496,7 @@ class LoadBalancerV2OriginProps(HttpOriginProps):
         :param connection_attempts: The number of times that CloudFront attempts to connect to the origin; valid values are 1, 2, or 3 attempts. Default: 3
         :param connection_timeout: The number of seconds that CloudFront waits when trying to establish a connection to the origin. Valid values are 1-10 seconds, inclusive. Default: Duration.seconds(10)
         :param custom_headers: A list of HTTP header names and values that CloudFront adds to requests it sends to the origin. Default: {}
+        :param origin_access_control_id: The unique identifier of an origin access control for this origin. Default: - no origin access control
         :param origin_id: A unique identifier for the origin. This value must be unique within the distribution. Default: - an originid will be generated for you
         :param origin_shield_enabled: Origin Shield is enabled by setting originShieldRegion to a valid region, after this to disable Origin Shield again you must set this flag to false. Default: - true
         :param origin_shield_region: When you enable Origin Shield in the AWS Region that has the lowest latency to your origin, you can get better network performance. Default: - origin shield not enabled
@@ -1000,6 +1529,7 @@ class LoadBalancerV2OriginProps(HttpOriginProps):
             check_type(argname="argument connection_attempts", value=connection_attempts, expected_type=type_hints["connection_attempts"])
             check_type(argname="argument connection_timeout", value=connection_timeout, expected_type=type_hints["connection_timeout"])
             check_type(argname="argument custom_headers", value=custom_headers, expected_type=type_hints["custom_headers"])
+            check_type(argname="argument origin_access_control_id", value=origin_access_control_id, expected_type=type_hints["origin_access_control_id"])
             check_type(argname="argument origin_id", value=origin_id, expected_type=type_hints["origin_id"])
             check_type(argname="argument origin_shield_enabled", value=origin_shield_enabled, expected_type=type_hints["origin_shield_enabled"])
             check_type(argname="argument origin_shield_region", value=origin_shield_region, expected_type=type_hints["origin_shield_region"])
@@ -1017,6 +1547,8 @@ class LoadBalancerV2OriginProps(HttpOriginProps):
             self._values["connection_timeout"] = connection_timeout
         if custom_headers is not None:
             self._values["custom_headers"] = custom_headers
+        if origin_access_control_id is not None:
+            self._values["origin_access_control_id"] = origin_access_control_id
         if origin_id is not None:
             self._values["origin_id"] = origin_id
         if origin_shield_enabled is not None:
@@ -1071,6 +1603,15 @@ class LoadBalancerV2OriginProps(HttpOriginProps):
         result = self._values.get("custom_headers")
         return typing.cast(typing.Optional[typing.Mapping[builtins.str, builtins.str]], result)
 
+    @builtins.property
+    def origin_access_control_id(self) -> typing.Optional[builtins.str]:
+        '''The unique identifier of an origin access control for this origin.
+
+        :default: - no origin access control
+        '''
+        result = self._values.get("origin_access_control_id")
+        return typing.cast(typing.Optional[builtins.str], result)
+
     @builtins.property
     def origin_id(self) -> typing.Optional[builtins.str]:
         '''A unique identifier for the origin.
@@ -1209,7 +1750,7 @@ class OriginGroup(
         cloudfront.Distribution(self, "myDist",
             default_behavior=cloudfront.BehaviorOptions(
                 origin=origins.OriginGroup(
-                    primary_origin=origins.S3Origin(my_bucket),
+                    primary_origin=origins.S3BucketOrigin.with_origin_access_control(my_bucket),
                     fallback_origin=origins.HttpOrigin("www.example.com"),
                     # optional, defaults to: 500, 502, 503 and 504
                     fallback_status_codes=[404]
@@ -1244,16 +1785,20 @@ class OriginGroup(
         scope: _constructs_77d1e7e8.Construct,
         *,
         origin_id: builtins.str,
+        distribution_id: typing.Optional[builtins.str] = None,
     ) -> _OriginBindConfig_25a57096:
         '''The method called when a given Origin is added (for the first time) to a Distribution.
 
         :param scope: -
         :param origin_id: The identifier of this Origin, as assigned by the Distribution this Origin has been used added to.
+        :param distribution_id: The identifier of the Distribution this Origin is used for. This is used to grant origin access permissions to the distribution for origin access control. Default: - no distribution id
         '''
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__428f309ea8c48c002d77db24802c77164c9607d40492e08c4b243080f941ff61)
             check_type(argname="argument scope", value=scope, expected_type=type_hints["scope"])
-        options = _OriginBindOptions_088c2b51(origin_id=origin_id)
+        options = _OriginBindOptions_088c2b51(
+            origin_id=origin_id, distribution_id=distribution_id
+        )
 
         return typing.cast(_OriginBindConfig_25a57096, jsii.invoke(self, "bind", [scope, options]))
 
@@ -1289,7 +1834,7 @@ class OriginGroupProps:
             cloudfront.Distribution(self, "myDist",
                 default_behavior=cloudfront.BehaviorOptions(
                     origin=origins.OriginGroup(
-                        primary_origin=origins.S3Origin(my_bucket),
+                        primary_origin=origins.S3BucketOrigin.with_origin_access_control(my_bucket),
                         fallback_origin=origins.HttpOrigin("www.example.com"),
                         # optional, defaults to: 500, 502, 503 and 504
                         fallback_status_codes=[404]
@@ -1372,6 +1917,7 @@ class RestApiOrigin(
         connection_attempts: typing.Optional[jsii.Number] = None,
         connection_timeout: typing.Optional[_Duration_4839e8c3] = None,
         custom_headers: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
+        origin_access_control_id: typing.Optional[builtins.str] = None,
         origin_id: typing.Optional[builtins.str] = None,
         origin_shield_enabled: typing.Optional[builtins.bool] = None,
         origin_shield_region: typing.Optional[builtins.str] = None,
@@ -1384,6 +1930,7 @@ class RestApiOrigin(
         :param connection_attempts: The number of times that CloudFront attempts to connect to the origin; valid values are 1, 2, or 3 attempts. Default: 3
         :param connection_timeout: The number of seconds that CloudFront waits when trying to establish a connection to the origin. Valid values are 1-10 seconds, inclusive. Default: Duration.seconds(10)
         :param custom_headers: A list of HTTP header names and values that CloudFront adds to requests it sends to the origin. Default: {}
+        :param origin_access_control_id: The unique identifier of an origin access control for this origin. Default: - no origin access control
         :param origin_id: A unique identifier for the origin. This value must be unique within the distribution. Default: - an originid will be generated for you
         :param origin_shield_enabled: Origin Shield is enabled by setting originShieldRegion to a valid region, after this to disable Origin Shield again you must set this flag to false. Default: - true
         :param origin_shield_region: When you enable Origin Shield in the AWS Region that has the lowest latency to your origin, you can get better network performance. Default: - origin shield not enabled
@@ -1398,6 +1945,7 @@ class RestApiOrigin(
             connection_attempts=connection_attempts,
             connection_timeout=connection_timeout,
             custom_headers=custom_headers,
+            origin_access_control_id=origin_access_control_id,
             origin_id=origin_id,
             origin_shield_enabled=origin_shield_enabled,
             origin_shield_region=origin_shield_region,
@@ -1419,6 +1967,7 @@ class RestApiOrigin(
         "connection_attempts": "connectionAttempts",
         "connection_timeout": "connectionTimeout",
         "custom_headers": "customHeaders",
+        "origin_access_control_id": "originAccessControlId",
         "origin_id": "originId",
         "origin_shield_enabled": "originShieldEnabled",
         "origin_shield_region": "originShieldRegion",
@@ -1434,6 +1983,7 @@ class RestApiOriginProps(_OriginProps_0675928d):
         connection_attempts: typing.Optional[jsii.Number] = None,
         connection_timeout: typing.Optional[_Duration_4839e8c3] = None,
         custom_headers: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
+        origin_access_control_id: typing.Optional[builtins.str] = None,
         origin_id: typing.Optional[builtins.str] = None,
         origin_shield_enabled: typing.Optional[builtins.bool] = None,
         origin_shield_region: typing.Optional[builtins.str] = None,
@@ -1446,6 +1996,7 @@ class RestApiOriginProps(_OriginProps_0675928d):
         :param connection_attempts: The number of times that CloudFront attempts to connect to the origin; valid values are 1, 2, or 3 attempts. Default: 3
         :param connection_timeout: The number of seconds that CloudFront waits when trying to establish a connection to the origin. Valid values are 1-10 seconds, inclusive. Default: Duration.seconds(10)
         :param custom_headers: A list of HTTP header names and values that CloudFront adds to requests it sends to the origin. Default: {}
+        :param origin_access_control_id: The unique identifier of an origin access control for this origin. Default: - no origin access control
         :param origin_id: A unique identifier for the origin. This value must be unique within the distribution. Default: - an originid will be generated for you
         :param origin_shield_enabled: Origin Shield is enabled by setting originShieldRegion to a valid region, after this to disable Origin Shield again you must set this flag to false. Default: - true
         :param origin_shield_region: When you enable Origin Shield in the AWS Region that has the lowest latency to your origin, you can get better network performance. Default: - origin shield not enabled
@@ -1468,6 +2019,7 @@ class RestApiOriginProps(_OriginProps_0675928d):
             check_type(argname="argument connection_attempts", value=connection_attempts, expected_type=type_hints["connection_attempts"])
             check_type(argname="argument connection_timeout", value=connection_timeout, expected_type=type_hints["connection_timeout"])
             check_type(argname="argument custom_headers", value=custom_headers, expected_type=type_hints["custom_headers"])
+            check_type(argname="argument origin_access_control_id", value=origin_access_control_id, expected_type=type_hints["origin_access_control_id"])
             check_type(argname="argument origin_id", value=origin_id, expected_type=type_hints["origin_id"])
             check_type(argname="argument origin_shield_enabled", value=origin_shield_enabled, expected_type=type_hints["origin_shield_enabled"])
             check_type(argname="argument origin_shield_region", value=origin_shield_region, expected_type=type_hints["origin_shield_region"])
@@ -1481,6 +2033,8 @@ class RestApiOriginProps(_OriginProps_0675928d):
             self._values["connection_timeout"] = connection_timeout
         if custom_headers is not None:
             self._values["custom_headers"] = custom_headers
+        if origin_access_control_id is not None:
+            self._values["origin_access_control_id"] = origin_access_control_id
         if origin_id is not None:
             self._values["origin_id"] = origin_id
         if origin_shield_enabled is not None:
@@ -1527,6 +2081,15 @@ class RestApiOriginProps(_OriginProps_0675928d):
         result = self._values.get("custom_headers")
         return typing.cast(typing.Optional[typing.Mapping[builtins.str, builtins.str]], result)
 
+    @builtins.property
+    def origin_access_control_id(self) -> typing.Optional[builtins.str]:
+        '''The unique identifier of an origin access control for this origin.
+
+        :default: - no origin access control
+        '''
+        result = self._values.get("origin_access_control_id")
+        return typing.cast(typing.Optional[builtins.str], result)
+
     @builtins.property
     def origin_id(self) -> typing.Optional[builtins.str]:
         '''A unique identifier for the origin.
@@ -1609,35 +2172,26 @@ class RestApiOriginProps(_OriginProps_0675928d):
         )
 
 
-@jsii.implements(_IOrigin_83d4c1fa)
-class S3Origin(
-    metaclass=jsii.JSIIMeta,
-    jsii_type="aws-cdk-lib.aws_cloudfront_origins.S3Origin",
+class S3BucketOrigin(
+    _OriginBase_b8fe5bcc,
+    metaclass=jsii.JSIIAbstractClass,
+    jsii_type="aws-cdk-lib.aws_cloudfront_origins.S3BucketOrigin",
 ):
-    '''An Origin that is backed by an S3 bucket.
-
-    If the bucket is configured for website hosting, this origin will be configured to use the bucket as an
-    HTTP server origin and will use the bucket's configured website redirects and error handling. Otherwise,
-    the origin is created as a bucket origin and will use CloudFront's redirect and error handling.
+    '''A S3 Bucket Origin.
 
     :exampleMetadata: infused
 
     Example::
 
-        # Adding an existing Lambda@Edge function created in a different stack
-        # to a CloudFront distribution.
-        # s3_bucket: s3.Bucket
-        
-        function_version = lambda_.Version.from_version_arn(self, "Version", "arn:aws:lambda:us-east-1:123456789012:function:functionName:1")
-        
-        cloudfront.Distribution(self, "distro",
+        my_bucket = s3.Bucket(self, "myBucket")
+        cloudfront.Distribution(self, "myDist",
             default_behavior=cloudfront.BehaviorOptions(
-                origin=origins.S3Origin(s3_bucket),
-                edge_lambdas=[cloudfront.EdgeLambda(
-                    function_version=function_version,
-                    event_type=cloudfront.LambdaEdgeEventType.VIEWER_REQUEST
+                origin=origins.OriginGroup(
+                    primary_origin=origins.S3BucketOrigin.with_origin_access_control(my_bucket),
+                    fallback_origin=origins.HttpOrigin("www.example.com"),
+                    # optional, defaults to: 500, 502, 503 and 504
+                    fallback_status_codes=[404]
                 )
-                ]
             )
         )
     '''
@@ -1646,35 +2200,35 @@ class S3Origin(
         self,
         bucket: _IBucket_42e086fd,
         *,
-        origin_access_identity: typing.Optional[_IOriginAccessIdentity_a922494c] = None,
         origin_path: typing.Optional[builtins.str] = None,
         connection_attempts: typing.Optional[jsii.Number] = None,
         connection_timeout: typing.Optional[_Duration_4839e8c3] = None,
         custom_headers: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
+        origin_access_control_id: typing.Optional[builtins.str] = None,
         origin_id: typing.Optional[builtins.str] = None,
         origin_shield_enabled: typing.Optional[builtins.bool] = None,
         origin_shield_region: typing.Optional[builtins.str] = None,
     ) -> None:
         '''
         :param bucket: -
-        :param origin_access_identity: An optional Origin Access Identity of the origin identity cloudfront will use when calling your s3 bucket. Default: - An Origin Access Identity will be created.
         :param origin_path: An optional path that CloudFront appends to the origin domain name when CloudFront requests content from the origin. Must begin, but not end, with '/' (e.g., '/production/images'). Default: '/'
         :param connection_attempts: The number of times that CloudFront attempts to connect to the origin; valid values are 1, 2, or 3 attempts. Default: 3
         :param connection_timeout: The number of seconds that CloudFront waits when trying to establish a connection to the origin. Valid values are 1-10 seconds, inclusive. Default: Duration.seconds(10)
         :param custom_headers: A list of HTTP header names and values that CloudFront adds to requests it sends to the origin. Default: {}
+        :param origin_access_control_id: The unique identifier of an origin access control for this origin. Default: - no origin access control
         :param origin_id: A unique identifier for the origin. This value must be unique within the distribution. Default: - an originid will be generated for you
         :param origin_shield_enabled: Origin Shield is enabled by setting originShieldRegion to a valid region, after this to disable Origin Shield again you must set this flag to false. Default: - true
         :param origin_shield_region: When you enable Origin Shield in the AWS Region that has the lowest latency to your origin, you can get better network performance. Default: - origin shield not enabled
         '''
         if __debug__:
-            type_hints = typing.get_type_hints(_typecheckingstub__9ba8623373b0faa9ac55c816167da21a58e0753e0dd032b1f3e6ccd0bd977994)
+            type_hints = typing.get_type_hints(_typecheckingstub__3cb1f0b82603224c7fbeb25b954355d9b19c8971c1f19cce6cc99b4579024f0f)
             check_type(argname="argument bucket", value=bucket, expected_type=type_hints["bucket"])
-        props = S3OriginProps(
-            origin_access_identity=origin_access_identity,
+        props = S3BucketOriginBaseProps(
             origin_path=origin_path,
             connection_attempts=connection_attempts,
             connection_timeout=connection_timeout,
             custom_headers=custom_headers,
+            origin_access_control_id=origin_access_control_id,
             origin_id=origin_id,
             origin_shield_enabled=origin_shield_enabled,
             origin_shield_region=origin_shield_region,
@@ -1682,87 +2236,1233 @@ class S3Origin(
 
         jsii.create(self.__class__, self, [bucket, props])
 
-    @jsii.member(jsii_name="bind")
-    def bind(
-        self,
-        scope: _constructs_77d1e7e8.Construct,
+    @jsii.member(jsii_name="withBucketDefaults")
+    @builtins.classmethod
+    def with_bucket_defaults(
+        cls,
+        bucket: _IBucket_42e086fd,
         *,
-        origin_id: builtins.str,
-    ) -> _OriginBindConfig_25a57096:
-        '''The method called when a given Origin is added (for the first time) to a Distribution.
+        origin_path: typing.Optional[builtins.str] = None,
+        connection_attempts: typing.Optional[jsii.Number] = None,
+        connection_timeout: typing.Optional[_Duration_4839e8c3] = None,
+        custom_headers: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
+        origin_access_control_id: typing.Optional[builtins.str] = None,
+        origin_id: typing.Optional[builtins.str] = None,
+        origin_shield_enabled: typing.Optional[builtins.bool] = None,
+        origin_shield_region: typing.Optional[builtins.str] = None,
+    ) -> _IOrigin_83d4c1fa:
+        '''Create a S3 Origin with default S3 bucket settings (no origin access control).
 
-        :param scope: -
-        :param origin_id: The identifier of this Origin, as assigned by the Distribution this Origin has been used added to.
-        '''
-        if __debug__:
-            type_hints = typing.get_type_hints(_typecheckingstub__1731b0d7a385b196730b287be11e2cb13fa03d064ae3ffbfd55c5422a8f2c430)
-            check_type(argname="argument scope", value=scope, expected_type=type_hints["scope"])
-        options = _OriginBindOptions_088c2b51(origin_id=origin_id)
+        :param bucket: -
+        :param origin_path: An optional path that CloudFront appends to the origin domain name when CloudFront requests content from the origin. Must begin, but not end, with '/' (e.g., '/production/images'). Default: '/'
+        :param connection_attempts: The number of times that CloudFront attempts to connect to the origin; valid values are 1, 2, or 3 attempts. Default: 3
+        :param connection_timeout: The number of seconds that CloudFront waits when trying to establish a connection to the origin. Valid values are 1-10 seconds, inclusive. Default: Duration.seconds(10)
+        :param custom_headers: A list of HTTP header names and values that CloudFront adds to requests it sends to the origin. Default: {}
+        :param origin_access_control_id: The unique identifier of an origin access control for this origin. Default: - no origin access control
+        :param origin_id: A unique identifier for the origin. This value must be unique within the distribution. Default: - an originid will be generated for you
+        :param origin_shield_enabled: Origin Shield is enabled by setting originShieldRegion to a valid region, after this to disable Origin Shield again you must set this flag to false. Default: - true
+        :param origin_shield_region: When you enable Origin Shield in the AWS Region that has the lowest latency to your origin, you can get better network performance. Default: - origin shield not enabled
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__f676436dc530972f0e77d574f148913989a94d38c9af09bff28450e29ace8acb)
+            check_type(argname="argument bucket", value=bucket, expected_type=type_hints["bucket"])
+        props = _OriginProps_0675928d(
+            origin_path=origin_path,
+            connection_attempts=connection_attempts,
+            connection_timeout=connection_timeout,
+            custom_headers=custom_headers,
+            origin_access_control_id=origin_access_control_id,
+            origin_id=origin_id,
+            origin_shield_enabled=origin_shield_enabled,
+            origin_shield_region=origin_shield_region,
+        )
+
+        return typing.cast(_IOrigin_83d4c1fa, jsii.sinvoke(cls, "withBucketDefaults", [bucket, props]))
+
+    @jsii.member(jsii_name="withOriginAccessControl")
+    @builtins.classmethod
+    def with_origin_access_control(
+        cls,
+        bucket: _IBucket_42e086fd,
+        *,
+        origin_access_control: typing.Optional[_IOriginAccessControl_82a6fe5a] = None,
+        origin_access_levels: typing.Optional[typing.Sequence[_AccessLevel_315d9a76]] = None,
+        origin_path: typing.Optional[builtins.str] = None,
+        connection_attempts: typing.Optional[jsii.Number] = None,
+        connection_timeout: typing.Optional[_Duration_4839e8c3] = None,
+        custom_headers: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
+        origin_access_control_id: typing.Optional[builtins.str] = None,
+        origin_id: typing.Optional[builtins.str] = None,
+        origin_shield_enabled: typing.Optional[builtins.bool] = None,
+        origin_shield_region: typing.Optional[builtins.str] = None,
+    ) -> _IOrigin_83d4c1fa:
+        '''Create a S3 Origin with Origin Access Control (OAC) configured.
+
+        :param bucket: -
+        :param origin_access_control: An optional Origin Access Control. Default: - an Origin Access Control will be created.
+        :param origin_access_levels: The level of permissions granted in the bucket policy and key policy (if applicable) to the CloudFront distribution. Default: [AccessLevel.READ]
+        :param origin_path: An optional path that CloudFront appends to the origin domain name when CloudFront requests content from the origin. Must begin, but not end, with '/' (e.g., '/production/images'). Default: '/'
+        :param connection_attempts: The number of times that CloudFront attempts to connect to the origin; valid values are 1, 2, or 3 attempts. Default: 3
+        :param connection_timeout: The number of seconds that CloudFront waits when trying to establish a connection to the origin. Valid values are 1-10 seconds, inclusive. Default: Duration.seconds(10)
+        :param custom_headers: A list of HTTP header names and values that CloudFront adds to requests it sends to the origin. Default: {}
+        :param origin_access_control_id: The unique identifier of an origin access control for this origin. Default: - no origin access control
+        :param origin_id: A unique identifier for the origin. This value must be unique within the distribution. Default: - an originid will be generated for you
+        :param origin_shield_enabled: Origin Shield is enabled by setting originShieldRegion to a valid region, after this to disable Origin Shield again you must set this flag to false. Default: - true
+        :param origin_shield_region: When you enable Origin Shield in the AWS Region that has the lowest latency to your origin, you can get better network performance. Default: - origin shield not enabled
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__23afb965139dc34be23cec3ad5506b4c5de509db9c0d653bed7877f463b7a9db)
+            check_type(argname="argument bucket", value=bucket, expected_type=type_hints["bucket"])
+        props = S3BucketOriginWithOACProps(
+            origin_access_control=origin_access_control,
+            origin_access_levels=origin_access_levels,
+            origin_path=origin_path,
+            connection_attempts=connection_attempts,
+            connection_timeout=connection_timeout,
+            custom_headers=custom_headers,
+            origin_access_control_id=origin_access_control_id,
+            origin_id=origin_id,
+            origin_shield_enabled=origin_shield_enabled,
+            origin_shield_region=origin_shield_region,
+        )
+
+        return typing.cast(_IOrigin_83d4c1fa, jsii.sinvoke(cls, "withOriginAccessControl", [bucket, props]))
+
+    @jsii.member(jsii_name="withOriginAccessIdentity")
+    @builtins.classmethod
+    def with_origin_access_identity(
+        cls,
+        bucket: _IBucket_42e086fd,
+        *,
+        origin_access_identity: typing.Optional[_IOriginAccessIdentity_a922494c] = None,
+        origin_path: typing.Optional[builtins.str] = None,
+        connection_attempts: typing.Optional[jsii.Number] = None,
+        connection_timeout: typing.Optional[_Duration_4839e8c3] = None,
+        custom_headers: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
+        origin_access_control_id: typing.Optional[builtins.str] = None,
+        origin_id: typing.Optional[builtins.str] = None,
+        origin_shield_enabled: typing.Optional[builtins.bool] = None,
+        origin_shield_region: typing.Optional[builtins.str] = None,
+    ) -> _IOrigin_83d4c1fa:
+        '''Create a S3 Origin with Origin Access Identity (OAI) configured OAI is a legacy feature and we **strongly** recommend you to use OAC via ``withOriginAccessControl()`` unless it is not supported in your required region (e.g. China regions).
+
+        :param bucket: -
+        :param origin_access_identity: An optional Origin Access Identity. Default: - an Origin Access Identity will be created.
+        :param origin_path: An optional path that CloudFront appends to the origin domain name when CloudFront requests content from the origin. Must begin, but not end, with '/' (e.g., '/production/images'). Default: '/'
+        :param connection_attempts: The number of times that CloudFront attempts to connect to the origin; valid values are 1, 2, or 3 attempts. Default: 3
+        :param connection_timeout: The number of seconds that CloudFront waits when trying to establish a connection to the origin. Valid values are 1-10 seconds, inclusive. Default: Duration.seconds(10)
+        :param custom_headers: A list of HTTP header names and values that CloudFront adds to requests it sends to the origin. Default: {}
+        :param origin_access_control_id: The unique identifier of an origin access control for this origin. Default: - no origin access control
+        :param origin_id: A unique identifier for the origin. This value must be unique within the distribution. Default: - an originid will be generated for you
+        :param origin_shield_enabled: Origin Shield is enabled by setting originShieldRegion to a valid region, after this to disable Origin Shield again you must set this flag to false. Default: - true
+        :param origin_shield_region: When you enable Origin Shield in the AWS Region that has the lowest latency to your origin, you can get better network performance. Default: - origin shield not enabled
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__13e7421c65d5fbb92fc686fa854daca3e90dc002f3e99da4b4757e32e3c4105d)
+            check_type(argname="argument bucket", value=bucket, expected_type=type_hints["bucket"])
+        props = S3BucketOriginWithOAIProps(
+            origin_access_identity=origin_access_identity,
+            origin_path=origin_path,
+            connection_attempts=connection_attempts,
+            connection_timeout=connection_timeout,
+            custom_headers=custom_headers,
+            origin_access_control_id=origin_access_control_id,
+            origin_id=origin_id,
+            origin_shield_enabled=origin_shield_enabled,
+            origin_shield_region=origin_shield_region,
+        )
+
+        return typing.cast(_IOrigin_83d4c1fa, jsii.sinvoke(cls, "withOriginAccessIdentity", [bucket, props]))
+
+    @jsii.member(jsii_name="renderS3OriginConfig")
+    def _render_s3_origin_config(
+        self,
+    ) -> typing.Optional[_CfnDistribution_d9ad3595.S3OriginConfigProperty]:
+        return typing.cast(typing.Optional[_CfnDistribution_d9ad3595.S3OriginConfigProperty], jsii.invoke(self, "renderS3OriginConfig", []))
 
-        return typing.cast(_OriginBindConfig_25a57096, jsii.invoke(self, "bind", [scope, options]))
+
+class _S3BucketOriginProxy(
+    S3BucketOrigin,
+    jsii.proxy_for(_OriginBase_b8fe5bcc), # type: ignore[misc]
+):
+    pass
+
+# Adding a "__jsii_proxy_class__(): typing.Type" function to the abstract class
+typing.cast(typing.Any, S3BucketOrigin).__jsii_proxy_class__ = lambda : _S3BucketOriginProxy
 
 
 @jsii.data_type(
-    jsii_type="aws-cdk-lib.aws_cloudfront_origins.S3OriginProps",
+    jsii_type="aws-cdk-lib.aws_cloudfront_origins.S3BucketOriginBaseProps",
     jsii_struct_bases=[_OriginProps_0675928d],
     name_mapping={
         "connection_attempts": "connectionAttempts",
         "connection_timeout": "connectionTimeout",
         "custom_headers": "customHeaders",
+        "origin_access_control_id": "originAccessControlId",
         "origin_id": "originId",
         "origin_shield_enabled": "originShieldEnabled",
         "origin_shield_region": "originShieldRegion",
         "origin_path": "originPath",
-        "origin_access_identity": "originAccessIdentity",
     },
 )
-class S3OriginProps(_OriginProps_0675928d):
+class S3BucketOriginBaseProps(_OriginProps_0675928d):
     def __init__(
         self,
         *,
         connection_attempts: typing.Optional[jsii.Number] = None,
         connection_timeout: typing.Optional[_Duration_4839e8c3] = None,
         custom_headers: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
+        origin_access_control_id: typing.Optional[builtins.str] = None,
         origin_id: typing.Optional[builtins.str] = None,
         origin_shield_enabled: typing.Optional[builtins.bool] = None,
         origin_shield_region: typing.Optional[builtins.str] = None,
         origin_path: typing.Optional[builtins.str] = None,
-        origin_access_identity: typing.Optional[_IOriginAccessIdentity_a922494c] = None,
     ) -> None:
-        '''Properties to use to customize an S3 Origin.
+        '''Properties for configuring a origin using a standard S3 bucket.
+
+        :param connection_attempts: The number of times that CloudFront attempts to connect to the origin; valid values are 1, 2, or 3 attempts. Default: 3
+        :param connection_timeout: The number of seconds that CloudFront waits when trying to establish a connection to the origin. Valid values are 1-10 seconds, inclusive. Default: Duration.seconds(10)
+        :param custom_headers: A list of HTTP header names and values that CloudFront adds to requests it sends to the origin. Default: {}
+        :param origin_access_control_id: The unique identifier of an origin access control for this origin. Default: - no origin access control
+        :param origin_id: A unique identifier for the origin. This value must be unique within the distribution. Default: - an originid will be generated for you
+        :param origin_shield_enabled: Origin Shield is enabled by setting originShieldRegion to a valid region, after this to disable Origin Shield again you must set this flag to false. Default: - true
+        :param origin_shield_region: When you enable Origin Shield in the AWS Region that has the lowest latency to your origin, you can get better network performance. Default: - origin shield not enabled
+        :param origin_path: An optional path that CloudFront appends to the origin domain name when CloudFront requests content from the origin. Must begin, but not end, with '/' (e.g., '/production/images'). Default: '/'
+
+        :exampleMetadata: fixture=_generated
+
+        Example::
+
+            # The code below shows an example of how to instantiate this type.
+            # The values are placeholders you should change.
+            import aws_cdk as cdk
+            from aws_cdk import aws_cloudfront_origins as cloudfront_origins
+            
+            s3_bucket_origin_base_props = cloudfront_origins.S3BucketOriginBaseProps(
+                connection_attempts=123,
+                connection_timeout=cdk.Duration.minutes(30),
+                custom_headers={
+                    "custom_headers_key": "customHeaders"
+                },
+                origin_access_control_id="originAccessControlId",
+                origin_id="originId",
+                origin_path="originPath",
+                origin_shield_enabled=False,
+                origin_shield_region="originShieldRegion"
+            )
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__c5e580c31fe629b713e1ecbf9905ebb4220e152805ab34129f693f2c4d4db098)
+            check_type(argname="argument connection_attempts", value=connection_attempts, expected_type=type_hints["connection_attempts"])
+            check_type(argname="argument connection_timeout", value=connection_timeout, expected_type=type_hints["connection_timeout"])
+            check_type(argname="argument custom_headers", value=custom_headers, expected_type=type_hints["custom_headers"])
+            check_type(argname="argument origin_access_control_id", value=origin_access_control_id, expected_type=type_hints["origin_access_control_id"])
+            check_type(argname="argument origin_id", value=origin_id, expected_type=type_hints["origin_id"])
+            check_type(argname="argument origin_shield_enabled", value=origin_shield_enabled, expected_type=type_hints["origin_shield_enabled"])
+            check_type(argname="argument origin_shield_region", value=origin_shield_region, expected_type=type_hints["origin_shield_region"])
+            check_type(argname="argument origin_path", value=origin_path, expected_type=type_hints["origin_path"])
+        self._values: typing.Dict[builtins.str, typing.Any] = {}
+        if connection_attempts is not None:
+            self._values["connection_attempts"] = connection_attempts
+        if connection_timeout is not None:
+            self._values["connection_timeout"] = connection_timeout
+        if custom_headers is not None:
+            self._values["custom_headers"] = custom_headers
+        if origin_access_control_id is not None:
+            self._values["origin_access_control_id"] = origin_access_control_id
+        if origin_id is not None:
+            self._values["origin_id"] = origin_id
+        if origin_shield_enabled is not None:
+            self._values["origin_shield_enabled"] = origin_shield_enabled
+        if origin_shield_region is not None:
+            self._values["origin_shield_region"] = origin_shield_region
+        if origin_path is not None:
+            self._values["origin_path"] = origin_path
+
+    @builtins.property
+    def connection_attempts(self) -> typing.Optional[jsii.Number]:
+        '''The number of times that CloudFront attempts to connect to the origin;
+
+        valid values are 1, 2, or 3 attempts.
+
+        :default: 3
+        '''
+        result = self._values.get("connection_attempts")
+        return typing.cast(typing.Optional[jsii.Number], result)
+
+    @builtins.property
+    def connection_timeout(self) -> typing.Optional[_Duration_4839e8c3]:
+        '''The number of seconds that CloudFront waits when trying to establish a connection to the origin.
+
+        Valid values are 1-10 seconds, inclusive.
+
+        :default: Duration.seconds(10)
+        '''
+        result = self._values.get("connection_timeout")
+        return typing.cast(typing.Optional[_Duration_4839e8c3], result)
+
+    @builtins.property
+    def custom_headers(
+        self,
+    ) -> typing.Optional[typing.Mapping[builtins.str, builtins.str]]:
+        '''A list of HTTP header names and values that CloudFront adds to requests it sends to the origin.
+
+        :default: {}
+        '''
+        result = self._values.get("custom_headers")
+        return typing.cast(typing.Optional[typing.Mapping[builtins.str, builtins.str]], result)
+
+    @builtins.property
+    def origin_access_control_id(self) -> typing.Optional[builtins.str]:
+        '''The unique identifier of an origin access control for this origin.
+
+        :default: - no origin access control
+        '''
+        result = self._values.get("origin_access_control_id")
+        return typing.cast(typing.Optional[builtins.str], result)
+
+    @builtins.property
+    def origin_id(self) -> typing.Optional[builtins.str]:
+        '''A unique identifier for the origin.
+
+        This value must be unique within the distribution.
+
+        :default: - an originid will be generated for you
+        '''
+        result = self._values.get("origin_id")
+        return typing.cast(typing.Optional[builtins.str], result)
+
+    @builtins.property
+    def origin_shield_enabled(self) -> typing.Optional[builtins.bool]:
+        '''Origin Shield is enabled by setting originShieldRegion to a valid region, after this to disable Origin Shield again you must set this flag to false.
+
+        :default: - true
+        '''
+        result = self._values.get("origin_shield_enabled")
+        return typing.cast(typing.Optional[builtins.bool], result)
+
+    @builtins.property
+    def origin_shield_region(self) -> typing.Optional[builtins.str]:
+        '''When you enable Origin Shield in the AWS Region that has the lowest latency to your origin, you can get better network performance.
+
+        :default: - origin shield not enabled
+
+        :see: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/origin-shield.html
+        '''
+        result = self._values.get("origin_shield_region")
+        return typing.cast(typing.Optional[builtins.str], result)
+
+    @builtins.property
+    def origin_path(self) -> typing.Optional[builtins.str]:
+        '''An optional path that CloudFront appends to the origin domain name when CloudFront requests content from the origin.
+
+        Must begin, but not end, with '/' (e.g., '/production/images').
+
+        :default: '/'
+        '''
+        result = self._values.get("origin_path")
+        return typing.cast(typing.Optional[builtins.str], result)
+
+    def __eq__(self, rhs: typing.Any) -> builtins.bool:
+        return isinstance(rhs, self.__class__) and rhs._values == self._values
+
+    def __ne__(self, rhs: typing.Any) -> builtins.bool:
+        return not (rhs == self)
+
+    def __repr__(self) -> str:
+        return "S3BucketOriginBaseProps(%s)" % ", ".join(
+            k + "=" + repr(v) for k, v in self._values.items()
+        )
+
+
+@jsii.data_type(
+    jsii_type="aws-cdk-lib.aws_cloudfront_origins.S3BucketOriginWithOACProps",
+    jsii_struct_bases=[S3BucketOriginBaseProps],
+    name_mapping={
+        "connection_attempts": "connectionAttempts",
+        "connection_timeout": "connectionTimeout",
+        "custom_headers": "customHeaders",
+        "origin_access_control_id": "originAccessControlId",
+        "origin_id": "originId",
+        "origin_shield_enabled": "originShieldEnabled",
+        "origin_shield_region": "originShieldRegion",
+        "origin_path": "originPath",
+        "origin_access_control": "originAccessControl",
+        "origin_access_levels": "originAccessLevels",
+    },
+)
+class S3BucketOriginWithOACProps(S3BucketOriginBaseProps):
+    def __init__(
+        self,
+        *,
+        connection_attempts: typing.Optional[jsii.Number] = None,
+        connection_timeout: typing.Optional[_Duration_4839e8c3] = None,
+        custom_headers: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
+        origin_access_control_id: typing.Optional[builtins.str] = None,
+        origin_id: typing.Optional[builtins.str] = None,
+        origin_shield_enabled: typing.Optional[builtins.bool] = None,
+        origin_shield_region: typing.Optional[builtins.str] = None,
+        origin_path: typing.Optional[builtins.str] = None,
+        origin_access_control: typing.Optional[_IOriginAccessControl_82a6fe5a] = None,
+        origin_access_levels: typing.Optional[typing.Sequence[_AccessLevel_315d9a76]] = None,
+    ) -> None:
+        '''Properties for configuring a S3 origin with OAC.
+
+        :param connection_attempts: The number of times that CloudFront attempts to connect to the origin; valid values are 1, 2, or 3 attempts. Default: 3
+        :param connection_timeout: The number of seconds that CloudFront waits when trying to establish a connection to the origin. Valid values are 1-10 seconds, inclusive. Default: Duration.seconds(10)
+        :param custom_headers: A list of HTTP header names and values that CloudFront adds to requests it sends to the origin. Default: {}
+        :param origin_access_control_id: The unique identifier of an origin access control for this origin. Default: - no origin access control
+        :param origin_id: A unique identifier for the origin. This value must be unique within the distribution. Default: - an originid will be generated for you
+        :param origin_shield_enabled: Origin Shield is enabled by setting originShieldRegion to a valid region, after this to disable Origin Shield again you must set this flag to false. Default: - true
+        :param origin_shield_region: When you enable Origin Shield in the AWS Region that has the lowest latency to your origin, you can get better network performance. Default: - origin shield not enabled
+        :param origin_path: An optional path that CloudFront appends to the origin domain name when CloudFront requests content from the origin. Must begin, but not end, with '/' (e.g., '/production/images'). Default: '/'
+        :param origin_access_control: An optional Origin Access Control. Default: - an Origin Access Control will be created.
+        :param origin_access_levels: The level of permissions granted in the bucket policy and key policy (if applicable) to the CloudFront distribution. Default: [AccessLevel.READ]
+
+        :exampleMetadata: infused
+
+        Example::
+
+            my_bucket = s3.Bucket(self, "myBucket")
+            s3_origin = origins.S3BucketOrigin.with_origin_access_control(my_bucket,
+                origin_access_levels=[cloudfront.AccessLevel.READ, cloudfront.AccessLevel.WRITE, cloudfront.AccessLevel.DELETE]
+            )
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__1af53a7ded1427e29cc874af45efdfe026a0004a1f2782a5bc936dbfcb4fe7a4)
+            check_type(argname="argument connection_attempts", value=connection_attempts, expected_type=type_hints["connection_attempts"])
+            check_type(argname="argument connection_timeout", value=connection_timeout, expected_type=type_hints["connection_timeout"])
+            check_type(argname="argument custom_headers", value=custom_headers, expected_type=type_hints["custom_headers"])
+            check_type(argname="argument origin_access_control_id", value=origin_access_control_id, expected_type=type_hints["origin_access_control_id"])
+            check_type(argname="argument origin_id", value=origin_id, expected_type=type_hints["origin_id"])
+            check_type(argname="argument origin_shield_enabled", value=origin_shield_enabled, expected_type=type_hints["origin_shield_enabled"])
+            check_type(argname="argument origin_shield_region", value=origin_shield_region, expected_type=type_hints["origin_shield_region"])
+            check_type(argname="argument origin_path", value=origin_path, expected_type=type_hints["origin_path"])
+            check_type(argname="argument origin_access_control", value=origin_access_control, expected_type=type_hints["origin_access_control"])
+            check_type(argname="argument origin_access_levels", value=origin_access_levels, expected_type=type_hints["origin_access_levels"])
+        self._values: typing.Dict[builtins.str, typing.Any] = {}
+        if connection_attempts is not None:
+            self._values["connection_attempts"] = connection_attempts
+        if connection_timeout is not None:
+            self._values["connection_timeout"] = connection_timeout
+        if custom_headers is not None:
+            self._values["custom_headers"] = custom_headers
+        if origin_access_control_id is not None:
+            self._values["origin_access_control_id"] = origin_access_control_id
+        if origin_id is not None:
+            self._values["origin_id"] = origin_id
+        if origin_shield_enabled is not None:
+            self._values["origin_shield_enabled"] = origin_shield_enabled
+        if origin_shield_region is not None:
+            self._values["origin_shield_region"] = origin_shield_region
+        if origin_path is not None:
+            self._values["origin_path"] = origin_path
+        if origin_access_control is not None:
+            self._values["origin_access_control"] = origin_access_control
+        if origin_access_levels is not None:
+            self._values["origin_access_levels"] = origin_access_levels
+
+    @builtins.property
+    def connection_attempts(self) -> typing.Optional[jsii.Number]:
+        '''The number of times that CloudFront attempts to connect to the origin;
+
+        valid values are 1, 2, or 3 attempts.
+
+        :default: 3
+        '''
+        result = self._values.get("connection_attempts")
+        return typing.cast(typing.Optional[jsii.Number], result)
+
+    @builtins.property
+    def connection_timeout(self) -> typing.Optional[_Duration_4839e8c3]:
+        '''The number of seconds that CloudFront waits when trying to establish a connection to the origin.
+
+        Valid values are 1-10 seconds, inclusive.
+
+        :default: Duration.seconds(10)
+        '''
+        result = self._values.get("connection_timeout")
+        return typing.cast(typing.Optional[_Duration_4839e8c3], result)
+
+    @builtins.property
+    def custom_headers(
+        self,
+    ) -> typing.Optional[typing.Mapping[builtins.str, builtins.str]]:
+        '''A list of HTTP header names and values that CloudFront adds to requests it sends to the origin.
+
+        :default: {}
+        '''
+        result = self._values.get("custom_headers")
+        return typing.cast(typing.Optional[typing.Mapping[builtins.str, builtins.str]], result)
+
+    @builtins.property
+    def origin_access_control_id(self) -> typing.Optional[builtins.str]:
+        '''The unique identifier of an origin access control for this origin.
+
+        :default: - no origin access control
+        '''
+        result = self._values.get("origin_access_control_id")
+        return typing.cast(typing.Optional[builtins.str], result)
+
+    @builtins.property
+    def origin_id(self) -> typing.Optional[builtins.str]:
+        '''A unique identifier for the origin.
+
+        This value must be unique within the distribution.
+
+        :default: - an originid will be generated for you
+        '''
+        result = self._values.get("origin_id")
+        return typing.cast(typing.Optional[builtins.str], result)
+
+    @builtins.property
+    def origin_shield_enabled(self) -> typing.Optional[builtins.bool]:
+        '''Origin Shield is enabled by setting originShieldRegion to a valid region, after this to disable Origin Shield again you must set this flag to false.
+
+        :default: - true
+        '''
+        result = self._values.get("origin_shield_enabled")
+        return typing.cast(typing.Optional[builtins.bool], result)
+
+    @builtins.property
+    def origin_shield_region(self) -> typing.Optional[builtins.str]:
+        '''When you enable Origin Shield in the AWS Region that has the lowest latency to your origin, you can get better network performance.
+
+        :default: - origin shield not enabled
+
+        :see: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/origin-shield.html
+        '''
+        result = self._values.get("origin_shield_region")
+        return typing.cast(typing.Optional[builtins.str], result)
+
+    @builtins.property
+    def origin_path(self) -> typing.Optional[builtins.str]:
+        '''An optional path that CloudFront appends to the origin domain name when CloudFront requests content from the origin.
+
+        Must begin, but not end, with '/' (e.g., '/production/images').
+
+        :default: '/'
+        '''
+        result = self._values.get("origin_path")
+        return typing.cast(typing.Optional[builtins.str], result)
+
+    @builtins.property
+    def origin_access_control(self) -> typing.Optional[_IOriginAccessControl_82a6fe5a]:
+        '''An optional Origin Access Control.
+
+        :default: - an Origin Access Control will be created.
+        '''
+        result = self._values.get("origin_access_control")
+        return typing.cast(typing.Optional[_IOriginAccessControl_82a6fe5a], result)
+
+    @builtins.property
+    def origin_access_levels(
+        self,
+    ) -> typing.Optional[typing.List[_AccessLevel_315d9a76]]:
+        '''The level of permissions granted in the bucket policy and key policy (if applicable) to the CloudFront distribution.
+
+        :default: [AccessLevel.READ]
+        '''
+        result = self._values.get("origin_access_levels")
+        return typing.cast(typing.Optional[typing.List[_AccessLevel_315d9a76]], result)
+
+    def __eq__(self, rhs: typing.Any) -> builtins.bool:
+        return isinstance(rhs, self.__class__) and rhs._values == self._values
+
+    def __ne__(self, rhs: typing.Any) -> builtins.bool:
+        return not (rhs == self)
+
+    def __repr__(self) -> str:
+        return "S3BucketOriginWithOACProps(%s)" % ", ".join(
+            k + "=" + repr(v) for k, v in self._values.items()
+        )
+
+
+@jsii.data_type(
+    jsii_type="aws-cdk-lib.aws_cloudfront_origins.S3BucketOriginWithOAIProps",
+    jsii_struct_bases=[S3BucketOriginBaseProps],
+    name_mapping={
+        "connection_attempts": "connectionAttempts",
+        "connection_timeout": "connectionTimeout",
+        "custom_headers": "customHeaders",
+        "origin_access_control_id": "originAccessControlId",
+        "origin_id": "originId",
+        "origin_shield_enabled": "originShieldEnabled",
+        "origin_shield_region": "originShieldRegion",
+        "origin_path": "originPath",
+        "origin_access_identity": "originAccessIdentity",
+    },
+)
+class S3BucketOriginWithOAIProps(S3BucketOriginBaseProps):
+    def __init__(
+        self,
+        *,
+        connection_attempts: typing.Optional[jsii.Number] = None,
+        connection_timeout: typing.Optional[_Duration_4839e8c3] = None,
+        custom_headers: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
+        origin_access_control_id: typing.Optional[builtins.str] = None,
+        origin_id: typing.Optional[builtins.str] = None,
+        origin_shield_enabled: typing.Optional[builtins.bool] = None,
+        origin_shield_region: typing.Optional[builtins.str] = None,
+        origin_path: typing.Optional[builtins.str] = None,
+        origin_access_identity: typing.Optional[_IOriginAccessIdentity_a922494c] = None,
+    ) -> None:
+        '''Properties for configuring a S3 origin with OAI.
+
+        :param connection_attempts: The number of times that CloudFront attempts to connect to the origin; valid values are 1, 2, or 3 attempts. Default: 3
+        :param connection_timeout: The number of seconds that CloudFront waits when trying to establish a connection to the origin. Valid values are 1-10 seconds, inclusive. Default: Duration.seconds(10)
+        :param custom_headers: A list of HTTP header names and values that CloudFront adds to requests it sends to the origin. Default: {}
+        :param origin_access_control_id: The unique identifier of an origin access control for this origin. Default: - no origin access control
+        :param origin_id: A unique identifier for the origin. This value must be unique within the distribution. Default: - an originid will be generated for you
+        :param origin_shield_enabled: Origin Shield is enabled by setting originShieldRegion to a valid region, after this to disable Origin Shield again you must set this flag to false. Default: - true
+        :param origin_shield_region: When you enable Origin Shield in the AWS Region that has the lowest latency to your origin, you can get better network performance. Default: - origin shield not enabled
+        :param origin_path: An optional path that CloudFront appends to the origin domain name when CloudFront requests content from the origin. Must begin, but not end, with '/' (e.g., '/production/images'). Default: '/'
+        :param origin_access_identity: An optional Origin Access Identity. Default: - an Origin Access Identity will be created.
+
+        :exampleMetadata: infused
+
+        Example::
+
+            my_bucket = s3.Bucket(self, "myBucket")
+            my_oai = cloudfront.OriginAccessIdentity(self, "myOAI",
+                comment="My custom OAI"
+            )
+            s3_origin = origins.S3BucketOrigin.with_origin_access_identity(my_bucket,
+                origin_access_identity=my_oai
+            )
+            cloudfront.Distribution(self, "myDist",
+                default_behavior=cloudfront.BehaviorOptions(
+                    origin=s3_origin
+                )
+            )
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__4b64c18ef31b660c450eee84b6738d7bbd960797e1788e068be9663127832c26)
+            check_type(argname="argument connection_attempts", value=connection_attempts, expected_type=type_hints["connection_attempts"])
+            check_type(argname="argument connection_timeout", value=connection_timeout, expected_type=type_hints["connection_timeout"])
+            check_type(argname="argument custom_headers", value=custom_headers, expected_type=type_hints["custom_headers"])
+            check_type(argname="argument origin_access_control_id", value=origin_access_control_id, expected_type=type_hints["origin_access_control_id"])
+            check_type(argname="argument origin_id", value=origin_id, expected_type=type_hints["origin_id"])
+            check_type(argname="argument origin_shield_enabled", value=origin_shield_enabled, expected_type=type_hints["origin_shield_enabled"])
+            check_type(argname="argument origin_shield_region", value=origin_shield_region, expected_type=type_hints["origin_shield_region"])
+            check_type(argname="argument origin_path", value=origin_path, expected_type=type_hints["origin_path"])
+            check_type(argname="argument origin_access_identity", value=origin_access_identity, expected_type=type_hints["origin_access_identity"])
+        self._values: typing.Dict[builtins.str, typing.Any] = {}
+        if connection_attempts is not None:
+            self._values["connection_attempts"] = connection_attempts
+        if connection_timeout is not None:
+            self._values["connection_timeout"] = connection_timeout
+        if custom_headers is not None:
+            self._values["custom_headers"] = custom_headers
+        if origin_access_control_id is not None:
+            self._values["origin_access_control_id"] = origin_access_control_id
+        if origin_id is not None:
+            self._values["origin_id"] = origin_id
+        if origin_shield_enabled is not None:
+            self._values["origin_shield_enabled"] = origin_shield_enabled
+        if origin_shield_region is not None:
+            self._values["origin_shield_region"] = origin_shield_region
+        if origin_path is not None:
+            self._values["origin_path"] = origin_path
+        if origin_access_identity is not None:
+            self._values["origin_access_identity"] = origin_access_identity
+
+    @builtins.property
+    def connection_attempts(self) -> typing.Optional[jsii.Number]:
+        '''The number of times that CloudFront attempts to connect to the origin;
+
+        valid values are 1, 2, or 3 attempts.
+
+        :default: 3
+        '''
+        result = self._values.get("connection_attempts")
+        return typing.cast(typing.Optional[jsii.Number], result)
+
+    @builtins.property
+    def connection_timeout(self) -> typing.Optional[_Duration_4839e8c3]:
+        '''The number of seconds that CloudFront waits when trying to establish a connection to the origin.
+
+        Valid values are 1-10 seconds, inclusive.
+
+        :default: Duration.seconds(10)
+        '''
+        result = self._values.get("connection_timeout")
+        return typing.cast(typing.Optional[_Duration_4839e8c3], result)
+
+    @builtins.property
+    def custom_headers(
+        self,
+    ) -> typing.Optional[typing.Mapping[builtins.str, builtins.str]]:
+        '''A list of HTTP header names and values that CloudFront adds to requests it sends to the origin.
+
+        :default: {}
+        '''
+        result = self._values.get("custom_headers")
+        return typing.cast(typing.Optional[typing.Mapping[builtins.str, builtins.str]], result)
+
+    @builtins.property
+    def origin_access_control_id(self) -> typing.Optional[builtins.str]:
+        '''The unique identifier of an origin access control for this origin.
+
+        :default: - no origin access control
+        '''
+        result = self._values.get("origin_access_control_id")
+        return typing.cast(typing.Optional[builtins.str], result)
+
+    @builtins.property
+    def origin_id(self) -> typing.Optional[builtins.str]:
+        '''A unique identifier for the origin.
+
+        This value must be unique within the distribution.
+
+        :default: - an originid will be generated for you
+        '''
+        result = self._values.get("origin_id")
+        return typing.cast(typing.Optional[builtins.str], result)
+
+    @builtins.property
+    def origin_shield_enabled(self) -> typing.Optional[builtins.bool]:
+        '''Origin Shield is enabled by setting originShieldRegion to a valid region, after this to disable Origin Shield again you must set this flag to false.
+
+        :default: - true
+        '''
+        result = self._values.get("origin_shield_enabled")
+        return typing.cast(typing.Optional[builtins.bool], result)
+
+    @builtins.property
+    def origin_shield_region(self) -> typing.Optional[builtins.str]:
+        '''When you enable Origin Shield in the AWS Region that has the lowest latency to your origin, you can get better network performance.
+
+        :default: - origin shield not enabled
+
+        :see: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/origin-shield.html
+        '''
+        result = self._values.get("origin_shield_region")
+        return typing.cast(typing.Optional[builtins.str], result)
+
+    @builtins.property
+    def origin_path(self) -> typing.Optional[builtins.str]:
+        '''An optional path that CloudFront appends to the origin domain name when CloudFront requests content from the origin.
+
+        Must begin, but not end, with '/' (e.g., '/production/images').
+
+        :default: '/'
+        '''
+        result = self._values.get("origin_path")
+        return typing.cast(typing.Optional[builtins.str], result)
+
+    @builtins.property
+    def origin_access_identity(
+        self,
+    ) -> typing.Optional[_IOriginAccessIdentity_a922494c]:
+        '''An optional Origin Access Identity.
+
+        :default: - an Origin Access Identity will be created.
+        '''
+        result = self._values.get("origin_access_identity")
+        return typing.cast(typing.Optional[_IOriginAccessIdentity_a922494c], result)
+
+    def __eq__(self, rhs: typing.Any) -> builtins.bool:
+        return isinstance(rhs, self.__class__) and rhs._values == self._values
+
+    def __ne__(self, rhs: typing.Any) -> builtins.bool:
+        return not (rhs == self)
+
+    def __repr__(self) -> str:
+        return "S3BucketOriginWithOAIProps(%s)" % ", ".join(
+            k + "=" + repr(v) for k, v in self._values.items()
+        )
+
+
+@jsii.implements(_IOrigin_83d4c1fa)
+class S3Origin(
+    metaclass=jsii.JSIIMeta,
+    jsii_type="aws-cdk-lib.aws_cloudfront_origins.S3Origin",
+):
+    '''(deprecated) An Origin that is backed by an S3 bucket.
+
+    If the bucket is configured for website hosting, this origin will be configured to use the bucket as an
+    HTTP server origin and will use the bucket's configured website redirects and error handling. Otherwise,
+    the origin is created as a bucket origin and will use CloudFront's redirect and error handling.
+
+    :deprecated: Use ``S3BucketOrigin`` or ``S3StaticWebsiteOrigin`` instead.
+
+    :stability: deprecated
+    :exampleMetadata: infused
+
+    Example::
+
+        # Adding an existing Lambda@Edge function created in a different stack
+        # to a CloudFront distribution.
+        # s3_bucket: s3.Bucket
+        
+        function_version = lambda_.Version.from_version_arn(self, "Version", "arn:aws:lambda:us-east-1:123456789012:function:functionName:1")
+        
+        cloudfront.Distribution(self, "distro",
+            default_behavior=cloudfront.BehaviorOptions(
+                origin=origins.S3Origin(s3_bucket),
+                edge_lambdas=[cloudfront.EdgeLambda(
+                    function_version=function_version,
+                    event_type=cloudfront.LambdaEdgeEventType.VIEWER_REQUEST
+                )
+                ]
+            )
+        )
+    '''
+
+    def __init__(
+        self,
+        bucket: _IBucket_42e086fd,
+        *,
+        origin_access_identity: typing.Optional[_IOriginAccessIdentity_a922494c] = None,
+        origin_path: typing.Optional[builtins.str] = None,
+        connection_attempts: typing.Optional[jsii.Number] = None,
+        connection_timeout: typing.Optional[_Duration_4839e8c3] = None,
+        custom_headers: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
+        origin_access_control_id: typing.Optional[builtins.str] = None,
+        origin_id: typing.Optional[builtins.str] = None,
+        origin_shield_enabled: typing.Optional[builtins.bool] = None,
+        origin_shield_region: typing.Optional[builtins.str] = None,
+    ) -> None:
+        '''
+        :param bucket: -
+        :param origin_access_identity: An optional Origin Access Identity of the origin identity cloudfront will use when calling your s3 bucket. Default: - An Origin Access Identity will be created.
+        :param origin_path: An optional path that CloudFront appends to the origin domain name when CloudFront requests content from the origin. Must begin, but not end, with '/' (e.g., '/production/images'). Default: '/'
+        :param connection_attempts: The number of times that CloudFront attempts to connect to the origin; valid values are 1, 2, or 3 attempts. Default: 3
+        :param connection_timeout: The number of seconds that CloudFront waits when trying to establish a connection to the origin. Valid values are 1-10 seconds, inclusive. Default: Duration.seconds(10)
+        :param custom_headers: A list of HTTP header names and values that CloudFront adds to requests it sends to the origin. Default: {}
+        :param origin_access_control_id: The unique identifier of an origin access control for this origin. Default: - no origin access control
+        :param origin_id: A unique identifier for the origin. This value must be unique within the distribution. Default: - an originid will be generated for you
+        :param origin_shield_enabled: Origin Shield is enabled by setting originShieldRegion to a valid region, after this to disable Origin Shield again you must set this flag to false. Default: - true
+        :param origin_shield_region: When you enable Origin Shield in the AWS Region that has the lowest latency to your origin, you can get better network performance. Default: - origin shield not enabled
+
+        :stability: deprecated
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__9ba8623373b0faa9ac55c816167da21a58e0753e0dd032b1f3e6ccd0bd977994)
+            check_type(argname="argument bucket", value=bucket, expected_type=type_hints["bucket"])
+        props = S3OriginProps(
+            origin_access_identity=origin_access_identity,
+            origin_path=origin_path,
+            connection_attempts=connection_attempts,
+            connection_timeout=connection_timeout,
+            custom_headers=custom_headers,
+            origin_access_control_id=origin_access_control_id,
+            origin_id=origin_id,
+            origin_shield_enabled=origin_shield_enabled,
+            origin_shield_region=origin_shield_region,
+        )
+
+        jsii.create(self.__class__, self, [bucket, props])
+
+    @jsii.member(jsii_name="bind")
+    def bind(
+        self,
+        scope: _constructs_77d1e7e8.Construct,
+        *,
+        origin_id: builtins.str,
+        distribution_id: typing.Optional[builtins.str] = None,
+    ) -> _OriginBindConfig_25a57096:
+        '''(deprecated) The method called when a given Origin is added (for the first time) to a Distribution.
+
+        :param scope: -
+        :param origin_id: The identifier of this Origin, as assigned by the Distribution this Origin has been used added to.
+        :param distribution_id: The identifier of the Distribution this Origin is used for. This is used to grant origin access permissions to the distribution for origin access control. Default: - no distribution id
+
+        :stability: deprecated
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__1731b0d7a385b196730b287be11e2cb13fa03d064ae3ffbfd55c5422a8f2c430)
+            check_type(argname="argument scope", value=scope, expected_type=type_hints["scope"])
+        options = _OriginBindOptions_088c2b51(
+            origin_id=origin_id, distribution_id=distribution_id
+        )
+
+        return typing.cast(_OriginBindConfig_25a57096, jsii.invoke(self, "bind", [scope, options]))
+
+
+@jsii.data_type(
+    jsii_type="aws-cdk-lib.aws_cloudfront_origins.S3OriginProps",
+    jsii_struct_bases=[_OriginProps_0675928d],
+    name_mapping={
+        "connection_attempts": "connectionAttempts",
+        "connection_timeout": "connectionTimeout",
+        "custom_headers": "customHeaders",
+        "origin_access_control_id": "originAccessControlId",
+        "origin_id": "originId",
+        "origin_shield_enabled": "originShieldEnabled",
+        "origin_shield_region": "originShieldRegion",
+        "origin_path": "originPath",
+        "origin_access_identity": "originAccessIdentity",
+    },
+)
+class S3OriginProps(_OriginProps_0675928d):
+    def __init__(
+        self,
+        *,
+        connection_attempts: typing.Optional[jsii.Number] = None,
+        connection_timeout: typing.Optional[_Duration_4839e8c3] = None,
+        custom_headers: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
+        origin_access_control_id: typing.Optional[builtins.str] = None,
+        origin_id: typing.Optional[builtins.str] = None,
+        origin_shield_enabled: typing.Optional[builtins.bool] = None,
+        origin_shield_region: typing.Optional[builtins.str] = None,
+        origin_path: typing.Optional[builtins.str] = None,
+        origin_access_identity: typing.Optional[_IOriginAccessIdentity_a922494c] = None,
+    ) -> None:
+        '''Properties to use to customize an S3 Origin.
+
+        :param connection_attempts: The number of times that CloudFront attempts to connect to the origin; valid values are 1, 2, or 3 attempts. Default: 3
+        :param connection_timeout: The number of seconds that CloudFront waits when trying to establish a connection to the origin. Valid values are 1-10 seconds, inclusive. Default: Duration.seconds(10)
+        :param custom_headers: A list of HTTP header names and values that CloudFront adds to requests it sends to the origin. Default: {}
+        :param origin_access_control_id: The unique identifier of an origin access control for this origin. Default: - no origin access control
+        :param origin_id: A unique identifier for the origin. This value must be unique within the distribution. Default: - an originid will be generated for you
+        :param origin_shield_enabled: Origin Shield is enabled by setting originShieldRegion to a valid region, after this to disable Origin Shield again you must set this flag to false. Default: - true
+        :param origin_shield_region: When you enable Origin Shield in the AWS Region that has the lowest latency to your origin, you can get better network performance. Default: - origin shield not enabled
+        :param origin_path: An optional path that CloudFront appends to the origin domain name when CloudFront requests content from the origin. Must begin, but not end, with '/' (e.g., '/production/images'). Default: '/'
+        :param origin_access_identity: An optional Origin Access Identity of the origin identity cloudfront will use when calling your s3 bucket. Default: - An Origin Access Identity will be created.
+
+        :exampleMetadata: fixture=_generated
+
+        Example::
+
+            # The code below shows an example of how to instantiate this type.
+            # The values are placeholders you should change.
+            import aws_cdk as cdk
+            from aws_cdk import aws_cloudfront as cloudfront
+            from aws_cdk import aws_cloudfront_origins as cloudfront_origins
+            
+            # origin_access_identity: cloudfront.OriginAccessIdentity
+            
+            s3_origin_props = cloudfront_origins.S3OriginProps(
+                connection_attempts=123,
+                connection_timeout=cdk.Duration.minutes(30),
+                custom_headers={
+                    "custom_headers_key": "customHeaders"
+                },
+                origin_access_control_id="originAccessControlId",
+                origin_access_identity=origin_access_identity,
+                origin_id="originId",
+                origin_path="originPath",
+                origin_shield_enabled=False,
+                origin_shield_region="originShieldRegion"
+            )
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__bbd2a0ca1bf4d32899d90ea633e3ac416a6fa29972ee055a5866ec269b24307e)
+            check_type(argname="argument connection_attempts", value=connection_attempts, expected_type=type_hints["connection_attempts"])
+            check_type(argname="argument connection_timeout", value=connection_timeout, expected_type=type_hints["connection_timeout"])
+            check_type(argname="argument custom_headers", value=custom_headers, expected_type=type_hints["custom_headers"])
+            check_type(argname="argument origin_access_control_id", value=origin_access_control_id, expected_type=type_hints["origin_access_control_id"])
+            check_type(argname="argument origin_id", value=origin_id, expected_type=type_hints["origin_id"])
+            check_type(argname="argument origin_shield_enabled", value=origin_shield_enabled, expected_type=type_hints["origin_shield_enabled"])
+            check_type(argname="argument origin_shield_region", value=origin_shield_region, expected_type=type_hints["origin_shield_region"])
+            check_type(argname="argument origin_path", value=origin_path, expected_type=type_hints["origin_path"])
+            check_type(argname="argument origin_access_identity", value=origin_access_identity, expected_type=type_hints["origin_access_identity"])
+        self._values: typing.Dict[builtins.str, typing.Any] = {}
+        if connection_attempts is not None:
+            self._values["connection_attempts"] = connection_attempts
+        if connection_timeout is not None:
+            self._values["connection_timeout"] = connection_timeout
+        if custom_headers is not None:
+            self._values["custom_headers"] = custom_headers
+        if origin_access_control_id is not None:
+            self._values["origin_access_control_id"] = origin_access_control_id
+        if origin_id is not None:
+            self._values["origin_id"] = origin_id
+        if origin_shield_enabled is not None:
+            self._values["origin_shield_enabled"] = origin_shield_enabled
+        if origin_shield_region is not None:
+            self._values["origin_shield_region"] = origin_shield_region
+        if origin_path is not None:
+            self._values["origin_path"] = origin_path
+        if origin_access_identity is not None:
+            self._values["origin_access_identity"] = origin_access_identity
+
+    @builtins.property
+    def connection_attempts(self) -> typing.Optional[jsii.Number]:
+        '''The number of times that CloudFront attempts to connect to the origin;
+
+        valid values are 1, 2, or 3 attempts.
+
+        :default: 3
+        '''
+        result = self._values.get("connection_attempts")
+        return typing.cast(typing.Optional[jsii.Number], result)
+
+    @builtins.property
+    def connection_timeout(self) -> typing.Optional[_Duration_4839e8c3]:
+        '''The number of seconds that CloudFront waits when trying to establish a connection to the origin.
+
+        Valid values are 1-10 seconds, inclusive.
+
+        :default: Duration.seconds(10)
+        '''
+        result = self._values.get("connection_timeout")
+        return typing.cast(typing.Optional[_Duration_4839e8c3], result)
+
+    @builtins.property
+    def custom_headers(
+        self,
+    ) -> typing.Optional[typing.Mapping[builtins.str, builtins.str]]:
+        '''A list of HTTP header names and values that CloudFront adds to requests it sends to the origin.
+
+        :default: {}
+        '''
+        result = self._values.get("custom_headers")
+        return typing.cast(typing.Optional[typing.Mapping[builtins.str, builtins.str]], result)
+
+    @builtins.property
+    def origin_access_control_id(self) -> typing.Optional[builtins.str]:
+        '''The unique identifier of an origin access control for this origin.
+
+        :default: - no origin access control
+        '''
+        result = self._values.get("origin_access_control_id")
+        return typing.cast(typing.Optional[builtins.str], result)
+
+    @builtins.property
+    def origin_id(self) -> typing.Optional[builtins.str]:
+        '''A unique identifier for the origin.
+
+        This value must be unique within the distribution.
+
+        :default: - an originid will be generated for you
+        '''
+        result = self._values.get("origin_id")
+        return typing.cast(typing.Optional[builtins.str], result)
+
+    @builtins.property
+    def origin_shield_enabled(self) -> typing.Optional[builtins.bool]:
+        '''Origin Shield is enabled by setting originShieldRegion to a valid region, after this to disable Origin Shield again you must set this flag to false.
+
+        :default: - true
+        '''
+        result = self._values.get("origin_shield_enabled")
+        return typing.cast(typing.Optional[builtins.bool], result)
+
+    @builtins.property
+    def origin_shield_region(self) -> typing.Optional[builtins.str]:
+        '''When you enable Origin Shield in the AWS Region that has the lowest latency to your origin, you can get better network performance.
+
+        :default: - origin shield not enabled
+
+        :see: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/origin-shield.html
+        '''
+        result = self._values.get("origin_shield_region")
+        return typing.cast(typing.Optional[builtins.str], result)
+
+    @builtins.property
+    def origin_path(self) -> typing.Optional[builtins.str]:
+        '''An optional path that CloudFront appends to the origin domain name when CloudFront requests content from the origin.
+
+        Must begin, but not end, with '/' (e.g., '/production/images').
+
+        :default: '/'
+        '''
+        result = self._values.get("origin_path")
+        return typing.cast(typing.Optional[builtins.str], result)
+
+    @builtins.property
+    def origin_access_identity(
+        self,
+    ) -> typing.Optional[_IOriginAccessIdentity_a922494c]:
+        '''An optional Origin Access Identity of the origin identity cloudfront will use when calling your s3 bucket.
+
+        :default: - An Origin Access Identity will be created.
+        '''
+        result = self._values.get("origin_access_identity")
+        return typing.cast(typing.Optional[_IOriginAccessIdentity_a922494c], result)
+
+    def __eq__(self, rhs: typing.Any) -> builtins.bool:
+        return isinstance(rhs, self.__class__) and rhs._values == self._values
+
+    def __ne__(self, rhs: typing.Any) -> builtins.bool:
+        return not (rhs == self)
+
+    def __repr__(self) -> str:
+        return "S3OriginProps(%s)" % ", ".join(
+            k + "=" + repr(v) for k, v in self._values.items()
+        )
+
+
+class S3StaticWebsiteOrigin(
+    HttpOrigin,
+    metaclass=jsii.JSIIMeta,
+    jsii_type="aws-cdk-lib.aws_cloudfront_origins.S3StaticWebsiteOrigin",
+):
+    '''An Origin for a S3 bucket configured as a website endpoint.
+
+    :exampleMetadata: infused
+
+    Example::
+
+        my_bucket = s3.Bucket(self, "myBucket")
+        cloudfront.Distribution(self, "myDist",
+            default_behavior=cloudfront.BehaviorOptions(origin=origins.S3StaticWebsiteOrigin(my_bucket))
+        )
+    '''
+
+    def __init__(
+        self,
+        bucket: _IBucket_42e086fd,
+        *,
+        http_port: typing.Optional[jsii.Number] = None,
+        https_port: typing.Optional[jsii.Number] = None,
+        keepalive_timeout: typing.Optional[_Duration_4839e8c3] = None,
+        origin_ssl_protocols: typing.Optional[typing.Sequence[_OriginSslPolicy_d65cede2]] = None,
+        protocol_policy: typing.Optional[_OriginProtocolPolicy_967ed73c] = None,
+        read_timeout: typing.Optional[_Duration_4839e8c3] = None,
+        origin_path: typing.Optional[builtins.str] = None,
+        connection_attempts: typing.Optional[jsii.Number] = None,
+        connection_timeout: typing.Optional[_Duration_4839e8c3] = None,
+        custom_headers: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
+        origin_access_control_id: typing.Optional[builtins.str] = None,
+        origin_id: typing.Optional[builtins.str] = None,
+        origin_shield_enabled: typing.Optional[builtins.bool] = None,
+        origin_shield_region: typing.Optional[builtins.str] = None,
+    ) -> None:
+        '''
+        :param bucket: -
+        :param http_port: The HTTP port that CloudFront uses to connect to the origin. Default: 80
+        :param https_port: The HTTPS port that CloudFront uses to connect to the origin. Default: 443
+        :param keepalive_timeout: Specifies how long, in seconds, CloudFront persists its connection to the origin. The valid range is from 1 to 180 seconds, inclusive. Note that values over 60 seconds are possible only after a limit increase request for the origin response timeout quota has been approved in the target account; otherwise, values over 60 seconds will produce an error at deploy time. Default: Duration.seconds(5)
+        :param origin_ssl_protocols: The SSL versions to use when interacting with the origin. Default: OriginSslPolicy.TLS_V1_2
+        :param protocol_policy: Specifies the protocol (HTTP or HTTPS) that CloudFront uses to connect to the origin. Default: OriginProtocolPolicy.HTTPS_ONLY
+        :param read_timeout: Specifies how long, in seconds, CloudFront waits for a response from the origin, also known as the origin response timeout. The valid range is from 1 to 180 seconds, inclusive. Note that values over 60 seconds are possible only after a limit increase request for the origin response timeout quota has been approved in the target account; otherwise, values over 60 seconds will produce an error at deploy time. Default: Duration.seconds(30)
+        :param origin_path: An optional path that CloudFront appends to the origin domain name when CloudFront requests content from the origin. Must begin, but not end, with '/' (e.g., '/production/images'). Default: '/'
+        :param connection_attempts: The number of times that CloudFront attempts to connect to the origin; valid values are 1, 2, or 3 attempts. Default: 3
+        :param connection_timeout: The number of seconds that CloudFront waits when trying to establish a connection to the origin. Valid values are 1-10 seconds, inclusive. Default: Duration.seconds(10)
+        :param custom_headers: A list of HTTP header names and values that CloudFront adds to requests it sends to the origin. Default: {}
+        :param origin_access_control_id: The unique identifier of an origin access control for this origin. Default: - no origin access control
+        :param origin_id: A unique identifier for the origin. This value must be unique within the distribution. Default: - an originid will be generated for you
+        :param origin_shield_enabled: Origin Shield is enabled by setting originShieldRegion to a valid region, after this to disable Origin Shield again you must set this flag to false. Default: - true
+        :param origin_shield_region: When you enable Origin Shield in the AWS Region that has the lowest latency to your origin, you can get better network performance. Default: - origin shield not enabled
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__f0edd2083352b96faf3ea9eb05136629dff841fa272ecdb6dfb52772a77b9b22)
+            check_type(argname="argument bucket", value=bucket, expected_type=type_hints["bucket"])
+        props = S3StaticWebsiteOriginProps(
+            http_port=http_port,
+            https_port=https_port,
+            keepalive_timeout=keepalive_timeout,
+            origin_ssl_protocols=origin_ssl_protocols,
+            protocol_policy=protocol_policy,
+            read_timeout=read_timeout,
+            origin_path=origin_path,
+            connection_attempts=connection_attempts,
+            connection_timeout=connection_timeout,
+            custom_headers=custom_headers,
+            origin_access_control_id=origin_access_control_id,
+            origin_id=origin_id,
+            origin_shield_enabled=origin_shield_enabled,
+            origin_shield_region=origin_shield_region,
+        )
+
+        jsii.create(self.__class__, self, [bucket, props])
+
+
+@jsii.data_type(
+    jsii_type="aws-cdk-lib.aws_cloudfront_origins.S3StaticWebsiteOriginProps",
+    jsii_struct_bases=[HttpOriginProps],
+    name_mapping={
+        "connection_attempts": "connectionAttempts",
+        "connection_timeout": "connectionTimeout",
+        "custom_headers": "customHeaders",
+        "origin_access_control_id": "originAccessControlId",
+        "origin_id": "originId",
+        "origin_shield_enabled": "originShieldEnabled",
+        "origin_shield_region": "originShieldRegion",
+        "origin_path": "originPath",
+        "http_port": "httpPort",
+        "https_port": "httpsPort",
+        "keepalive_timeout": "keepaliveTimeout",
+        "origin_ssl_protocols": "originSslProtocols",
+        "protocol_policy": "protocolPolicy",
+        "read_timeout": "readTimeout",
+    },
+)
+class S3StaticWebsiteOriginProps(HttpOriginProps):
+    def __init__(
+        self,
+        *,
+        connection_attempts: typing.Optional[jsii.Number] = None,
+        connection_timeout: typing.Optional[_Duration_4839e8c3] = None,
+        custom_headers: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
+        origin_access_control_id: typing.Optional[builtins.str] = None,
+        origin_id: typing.Optional[builtins.str] = None,
+        origin_shield_enabled: typing.Optional[builtins.bool] = None,
+        origin_shield_region: typing.Optional[builtins.str] = None,
+        origin_path: typing.Optional[builtins.str] = None,
+        http_port: typing.Optional[jsii.Number] = None,
+        https_port: typing.Optional[jsii.Number] = None,
+        keepalive_timeout: typing.Optional[_Duration_4839e8c3] = None,
+        origin_ssl_protocols: typing.Optional[typing.Sequence[_OriginSslPolicy_d65cede2]] = None,
+        protocol_policy: typing.Optional[_OriginProtocolPolicy_967ed73c] = None,
+        read_timeout: typing.Optional[_Duration_4839e8c3] = None,
+    ) -> None:
+        '''Properties for configuring a origin using a S3 bucket configured as a website endpoint.
 
         :param connection_attempts: The number of times that CloudFront attempts to connect to the origin; valid values are 1, 2, or 3 attempts. Default: 3
         :param connection_timeout: The number of seconds that CloudFront waits when trying to establish a connection to the origin. Valid values are 1-10 seconds, inclusive. Default: Duration.seconds(10)
         :param custom_headers: A list of HTTP header names and values that CloudFront adds to requests it sends to the origin. Default: {}
+        :param origin_access_control_id: The unique identifier of an origin access control for this origin. Default: - no origin access control
         :param origin_id: A unique identifier for the origin. This value must be unique within the distribution. Default: - an originid will be generated for you
         :param origin_shield_enabled: Origin Shield is enabled by setting originShieldRegion to a valid region, after this to disable Origin Shield again you must set this flag to false. Default: - true
         :param origin_shield_region: When you enable Origin Shield in the AWS Region that has the lowest latency to your origin, you can get better network performance. Default: - origin shield not enabled
         :param origin_path: An optional path that CloudFront appends to the origin domain name when CloudFront requests content from the origin. Must begin, but not end, with '/' (e.g., '/production/images'). Default: '/'
-        :param origin_access_identity: An optional Origin Access Identity of the origin identity cloudfront will use when calling your s3 bucket. Default: - An Origin Access Identity will be created.
+        :param http_port: The HTTP port that CloudFront uses to connect to the origin. Default: 80
+        :param https_port: The HTTPS port that CloudFront uses to connect to the origin. Default: 443
+        :param keepalive_timeout: Specifies how long, in seconds, CloudFront persists its connection to the origin. The valid range is from 1 to 180 seconds, inclusive. Note that values over 60 seconds are possible only after a limit increase request for the origin response timeout quota has been approved in the target account; otherwise, values over 60 seconds will produce an error at deploy time. Default: Duration.seconds(5)
+        :param origin_ssl_protocols: The SSL versions to use when interacting with the origin. Default: OriginSslPolicy.TLS_V1_2
+        :param protocol_policy: Specifies the protocol (HTTP or HTTPS) that CloudFront uses to connect to the origin. Default: OriginProtocolPolicy.HTTPS_ONLY
+        :param read_timeout: Specifies how long, in seconds, CloudFront waits for a response from the origin, also known as the origin response timeout. The valid range is from 1 to 180 seconds, inclusive. Note that values over 60 seconds are possible only after a limit increase request for the origin response timeout quota has been approved in the target account; otherwise, values over 60 seconds will produce an error at deploy time. Default: Duration.seconds(30)
 
-        :exampleMetadata: infused
+        :exampleMetadata: fixture=_generated
 
         Example::
 
-            my_bucket = s3.Bucket(self, "myBucket")
-            cloudfront.Distribution(self, "myDist",
-                default_behavior=cloudfront.BehaviorOptions(origin=origins.S3Origin(my_bucket,
-                    custom_headers={
-                        "Foo": "bar"
-                    }
-                ))
+            # The code below shows an example of how to instantiate this type.
+            # The values are placeholders you should change.
+            import aws_cdk as cdk
+            from aws_cdk import aws_cloudfront as cloudfront
+            from aws_cdk import aws_cloudfront_origins as cloudfront_origins
+            
+            s3_static_website_origin_props = cloudfront_origins.S3StaticWebsiteOriginProps(
+                connection_attempts=123,
+                connection_timeout=cdk.Duration.minutes(30),
+                custom_headers={
+                    "custom_headers_key": "customHeaders"
+                },
+                http_port=123,
+                https_port=123,
+                keepalive_timeout=cdk.Duration.minutes(30),
+                origin_access_control_id="originAccessControlId",
+                origin_id="originId",
+                origin_path="originPath",
+                origin_shield_enabled=False,
+                origin_shield_region="originShieldRegion",
+                origin_ssl_protocols=[cloudfront.OriginSslPolicy.SSL_V3],
+                protocol_policy=cloudfront.OriginProtocolPolicy.HTTP_ONLY,
+                read_timeout=cdk.Duration.minutes(30)
             )
         '''
         if __debug__:
-            type_hints = typing.get_type_hints(_typecheckingstub__bbd2a0ca1bf4d32899d90ea633e3ac416a6fa29972ee055a5866ec269b24307e)
+            type_hints = typing.get_type_hints(_typecheckingstub__5bc18cdba7c0e6d7d0a68d2a1cf3c3f91f50a7e3e7384f5f62ebee6006adbb85)
             check_type(argname="argument connection_attempts", value=connection_attempts, expected_type=type_hints["connection_attempts"])
             check_type(argname="argument connection_timeout", value=connection_timeout, expected_type=type_hints["connection_timeout"])
             check_type(argname="argument custom_headers", value=custom_headers, expected_type=type_hints["custom_headers"])
+            check_type(argname="argument origin_access_control_id", value=origin_access_control_id, expected_type=type_hints["origin_access_control_id"])
             check_type(argname="argument origin_id", value=origin_id, expected_type=type_hints["origin_id"])
             check_type(argname="argument origin_shield_enabled", value=origin_shield_enabled, expected_type=type_hints["origin_shield_enabled"])
             check_type(argname="argument origin_shield_region", value=origin_shield_region, expected_type=type_hints["origin_shield_region"])
             check_type(argname="argument origin_path", value=origin_path, expected_type=type_hints["origin_path"])
-            check_type(argname="argument origin_access_identity", value=origin_access_identity, expected_type=type_hints["origin_access_identity"])
+            check_type(argname="argument http_port", value=http_port, expected_type=type_hints["http_port"])
+            check_type(argname="argument https_port", value=https_port, expected_type=type_hints["https_port"])
+            check_type(argname="argument keepalive_timeout", value=keepalive_timeout, expected_type=type_hints["keepalive_timeout"])
+            check_type(argname="argument origin_ssl_protocols", value=origin_ssl_protocols, expected_type=type_hints["origin_ssl_protocols"])
+            check_type(argname="argument protocol_policy", value=protocol_policy, expected_type=type_hints["protocol_policy"])
+            check_type(argname="argument read_timeout", value=read_timeout, expected_type=type_hints["read_timeout"])
         self._values: typing.Dict[builtins.str, typing.Any] = {}
         if connection_attempts is not None:
             self._values["connection_attempts"] = connection_attempts
@@ -1770,6 +3470,8 @@ class S3OriginProps(_OriginProps_0675928d):
             self._values["connection_timeout"] = connection_timeout
         if custom_headers is not None:
             self._values["custom_headers"] = custom_headers
+        if origin_access_control_id is not None:
+            self._values["origin_access_control_id"] = origin_access_control_id
         if origin_id is not None:
             self._values["origin_id"] = origin_id
         if origin_shield_enabled is not None:
@@ -1778,8 +3480,18 @@ class S3OriginProps(_OriginProps_0675928d):
             self._values["origin_shield_region"] = origin_shield_region
         if origin_path is not None:
             self._values["origin_path"] = origin_path
-        if origin_access_identity is not None:
-            self._values["origin_access_identity"] = origin_access_identity
+        if http_port is not None:
+            self._values["http_port"] = http_port
+        if https_port is not None:
+            self._values["https_port"] = https_port
+        if keepalive_timeout is not None:
+            self._values["keepalive_timeout"] = keepalive_timeout
+        if origin_ssl_protocols is not None:
+            self._values["origin_ssl_protocols"] = origin_ssl_protocols
+        if protocol_policy is not None:
+            self._values["protocol_policy"] = protocol_policy
+        if read_timeout is not None:
+            self._values["read_timeout"] = read_timeout
 
     @builtins.property
     def connection_attempts(self) -> typing.Optional[jsii.Number]:
@@ -1814,6 +3526,15 @@ class S3OriginProps(_OriginProps_0675928d):
         result = self._values.get("custom_headers")
         return typing.cast(typing.Optional[typing.Mapping[builtins.str, builtins.str]], result)
 
+    @builtins.property
+    def origin_access_control_id(self) -> typing.Optional[builtins.str]:
+        '''The unique identifier of an origin access control for this origin.
+
+        :default: - no origin access control
+        '''
+        result = self._values.get("origin_access_control_id")
+        return typing.cast(typing.Optional[builtins.str], result)
+
     @builtins.property
     def origin_id(self) -> typing.Optional[builtins.str]:
         '''A unique identifier for the origin.
@@ -1857,15 +3578,70 @@ class S3OriginProps(_OriginProps_0675928d):
         return typing.cast(typing.Optional[builtins.str], result)
 
     @builtins.property
-    def origin_access_identity(
+    def http_port(self) -> typing.Optional[jsii.Number]:
+        '''The HTTP port that CloudFront uses to connect to the origin.
+
+        :default: 80
+        '''
+        result = self._values.get("http_port")
+        return typing.cast(typing.Optional[jsii.Number], result)
+
+    @builtins.property
+    def https_port(self) -> typing.Optional[jsii.Number]:
+        '''The HTTPS port that CloudFront uses to connect to the origin.
+
+        :default: 443
+        '''
+        result = self._values.get("https_port")
+        return typing.cast(typing.Optional[jsii.Number], result)
+
+    @builtins.property
+    def keepalive_timeout(self) -> typing.Optional[_Duration_4839e8c3]:
+        '''Specifies how long, in seconds, CloudFront persists its connection to the origin.
+
+        The valid range is from 1 to 180 seconds, inclusive.
+
+        Note that values over 60 seconds are possible only after a limit increase request for the origin response timeout quota
+        has been approved in the target account; otherwise, values over 60 seconds will produce an error at deploy time.
+
+        :default: Duration.seconds(5)
+        '''
+        result = self._values.get("keepalive_timeout")
+        return typing.cast(typing.Optional[_Duration_4839e8c3], result)
+
+    @builtins.property
+    def origin_ssl_protocols(
         self,
-    ) -> typing.Optional[_IOriginAccessIdentity_a922494c]:
-        '''An optional Origin Access Identity of the origin identity cloudfront will use when calling your s3 bucket.
+    ) -> typing.Optional[typing.List[_OriginSslPolicy_d65cede2]]:
+        '''The SSL versions to use when interacting with the origin.
 
-        :default: - An Origin Access Identity will be created.
+        :default: OriginSslPolicy.TLS_V1_2
         '''
-        result = self._values.get("origin_access_identity")
-        return typing.cast(typing.Optional[_IOriginAccessIdentity_a922494c], result)
+        result = self._values.get("origin_ssl_protocols")
+        return typing.cast(typing.Optional[typing.List[_OriginSslPolicy_d65cede2]], result)
+
+    @builtins.property
+    def protocol_policy(self) -> typing.Optional[_OriginProtocolPolicy_967ed73c]:
+        '''Specifies the protocol (HTTP or HTTPS) that CloudFront uses to connect to the origin.
+
+        :default: OriginProtocolPolicy.HTTPS_ONLY
+        '''
+        result = self._values.get("protocol_policy")
+        return typing.cast(typing.Optional[_OriginProtocolPolicy_967ed73c], result)
+
+    @builtins.property
+    def read_timeout(self) -> typing.Optional[_Duration_4839e8c3]:
+        '''Specifies how long, in seconds, CloudFront waits for a response from the origin, also known as the origin response timeout.
+
+        The valid range is from 1 to 180 seconds, inclusive.
+
+        Note that values over 60 seconds are possible only after a limit increase request for the origin response timeout quota
+        has been approved in the target account; otherwise, values over 60 seconds will produce an error at deploy time.
+
+        :default: Duration.seconds(30)
+        '''
+        result = self._values.get("read_timeout")
+        return typing.cast(typing.Optional[_Duration_4839e8c3], result)
 
     def __eq__(self, rhs: typing.Any) -> builtins.bool:
         return isinstance(rhs, self.__class__) and rhs._values == self._values
@@ -1874,7 +3650,7 @@ class S3OriginProps(_OriginProps_0675928d):
         return not (rhs == self)
 
     def __repr__(self) -> str:
-        return "S3OriginProps(%s)" % ", ".join(
+        return "S3StaticWebsiteOriginProps(%s)" % ", ".join(
             k + "=" + repr(v) for k, v in self._values.items()
         )
 
@@ -1890,8 +3666,14 @@ __all__ = [
     "OriginGroupProps",
     "RestApiOrigin",
     "RestApiOriginProps",
+    "S3BucketOrigin",
+    "S3BucketOriginBaseProps",
+    "S3BucketOriginWithOACProps",
+    "S3BucketOriginWithOAIProps",
     "S3Origin",
     "S3OriginProps",
+    "S3StaticWebsiteOrigin",
+    "S3StaticWebsiteOriginProps",
 ]
 
 publication.publish()
@@ -1905,6 +3687,7 @@ def _typecheckingstub__fcda903697b26acfe2149a285d5a64619682b675affb52f4ae2d1aca4
     connection_attempts: typing.Optional[jsii.Number] = None,
     connection_timeout: typing.Optional[_Duration_4839e8c3] = None,
     custom_headers: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
+    origin_access_control_id: typing.Optional[builtins.str] = None,
     origin_id: typing.Optional[builtins.str] = None,
     origin_shield_enabled: typing.Optional[builtins.bool] = None,
     origin_shield_region: typing.Optional[builtins.str] = None,
@@ -1917,6 +3700,7 @@ def _typecheckingstub__56d340a9ac5dd93c6aa22cb98bcbc860fb23f8d247b53c2cd1a51ecd8
     connection_attempts: typing.Optional[jsii.Number] = None,
     connection_timeout: typing.Optional[_Duration_4839e8c3] = None,
     custom_headers: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
+    origin_access_control_id: typing.Optional[builtins.str] = None,
     origin_id: typing.Optional[builtins.str] = None,
     origin_shield_enabled: typing.Optional[builtins.bool] = None,
     origin_shield_region: typing.Optional[builtins.str] = None,
@@ -1940,6 +3724,7 @@ def _typecheckingstub__57d13f69f251622e0723aa73c3eb93e482e0deb7a7b1e8439c7d7ad35
     connection_attempts: typing.Optional[jsii.Number] = None,
     connection_timeout: typing.Optional[_Duration_4839e8c3] = None,
     custom_headers: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
+    origin_access_control_id: typing.Optional[builtins.str] = None,
     origin_id: typing.Optional[builtins.str] = None,
     origin_shield_enabled: typing.Optional[builtins.bool] = None,
     origin_shield_region: typing.Optional[builtins.str] = None,
@@ -1952,6 +3737,7 @@ def _typecheckingstub__13f43bf70f0a97ee8ca0e4f7aca38d43089ed2bc254d5c2b57c73b51c
     connection_attempts: typing.Optional[jsii.Number] = None,
     connection_timeout: typing.Optional[_Duration_4839e8c3] = None,
     custom_headers: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
+    origin_access_control_id: typing.Optional[builtins.str] = None,
     origin_id: typing.Optional[builtins.str] = None,
     origin_shield_enabled: typing.Optional[builtins.bool] = None,
     origin_shield_region: typing.Optional[builtins.str] = None,
@@ -1979,6 +3765,7 @@ def _typecheckingstub__2e5124d4f469d6539077a529c09cfba685fe4a7037b9417216b18f6cc
     connection_attempts: typing.Optional[jsii.Number] = None,
     connection_timeout: typing.Optional[_Duration_4839e8c3] = None,
     custom_headers: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
+    origin_access_control_id: typing.Optional[builtins.str] = None,
     origin_id: typing.Optional[builtins.str] = None,
     origin_shield_enabled: typing.Optional[builtins.bool] = None,
     origin_shield_region: typing.Optional[builtins.str] = None,
@@ -1991,6 +3778,7 @@ def _typecheckingstub__c72b63200b184ae3f51c9b6a19be2eef9bddae313ee00c7378396c0dc
     connection_attempts: typing.Optional[jsii.Number] = None,
     connection_timeout: typing.Optional[_Duration_4839e8c3] = None,
     custom_headers: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
+    origin_access_control_id: typing.Optional[builtins.str] = None,
     origin_id: typing.Optional[builtins.str] = None,
     origin_shield_enabled: typing.Optional[builtins.bool] = None,
     origin_shield_region: typing.Optional[builtins.str] = None,
@@ -2009,6 +3797,7 @@ def _typecheckingstub__428f309ea8c48c002d77db24802c77164c9607d40492e08c4b243080f
     scope: _constructs_77d1e7e8.Construct,
     *,
     origin_id: builtins.str,
+    distribution_id: typing.Optional[builtins.str] = None,
 ) -> None:
     """Type checking stubs"""
     pass
@@ -2031,6 +3820,7 @@ def _typecheckingstub__56b6a9ee9b4e8ac821a25cc86fc2ff9f7490081ff9a35a5c551216af6
     connection_attempts: typing.Optional[jsii.Number] = None,
     connection_timeout: typing.Optional[_Duration_4839e8c3] = None,
     custom_headers: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
+    origin_access_control_id: typing.Optional[builtins.str] = None,
     origin_id: typing.Optional[builtins.str] = None,
     origin_shield_enabled: typing.Optional[builtins.bool] = None,
     origin_shield_region: typing.Optional[builtins.str] = None,
@@ -2043,6 +3833,7 @@ def _typecheckingstub__0eca8c8f76c90eb80c45563b1a8eb9b9f1868ad621b45412a4cb93529
     connection_attempts: typing.Optional[jsii.Number] = None,
     connection_timeout: typing.Optional[_Duration_4839e8c3] = None,
     custom_headers: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
+    origin_access_control_id: typing.Optional[builtins.str] = None,
     origin_id: typing.Optional[builtins.str] = None,
     origin_shield_enabled: typing.Optional[builtins.bool] = None,
     origin_shield_region: typing.Optional[builtins.str] = None,
@@ -2053,6 +3844,114 @@ def _typecheckingstub__0eca8c8f76c90eb80c45563b1a8eb9b9f1868ad621b45412a4cb93529
     """Type checking stubs"""
     pass
 
+def _typecheckingstub__3cb1f0b82603224c7fbeb25b954355d9b19c8971c1f19cce6cc99b4579024f0f(
+    bucket: _IBucket_42e086fd,
+    *,
+    origin_path: typing.Optional[builtins.str] = None,
+    connection_attempts: typing.Optional[jsii.Number] = None,
+    connection_timeout: typing.Optional[_Duration_4839e8c3] = None,
+    custom_headers: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
+    origin_access_control_id: typing.Optional[builtins.str] = None,
+    origin_id: typing.Optional[builtins.str] = None,
+    origin_shield_enabled: typing.Optional[builtins.bool] = None,
+    origin_shield_region: typing.Optional[builtins.str] = None,
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__f676436dc530972f0e77d574f148913989a94d38c9af09bff28450e29ace8acb(
+    bucket: _IBucket_42e086fd,
+    *,
+    origin_path: typing.Optional[builtins.str] = None,
+    connection_attempts: typing.Optional[jsii.Number] = None,
+    connection_timeout: typing.Optional[_Duration_4839e8c3] = None,
+    custom_headers: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
+    origin_access_control_id: typing.Optional[builtins.str] = None,
+    origin_id: typing.Optional[builtins.str] = None,
+    origin_shield_enabled: typing.Optional[builtins.bool] = None,
+    origin_shield_region: typing.Optional[builtins.str] = None,
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__23afb965139dc34be23cec3ad5506b4c5de509db9c0d653bed7877f463b7a9db(
+    bucket: _IBucket_42e086fd,
+    *,
+    origin_access_control: typing.Optional[_IOriginAccessControl_82a6fe5a] = None,
+    origin_access_levels: typing.Optional[typing.Sequence[_AccessLevel_315d9a76]] = None,
+    origin_path: typing.Optional[builtins.str] = None,
+    connection_attempts: typing.Optional[jsii.Number] = None,
+    connection_timeout: typing.Optional[_Duration_4839e8c3] = None,
+    custom_headers: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
+    origin_access_control_id: typing.Optional[builtins.str] = None,
+    origin_id: typing.Optional[builtins.str] = None,
+    origin_shield_enabled: typing.Optional[builtins.bool] = None,
+    origin_shield_region: typing.Optional[builtins.str] = None,
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__13e7421c65d5fbb92fc686fa854daca3e90dc002f3e99da4b4757e32e3c4105d(
+    bucket: _IBucket_42e086fd,
+    *,
+    origin_access_identity: typing.Optional[_IOriginAccessIdentity_a922494c] = None,
+    origin_path: typing.Optional[builtins.str] = None,
+    connection_attempts: typing.Optional[jsii.Number] = None,
+    connection_timeout: typing.Optional[_Duration_4839e8c3] = None,
+    custom_headers: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
+    origin_access_control_id: typing.Optional[builtins.str] = None,
+    origin_id: typing.Optional[builtins.str] = None,
+    origin_shield_enabled: typing.Optional[builtins.bool] = None,
+    origin_shield_region: typing.Optional[builtins.str] = None,
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__c5e580c31fe629b713e1ecbf9905ebb4220e152805ab34129f693f2c4d4db098(
+    *,
+    connection_attempts: typing.Optional[jsii.Number] = None,
+    connection_timeout: typing.Optional[_Duration_4839e8c3] = None,
+    custom_headers: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
+    origin_access_control_id: typing.Optional[builtins.str] = None,
+    origin_id: typing.Optional[builtins.str] = None,
+    origin_shield_enabled: typing.Optional[builtins.bool] = None,
+    origin_shield_region: typing.Optional[builtins.str] = None,
+    origin_path: typing.Optional[builtins.str] = None,
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__1af53a7ded1427e29cc874af45efdfe026a0004a1f2782a5bc936dbfcb4fe7a4(
+    *,
+    connection_attempts: typing.Optional[jsii.Number] = None,
+    connection_timeout: typing.Optional[_Duration_4839e8c3] = None,
+    custom_headers: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
+    origin_access_control_id: typing.Optional[builtins.str] = None,
+    origin_id: typing.Optional[builtins.str] = None,
+    origin_shield_enabled: typing.Optional[builtins.bool] = None,
+    origin_shield_region: typing.Optional[builtins.str] = None,
+    origin_path: typing.Optional[builtins.str] = None,
+    origin_access_control: typing.Optional[_IOriginAccessControl_82a6fe5a] = None,
+    origin_access_levels: typing.Optional[typing.Sequence[_AccessLevel_315d9a76]] = None,
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__4b64c18ef31b660c450eee84b6738d7bbd960797e1788e068be9663127832c26(
+    *,
+    connection_attempts: typing.Optional[jsii.Number] = None,
+    connection_timeout: typing.Optional[_Duration_4839e8c3] = None,
+    custom_headers: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
+    origin_access_control_id: typing.Optional[builtins.str] = None,
+    origin_id: typing.Optional[builtins.str] = None,
+    origin_shield_enabled: typing.Optional[builtins.bool] = None,
+    origin_shield_region: typing.Optional[builtins.str] = None,
+    origin_path: typing.Optional[builtins.str] = None,
+    origin_access_identity: typing.Optional[_IOriginAccessIdentity_a922494c] = None,
+) -> None:
+    """Type checking stubs"""
+    pass
+
 def _typecheckingstub__9ba8623373b0faa9ac55c816167da21a58e0753e0dd032b1f3e6ccd0bd977994(
     bucket: _IBucket_42e086fd,
     *,
@@ -2061,6 +3960,7 @@ def _typecheckingstub__9ba8623373b0faa9ac55c816167da21a58e0753e0dd032b1f3e6ccd0b
     connection_attempts: typing.Optional[jsii.Number] = None,
     connection_timeout: typing.Optional[_Duration_4839e8c3] = None,
     custom_headers: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
+    origin_access_control_id: typing.Optional[builtins.str] = None,
     origin_id: typing.Optional[builtins.str] = None,
     origin_shield_enabled: typing.Optional[builtins.bool] = None,
     origin_shield_region: typing.Optional[builtins.str] = None,
@@ -2072,6 +3972,7 @@ def _typecheckingstub__1731b0d7a385b196730b287be11e2cb13fa03d064ae3ffbfd55c5422a
     scope: _constructs_77d1e7e8.Construct,
     *,
     origin_id: builtins.str,
+    distribution_id: typing.Optional[builtins.str] = None,
 ) -> None:
     """Type checking stubs"""
     pass
@@ -2081,6 +3982,7 @@ def _typecheckingstub__bbd2a0ca1bf4d32899d90ea633e3ac416a6fa29972ee055a5866ec269
     connection_attempts: typing.Optional[jsii.Number] = None,
     connection_timeout: typing.Optional[_Duration_4839e8c3] = None,
     custom_headers: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
+    origin_access_control_id: typing.Optional[builtins.str] = None,
     origin_id: typing.Optional[builtins.str] = None,
     origin_shield_enabled: typing.Optional[builtins.bool] = None,
     origin_shield_region: typing.Optional[builtins.str] = None,
@@ -2089,3 +3991,44 @@ def _typecheckingstub__bbd2a0ca1bf4d32899d90ea633e3ac416a6fa29972ee055a5866ec269
 ) -> None:
     """Type checking stubs"""
     pass
+
+def _typecheckingstub__f0edd2083352b96faf3ea9eb05136629dff841fa272ecdb6dfb52772a77b9b22(
+    bucket: _IBucket_42e086fd,
+    *,
+    http_port: typing.Optional[jsii.Number] = None,
+    https_port: typing.Optional[jsii.Number] = None,
+    keepalive_timeout: typing.Optional[_Duration_4839e8c3] = None,
+    origin_ssl_protocols: typing.Optional[typing.Sequence[_OriginSslPolicy_d65cede2]] = None,
+    protocol_policy: typing.Optional[_OriginProtocolPolicy_967ed73c] = None,
+    read_timeout: typing.Optional[_Duration_4839e8c3] = None,
+    origin_path: typing.Optional[builtins.str] = None,
+    connection_attempts: typing.Optional[jsii.Number] = None,
+    connection_timeout: typing.Optional[_Duration_4839e8c3] = None,
+    custom_headers: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
+    origin_access_control_id: typing.Optional[builtins.str] = None,
+    origin_id: typing.Optional[builtins.str] = None,
+    origin_shield_enabled: typing.Optional[builtins.bool] = None,
+    origin_shield_region: typing.Optional[builtins.str] = None,
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__5bc18cdba7c0e6d7d0a68d2a1cf3c3f91f50a7e3e7384f5f62ebee6006adbb85(
+    *,
+    connection_attempts: typing.Optional[jsii.Number] = None,
+    connection_timeout: typing.Optional[_Duration_4839e8c3] = None,
+    custom_headers: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
+    origin_access_control_id: typing.Optional[builtins.str] = None,
+    origin_id: typing.Optional[builtins.str] = None,
+    origin_shield_enabled: typing.Optional[builtins.bool] = None,
+    origin_shield_region: typing.Optional[builtins.str] = None,
+    origin_path: typing.Optional[builtins.str] = None,
+    http_port: typing.Optional[jsii.Number] = None,
+    https_port: typing.Optional[jsii.Number] = None,
+    keepalive_timeout: typing.Optional[_Duration_4839e8c3] = None,
+    origin_ssl_protocols: typing.Optional[typing.Sequence[_OriginSslPolicy_d65cede2]] = None,
+    protocol_policy: typing.Optional[_OriginProtocolPolicy_967ed73c] = None,
+    read_timeout: typing.Optional[_Duration_4839e8c3] = None,
+) -> None:
+    """Type checking stubs"""
+    pass