diff --git a/packages/@aws-cdk/aws-cloudfront-origins/README.md b/packages/@aws-cdk/aws-cloudfront-origins/README.md
index 614a089247459..1fe19e77ebf1b 100644
--- a/packages/@aws-cdk/aws-cloudfront-origins/README.md
+++ b/packages/@aws-cdk/aws-cloudfront-origins/README.md
@@ -32,7 +32,7 @@ The above will treat the bucket differently based on if `IBucket.isWebsite` is s
 treated as an HTTP origin, and the built-in S3 redirects and error pages can be used. Otherwise, the bucket is handled as a bucket origin and
 CloudFront's redirect and error handling will be used. In the latter case, the Origin wil create an origin access identity and grant it access to the
 underlying bucket. This can be used in conjunction with a bucket that is not public to require that your users access your content using CloudFront
-URLs and not S3 URLs directly.
+URLs and not S3 URLs directly. Alternatively, a custom origin access identity can be passed to the S3 origin in the properties.
 
 ## ELBv2 Load Balancer
 
diff --git a/packages/@aws-cdk/aws-cloudfront-origins/lib/s3-origin.ts b/packages/@aws-cdk/aws-cloudfront-origins/lib/s3-origin.ts
index 04c3d5175cace..7fe8fb8f5a52c 100644
--- a/packages/@aws-cdk/aws-cloudfront-origins/lib/s3-origin.ts
+++ b/packages/@aws-cdk/aws-cloudfront-origins/lib/s3-origin.ts
@@ -16,6 +16,12 @@ export interface S3OriginProps {
    * @default '/'
    */
   readonly originPath?: string;
+  /**
+   * An optional Origin Access Identity of the origin identity cloudfront will use when calling your s3 bucket.
+   *
+   * @default - An Origin Access Identity will be created.
+   */
+  readonly originAccessIdentity?: cloudfront.IOriginAccessIdentity;
 }
 
 /**
@@ -50,10 +56,13 @@ export class S3Origin implements cloudfront.IOrigin {
  * Contains additional logic around bucket permissions and origin access identities.
  */
 class S3BucketOrigin extends cloudfront.OriginBase {
-  private originAccessIdentity!: cloudfront.OriginAccessIdentity;
+  private originAccessIdentity!: cloudfront.IOriginAccessIdentity;
 
-  constructor(private readonly bucket: s3.IBucket, props: S3OriginProps) {
+  constructor(private readonly bucket: s3.IBucket, { originAccessIdentity, ...props }: S3OriginProps) {
     super(bucket.bucketRegionalDomainName, props);
+    if (originAccessIdentity) {
+      this.originAccessIdentity = originAccessIdentity;
+    }
   }
 
   public bind(scope: cdk.Construct, options: cloudfront.OriginBindOptions): cloudfront.OriginBindConfig {
diff --git a/packages/@aws-cdk/aws-cloudfront-origins/test/integ.s3-origin-oai.expected.json b/packages/@aws-cdk/aws-cloudfront-origins/test/integ.s3-origin-oai.expected.json
new file mode 100644
index 0000000000000..2a41a79aae0ba
--- /dev/null
+++ b/packages/@aws-cdk/aws-cloudfront-origins/test/integ.s3-origin-oai.expected.json
@@ -0,0 +1,58 @@
+{
+  "Resources": {
+    "Bucket83908E77": {
+      "Type": "AWS::S3::Bucket",
+      "UpdateReplacePolicy": "Retain",
+      "DeletionPolicy": "Retain"
+    },
+    "OriginAccessIdentityDF1E3CAC": {
+      "Type": "AWS::CloudFront::CloudFrontOriginAccessIdentity",
+      "Properties": {
+        "CloudFrontOriginAccessIdentityConfig": {
+          "Comment": "Identity for bucket provided by test"
+        }
+      }
+    },
+    "Distribution830FAC52": {
+      "Type": "AWS::CloudFront::Distribution",
+      "Properties": {
+        "DistributionConfig": {
+          "DefaultCacheBehavior": {
+            "ForwardedValues": {
+              "QueryString": false
+            },
+            "TargetOriginId": "cloudfronts3originDistributionOrigin1741C4E95",
+            "ViewerProtocolPolicy": "allow-all"
+          },
+          "Enabled": true,
+          "HttpVersion": "http2",
+          "IPV6Enabled": true,
+          "Origins": [
+            {
+              "DomainName": {
+                "Fn::GetAtt": [
+                  "Bucket83908E77",
+                  "RegionalDomainName"
+                ]
+              },
+              "Id": "cloudfronts3originDistributionOrigin1741C4E95",
+              "S3OriginConfig": {
+                "OriginAccessIdentity": {
+                  "Fn::Join": [
+                    "",
+                    [
+                      "origin-access-identity/cloudfront/",
+                      {
+                        "Ref": "OriginAccessIdentityDF1E3CAC"
+                      }
+                    ]
+                  ]
+                }
+              }
+            }
+          ]
+        }
+      }
+    }
+  }
+}
diff --git a/packages/@aws-cdk/aws-cloudfront-origins/test/integ.s3-origin-oai.ts b/packages/@aws-cdk/aws-cloudfront-origins/test/integ.s3-origin-oai.ts
new file mode 100644
index 0000000000000..d7331a160abcd
--- /dev/null
+++ b/packages/@aws-cdk/aws-cloudfront-origins/test/integ.s3-origin-oai.ts
@@ -0,0 +1,18 @@
+import * as cloudfront from '@aws-cdk/aws-cloudfront';
+import * as s3 from '@aws-cdk/aws-s3';
+import * as cdk from '@aws-cdk/core';
+import * as origins from '../lib';
+
+const app = new cdk.App();
+
+const stack = new cdk.Stack(app, 'cloudfront-s3-origin-oai');
+
+const bucket = new s3.Bucket(stack, 'Bucket');
+const originAccessIdentity = new cloudfront.OriginAccessIdentity(stack, 'OriginAccessIdentity', {
+  comment: 'Identity for bucket provided by test',
+});
+new cloudfront.Distribution(stack, 'Distribution', {
+  defaultBehavior: { origin: new origins.S3Origin(bucket, { originAccessIdentity }) },
+});
+
+app.synth();
diff --git a/packages/@aws-cdk/aws-cloudfront-origins/test/s3-origin.test.ts b/packages/@aws-cdk/aws-cloudfront-origins/test/s3-origin.test.ts
index 1d99534652d23..bfa9716f8a773 100644
--- a/packages/@aws-cdk/aws-cloudfront-origins/test/s3-origin.test.ts
+++ b/packages/@aws-cdk/aws-cloudfront-origins/test/s3-origin.test.ts
@@ -30,7 +30,7 @@ describe('With bucket', () => {
     });
   });
 
-  test('can customize properties', () => {
+  test('can customize originPath property', () => {
     const bucket = new s3.Bucket(stack, 'Bucket');
 
     const origin = new S3Origin(bucket, { originPath: '/assets' });
@@ -46,6 +46,23 @@ describe('With bucket', () => {
     });
   });
 
+  test('can customize OriginAccessIdentity property', () => {
+    const bucket = new s3.Bucket(stack, 'Bucket');
+
+    const originAccessIdentity = new cloudfront.OriginAccessIdentity(stack, 'OriginAccessIdentity', {
+      comment: 'Identity for bucket provided by test',
+    });
+
+    const origin = new S3Origin(bucket, { originAccessIdentity });
+    new cloudfront.Distribution(stack, 'Dist', { defaultBehavior: { origin } });
+
+    expect(stack).toHaveResourceLike('AWS::CloudFront::CloudFrontOriginAccessIdentity', {
+      CloudFrontOriginAccessIdentityConfig: {
+        Comment: 'Identity for bucket provided by test',
+      },
+    });
+  });
+
   test('creates an OriginAccessIdentity and grants read permissions on the bucket', () => {
     const bucket = new s3.Bucket(stack, 'Bucket');