diff --git a/clients/client-cloudfront/src/CloudFront.ts b/clients/client-cloudfront/src/CloudFront.ts
index 5af65808d8f2..13d60df2ff66 100644
--- a/clients/client-cloudfront/src/CloudFront.ts
+++ b/clients/client-cloudfront/src/CloudFront.ts
@@ -2246,7 +2246,7 @@ export class CloudFront extends CloudFrontClient {
   }
 
   /**
-   * <p>Gets a CloudFront origin access control.</p>
+   * <p>Gets a CloudFront origin access control, including its unique identifier.</p>
    */
   public getOriginAccessControl(
     args: GetOriginAccessControlCommandInput,
@@ -2278,7 +2278,7 @@ export class CloudFront extends CloudFrontClient {
   }
 
   /**
-   * <p>Gets a CloudFront origin access control.</p>
+   * <p>Gets a CloudFront origin access control configuration.</p>
    */
   public getOriginAccessControlConfig(
     args: GetOriginAccessControlConfigCommandInput,
diff --git a/clients/client-cloudfront/src/commands/GetOriginAccessControlCommand.ts b/clients/client-cloudfront/src/commands/GetOriginAccessControlCommand.ts
index 0c3d2a1d780f..4c0a9a7fb050 100644
--- a/clients/client-cloudfront/src/commands/GetOriginAccessControlCommand.ts
+++ b/clients/client-cloudfront/src/commands/GetOriginAccessControlCommand.ts
@@ -28,7 +28,7 @@ export interface GetOriginAccessControlCommandInput extends GetOriginAccessContr
 export interface GetOriginAccessControlCommandOutput extends GetOriginAccessControlResult, __MetadataBearer {}
 
 /**
- * <p>Gets a CloudFront origin access control.</p>
+ * <p>Gets a CloudFront origin access control, including its unique identifier.</p>
  * @example
  * Use a bare-bones client and the command you need to make an API call.
  * ```javascript
diff --git a/clients/client-cloudfront/src/commands/GetOriginAccessControlConfigCommand.ts b/clients/client-cloudfront/src/commands/GetOriginAccessControlConfigCommand.ts
index 97ce2db453c1..21e50381dfff 100644
--- a/clients/client-cloudfront/src/commands/GetOriginAccessControlConfigCommand.ts
+++ b/clients/client-cloudfront/src/commands/GetOriginAccessControlConfigCommand.ts
@@ -30,7 +30,7 @@ export interface GetOriginAccessControlConfigCommandOutput
     __MetadataBearer {}
 
 /**
- * <p>Gets a CloudFront origin access control.</p>
+ * <p>Gets a CloudFront origin access control configuration.</p>
  * @example
  * Use a bare-bones client and the command you need to make an API call.
  * ```javascript
diff --git a/clients/client-cloudfront/src/models/models_0.ts b/clients/client-cloudfront/src/models/models_0.ts
index 9df8371163b6..f211ece5cc5f 100644
--- a/clients/client-cloudfront/src/models/models_0.ts
+++ b/clients/client-cloudfront/src/models/models_0.ts
@@ -5657,7 +5657,7 @@ export enum OriginAccessControlSigningProtocols {
 }
 
 /**
- * <p>A CloudFront origin access control.</p>
+ * <p>A CloudFront origin access control configuration.</p>
  */
 export interface OriginAccessControlConfig {
   /**
@@ -5701,8 +5701,8 @@ export interface OriginAccessControlConfig {
    * 					sign the origin request and instead passes along the <code>Authorization</code>
    * 					header from the viewer request. <b>WARNING: To pass along the
    * 					<code>Authorization</code> header from the viewer request, you
-   * 					<i>must</i> add the <code>Authorization</code> header to an <a href="https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/controlling-origin-requests.html">origin request policy</a> for all cache behaviors that
-   * 					use origins associated with this origin access control.</b>
+   * 					<i>must</i> add the <code>Authorization</code> header to a <a href="https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/controlling-the-cache-key.html">cache policy</a> for all cache behaviors that use
+   * 					origins associated with this origin access control.</b>
    *                </p>
    * 			         </li>
    *          </ul>
@@ -5724,7 +5724,7 @@ export interface CreateOriginAccessControlRequest {
 }
 
 /**
- * <p>A CloudFront origin access control.</p>
+ * <p>A CloudFront origin access control, including its unique identifier.</p>
  */
 export interface OriginAccessControl {
   /**
diff --git a/clients/client-cloudfront/src/models/models_1.ts b/clients/client-cloudfront/src/models/models_1.ts
index bf527f4e9d3a..227968a3dd67 100644
--- a/clients/client-cloudfront/src/models/models_1.ts
+++ b/clients/client-cloudfront/src/models/models_1.ts
@@ -1062,7 +1062,7 @@ export interface GetOriginAccessControlRequest {
 
 export interface GetOriginAccessControlResult {
   /**
-   * <p>Contains an origin access control.</p>
+   * <p>Contains an origin access control, including its unique identifier.</p>
    */
   OriginAccessControl?: OriginAccessControl;
 
@@ -1081,7 +1081,7 @@ export interface GetOriginAccessControlConfigRequest {
 
 export interface GetOriginAccessControlConfigResult {
   /**
-   * <p>Contains an origin access control.</p>
+   * <p>Contains an origin access control configuration.</p>
    */
   OriginAccessControlConfig?: OriginAccessControlConfig;
 
diff --git a/codegen/sdk-codegen/aws-models/cloudfront.json b/codegen/sdk-codegen/aws-models/cloudfront.json
index 792d417b2fd7..db836235950d 100644
--- a/codegen/sdk-codegen/aws-models/cloudfront.json
+++ b/codegen/sdk-codegen/aws-models/cloudfront.json
@@ -6663,7 +6663,7 @@
         }
       ],
       "traits": {
-        "smithy.api#documentation": "<p>Gets a CloudFront origin access control.</p>",
+        "smithy.api#documentation": "<p>Gets a CloudFront origin access control, including its unique identifier.</p>",
         "smithy.api#http": {
           "method": "GET",
           "uri": "/2020-05-31/origin-access-control/{Id}",
@@ -6688,7 +6688,7 @@
         }
       ],
       "traits": {
-        "smithy.api#documentation": "<p>Gets a CloudFront origin access control.</p>",
+        "smithy.api#documentation": "<p>Gets a CloudFront origin access control configuration.</p>",
         "smithy.api#http": {
           "method": "GET",
           "uri": "/2020-05-31/origin-access-control/{Id}/config",
@@ -6715,7 +6715,7 @@
         "OriginAccessControlConfig": {
           "target": "com.amazonaws.cloudfront#OriginAccessControlConfig",
           "traits": {
-            "smithy.api#documentation": "<p>Contains an origin access control.</p>",
+            "smithy.api#documentation": "<p>Contains an origin access control configuration.</p>",
             "smithy.api#httpPayload": {}
           }
         },
@@ -6747,7 +6747,7 @@
         "OriginAccessControl": {
           "target": "com.amazonaws.cloudfront#OriginAccessControl",
           "traits": {
-            "smithy.api#documentation": "<p>Contains an origin access control.</p>",
+            "smithy.api#documentation": "<p>Contains an origin access control, including its unique identifier.</p>",
             "smithy.api#httpPayload": {}
           }
         },
@@ -10056,7 +10056,7 @@
         }
       },
       "traits": {
-        "smithy.api#documentation": "<p>A CloudFront origin access control.</p>"
+        "smithy.api#documentation": "<p>A CloudFront origin access control, including its unique identifier.</p>"
       }
     },
     "com.amazonaws.cloudfront#OriginAccessControlAlreadyExists": {
@@ -10099,7 +10099,7 @@
         "SigningBehavior": {
           "target": "com.amazonaws.cloudfront#OriginAccessControlSigningBehaviors",
           "traits": {
-            "smithy.api#documentation": "<p>Specifies which requests CloudFront signs (adds authentication information to). Specify\n\t\t\t<code>always</code> for the most common use case. For more information, see <a href=\"https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html#oac-advanced-settings\">origin access control advanced settings</a> in the\n\t\t\t<i>Amazon CloudFront Developer Guide</i>.</p>\n\t\t       <p>This field can have one of the following values:</p>\n\t\t       <ul>\n            <li>\n\t\t\t\t           <p>\n                  <code>always</code> – CloudFront signs all origin requests, overwriting the\n\t\t\t\t\t<code>Authorization</code> header from the viewer request if one exists.</p>\n\t\t\t         </li>\n            <li>\n\t\t\t\t           <p>\n                  <code>never</code> – CloudFront doesn't sign any origin requests. This value turns off origin\n\t\t\t\t\taccess control for all origins in all distributions that use this origin access\n\t\t\t\t\tcontrol.</p>\n\t\t\t         </li>\n            <li>\n\t\t\t\t           <p>\n                  <code>no-override</code> – If the viewer request doesn't contain the\n\t\t\t\t\t<code>Authorization</code> header, then CloudFront signs the origin request. If the\n\t\t\t\t\tviewer request contains the <code>Authorization</code> header, then CloudFront doesn't\n\t\t\t\t\tsign the origin request and instead passes along the <code>Authorization</code>\n\t\t\t\t\theader from the viewer request. <b>WARNING: To pass along the\n\t\t\t\t\t<code>Authorization</code> header from the viewer request, you\n\t\t\t\t\t<i>must</i> add the <code>Authorization</code> header to an <a href=\"https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/controlling-origin-requests.html\">origin request policy</a> for all cache behaviors that\n\t\t\t\t\tuse origins associated with this origin access control.</b>\n               </p>\n\t\t\t         </li>\n         </ul>",
+            "smithy.api#documentation": "<p>Specifies which requests CloudFront signs (adds authentication information to). Specify\n\t\t\t<code>always</code> for the most common use case. For more information, see <a href=\"https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html#oac-advanced-settings\">origin access control advanced settings</a> in the\n\t\t\t<i>Amazon CloudFront Developer Guide</i>.</p>\n\t\t       <p>This field can have one of the following values:</p>\n\t\t       <ul>\n            <li>\n\t\t\t\t           <p>\n                  <code>always</code> – CloudFront signs all origin requests, overwriting the\n\t\t\t\t\t<code>Authorization</code> header from the viewer request if one exists.</p>\n\t\t\t         </li>\n            <li>\n\t\t\t\t           <p>\n                  <code>never</code> – CloudFront doesn't sign any origin requests. This value turns off origin\n\t\t\t\t\taccess control for all origins in all distributions that use this origin access\n\t\t\t\t\tcontrol.</p>\n\t\t\t         </li>\n            <li>\n\t\t\t\t           <p>\n                  <code>no-override</code> – If the viewer request doesn't contain the\n\t\t\t\t\t<code>Authorization</code> header, then CloudFront signs the origin request. If the\n\t\t\t\t\tviewer request contains the <code>Authorization</code> header, then CloudFront doesn't\n\t\t\t\t\tsign the origin request and instead passes along the <code>Authorization</code>\n\t\t\t\t\theader from the viewer request. <b>WARNING: To pass along the\n\t\t\t\t\t<code>Authorization</code> header from the viewer request, you\n\t\t\t\t\t<i>must</i> add the <code>Authorization</code> header to a <a href=\"https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/controlling-the-cache-key.html\">cache policy</a> for all cache behaviors that use\n\t\t\t\t\torigins associated with this origin access control.</b>\n               </p>\n\t\t\t         </li>\n         </ul>",
             "smithy.api#required": {}
           }
         },
@@ -10112,7 +10112,7 @@
         }
       },
       "traits": {
-        "smithy.api#documentation": "<p>A CloudFront origin access control.</p>"
+        "smithy.api#documentation": "<p>A CloudFront origin access control configuration.</p>"
       }
     },
     "com.amazonaws.cloudfront#OriginAccessControlInUse": {