diff --git a/docs/terraform.md b/docs/terraform.md index 4e9c4cbe..b699fe52 100644 --- a/docs/terraform.md +++ b/docs/terraform.md @@ -88,7 +88,7 @@ | [cors\_max\_age\_seconds](#input\_cors\_max\_age\_seconds) | Time in seconds that browser can cache the response for S3 bucket | `number` | `3600` | no | | [custom\_error\_response](#input\_custom\_error\_response) | List of one or more custom error response element maps |
list(object({
error_caching_min_ttl = string
error_code = string
response_code = string
response_page_path = string
}))
| `[]` | no | | [custom\_origin\_headers](#input\_custom\_origin\_headers) | A list of origin header parameters that will be sent to origin | `list(object({ name = string, value = string }))` | `[]` | no | -| [custom\_origins](#input\_custom\_origins) | A list of additional custom website [origins](https://www.terraform.io/docs/providers/aws/r/cloudfront_distribution.html#origin-arguments) for this distribution. |
list(object({
domain_name = string
origin_id = string
origin_path = string
custom_headers = list(object({
name = string
value = string
}))
custom_origin_config = object({
http_port = number
https_port = number
origin_protocol_policy = string
origin_ssl_protocols = list(string)
origin_keepalive_timeout = number
origin_read_timeout = number
})
}))
| `[]` | no | +| [custom\_origins](#input\_custom\_origins) | A list of additional custom website [origins](https://www.terraform.io/docs/providers/aws/r/cloudfront_distribution.html#origin-arguments) for this distribution. |
list(object({
domain_name = string
origin_id = string
origin_path = string
origin_access_control_id = string
custom_headers = list(object({
name = string
value = string
}))
custom_origin_config = object({
http_port = number
https_port = number
origin_protocol_policy = string
origin_ssl_protocols = list(string)
origin_keepalive_timeout = number
origin_read_timeout = number
})
}))
| `[]` | no | | [default\_root\_object](#input\_default\_root\_object) | Object that CloudFront return when requests the root URL | `string` | `"index.html"` | no | | [default\_ttl](#input\_default\_ttl) | Default amount of time (in seconds) that an object is in a CloudFront cache | `number` | `60` | no | | [delimiter](#input\_delimiter) | Delimiter to be used between ID elements.
Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no |
diff --git a/examples/complete/custom-origins.tf b/examples/complete/custom-origins.tf
index 2bbeb5d5..f4bfe032 100644
--- a/examples/complete/custom-origins.tf
+++ b/examples/complete/custom-origins.tf
@@ -1,10 +1,13 @@
 locals {
 additional_custom_origins_enabled = local.enabled && var.additional_custom_origins_enabled
 default_custom_origin_configuration = {
- domain_name = null
- origin_id = null
- origin_path = null
- custom_headers = []
+ domain_name = null
+ origin_id = null
+ origin_path = null
+ # Example configuration with Origin Access Control for Lambda@Edge:
+ # origin_access_control_id = aws_cloudfront_origin_access_control.example.id
+ origin_access_control_id = null
+ custom_headers = []
 custom_origin_config = {
 http_port = 80
 https_port = 443
diff --git a/main.tf b/main.tf
index 6a7cee4a..12d80708 100644
--- a/main.tf
+++ b/main.tf
@@ -551,9 +551,10 @@ resource "aws_cloudfront_distribution" "default" {
 dynamic "origin" {
 for_each = var.custom_origins
 content {
- domain_name = origin.value.domain_name
- origin_id = origin.value.origin_id
- origin_path = lookup(origin.value, "origin_path", "")
+ domain_name = origin.value.domain_name
+ origin_id = origin.value.origin_id
+ origin_path = lookup(origin.value, "origin_path", "")
+ origin_access_control_id = lookup(origin.value, "origin_access_control_id", null)
 dynamic "custom_header" {
 for_each = lookup(origin.value, "custom_headers", [])
 content {
diff --git a/variables.tf b/variables.tf
index 0e5bf1a5..f0380952 100644
--- a/variables.tf
+++ b/variables.tf
@@ -446,9 +446,10 @@ variable "ordered_cache" {
 
 variable "custom_origins" {
 type = list(object({
- domain_name = string
- origin_id = string
- origin_path = string
+ domain_name = string
+ origin_id = string
+ origin_path = string
+ origin_access_control_id = optional(string)
 custom_headers = list(object({
 name = string
 value = string
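Review bot: In examples/complete/custom-origins.tf the added comment calls this "Origin Access Control for Lambda@Edge", but an OAC is attached to an origin (for Lambda, that means a function URL origin), whereas Lambda@Edge functions are associated with cache behaviours, so the wording points readers at the wrong feature. I would reword it to `# Example: attach an Origin Access Control to this origin (e.g. a Lambda function URL):`. The commented reference `aws_cloudfront_origin_access_control.example.id` has no matching resource in this hunk, so the example should either define one or say that the caller must. The `default_custom_origin_configuration` map continues past the end of the hunk.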
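Review bot: In main.tf the new `lookup(origin.value, "origin_access_control_id", null)` is redundant, because variables.tf in this commit declares the attribute as `optional(string)`, so it is always present and null when omitted; `origin_access_control_id = origin.value.origin_access_control_id` expresses the same thing. Because this `origin` block is the custom-origin one, a short comment would also help callers avoid setting it where it does not apply, for example `# Only for origin types that support OAC (e.g. Lambda function URL); leave null otherwise`. The `content` block starts and ends outside the hunk.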
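Review bot: In variables.tf the attribute is declared `origin_access_control_id = optional(string)`, but the docs/terraform.md table updated in this same commit lists it as `origin_access_control_id = string`, which reads as a required attribute; the docs should be regenerated so the two agree. `optional()` inside an object type also needs Terraform 1.3 or later, so the module's `required_version` (not visible in this diff) is worth checking. The type definition continues beyond the hunk.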
@@ -465,6 +466,8 @@ variable "custom_origins" {
 default = []
 description = <<-EOT
 A list of additional custom website [origins](https://www.terraform.io/docs/providers/aws/r/cloudfront_distribution.html#origin-arguments) for this distribution.
+ The `origin_access_control_id` field specifies the Origin Access Control configuration to use for this origin.
+ This is used to configure secure access between CloudFront and the origin.
 EOT
 }
 
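Review bot: The added description line "This is used to configure secure access between CloudFront and the origin" overstates what setting the ID achieves: an OAC lets CloudFront sign its origin requests, and the origin is only protected if it is itself configured to require that signature. I would replace that line with `Setting it lets CloudFront sign origin requests; the origin must also require that signature (e.g. IAM auth on a Lambda function URL and a resource policy scoped to this distribution), otherwise it stays directly reachable.` It would also help to state that the value is the `id` of an `aws_cloudfront_origin_access_control` resource and that leaving it null attaches no OAC.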