diff --git a/main.tf b/main.tf
index 77706f4..c8c6f25 100644
--- a/main.tf
+++ b/main.tf
@@ -8,6 +8,37 @@ locals {
 override_origin_policy = var.override_s3_origin_policy && var.s3_origin_name != ""
 function_association = { for type, func in var.cf_functions : type => { function_arn = aws_cloudfront_function.functions[type].arn } if func.assign }
+
+ origin_access_identities = var.create_origin_access_identity ? {
+ s3_bucket = "Access identity for CDN (${var.r53_hostname})"
+ } : {}
+
+ oac_key = "${var.r53_hostname}-origin-access-control"
+
+ origin_access_control = var.create_origin_access_control ? {
+ (local.oac_key) = {
+ description = "Origin access control for s3 bucket ${data.aws_s3_bucket.s3_origin[0].id}"
+ origin_type = "s3"
+ signing_behavior = "always"
+ signing_protocol = "sigv4"
+ }
+ } : {}
+
+ origin_oai = var.create_origin_access_identity ? tomap({
+ s3_origin = {
+ domain_name = local.origin_hostname
+ s3_origin_config = {
+ origin_access_identity = "s3_bucket"
+ }
+ }
+ }) : tomap({})
+ origin_oac = var.create_origin_access_control ? tomap({
+ s3_origin = {
+ domain_name = data.aws_s3_bucket.s3_origin[0].bucket_domain_name
+ origin_access_control = local.oac_key
+ }
+ }) : tomap({})
+
 }
 # Workaround for the input variable validation
@@ -26,11 +57,12 @@ data "aws_s3_bucket" "s3_origin" {
 }
 module "certificate" {
- source = "github.com/terraform-aws-modules/terraform-aws-acm?ref=v3.2.0"
+ source = "github.com/terraform-aws-modules/terraform-aws-acm?ref=v5.0.0"
 tags = var.tags
- domain_name = var.r53_hostname
- zone_id = var.r53_zone_id
+ domain_name = var.r53_hostname
+ zone_id = var.r53_zone_id
+ validation_method = "DNS"
 providers = {
 aws = aws.us-east-1
@@ -38,7 +70,7 @@ module "certificate" {
 }
 module "cloudfront" {
- source = "github.com/terraform-aws-modules/terraform-aws-cloudfront?ref=v2.7.0"
+ source = "github.com/terraform-aws-modules/terraform-aws-cloudfront?ref=v3.2.1"
 tags = var.tags
 aliases = [var.r53_hostname]
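Review bot: Nothing in the new locals (the `locals` block opens above this hunk) forces exactly one of `create_origin_access_identity` and `create_origin_access_control` to be true, and both remaining combinations break the stack. With both flags true, `origin = merge(local.origin_oai, local.origin_oac)` (hunk at -61) keeps only the later `s3_origin` entry, so the distribution reaches the bucket through OAC while `aws_s3_bucket_policy.s3_origin_policy` (hunk at -102) still installs `oai_policy`, and the bucket would reject the origin requests. With both false, `origin` is empty although `default_cache_behavior` still targets `s3_origin`, and `oac_policy[0]` is indexed although its `count` is 0. Since `versions.tf` now requires only `>= 0.13.1` a `precondition` is not available, so I'd derive one mode local that the origin maps, the `count` expressions and the policy selector all read, e.g. `use_oac = var.create_origin_access_control && !var.create_origin_access_identity`, and state the mutual exclusion in the variable descriptions. The OAC origin also uses `bucket_domain_name`; `bucket_regional_domain_name` is generally recommended for S3 origins to avoid redirect problems for buckets outside us-east-1 (the OAI path uses `local.origin_hostname`, defined outside this hunk).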
@@ -50,10 +82,11 @@ module "cloudfront" {
 default_root_object = var.default_root_object
- create_origin_access_identity = true
- origin_access_identities = {
- s3_bucket = "Access identity for CDN (${var.r53_hostname})"
- }
+ create_origin_access_identity = var.create_origin_access_identity
+ origin_access_identities = local.origin_access_identities
+
+ create_origin_access_control = var.create_origin_access_control
+ origin_access_control = local.origin_access_control
 logging_config = var.s3_logging_hostname == "" ? {} : {
 bucket = var.s3_logging_hostname
@@ -61,15 +94,7 @@ module "cloudfront" {
 prefix = var.cdn_logging
 }
- origin = {
- s3_origin = {
- domain_name = local.origin_hostname
- s3_origin_config = {
- origin_access_identity = "s3_bucket"
- }
- }
- }
-
+ origin = merge(local.origin_oai, local.origin_oac)
 default_cache_behavior = {
 target_origin_id = "s3_origin"
 viewer_protocol_policy = "redirect-to-https"
@@ -89,7 +114,7 @@ module "cloudfront" {
 }
 data "aws_iam_policy_document" "oai_policy" {
- count = local.override_origin_policy ? 1 : 0
+ count = local.override_origin_policy && var.create_origin_access_identity ? 1 : 0
 statement {
 actions = ["s3:GetObject"]
@@ -102,11 +127,31 @@ data "aws_iam_policy_document" "oai_policy" {
 }
 }
+data "aws_iam_policy_document" "oac_policy" {
+ count = local.override_origin_policy && var.create_origin_access_control ? 1 : 0
+
+ statement {
+ actions = ["s3:GetObject"]
+ resources = ["${data.aws_s3_bucket.s3_origin[0].arn}${var.s3_origin_policy_restrict_access}"]
+
+ principals {
+ type = "Service"
+ identifiers = ["cloudfront.amazonaws.com"]
+ }
+
+ condition {
+ test = "StringEquals"
+ values = [module.cloudfront.cloudfront_distribution_arn]
+ variable = "AWS:SourceArn"
+ }
+ }
+}
+
 resource "aws_s3_bucket_policy" "s3_origin_policy" {
 count = local.override_origin_policy ? 1 : 0
 bucket = data.aws_s3_bucket.s3_origin[0].id
- policy = data.aws_iam_policy_document.oai_policy[0].json
+ policy = var.create_origin_access_identity ? data.aws_iam_policy_document.oai_policy[0].json : data.aws_iam_policy_document.oac_policy[0].json
 }
 resource "aws_route53_record" "this" {
diff --git a/variables.tf b/variables.tf
index 64aea89..09275e8 100644
--- a/variables.tf
+++ b/variables.tf
@@ -85,3 +85,15 @@ variable "default_root_object" {
 type = string
 default = null
 }
+
+variable "create_origin_access_identity" {
+ description = "Controls if CloudFront origin access identity should be created"
+ type = bool
+ default = true
+}
+
+variable "create_origin_access_control" {
+ description = "Controls if CloudFront origin access control should be created"
+ type = bool
+ default = false
+}
diff --git a/versions.tf b/versions.tf
index 0a7e256..890deaf 100644
--- a/versions.tf
+++ b/versions.tf
@@ -1,7 +1,7 @@
 terraform {
- required_version = ">= 0.12.26"
+ required_version = ">= 0.13.1"
 required_providers {
- aws = ">= 3"
+ aws = ">= 4.29"
 }
 }
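Review bot: The descriptions of `create_origin_access_identity` and `create_origin_access_control` in the variables.tf hunk do not say that the two flags are alternatives, yet the locals and the bucket-policy selector in main.tf only behave correctly when exactly one of them is true. I'd spell that out, e.g. `description = "Controls if a CloudFront origin access identity (legacy) should be created; mutually exclusive with create_origin_access_control"` and `description = "Controls if a CloudFront origin access control (OAC, AWS's recommended successor to OAI) should be created; mutually exclusive with create_origin_access_identity"`. Since the OAI default stays `true`, existing callers keep the legacy path; a sentence noting that switching to OAC replaces the bucket-policy principal with the CloudFront service principal scoped by `AWS:SourceArn` would help operators plan the migration.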