diff --git a/packages/aws-cdk-lib/aws-cloudfront/lib/origin.ts b/packages/aws-cdk-lib/aws-cloudfront/lib/origin.ts
index 12b97e5274cbe..041f296d20fef 100644
--- a/packages/aws-cdk-lib/aws-cloudfront/lib/origin.ts
+++ b/packages/aws-cdk-lib/aws-cloudfront/lib/origin.ts
@@ -149,6 +149,7 @@ export abstract class OriginBase implements IOrigin {
 private readonly originShieldRegion?: string;
 private readonly originShieldEnabled: boolean;
 private readonly originId?: string;
+ private readonly originAccessControlId?: string;
 protected constructor(domainName: string, props: OriginProps = {}) {
 validateIntInRangeOrUndefined('connectionTimeout', 1, 10, props.connectionTimeout?.toSeconds());
@@ -163,6 +164,7 @@ export abstract class OriginBase implements IOrigin {
 this.originShieldRegion = props.originShieldRegion;
 this.originId = props.originId;
 this.originShieldEnabled = props.originShieldEnabled ?? true;
+ this.originAccessControlId = props.originAccessControlId;
 }
 /**
@@ -187,6 +189,7 @@ export abstract class OriginBase implements IOrigin {
 s3OriginConfig,
 customOriginConfig,
 originShield: this.renderOriginShield(this.originShieldEnabled, this.originShieldRegion),
+ originAccessControlId: this.originAccessControlId,
 },
 };
 }
diff --git a/packages/aws-cdk-lib/aws-cloudfront/test/distribution.test.ts b/packages/aws-cdk-lib/aws-cloudfront/test/distribution.test.ts
index a6dc892975c0d..ec8c36adf721b 100644
--- a/packages/aws-cdk-lib/aws-cloudfront/test/distribution.test.ts
+++ b/packages/aws-cdk-lib/aws-cloudfront/test/distribution.test.ts
@@ -1,4 +1,4 @@
-import { defaultOrigin, defaultOriginGroup } from './test-origin';
+import { defaultOrigin, defaultOriginGroup, defaultOriginWithOriginAccessControl } from './test-origin';
 import { Annotations, Match, Template } from '../../assertions';
 import * as acm from '../../aws-certificatemanager';
 import * as cloudwatch from '../../aws-cloudwatch';
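Review bot: In origin.ts the `@@ -187` hunk emits `originAccessControlId` on every origin regardless of what the subclass rendered, so an S3 origin that still sets an origin access identity in `s3OriginConfig` would carry both access mechanisms, and the `@@ -163` constructor hunk stores the new prop without any check of the kind applied to `connectionTimeout`. I would expect that combination to be rejected only at deploy time, so a synth-time guard before the return is worth adding, e.g. `if (this.originAccessControlId && s3OriginConfig?.originAccessIdentity) { throw new Error('originAccessControlId cannot be combined with an origin access identity'); }`. The prop's doc comment should also state that attaching the id does not by itself restrict the origin; the origin's resource policy still has to limit access to this distribution. The `OriginProps` declaration and the start of the enclosing method are outside the hunks shown, so confirm the prop is declared and documented there.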
@@ -1282,6 +1282,36 @@ test('with publish additional metrics', () => {
 });
 });
+test('with origin access control id', () => {
+ const origin = defaultOriginWithOriginAccessControl();
+ new Distribution(stack, 'MyDist', {
+ defaultBehavior: { origin },
+ publishAdditionalMetrics: true,
+ });
+
+ Template.fromStack(stack).hasResourceProperties('AWS::CloudFront::Distribution', {
+ DistributionConfig: {
+ DefaultCacheBehavior: {
+ CachePolicyId: '658327ea-f89d-4fab-a63d-7e88639e58f6',
+ Compress: true,
+ TargetOriginId: 'StackMyDistOrigin1D6D5E535',
+ ViewerProtocolPolicy: 'allow-all',
+ },
+ Enabled: true,
+ HttpVersion: 'http2',
+ IPV6Enabled: true,
+ Origins: [{
+ DomainName: 'www.example.com',
+ Id: 'StackMyDistOrigin1D6D5E535',
+ CustomOriginConfig: {
+ OriginProtocolPolicy: 'https-only',
+ },
+ OriginAccessControlId: 'test-origin-access-control-id',
+ }],
+ },
+ });
+});
+
 describe('Distribution metrics tests', () => {
 const additionalMetrics = [
 { name: 'OriginLatency', method: 'metricOriginLatency', statistic: 'Average', additionalMetricsRequired: true, errorMetricName: 'Origin latency' },
diff --git a/packages/aws-cdk-lib/aws-cloudfront/test/test-origin.ts b/packages/aws-cdk-lib/aws-cloudfront/test/test-origin.ts
index 8763187e09c9a..89136213a3928 100644
--- a/packages/aws-cdk-lib/aws-cloudfront/test/test-origin.ts
+++ b/packages/aws-cdk-lib/aws-cloudfront/test/test-origin.ts
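Review bot: The added test only proves the id is rendered when it is set; nothing asserts that `OriginAccessControlId` stays out of the template when the prop is omitted, which is the path every existing origin takes. A second expectation on a plain `defaultOrigin()` with `OriginAccessControlId: Match.absent()` inside the `Origins` entry would pin that, and `Match` is already imported in this file. `publishAdditionalMetrics: true` looks carried over from the preceding test and has no bearing on what is asserted, so it can be dropped. The expectation also pairs the id with `CustomOriginConfig`; if access control is only meant for particular origin types, add a comment saying the test origin is a stand-in.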
@@ -1,16 +1,31 @@
 import { Construct } from 'constructs';
-import { CfnDistribution, IOrigin, OriginBase, OriginBindConfig, OriginBindOptions, OriginProps, OriginProtocolPolicy } from '../lib';
+import {
+ CfnDistribution,
+ IOrigin,
+ OriginBase,
+ OriginBindConfig,
+ OriginBindOptions,
+ OriginProps,
+ OriginProtocolPolicy,
+} from '../lib';
 /** Used for testing common Origin functionality */
 export class TestOrigin extends OriginBase {
- constructor(domainName: string, props: OriginProps = {}) { super(domainName, props); }
- protected renderCustomOriginConfig(): CfnDistribution.CustomOriginConfigProperty | undefined {
+ constructor(domainName: string, props: OriginProps = {}) {
+ super(domainName, props);
+ }
+ protected renderCustomOriginConfig():
+ | CfnDistribution.CustomOriginConfigProperty
+ | undefined {
 return { originProtocolPolicy: OriginProtocolPolicy.HTTPS_ONLY };
 }
 }
 export class TestOriginGroup implements IOrigin {
- constructor(private readonly primaryDomainName: string, private readonly secondaryDomainName: string) { }
+ constructor(
+ private readonly primaryDomainName: string,
+ private readonly secondaryDomainName: string,
+ ) {}
 /* eslint-disable @cdklabs/no-core-construct */
 public bind(scope: Construct, options: OriginBindOptions): OriginBindConfig {
 const primaryOrigin = new TestOrigin(this.primaryDomainName);
@@ -35,3 +50,15 @@ export function defaultOrigin(domainName?: string, originId?: string): IOrigin {
 export function defaultOriginGroup(): IOrigin {
 return new TestOriginGroup('www.example.com', 'foo.example.com');
 }
+
+export function defaultOriginWithOriginAccessControl(
+ domainName?: string,
+ originId?: string,
+ originAccessControlId?: string,
+): IOrigin {
+ return new TestOrigin(domainName ?? 'www.example.com', {
+ originId,
+ originAccessControlId:
+ originAccessControlId ?? 'test-origin-access-control-id',
+ });
+}
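Review bot: `defaultOriginWithOriginAccessControl` in the `@@ -35` hunk has no doc comment and repeats the literal `'test-origin-access-control-id'` that distribution.test.ts asserts on, so the helper and the expectation can drift apart silently. Export the placeholder once, `export const TEST_ORIGIN_ACCESS_CONTROL_ID = 'test-origin-access-control-id';`, use it as the default here and in the assertion, and add `/** Returns a TestOrigin with an origin access control id set; the default id is a placeholder, not a real resource. */` above the function. The `@@ -1,16` hunk in this file is formatting only and would be easier to review as a separate commit.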