diff --git a/cloudfront.tf b/cloudfront.tf
index 63fc726..22eb685 100644
--- a/cloudfront.tf
+++ b/cloudfront.tf
@@ -25,7 +25,7 @@ module "cdn" {
     origin_access_control = {
       domain_name           = module.s3.s3_bucket_bucket_regional_domain_name
       origin_path           = ""
-      origin_access_control = "s3" # key in `origin_access_control`
+      origin_access_control = var.s3_origin_access_control_key # key in `origin_access_control`
       origin_shield = {
         enabled              = true
         origin_shield_region = data.aws_region.current.name
diff --git a/variables.tf b/variables.tf
index befd086..d3983b9 100644
--- a/variables.tf
+++ b/variables.tf
@@ -173,6 +173,12 @@ variable "origin_access_control" {
   }
 }
 
+variable "s3_origin_access_control_key" {
+  description = "Key in `origin_access_control` to use for S3 origin access control"
+  type        = string
+  default     = "s3"
+}
+
 variable "origin" {
   description = "One or more origins for this distribution (multiples allowed)."
   type        = any