--- title: CloudFront Origin Access Control description: Datadog, the leading service for cloud-scale monitoring. breadcrumbs: Docs > DDSQL Reference > Data Directory > CloudFront Origin Access Control --- # CloudFront Origin Access Control CloudFront Origin Access Control is an AWS feature that manages secure access between CloudFront distributions and their origins. It allows you to enforce that only CloudFront can access your origin, using signed requests with AWS Signature Version 4. This improves security by preventing direct access to the origin and provides more flexibility and control compared to legacy origin access identities. ``` aws.cloudfront_origin_access_control ``` ## Fields | Title | ID | Type | Data Type | Description | | ------------------------------------ | ---- | ---------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------- | | _key | core | string | | account_id | core | string | | cloudfront_origin_access_control_arn | core | string | | description | core | string | A description of the origin access control. | | id | core | string | The unique identifier of the origin access control. | | name | core | string | A unique name that identifies the origin access control. | | origin_access_control_origin_type | core | string | The type of origin that this origin access control is for. | | signing_behavior | core | string | A value that specifies which requests CloudFront signs (adds authentication information to). This field can have one of the following values: never – CloudFront doesn't sign any origin requests. always – CloudFront signs all origin requests, overwriting the Authorization header from the viewer request if necessary. no-override – If the viewer request doesn't contain the Authorization header, CloudFront signs the origin request. If the viewer request contains the Authorization header, CloudFront doesn't sign the origin request, but instead passes along the Authorization header that it received in the viewer request. | | signing_protocol | core | string | The signing protocol of the origin access control. The signing protocol determines how CloudFront signs (authenticates) requests. The only valid value is sigv4. | | tags | core | hstore_csv |