diff --git a/main.tf b/main.tf
index 35203474..4fc29027 100644
--- a/main.tf
+++ b/main.tf
@@ -9,7 +9,7 @@ locals {
 s3_access_logging_enabled = local.enabled && (var.s3_access_logging_enabled == null ? length(var.s3_access_log_bucket_name) > 0 : var.s3_access_logging_enabled)
 create_cf_log_bucket = local.cloudfront_access_logging_enabled && local.cloudfront_access_log_create_bucket
- create_cloudfront_origin_access_identity = local.enabled && length(compact([var.cloudfront_origin_access_identity_iam_arn])) == 0 # "" or null
+ create_cloudfront_origin_access_identity = local.enabled && var.create_cloudfront_origin_access_identity
 origin_id = module.this.id
 origin_path = coalesce(var.origin_path, "/")
diff --git a/variables.tf b/variables.tf
index 32003c71..cbf7efc1 100644
--- a/variables.tf
+++ b/variables.tf
@@ -492,13 +492,13 @@ variable "deployment_actions" {
 variable "cloudfront_origin_access_identity_iam_arn" {
 type = string
 default = ""
- description = "Existing cloudfront origin access identity iam arn that is supplied in the s3 bucket policy"
+ description = "Existing cloudfront origin access identity iam arn that is supplied in the s3 bucket policy. If you set this, you must also set `cloudfront_origin_access_identity_path` and disable `create_cloudfront_origin_access_identity`"
 }
 
 variable "cloudfront_origin_access_identity_path" {
 type = string
 default = ""
- description = "Existing cloudfront origin access identity path used in the cloudfront distribution's s3_origin_config content"
+ description = "Existing cloudfront origin access identity path used in the cloudfront distribution's s3_origin_config content. If you set this, you must also set `cloudfront_origin_access_identity_iam_arn` and disable `create_cloudfront_origin_access_identity`"
 }
 
 variable "custom_origin_headers" {
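Review bot: The rewritten `create_cloudfront_origin_access_identity` local drops the previous guard that suppressed OAI creation whenever `cloudfront_origin_access_identity_iam_arn` was supplied, and the new variable it reads defaults to `true` (see the last variables.tf hunk in this diff), so an existing caller that passes an ARN but never sets the new variable will now get a second, freshly created OAI alongside the one it supplied. Which of the two ends up in the bucket policy and in the distribution's `s3_origin_config` is decided outside this hunk, so the likely outcome is either a broken deployment or a bucket policy that grants read access to a principal the distribution does not use. Keeping the old check as an extra condition preserves the previous behavior while still letting callers opt out explicitly: `create_cloudfront_origin_access_identity = local.enabled && var.create_cloudfront_origin_access_identity && length(compact([var.cloudfront_origin_access_identity_iam_arn])) == 0`. The enclosing `locals` block starts and ends outside the hunk.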
@@ -662,3 +662,9 @@ variable "allow_ssl_requests_only" {
 default = true
 description = "Set to `true` to require requests to use Secure Socket Layer (HTTPS/SSL). This will explicitly deny access to HTTP requests"
 }
+
+variable "create_cloudfront_origin_access_identity" {
+ type = bool
+ default = true
+ description = "Set to `true` to create a CloudFront Origin Access Identity. You should disable this if you set `cloudfront_origin_access_identity_iam_arn` and `cloudfront_origin_access_identity_path`"
+}
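Review bot: The new variable's description says callers "should" disable it when supplying an existing OAI, while the updated descriptions of `cloudfront_origin_access_identity_iam_arn` and `cloudfront_origin_access_identity_path` earlier in this diff say they "must"; since nothing in the module enforces the pairing (a variable `validation` block cannot reference other variables in most Terraform releases, so the description is the only contract), the wording should be equally firm. Replace `You should disable this if you set` with `You must set this to false when you set` so the three descriptions agree, and consider adding a sentence stating that leaving it `true` together with an existing ARN results in two OAIs being referenced.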