
Commit a26f532

Adding guidance for Amazon CloudFront OAI
1 parent 20f7bd2 commit a26f532

1 file changed (+3 -2 lines changed)


resource_control_policies/README.md

Lines changed: 3 additions & 2 deletions
@@ -44,9 +44,10 @@ Example data access patterns:
4444
* *Elastic Load Balancing (ELB) access logging*. In some AWS Regions, [Classic Load Balancers](https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/enable-access-logs.html#attach-bucket-policy) and [Application Load Balancers](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/enable-access-logging.html#attach-bucket-policy) use AWS account credentials that belong to an AWS service to publish logs to your Amazon S3 buckets. The `aws:PrincipalAccount` condition key in the resource control policy should contain the ELB account ID if access logging is enabled.
4545
* *Amazon FinSpace data encryption*. To encrypt data at rest, [Amazon FinSpace](https://aws.amazon.com/finspace/) uses AWS account credentials that belong to the service to access your [AWS Key Management Service (AWS KMS)](https://aws.amazon.com/kms/) customer managed key. The `aws:PrincipalAccount` condition key in the resource control policy should contain the [FinSpace environment infrastructure account](https://docs.aws.amazon.com/finspace/latest/userguide/data-sharing-lake-formation.html). You can find the ID of the infrastructure account that's dedicated to your FinSpace environment on the environment page of the FinSpace console.
4646

47-
Note that the `aws:PrincipalOrgID` condition key is included in the request context only if the calling principal is a member of an organization. This is not the case with federated users; therefore, `sts:AssumeRoleWithSAML` and `sts:AssumeRoleWithWebIdentity` are not listed in the `Action` element of the policy statement `"Sid": "EnforceOrgIdentities"`. `sts:SetSourceIdentity` and `sts:TagSession` are also not included to prevent impact on `sts:AssumeRoleWithSAML` and `sts:AssumeRoleWithWebIdentity` that [set a source identity]( https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html#id_credentials_temp_control-access_monitor-setup) or [pass session tags]( https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_operations). We recommend using the `"Sid":"EnforceTrustedOIDCProviders"` and `"Sid":"EnforceTrustedOIDCTenants` statements to help prevent requests from untrusted OpenID Connect (OIDC) tenants. To help ensure that only your trusted identity providers can be used for SAML federation, limit your principals’ ability to make configuration changes to the IAM SAML identity providers (see`"Sid":"PreventIdPTrustModifications"` in the [restrict_idp_configurations_scp](../service_control_policies/service_specific_controls/restrict_idp_configurations_scp.json)).
47+
Additional considerations:
48+
* The `aws:PrincipalOrgID` condition key is included in the request context only if the calling principal is a member of an organization. This is not the case with federated users; therefore, `sts:AssumeRoleWithSAML` and `sts:AssumeRoleWithWebIdentity` are not listed in the `Action` element of the policy statement `"Sid": "EnforceOrgIdentities"`. `sts:SetSourceIdentity` and `sts:TagSession` are also not included to prevent impact on `sts:AssumeRoleWithSAML` and `sts:AssumeRoleWithWebIdentity` that [set a source identity]( https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html#id_credentials_temp_control-access_monitor-setup) or [pass session tags]( https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_operations). We recommend using the `"Sid":"EnforceTrustedOIDCProviders"` and `"Sid":"EnforceTrustedOIDCTenants` statements to help prevent requests from untrusted OpenID Connect (OIDC) tenants. To help ensure that only your trusted identity providers can be used for SAML federation, limit your principals’ ability to make configuration changes to the IAM SAML identity providers (see`"Sid":"PreventIdPTrustModifications"` in the [restrict_idp_configurations_scp](../service_control_policies/service_specific_controls/restrict_idp_configurations_scp.json)).<br /><br /> Another STS action, `sts:GetCallerIdentity`, is not included in this statement because [no permissions are required to perform this operation](https://docs.aws.amazon.com/STS/latest/APIReference/API_GetCallerIdentity.html).
4849

49-
Another STS action, `sts:GetCallerIdentity`, is not included in this statement because [no permissions are required to perform this operation](https://docs.aws.amazon.com/STS/latest/APIReference/API_GetCallerIdentity.html).
50+
* If you have [Amazon CloudFront](https://aws.amazon.com/cloudfront/) distributions configured to use origin access identity (OAI) to send requests to an Amazon S3 origin, this statement will prevent CloudFront from communicating with the origin. We recommend [migrating from origin access identity (OAI) to origin access control (OAC)](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html#migrate-from-oai-to-oac). If you need to maintain OAI support during the migration, you can implement an exception using the `aws:PrincipalArn` condition key, setting the unique OAI user ARNs from your distributions as the value (`arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity <my-origin-access-identity-ID>`).
5051

5152
### "Sid":"EnforceTrustedOIDCProviders"
5253
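Review bot: the new OAI bullet (new line 50) says "this statement will prevent CloudFront from communicating with the origin" without naming the statement; now that the text is a multi-bullet "Additional considerations" list, the reader has to infer from the preceding bullet that `"Sid": "EnforceOrgIdentities"` is meant. Name it explicitly and give the reason in the same sentence, which the hunk already supplies: the ARN quoted in the bullet (`arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity <my-origin-access-identity-ID>`) shows the OAI is an IAM user whose account field is `cloudfront`, not an account in your organization, so by the first bullet's own logic `aws:PrincipalOrgID` is absent from its requests and the statement denies them. Two smaller points on the same hunk: the `<br /><br />` used at new line 48 to glue the `sts:GetCallerIdentity` sentence onto the end of the first bullet is raw HTML inside a Markdown list; a separate (or nested) bullet renders the same without it and keeps each consideration as one item. And since the first bullet is being rewritten anyway, fix the two pre-existing typos it carries over: `"Sid":"EnforceTrustedOIDCTenants` is missing its closing double quote before the closing backtick, and "(see`"Sid":"PreventIdPTrustModifications"`" is missing the space between `see` and the backtick.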
