diff --git a/CLOUDFRONT.md b/CLOUDFRONT.md index a42a8d01..d09d58c6 100644 --- a/CLOUDFRONT.md +++ b/CLOUDFRONT.md 
@@ -1,3 +1,39 @@ +## Implementing CloudFront CDN in-front of ObjectFS S3 Bucket +The following steps outline how to create an S3 bucket for ObjectFS, configure moodle to use this, +and then how to implement the CloudFront CDN (Content Delivery Network) to securely sit infront of the +S3 Bucket, so that content delivery maybe off-loaded from the moodle servers to the CDN. This will +typically result in faster access for users to content due do caching by the CDN, and less load on the +moodle servers. + +The following steps implement the following high level objectives: +1. Grant the Cloudfront Distribution access to the S3 bucket for ObjectFS + + - existing steps in document are for "Legacy access identies" + Console text: "Use a CloudFront origin access identity (OAI) to access the S3 Bucket" + + - use "Origin access control settings (recommended)" + Console text: "Bucket can restrict acess to only CloudFront." + This configuration has been tested, and also works. This blog post outlines the advantages of the newer option: + https://aws.amazon.com/blogs/networking-and-content-delivery/amazon-cloudfront-introduces-origin-access-control-oac/ + + - Update S3 Bucket Policy (this step is required for either legacy OAI or Origin access control. + "Policy must allow access to CloudFront IAM service principle role". (policy auto generated) + + +2. Restrict viewer access (CloudFront Distribution) to signed requests (Trusted Key Groups) + + This is access control is independant of the access granted in step 1. The HTTP headers associated with this are + not required, and should not be forwarded from Cloudfront to S3. + + - [Generate key pair & configure Trusted Key Groups in Cloudfront using public key](#generate-cloudfront-keys) + - [Restrict view access in Cloudfront](#create-cloudfront-distribution) (step 8.) + - [Configure Moodle to generate signed URLs using private key)](#configure-cloudfront-signing-method-in-objectfs) + +3. 
Setup CORS security (response header policy) for the Cloudfront distribution + + +## Detailed Instructions + ### Create AWS bucket 1. Login to AWS console https://aws.amazon.com/console/ 2. Navigate to _Services -> S3_. @@ -119,7 +155,9 @@ cat public_key.pem 2. Click on _Create a CloudFront distribution_. 3. Choose your Amazon S3 bucket from _Origin domain_ dropdown menu. 4. _S3 bucket access_: Choose _Yes use OAI (bucket can restrict access to only CloudFront)_ and click _Create new OAI_. + Alternative: choose _Origin access control settings (recommended)_ 5. _S3 bucket access -> Bucket policy_: Choose _Yes, update the bucket policy_. + If _Origin access control_ was selected in step 4, you may need to manually add the supplied policy to the S3 Bucket. 6. _Viewer protocol policy_: Choose _Redirect HTTP to HTTPS_. 7. _Allowed HTTP methods_: Choose _GET, HEAD, OPTIONS_ and tick _OPTIONS_ under _Cache HTTP methods_. 8. _Restrict viewer access_: Choose _Yes -> Trusted key groups (recommended)_.
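Review bot: the new overview block in the first hunk (CLOUDFRONT.md lines 1-39) has several spelling and markup defects that will render wrongly: "in-front"/"infront", "maybe off-loaded", "due do caching", "identies", "acess", "independant", "This is access control is", "Setup CORS" (should be "Set up"), and "IAM service principle role" should read "service principal". Two brackets are also unbalanced: the third bullet under objective 1 opens "(this step is required for either legacy OAI or Origin access control." without closing the parenthesis, and the third link under objective 2 reads "[Configure Moodle to generate signed URLs using private key)](#configure-cloudfront-signing-method-in-objectfs)", where the ")" inside the link text breaks the markdown link. That same bullet says the bucket policy is "auto generated" while the second hunk's step 5 says it "may need to" be added manually for Origin access control; please reconcile the two so the reader knows whether a manual step is expected. Objective 3 ("Set up CORS security (response header policy)") is the only one without an anchor link to its detailed section; adding one would keep the three objectives consistent.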
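Review bot: in the second hunk (step 4 and step 5 of "Create CloudFront distribution"), the added line presents Origin access control as an "Alternative" while the new overview in the same file describes it as the recommended, tested option; either make OAC the primary instruction in step 4 with OAI as the legacy fallback, or drop "recommended" from the overview, so the two sections do not contradict each other. The added step 5 sentence "you may need to manually add the supplied policy to the S3 Bucket" would be more useful if it said where the supplied policy is shown and that it must be pasted into the bucket's permissions before the distribution can read objects; as written, a reader following the OAC path has no way to tell whether the policy was applied. Both added lines are also indented with a leading space inside a numbered list, which some renderers will treat as part of the previous item rather than a sub-note; consider a consistent sub-bullet style matching the rest of the list.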