diff --git a/examples/complete/custom-origins.tf b/examples/complete/custom-origins.tf
index 2a961dd5..f4bfe032 100644
--- a/examples/complete/custom-origins.tf
+++ b/examples/complete/custom-origins.tf
@@ -1,9 +1,11 @@
 locals {
   additional_custom_origins_enabled = local.enabled && var.additional_custom_origins_enabled
   default_custom_origin_configuration = {
-    domain_name              = null
-    origin_id                = null
-    origin_path              = null
+    domain_name = null
+    origin_id   = null
+    origin_path = null
+    # Example configuration with Origin Access Control for Lambda@Edge:
+    # origin_access_control_id = aws_cloudfront_origin_access_control.example.id
     origin_access_control_id = null
     custom_headers           = []
     custom_origin_config = {
diff --git a/variables.tf b/variables.tf
index 13a75770..f0380952 100644
--- a/variables.tf
+++ b/variables.tf
@@ -449,7 +449,7 @@ variable "custom_origins" {
     domain_name              = string
     origin_id                = string
     origin_path              = string
-    origin_access_control_id = string
+    origin_access_control_id = optional(string)
     custom_headers = list(object({
       name  = string
       value = string
@@ -466,6 +466,8 @@ variable "custom_origins" {
   default     = []
   description = <<-EOT
     A list of additional custom website [origins](https://www.terraform.io/docs/providers/aws/r/cloudfront_distribution.html#origin-arguments) for this distribution.
+    The `origin_access_control_id` field specifies the Origin Access Control configuration to use for this origin.
+    This is used to configure secure access between CloudFront and the origin.
     EOT
 }