diff --git a/builtin/providers/aws/cloudfront_distribution_configuration_structure.go b/builtin/providers/aws/cloudfront_distribution_configuration_structure.go
index dfd86e2118..45338e7f41 100644
--- a/builtin/providers/aws/cloudfront_distribution_configuration_structure.go
+++ b/builtin/providers/aws/cloudfront_distribution_configuration_structure.go
@@ -527,6 +527,15 @@ func expandOrigin(m map[string]interface{}) *cloudfront.Origin {
 			origin.S3OriginConfig = expandS3OriginConfig(s[0].(map[string]interface{}))
 		}
 	}
+
+	// if both custom and s3 origin are missing, add an empty s3 origin
+	// One or the other must be specified, but the S3 origin can be "empty"
+	if origin.S3OriginConfig == nil && origin.CustomOriginConfig == nil {
+		origin.S3OriginConfig = &cloudfront.S3OriginConfig{
+			OriginAccessIdentity: aws.String(""),
+		}
+	}
+
 	return origin
 }
 
@@ -544,7 +553,9 @@ func flattenOrigin(or *cloudfront.Origin) map[string]interface{} {
 		m["origin_path"] = *or.OriginPath
 	}
 	if or.S3OriginConfig != nil {
-		m["s3_origin_config"] = schema.NewSet(s3OriginConfigHash, []interface{}{flattenS3OriginConfig(or.S3OriginConfig)})
+		if or.S3OriginConfig.OriginAccessIdentity != nil && *or.S3OriginConfig.OriginAccessIdentity != "" {
+			m["s3_origin_config"] = schema.NewSet(s3OriginConfigHash, []interface{}{flattenS3OriginConfig(or.S3OriginConfig)})
+		}
 	}
 	return m
 }
diff --git a/builtin/providers/aws/resource_aws_cloudfront_distribution_test.go b/builtin/providers/aws/resource_aws_cloudfront_distribution_test.go
index 477a92115b..b60ebeb57d 100644
--- a/builtin/providers/aws/resource_aws_cloudfront_distribution_test.go
+++ b/builtin/providers/aws/resource_aws_cloudfront_distribution_test.go
@@ -195,7 +195,6 @@ resource "aws_cloudfront_distribution" "s3_distribution" {
 	origin {
 		domain_name = "${aws_s3_bucket.s3_bucket.id}"
 		origin_id = "myS3Origin"
-		s3_origin_config {}
 	}
 	enabled = true
 	default_root_object = "index.html"
@@ -303,7 +302,6 @@ resource "aws_cloudfront_distribution" "multi_origin_distribution" {
 	origin {
 		domain_name = "${aws_s3_bucket.s3_bucket.id}"
 		origin_id = "myS3Origin"
-		s3_origin_config {}
 	}
 	origin {
 		domain_name = "www.example.com"