diff --git a/docs/storage-drivers/s3.md b/docs/storage-drivers/s3.md
index 16b5279f0..b6ace9cda 100644
--- a/docs/storage-drivers/s3.md
+++ b/docs/storage-drivers/s3.md
@@ -238,9 +238,13 @@ Defaults can be kept in most areas except:
 
 ### Origin:
 
-The CloudFront distribution must be created such that the `Origin Path` is set
-to the directory level of the root "docker" key in S3. If your registry exists
-on the root of the bucket, this path should be left blank.
+  - The CloudFront distribution must be created such that the `Origin Path` is set
+    to the directory level of the root "docker" key in S3. If your registry exists
+    on the root of the bucket, this path should be left blank.
+
+  - For private S3 buckets, you must set `Restrict Bucket Access` to `Yes`. See
+    the [CloudFront documentation](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/PrivateContent.html).
+
 
 ### Behaviors:
 
@@ -277,5 +281,5 @@ middleware:
 ## CloudFront Key-Pair
 
 A CloudFront key-pair is required for all AWS accounts needing access to your
-CloudFront distribution. For information, please see [Creating CloudFront Key
+CloudFront distribution. You must have access to your AWS account's root credentials to create the required Cloudfront keypair. For information, please see [Creating CloudFront Key
 Pairs](http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-trusted-signers.html#private-content-creating-cloudfront-key-pairs).