diff --git a/README.txt b/README.txt
index 60ec84a..39714c9 100644
--- a/README.txt
+++ b/README.txt
@@ -218,6 +218,7 @@ $conf['s3fs_bucket'] = 'YOUR BUCKET NAME';
 $conf['s3fs_region'] = 'YOUR REGION'';
 $conf['s3fs_use_cname'] = TRUE or FALSE;
 $conf['s3fs_domain'] = 'cdn.example.com';
+$conf['s3fs_domain_s3_private'] = TRUE or FALSE;
 $conf['s3fs_use_customhost'] = TRUE or FALSE;
 $conf['s3fs_hostname'] = 'host.example.com';
 $conf['s3fs_cache_control_header'] = 'public, max-age=300';
diff --git a/S3fsStreamWrapper.inc b/S3fsStreamWrapper.inc
index ce29a1d..728ea03 100644
--- a/S3fsStreamWrapper.inc
+++ b/S3fsStreamWrapper.inc
@@ -532,7 +532,14 @@ class S3fsStreamWrapper extends StreamWrapper implements DrupalStreamWrapperInte
 
     $options[$this->protocol]['ContentType'] = $this->getMimeType($this->uri);
 
-    if (file_uri_scheme($this->uri) != 'private') {
+    // All non-private files uploaded to S3 must be set to public-read, or
+    // users' browsers will get PermissionDenied errors, and torrent URLs won't
+    // work. The one exception to this is when all content is being routed
+    // through an edge service and access via S3 should be blocked.
+    if (!empty($this->config['use_cname']) && !empty($this->config['domain']) && !empty($this->config['domain_s3_private'])) {
+      $options[$this->protocol]['ALC'] = 'private';
+    }
+    elseif (file_uri_scheme($this->uri) != 'private') {
       // All non-private files uploaded to S3 must be set to public-read, or users' browsers
       // will get PermissionDenied errors, and torrent URLs won't work.
       $options[$this->protocol]['ACL'] = 'public-read';
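Review bot: The new branch writes the key `'ALC'` rather than `'ACL'`, so the `private` value is never passed as the object ACL and the upload falls back on whatever default applies; the line should read `$options[$this->protocol]['ACL'] = 'private';`. The comment added above the `if` now duplicates the one kept inside the `elseif`, so one of the two can be dropped. Because this setting exists to block direct S3 access, a test that asserts the ACL option on an upload with `domain_s3_private` enabled would catch this kind of slip. The enclosing method starts and ends outside this hunk.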
diff --git a/s3fs.admin.inc b/s3fs.admin.inc
index 46d98ce..a8f8147 100644
--- a/s3fs.admin.inc
+++ b/s3fs.admin.inc
@@ -143,6 +143,17 @@ function s3fs_settings() {
         "You will need to configure a DNS CNAME that maps from this domain to your bucket's URL."
       ),
     ),
+    's3fs_domain_s3_private' => array(
+      '#type'          => 'checkbox',
+      '#title'         => t('Remove access to files via S3 URL'),
+      '#default_value' => _s3fs_get_setting('domain_s3_private'),
+      '#description'   => t("If using a domain name to serve files, there is usually no need to provide " .
+        "access to the URLs shown on S3 objects. This can also be a cost concern, since accessing files from S3 " .
+        "is more expensive than edge services such as Cloudfront. Select this checkbox to remove access to files " .
+        "using the S3 URL. Users attempting to reach the S3 URL will receive an \"Access Denied\" message. Note: " .
+        "This option has no impact on previously uploaded files."
+      ),
+    ),
   );
 
   $form['advanced']['s3fs_use_customhost'] = array(
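Review bot: The description does not say that this checkbox only takes effect when the CNAME option is enabled and a domain is set, although the stream wrapper checks `use_cname` and `domain` before applying it. Consider adding a sentence such as `This setting is ignored unless a CNAME domain is enabled above.`, or hiding the element with `#states` tied to the CNAME checkbox. The wording "remove access" is also stronger than what the code does: only the ACL of newly uploaded objects changes, and a bucket policy that grants public read would presumably still apply. s3fs_settings() begins and ends outside this hunk.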
