Correct process for configuring S3 bucket so ONLY Cloudfront can access?

0

Hi...

I've recently received a standard email security warning "We’re writing to notify you that your AWS account .... has one or more S3 buckets that allow read or write access from any user on the Internet. By default, S3 buckets allow only the account owner to access the contents of a bucket; however, customers can configure S3 buckets to permit public access".

I have only one S3 bucket and it's used only as the origin for Cloudfront. It does not need to permit direct access for anyone, even me. Currently, the items in the bucket permit public read access to anyone, including Cloudfront, so that Cloudfront can access them. Is that correct, or is it not? This must be a fairly standard configuration but I can't find it documented anywhere. If it's not correct to give Public access in this case, what is the recommended way to secure access to an S3 bucket so that only Cloudfront and no-one else can access it, please?

There is no easy and obvious way of doing this in S3 --> Buckets --> Permissions --> Access Control Lists unless it is possible to specify Cloudfront under "Access for other AWS accounts"?

Thanks for any help.

Chris J
Asked 5 years ago, 519 views
2 answers
0

This should help:
To allow access to your Amazon S3 bucket only from a CloudFront distribution, first add an origin access identity (OAI)[1] to your distribution. Then, review your bucket policy and Amazon S3 access control list (ACL)[2] to be sure that:
• Only the OAI can access your bucket.
• CloudFront can access the bucket on behalf of requesters.
• Users can't access the objects in other ways, such as by using Amazon S3 URLs.
Note: After you restrict access to your bucket using CloudFront, you can optionally add another layer of security by integrating AWS WAF[3].

[1] https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html#private-content-creating-oai
[2] https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html#private-content-granting-permissions-to-oai
[3] https://docs.aws.amazon.com/waf/latest/developerguide/getting-started.html

AWS
awsrwx
Answered 5 years ago
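The answer above describes the target state (only the OAI may read the bucket, nothing is reachable via plain S3 URLs) but does not show the bucket policy that produces it. The following is an added example, not code from the re:Post answer or from AWS. It builds the OAI-only bucket policy in the form AWS documents for origin access identities, places it beside the public-read policy the question describes, and runs a small checker over both so you can see which one would trigger the "allows read or write access from any user on the Internet" notification. The bucket name and OAI id are constructed placeholders; the `public_statements` and `only_oai_can_read` helpers are this example's own.

```python
"""OAI-only S3 bucket policy next to a public-read one, with a public-access check.

Added example (not from the re:Post answer or AWS). The bucket name and OAI id
below are constructed placeholders; the principal ARN format is the one AWS
documents for CloudFront origin access identities.
"""
import json

BUCKET = "example-cloudfront-origin"   # constructed placeholder bucket name
OAI_ID = "EXAMPLEOAIID123"             # constructed placeholder OAI id


def oai_principal(oai_id: str) -> str:
    """ARN that identifies a CloudFront OAI as an IAM principal."""
    return f"arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity {oai_id}"


def oai_only_policy(bucket: str, oai_id: str) -> dict:
    """Bucket policy that lets only the OAI read objects; no other principal is granted anything."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowCloudFrontOAIReadOnly",
            "Effect": "Allow",
            "Principal": {"AWS": oai_principal(oai_id)},
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
        }],
    }


# The configuration the question describes: objects readable by anyone (constructed).
PUBLIC_READ_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicReadGetObject",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": f"arn:aws:s3:::{BUCKET}/*",
    }],
}


def _statements(policy: dict) -> list:
    """Normalise 'Statement', which may be a single object or a list."""
    stmts = policy.get("Statement", [])
    return [stmts] if isinstance(stmts, dict) else list(stmts)


def _principals(stmt: dict) -> list:
    """Flatten the Principal element into a list of principal strings."""
    p = stmt.get("Principal")
    if p == "*":
        return ["*"]
    if isinstance(p, dict):
        out = []
        for value in p.values():
            out.extend(value if isinstance(value, list) else [value])
        return out
    return []


def public_statements(policy: dict) -> list:
    """Sids of Allow statements open to any principal with no Condition narrowing them.

    Simplification: a statement with Principal "*" that carries a Condition is
    treated as not public here; a real review must read that Condition.
    """
    return [
        s.get("Sid", "<no Sid>")
        for s in _statements(policy)
        if s.get("Effect") == "Allow" and "*" in _principals(s) and "Condition" not in s
    ]


def only_oai_can_read(policy: dict, oai_id: str) -> bool:
    """True when every Allow statement names the OAI and nothing else."""
    allows = [s for s in _statements(policy) if s.get("Effect") == "Allow"]
    return bool(allows) and all(_principals(s) == [oai_principal(oai_id)] for s in allows)


if __name__ == "__main__":
    for name, policy in (("public-read", PUBLIC_READ_POLICY),
                         ("oai-only", oai_only_policy(BUCKET, OAI_ID))):
        print(f"{name}: public statements = {public_statements(policy)}, "
              f"OAI-only = {only_oai_can_read(policy, OAI_ID)}")
    print(json.dumps(oai_only_policy(BUCKET, OAI_ID), indent=2))
```

Applying the OAI-only policy is only one of the three checks in the answer: the per-object ACLs that currently grant public read must also be removed, otherwise the "Users can't access the objects in other ways" condition still fails, since an object ACL grants access independently of the bucket policy. Keeping S3 Block Public Access on for the bucket prevents that ACL path from being reopened later.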
0

Thanks!

Chris J
Answered 5 years ago
