Serve static content from S3 with CloudFront and Origin Access Identity

How to restrict access to an S3 bucket so that your html, css, and images, are only accessible through CloudFront.