How can I access S3 via cloudfront when public access is set false?

Question

I have S3 and cluodfront

It makes one bucket and one cloudfront

Then I can access to the file in S3 via cloudfront domain.

However I set publicReadAccess: false, access is impossible.

In my understanding via cloud front I can still access from cloudfront.

I want to access the file in S3 with public access = false

Am I wrong? or somewhere else setting is wrong?

const up_bk = new s3.Bucket(this, 'up-bk', { 
  bucketName: s3_up_name,
  removalPolicy: RemovalPolicy.DESTROY,
  autoDeleteObjects: true,
  publicReadAccess: true, // if I changed here it can not be accessed.
  encryption: s3.BucketEncryption.S3_MANAGED,
  versioned:true,
  cors: [{
      allowedMethods: [
        s3.HttpMethods.GET,
        s3.HttpMethods.POST,
        s3.HttpMethods.PUT,
      ],
      allowedHeaders: ["*"],
      allowedOrigins: ["*"],
      exposedHeaders: ["ETag"],
      maxAge: 3000
    }]
});


const oai = new cloudfront.OriginAccessIdentity(this, "my-oai",{
  comment:"access cluod front"
});

const cf = new cloudfront.CloudFrontWebDistribution(this, "WebsiteDistribution", {
  comment:"CF for resource S3",
  viewerCertificate: {
    aliases: [],
    props: {
      cloudFrontDefaultCertificate: true,
    },
  },
  priceClass: cloudfront.PriceClass.PRICE_CLASS_ALL,
  originConfigs: [
    {
      s3OriginSource: {
        s3BucketSource: up_bk,
        originAccessIdentity: oai,
      },
      behaviors: [
        {
          isDefaultBehavior: true,
          minTtl: Duration.seconds(0),
          maxTtl: Duration.days(365),
          defaultTtl: Duration.days(1),
          pathPattern: "*",
        },
      ],
    },
  ],
  errorConfigurations: [
    {
      errorCode: 403,
      responsePagePath: "/index.html",
      responseCode: 200,
      errorCachingMinTtl: 0,
    },
    {
      errorCode: 404,
      responsePagePath: "/index.html",
      responseCode: 200,
      errorCachingMinTtl: 0,
    },
  ],
});