diff --git a/packages/@aws-cdk/aws-s3-deployment/lib/bucket-deployment.ts b/packages/@aws-cdk/aws-s3-deployment/lib/bucket-deployment.ts
index 3a73b950792bf..990a1ec359d0b 100644
--- a/packages/@aws-cdk/aws-s3-deployment/lib/bucket-deployment.ts
+++ b/packages/@aws-cdk/aws-s3-deployment/lib/bucket-deployment.ts
@@ -196,8 +196,15 @@ export class BucketDeployment extends CoreConstruct {
   constructor(scope: Construct, id: string, props: BucketDeploymentProps) {
     super(scope, id);
 
-    if (props.distributionPaths && !props.distribution) {
-      throw new Error('Distribution must be specified if distribution paths are specified');
+    if (props.distributionPaths) {
+      if (!props.distribution) {
+        throw new Error('Distribution must be specified if distribution paths are specified');
+      }
+      if (!cdk.Token.isUnresolved(props.distributionPaths)) {
+        if (!props.distributionPaths.every(distributionPath => cdk.Token.isUnresolved(distributionPath) || distributionPath.startsWith('/'))) {
+          throw new Error('Distribution paths must start with "/"');
+        }
+      }
     }
 
     const handler = new lambda.SingletonFunction(this, 'CustomResourceHandler', {
diff --git a/packages/@aws-cdk/aws-s3-deployment/test/bucket-deployment.test.ts b/packages/@aws-cdk/aws-s3-deployment/test/bucket-deployment.test.ts
index 2bbe5e34a41a6..893c5ae03b35f 100644
--- a/packages/@aws-cdk/aws-s3-deployment/test/bucket-deployment.test.ts
+++ b/packages/@aws-cdk/aws-s3-deployment/test/bucket-deployment.test.ts
@@ -491,6 +491,30 @@ test('fails if distribution paths provided but not distribution ID', () => {
 
 });
 
+test('fails if distribution paths don\'t start with "/"', () => {
+  // GIVEN
+  const stack = new cdk.Stack();
+  const bucket = new s3.Bucket(stack, 'Dest');
+  const distribution = new cloudfront.CloudFrontWebDistribution(stack, 'Distribution', {
+    originConfigs: [
+      {
+        s3OriginSource: {
+          s3BucketSource: bucket,
+        },
+        behaviors: [{ isDefaultBehavior: true }],
+      },
+    ],
+  });
+
+  // THEN
+  expect(() => new s3deploy.BucketDeployment(stack, 'Deploy', {
+    sources: [s3deploy.Source.asset(path.join(__dirname, 'my-website.zip'))],
+    destinationBucket: bucket,
+    distribution,
+    distributionPaths: ['images/*'],
+  })).toThrow(/Distribution paths must start with "\/"/);
+});
+
 testFutureBehavior('lambda execution role gets permissions to read from the source bucket and read/write in destination', s3GrantWriteCtx, cdk.App, (app) => {
   // GIVEN
   const stack = new cdk.Stack(app);