AWS Security ChangesHomeSearch

AWS AWSCloudFormation medium security documentation change

Service: AWSCloudFormation · 2025-07-19 · Security-related medium

File: AWSCloudFormation/latest/TemplateReference/aws-properties-cloudfront-cachepolicy-cachepolicyconfig.md

Summary

Added important note about CloudFront caching behavior when minimum TTL > 0 overriding Cache-Control: no-cache/no-store/private headers

Security assessment

The change documents that CloudFront will override security-related Cache-Control directives when minimum TTL is set, which could lead to unintended caching of sensitive content if misconfigured. This directly relates to security headers and cache control implications.

Diff

diff --git a/AWSCloudFormation/latest/TemplateReference/aws-properties-cloudfront-cachepolicy-cachepolicyconfig.md b/AWSCloudFormation/latest/TemplateReference/aws-properties-cloudfront-cachepolicy-cachepolicyconfig.md
index b6547739b..dbcf4cfbf 100644
--- a//AWSCloudFormation/latest/TemplateReference/aws-properties-cloudfront-cachepolicy-cachepolicyconfig.md
+++ b//AWSCloudFormation/latest/TemplateReference/aws-properties-cloudfront-cachepolicy-cachepolicyconfig.md
@@ -16,0 +17,4 @@ This configuration determines the following:
+###### Important
+
+If your minimum TTL is greater than 0, CloudFront will cache content for at least the duration specified in the cache policy's minimum TTL, even if the `Cache-Control: no-cache`, `no-store`, or `private` directives are present in the origin headers.
+