AWS Security ChangesHomeSearch

AWS AWSCloudFormation medium security documentation change

Service: AWSCloudFormation · 2025-07-19 · Security-related medium

File: AWSCloudFormation/latest/TemplateReference/aws-properties-cloudfront-distribution-defaultcachebehavior.md

Summary

Added important note about CloudFront caching behavior when minimum TTL > 0 overriding Cache-Control: no-cache/no-store/private headers

Security assessment

Documents security-relevant behavior where default cache settings could bypass origin security headers, crucial for preventing accidental exposure of private content through caching.

Diff

diff --git a/AWSCloudFormation/latest/TemplateReference/aws-properties-cloudfront-distribution-defaultcachebehavior.md b/AWSCloudFormation/latest/TemplateReference/aws-properties-cloudfront-distribution-defaultcachebehavior.md
index 9ead016a1..411a19143 100644
--- a//AWSCloudFormation/latest/TemplateReference/aws-properties-cloudfront-distribution-defaultcachebehavior.md
+++ b//AWSCloudFormation/latest/TemplateReference/aws-properties-cloudfront-distribution-defaultcachebehavior.md
@@ -10,0 +11,4 @@ A complex type that describes the default cache behavior if you don't specify a
+###### Important
+
+If your minimum TTL is greater than 0, CloudFront will cache content for at least the duration specified in the cache policy's minimum TTL, even if the `Cache-Control: no-cache`, `no-store`, or `private` directives are present in the origin headers.
+