AWS Security ChangesHomeSearch

AWS AmazonCloudFront medium security documentation change

Service: AmazonCloudFront · 2025-07-19 · Security-related medium

File: AmazonCloudFront/latest/DeveloperGuide/using-managed-cache-policies.md

Summary

Added warnings about cache policies with minimum TTL >0 overriding origin Cache-Control directives

Security assessment

The warnings highlight that CloudFront may cache sensitive content despite 'no-cache'/'no-store' headers, which could lead to unintended data exposure. This addresses a potential misconfiguration risk.

Diff

diff --git a/AmazonCloudFront/latest/DeveloperGuide/using-managed-cache-policies.md b/AmazonCloudFront/latest/DeveloperGuide/using-managed-cache-policies.md
index 87c3fe5d2..549166f76 100644
--- a//AmazonCloudFront/latest/DeveloperGuide/using-managed-cache-policies.md
+++ b//AmazonCloudFront/latest/DeveloperGuide/using-managed-cache-policies.md
@@ -72,0 +73,4 @@ The normalized `Accept-Encoding` header is also included because the cache compr
+###### Warning
+
+Because this policy has a minimum TTL greater than 0, CloudFront will cache content for at least the duration specified in the cache policy's minimum TTL, even if the `Cache-Control: no-cache`, `no-store`, or `private` directives are present in the origin headers.
+
@@ -151,0 +156,4 @@ This policy has the following settings:
+###### Warning
+
+Because this policy has a minimum TTL greater than 0, CloudFront will cache content for at least the duration specified in the cache policy's minimum TTL, even if the `Cache-Control: no-cache`, `no-store`, or `private` directives are present in the origin headers.
+
@@ -180,0 +189,4 @@ This policy has the following settings:
+###### Warning
+
+Because this policy has a minimum TTL greater than 0, CloudFront will cache content for at least the duration specified in the cache policy's minimum TTL, even if the `Cache-Control: no-cache`, `no-store`, or `private` directives are present in the origin headers.
+