AWS Security ChangesHomeSearch

AWS AmazonCloudFront documentation change

Service: AmazonCloudFront · 2025-08-22 · Documentation low

File: AmazonCloudFront/latest/DeveloperGuide/Expiration.md

Summary

Clarified caching behavior and added note about HTTP 501 responses from S3 origins

Security assessment

Changes improve documentation about cache TTL behavior but don't address security issues. Added note about HTTP 501 handling is operational guidance, not security-related.

Diff

diff --git a/AmazonCloudFront/latest/DeveloperGuide/Expiration.md b/AmazonCloudFront/latest/DeveloperGuide/Expiration.md
index 0a447f108..59c3d69fc 100644
--- a//AmazonCloudFront/latest/DeveloperGuide/Expiration.md
+++ b//AmazonCloudFront/latest/DeveloperGuide/Expiration.md
@@ -215 +215 @@ Origin headers | Minimum TTL = 0 | Minimum TTL > 0
-If your minimum TTL is greater than 0, CloudFront uses the cache policy’s minimum TTL, even if the `Cache-Control: no-cache`, `no-store`, and/or `private` directives are present in the origin headers.
+  * If your minimum TTL is greater than 0, CloudFront uses the cache policy’s minimum TTL, even if the `Cache-Control: no-cache`, `no-store`, and/or `private` directives are present in the origin headers.
@@ -217 +217 @@ If your minimum TTL is greater than 0, CloudFront uses the cache policy’s mini
-If the origin is reachable, CloudFront gets the object from the origin and returns it to the viewer.
+    * If the origin is reachable, CloudFront gets the object from the origin and returns it to the viewer.
@@ -219 +219 @@ If the origin is reachable, CloudFront gets the object from the origin and retur
-If the origin is unreachable and the minimum _or_ maximum TTL value is greater than 0, CloudFront will serve the object that it got from the origin previously.
+    * If the origin is unreachable and the minimum _or_ maximum TTL value is greater than 0, CloudFront will serve the object that it got from the origin previously.
@@ -222,0 +223,5 @@ To avoid this behavior, include the `Cache-Control: stale-if-error=0` directive
+  * CloudFront doesn't cache the HTTP 501 status code (Not Implemented) from an S3 origin when the origin headers include the `Cache-Control: no-cache`, `no-store`, and/or `private` directives. This is the default behavior for an S3 origin, even if your [minimum TTL](./DownloadDistValuesCacheBehavior.html#DownloadDistValuesMinTTL) setting is greater than 0.
+
+
+
+