Cache Behavior and Restrictions with CloudFront

Learn about cache behavior and restrictions with CloudFront.

We'll cover the following

Cache behavior

Cache behavior allows you to configure a variety of CloudFront functionality for a given URL path pattern.

For each cache behavior, you can configure the following functionality:

  • The path pattern (e.g. /images/.jpg, /images.php)
  • The origin to forward requests to (if there are multiple origins)
  • Whether to forward query strings
  • Whether to require signed URLs
  • Allowed HTTP methods
  • Minimum amount of time to retain the files in the CloudFront cache (regardless of the values of any cache-control headers)

The default cache behavior only allows a path pattern of /*. Additional cache behaviors need to be defined to change the path pattern following the creation of the distribution.

You can restrict access to content using the following methods:

  • Restrict access to content by using signed cookies or signed URLs.
  • Restrict access to objects in your S3 bucket.

A special type of user called an Origin Access Identity (OAI) can be used to restrict access to content in an Amazon S3 bucket. By using an OAI, you can restrict users so they are unable to access the content directly using the S3 URL; they must instead connect via CloudFront.

You can define the viewer protocol policy.

  • HTTP and HTTPS
  • Redirect HTTP to HTTPS
  • HTTPS only

You can define the following allowed HTTP Methods:


For web distributions, you can configure CloudFront to require that viewers use HTTPS.

Level up your interview prep. Join Educative to access 80+ hands-on prep courses.