Build CloudFront cache behavior configurations with path patterns, cache policies, and function associations in CloudFormation and Terraform.
Last verified: May 2026
Path: /static/* | Origin: S3-static-assets | Protocol: redirect-to-https | Methods: GET, HEAD | Cache Policy: CachingOptimized (Recommended) | Compress: Yes
# CloudFront Cache Behavior Configuration
# Add this under Distribution > DistributionConfig > CacheBehaviors
- PathPattern: "/static/*"
  TargetOriginId: "S3-static-assets"
  ViewerProtocolPolicy: redirect-to-https
  AllowedMethods:
    - GET
    - HEAD
  CachedMethods:
    - GET
    - HEAD
  Compress: true
  # Managed CachingOptimized cache policy
  CachePolicyId: 658327ea-f89d-4fab-a63d-7e88639e58f6

AWS recommends using managed cache policies (like CachingOptimized) instead of legacy forwarded values. Cache policies are reusable, easier to manage, and support newer features. Use custom TTLs only when you need fine-grained control over caching duration that managed policies do not provide.
Custom TTL settings are useful when your origin does not send Cache-Control headers, or when you need to override origin headers. MinTTL sets the floor, DefaultTTL applies when the origin has no cache headers, and MaxTTL caps how long objects stay cached regardless of origin headers.
CloudFront Functions run at 225+ edge locations, are limited to viewer events, and are ideal for lightweight transformations (URL rewrites, header manipulation). Lambda@Edge runs at regional edge caches, supports all four event types, and handles heavier processing (authentication, origin selection, image transformation).
The CloudFront Cache Behavior Builder helps you configure path-based caching rules for Amazon CloudFront distributions. Cache behaviors control how CloudFront handles requests matching specific URL path patterns, including which origin to forward to, cache key composition, TTL settings, viewer protocol policies, and Lambda@Edge or CloudFront Functions associations. This tool generates valid CloudFormation and Terraform configuration blocks.
Your single-page app serves static assets from /assets/* and uses /api/* for backend calls. Both currently route through CloudFront with the default behavior (no caching, all headers forwarded), so your cache hit ratio is 0% and your S3 origin is melting under load. You use the builder to create two new behaviors: '/assets/*' with CachingOptimized policy (1-day TTL, no headers) and '/api/*' with CachingDisabled (no caching, AllViewer headers). After deploy, your asset hit ratio jumps to 95% and S3 request volume drops 20x. Origin is happy, users see faster page loads.
Cache behavior order is everything. CloudFront evaluates path patterns in the order you list them and applies the first behavior whose pattern matches; it does not pick the longest match. That means '/api/public/*' must come BEFORE '/api/*' if you want the more specific behavior to win, otherwise '/api/*' matches first and the specific behavior is never used. Always test with realistic URLs before deploying, because the matching rules surprise even experienced engineers.
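The following added example (not part of the builder or its output) simulates first-match evaluation of cache behaviors in their listed order, with '*' matching zero or more characters and '?' exactly one, so a proposed order can be tested against realistic URLs. The function names and the sample request paths are constructed for illustration.

```python
import re

DEFAULT = "Default (*)"  # the distribution's default behavior, always evaluated last

def to_regex(pattern):
    """CloudFront path pattern -> regex: '*' is 0+ chars, '?' is exactly 1 char."""
    parts = (".*" if c == "*" else "." if c == "?" else re.escape(c)
             for c in pattern.lstrip("/"))  # a leading '/' is optional in patterns
    return re.compile("".join(parts), re.DOTALL)

def winner(ordered_patterns, path):
    """Return the first listed pattern that matches the request path."""
    path = path.lstrip("/")
    for pattern in ordered_patterns:
        if to_regex(pattern).fullmatch(path):  # case-sensitive, whole path
            return pattern
    return DEFAULT

def shadowed(ordered_patterns, sample_paths):
    """Patterns that match some sample path but never win one (dead for these samples)."""
    dead = []
    for pattern in ordered_patterns:
        hits = [p for p in sample_paths if to_regex(pattern).fullmatch(p.lstrip("/"))]
        if hits and not any(winner(ordered_patterns, p) == pattern for p in hits):
            dead.append(pattern)
    return dead

# Constructed sample request paths for the behaviors discussed on this page.
SAMPLES = ["/assets/app.js", "/api/orders/42", "/api/public/status", "/index.html"]

BROAD_FIRST = ["/assets/*", "/api/*", "/api/public/*"]     # specific rule listed last
SPECIFIC_FIRST = ["/assets/*", "/api/public/*", "/api/*"]  # specific rule listed first

if __name__ == "__main__":
    for name, order in (("broad first", BROAD_FIRST), ("specific first", SPECIFIC_FIRST)):
        print(name)
        for p in SAMPLES:
            print(f"  {p:22} -> {winner(order, p)}")
        print("  shadowed:", shadowed(order, SAMPLES))
```

With the broad pattern listed first, '/api/public/status' is served by the '/api/*' behavior and '/api/public/*' is reported as shadowed; the check is only as complete as the sample paths you give it.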
Use managed cache policies (CachingOptimized, CachingDisabled, CachingOptimizedForUncompressedObjects) rather than custom policies whenever possible. Custom cache policies are easy to misconfigure in ways that destroy your cache hit ratio — the most common mistake is forwarding all headers, which makes every request unique.
For dynamic content (/api/*) you usually want the CachingDisabled cache policy and AllViewer origin request policy. This forwards everything to the origin without caching, but still gives you CloudFront's edge TLS termination, bot detection, and DDoS protection — not just for static assets.
The builder generates AWS::CloudFront::Distribution.CacheBehavior blocks for CloudFormation and aws_cloudfront_distribution.ordered_cache_behavior blocks for Terraform. It validates path pattern syntax, ensures TargetOriginId references exist, and applies AWS-recommended defaults for managed policies vs custom configurations. Each generated behavior includes the CachePolicyId, OriginRequestPolicyId, and ResponseHeadersPolicyId that match your settings.