
Changed caching#498

Open
dylanratcliffe wants to merge 1 commit into main from loom

Conversation

@dylanratcliffe
Member

No description provided.

@github-actions

github-actions bot commented Feb 27, 2026

Open in Overmind ↗


model|risks_v6
✨Encryption Key State Risk ✨KMS Key Creation

🔴 Change Signals

Policies 🔴 ▃▂▁ Multiple policy violations detected, including S3 bucket 'aws_s3_bucket.terraform-example-state-bucket' lacking server-side encryption and required tags, and security group allowing SSH access from anywhere, which is unusual compared to typical patterns.
Routine Building baseline for default_cache_behavior (first observation)

View signals ↗


🔥 Risks

Tip

✔ All risks disproven

We investigated 1 potential risk across 13 resources and verified each was safe. See the investigation details below.


🧠 Reasoning · ✖ 1 · ✔ 0

CloudFront cache and origin request policy changes affecting request forwarding and caching behaviour

Observations 2

Hypothesis

CloudFront distribution caching and origin request behaviour has been modified by switching to explicit cache_policy_id and origin_request_policy_id, setting min_ttl from 1 to 0, and removing forwarded_values for cookies and query_string. For distribution E2K9BRXH072ZBK, these changes alter which headers, cookies, and query parameters are forwarded to the origin and how responses are cached at the edge. This can change responses served via the distribution’s DNS/IPs, impact cache hit rates, and cause functional regressions or break Lambda@Edge/origin integrations that rely on previous forwarding or TTL behaviour. Risk severity: Medium (network/edge configuration and reliability – SEC05-BP03, REL02-BP01).

Investigation

I loaded our AWS network/edge best-practice guidance and then verified the exact diffs and live state. The distribution E2K9BRXH072ZBK currently uses legacy ForwardedValues with cookies:none and query_string:false and Min/Default/Max TTL all 1s. The change switches the default cache behavior to use a cache policy (e029a2a5…) and an origin request policy (30f587ad…). I queried those policies: the cache policy “loom-replication-static-cache” sets Min/Default/Max TTL to 1s and includes no cookies/headers/query strings in the cache key; the origin request policy “loom-replication-forward-all” forwards all cookies but no headers or query strings. This matches the diffs. Using CloudFront policies is the modern replacement for ForwardedValues; per AWS/Terraform, ForwardedValues cannot be used when a cache policy is attached, so its removal is expected, not a risk. (github.com)

Critically, when a cache policy is attached it controls TTLs; the per‑behavior min_ttl setting is legacy and the effective TTLs come from the cache policy. The attached cache policy keeps MinTTL at 1s, so the hypothesized change “min_ttl from 1 to 0” does not actually take effect. AWS docs also clarify how cache and origin request policies interact: values included in the cache key (cache policy) are automatically forwarded to the origin, and any additional values specified in the origin request policy are forwarded but are not part of the cache key. (docs.aws.amazon.com)

The only substantive behavior change is that cookies will now be forwarded to the Lambda URL origin, while the cache key still ignores cookies. That can cause incorrect caching only if the origin varies responses by cookie and does not set appropriate caching headers; we have no evidence of such behavior here. There are also no Lambda@Edge associations on the distribution, so the hypothesis’ claim about breaking Lambda@Edge integrations is not applicable to the current setup. Given the lack of concrete evidence of a definite failure mechanism, this reads as a generic warning rather than a verified risk.

✖ Hypothesis disproven


💥 Blast Radius

Items 13

Edges 13


@github-actions github-actions bot left a comment


Overmind

✅ Auto-Approved


🟢 Decision

Auto-approved: All safety checks passed


📊 Signals Summary

Routine +0


🔥 Risks Summary

High 0 · Medium 0 · Low 0


💥 Blast Radius

Items 13 · Edges 13


View full analysis in Overmind ↗


@github-actions github-actions bot left a comment


Overmind

⛔ Auto-Blocked


🔴 Decision

Auto-blocked: Policy signal (-3) is below threshold (-2)


📊 Signals Summary

Policies 🔴 -3

Routine +0


🔥 Risks Summary

High 0 · Medium 0 · Low 0


💥 Blast Radius

Items 13 · Edges 13


View full analysis in Overmind ↗


@github-actions github-actions bot left a comment


Overmind

⛔ Auto-Blocked


🔴 Decision

Auto-blocked: Policy signal (-3) is below threshold (-2)


📊 Signals Summary

Policies 🔴 -3


🔥 Risks Summary

High 0 · Medium 0 · Low 0


View full analysis in Overmind ↗


@github-actions github-actions bot left a comment


Overmind

⛔ Auto-Blocked


🔴 Decision

Auto-blocked: Policy signal (-3) is below threshold (-2)


📊 Signals Summary

Policies 🔴 -3

Routine +0


🔥 Risks Summary

High 0 · Medium 0 · Low 0


💥 Blast Radius

Items 13 · Edges 13


View full analysis in Overmind ↗
