Don't interact with AWS products directly
Published on Fri Sep 12 2025 19:18:26 GMT+0000 (Coordinated Universal Time)
Never expose the AWS products you use in your system. Your users should not know if you are using S3, CloudFront, or an AWS API Gateway.
I've learnt this lesson the hard way, and we're still paying for it years later.
The Problem
Consider this scenario: you have resources hosted on AWS CloudFront, and you provide clients with direct access through the CloudFront distribution ID (e.g. dab2sjqfpsmyzq.cloudfront.net).
This works brilliantly for many years, until you want to make changes. You realize you have hundreds of clients that hardcoded your CloudFront distribution ID into their code, creating tight coupling. You cannot make changes without breaking your clients—yikes!
You may want to change this CloudFront distribution for many reasons, including:
- Cost savings - You want to move to a cheaper CDN provider for your use case, e.g. Google CDN or Fastly.
- Fallbacks - You want to add a fallback in case CloudFront is down, routing requests to a different CDN.
- Accidental resource deletes - If this CloudFront distribution is deleted, you cannot recover it with the same distribution ID.
This issue also applies to S3 buckets, API Gateways, and anything else that points directly to an AWS resource.
The solution
Put these resources behind a DNS name. Instead of calling dab2sjqfpsmyzq.cloudfront.net, you really should be calling mycdn.mydomainname.com.
If anything needs changing, you simply change the underlying resource while keeping the same domain name.
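To find where the coupling described above already exists, this added example (not code from the original post) scans text such as client configuration or published documentation for hostnames that point directly at CloudFront, S3 or API Gateway. The regular expressions and the sample configuration are constructed for illustration; only dab2sjqfpsmyzq.cloudfront.net and mycdn.mydomainname.com come from the post.

```python
import re
from collections import Counter

# Hostname shapes of the three AWS products the post names (illustrative patterns).
AWS_HOST_PATTERNS = {
    "CloudFront": re.compile(r"\b[a-z0-9]+\.cloudfront\.net\b", re.I),
    # Covers bucket.s3.amazonaws.com, bucket.s3.<region>.amazonaws.com,
    # the legacy bucket.s3-<region> form, and path-style s3.amazonaws.com.
    "S3": re.compile(
        r"\b(?:[a-z0-9.-]+\.)?s3[.-](?:[a-z0-9-]+\.)?amazonaws\.com\b", re.I),
    "API Gateway": re.compile(
        r"\b[a-z0-9]+\.execute-api\.[a-z0-9-]+\.amazonaws\.com\b", re.I),
}

# Constructed sample of what a client might have hardcoded. The bucket name and
# API Gateway ID are made up; the last line is the decoupled form the post recommends.
CONSTRUCTED_CLIENT_CONFIG = """\
asset_base = "https://dab2sjqfpsmyzq.cloudfront.net/static/"
upload_url = "https://example-bucket.s3.eu-west-1.amazonaws.com/uploads"
api_base = "https://abc123defg.execute-api.us-east-1.amazonaws.com/prod"
cdn_base = "https://mycdn.mydomainname.com/static/"
"""


def find_direct_aws_endpoints(text):
    """Return (line_number, service, hostname) for each direct AWS hostname."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for service, pattern in AWS_HOST_PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append((lineno, service, match.group(0).lower()))
    return findings


def summarize(findings):
    """Count findings per AWS service, to size the migration work."""
    return dict(Counter(service for _, service, _ in findings))


if __name__ == "__main__":
    results = find_direct_aws_endpoints(CONSTRUCTED_CLIENT_CONFIG)
    for lineno, service, host in results:
        print(f"line {lineno}: direct {service} endpoint {host}")
    print(summarize(results))
```

Hostnames under your own domain, such as mycdn.mydomainname.com, produce no finding, so a clean run means the underlying resource can be swapped without touching clients.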