That’s a great point, especially around OAC and cache strategy.
Right now the focus was on getting the full request flow and architecture in place end-to-end, but tightening S3 access using OAC and moving towards a proper caching strategy is definitely the next step.
The immutable assets + content hashing approach makes a lot of sense, especially when combined with more controlled cache invalidation for index.html.
Also agree on WAF. I wanted to include it early just to get familiar with how it fits into the request path rather than treating it as an afterthought.
Appreciate the insight. I’ll be iterating on this setup further.
Archit Mittal
Nice first deployment walkthrough! One thing worth adding to this stack: set up an OAI (Origin Access Identity) or the newer OAC (Origin Access Control) so your S3 bucket stays fully private and only CloudFront can read from it. Without that, the bucket is publicly accessible even though CloudFront is in front. Also, consider adding a Cache-Control header strategy — setting immutable assets to max-age=31536000 with content hashing in filenames, and your index.html to no-cache so CloudFront always checks for the latest version. WAF is a solid move this early — most people skip it until they get hit with bot traffic.
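The two recommendations in the comment above, as an added example that is not code from either commenter or from the original post: a bucket policy that lets a single CloudFront distribution read through OAC, an audit that flags statements still allowing reads outside that path, and the Cache-Control split between hashed assets and index.html. The bucket name, account ID, distribution ID, function names and the file-extension list are constructed placeholders.

```python
import re

CF_PRINCIPAL = "cloudfront.amazonaws.com"
# Hashed build output such as app.3f9a1c7e.js (extension list is an assumption).
HASHED = re.compile(r"[.-][0-9a-f]{8,}\.(?:js|css|woff2|png|svg|jpg)$", re.I)

def oac_bucket_policy(bucket, distribution_arn):
    """Bucket policy that lets only one CloudFront distribution read objects."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowCloudFrontOACRead",
            "Effect": "Allow",
            "Principal": {"Service": CF_PRINCIPAL},
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
            # Without this condition any distribution in any account could read.
            "Condition": {"StringEquals": {"AWS:SourceArn": distribution_arn}},
        }],
    }

def is_public(principal):
    """True for Principal "*" or {"AWS": "*"} (string or list form)."""
    if principal == "*":
        return True
    aws = principal.get("AWS") if isinstance(principal, dict) else None
    return aws == "*" or (isinstance(aws, list) and "*" in aws)

def audit_policy(policy):
    """Return findings for Allow statements that bypass the OAC-only path."""
    findings = []
    stmts = policy.get("Statement", [])
    for s in [stmts] if isinstance(stmts, dict) else stmts:
        if s.get("Effect") != "Allow":
            continue
        sid, principal = s.get("Sid", "<no Sid>"), s.get("Principal")
        if is_public(principal):
            findings.append(f"{sid}: public principal")
        elif isinstance(principal, dict) and principal.get("Service") == CF_PRINCIPAL:
            keys = {k.lower() for op in s.get("Condition", {}).values() for k in op}
            if "aws:sourcearn" not in keys:
                findings.append(f"{sid}: CloudFront principal without AWS:SourceArn")
    return findings

def cache_control(key):
    """Hashed filenames are cached for a year; everything else revalidates."""
    return "public, max-age=31536000, immutable" if HASHED.search(key) else "no-cache"

if __name__ == "__main__":
    arn = "arn:aws:cloudfront::111122223333:distribution/EXAMPLEID"  # constructed
    print(audit_policy(oac_bucket_policy("example-bucket", arn)), cache_control("index.html"))
```

The audit flags any wildcard principal for review even when a condition narrows it, so treat its findings as a starting point rather than a verdict.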