Patterns from this design

Global image delivery with CloudFront and edge-side transformation

caching

Cache-key allowlist and normalization

When
Any CDN where clients shape responses via query params (size, format, locale) and junk params (utm, session) would otherwise mint infinite cache objects.
AWS
CloudFront cache policy allowlisting only the params that change the bytes, plus a CloudFront Function on viewer-request that sorts, lowercases, and clamps them to a fixed breakpoint set in ~1 ms.
Trade-off
You quantize the request space - arbitrary widths snap to the nearest breakpoint - giving up pixel-exact requests for a bounded, high-hit-ratio cache.
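An added example, not code from the page or the design it describes, of the viewer-request CloudFront Function this pattern calls for: it allowlists, lowercases, sorts and clamps the query string before it becomes the cache key. The parameter names (w, fmt, loc), the breakpoint list and the format table are assumptions.

```javascript
'use strict';

// Allowlist of params that change the bytes (assumed names); utm_*, session etc. are dropped.
var ALLOWED = { w: true, fmt: true, loc: true };
// Fixed breakpoint set the transform layer renders for (assumed values).
var BREAKPOINTS = [320, 640, 960, 1280, 1920];
// Accepted output formats, with aliases folded to one spelling (assumed table).
var FORMATS = { jpg: 'jpg', jpeg: 'jpg', png: 'png', webp: 'webp', avif: 'avif' };

// Snap an arbitrary width to the nearest breakpoint; garbage input falls to the smallest.
function clampWidth(raw) {
  var n = parseInt(raw, 10);
  if (isNaN(n) || n <= 0) { return BREAKPOINTS[0]; }
  var best = BREAKPOINTS[0];
  for (var i = 1; i < BREAKPOINTS.length; i++) {
    if (Math.abs(BREAKPOINTS[i] - n) < Math.abs(best - n)) { best = BREAKPOINTS[i]; }
  }
  return best;
}

// qs uses the CloudFront Functions shape { name: { value: 'x' } }.
// Returns the same shape: lowercased, allowlisted, clamped, keys inserted in sorted order,
// so every equivalent request maps to one cache object.
function normalizeQuery(qs) {
  var seen = {};
  Object.keys(qs).forEach(function (k) {
    var key = k.toLowerCase();
    if (!ALLOWED[key]) { return; }                          // junk param: drop it
    var val = String(qs[k].value || '').toLowerCase();
    if (key === 'w') { val = String(clampWidth(val)); }     // quantize width
    if (key === 'fmt') { val = FORMATS[val] || 'jpg'; }     // unknown format: default
    if (key === 'loc') { val = val.replace(/[^a-z-]/g, '').slice(0, 10) || 'en'; }
    seen[key] = val;
  });
  var out = {};
  Object.keys(seen).sort().forEach(function (key) { out[key] = { value: seen[key] }; });
  return out;
}

// CloudFront Function entry point for the viewer-request event.
function handler(event) {
  var request = event.request;
  request.querystring = normalizeQuery(request.querystring);
  return request;
}
```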
caching

Conditional request coalescing

When
Cold-object spikes (launches) cause thundering-herd misses AND the per-miss origin work is expensive (transform, re-encode). Not worth it for cheap static origins.
AWS
CloudFront Origin Shield as a single regional collapse point so concurrent edge misses for one key become one origin fetch.
Trade-off
Adds a cache hop and a per-request fee on the miss path; for a plain S3 origin it can cost more than the GETs it saves, so it must be justified by transform cost, not GET savings.
media-cdn

Two-tier edge compute split

When
Edge logic mixes cheap per-request string work (key rewrite, auth check) with expensive per-miss byte work (image transform).
AWS
CloudFront Functions (1 ms, no cold start) on viewer-request for normalization and signed-URL validation; Lambda@Edge on origin-request for the transform, running on misses only.
Trade-off
Two runtimes to test and deploy, with Lambda@Edge replication lag on every change - in exchange for a roughly 7x cheaper viewer layer.
caching

Versioned URLs over invalidation

When
Content changes you control (re-uploads, catalogue refreshes) need fresh bytes without racing the cache or burning CloudFront's 3000-path / 15-wildcard-per-sec quota.
AWS
Embed a version in the path (img/v3/id.jpg) backed by a DynamoDB version map; bump the version to mint a guaranteed-fresh key. Reserve wildcard invalidation plus short TTL for legal takedowns only.
Trade-off
URL generators must know the current version (a lookup), coupling the app to a version table instead of treating URLs as static.
media-cdn

Pre-compute the bounded variant set

When
The set of derivatives is small and predictable (catalogue with fixed breakpoints), making on-the-fly transform the dominant variable cost.
AWS
S3 upload event triggers Step Functions to render all standard variants to S3 as static objects; on-the-fly Lambda@Edge transform remains only as the long-tail fallback.
Trade-off
You store variants that may never be requested and must re-render the catalogue on a schema change - only wins when the variant set is small and known.
media-cdn

Per-tenant signing-key isolation

When
Multi-tenant delivery where one tenant must never serve another's content and signing keys must rotate without downtime.
AWS
CloudFront Trusted Key Groups per tenant (up to 5 keys for overlap rotation) validated in the viewer-request Function, plus IAM and bucket-policy prefix scoping of the transform role; S3 object keys derived server-side rather than taken from the request, eliminating SSRF.
Trade-off
Config grows with tenant count against CloudFront's behaviors-per-distribution cap, forcing tenant sharding across distributions past a few hundred large tenants.