[throwaway2016a]

I addressed that partially with.

> Only downside is if your traffic spikes you have no control over the cost. There is no upper bounds. With that said, it would take a tremendous amount of traffic to balloon the costs to anything worth worrying about. And at least you can be sure your website will actually stay up.

However, proper use of cache headers can help with that since Cloudfront respects them and won't hit S3 again if the header isn't expired. So at least that helps.

The scenario you described is my nightmare scenario.

Also, Cloudfront now has a WAF (Web Application Firewall) that can help with this. Although it too has some costs.

Edit:

Another alternative that is pretty straight forward although non-zero work is to set up a CloudWatch alarm on your monthly bill and when it gets to high make an API call to shut off the cloudfront distribution (cloudwatch can trigger SNS which can trigger Lambda which can make the API call).

It's a PITA but worth it to save hundreds.