As background, please review "Out with HPKP, in with CAA?" to re-familiarize yourself with HTTP Public Key Pinning (HPKP) and Certificate Authority Authorization (CAA).
Today, I saw "How to Prepare for AWS’s Move to Its Own Certificate Authority" (AWS Security Blog) and saw this comment about certificate pinning:
AWS recommends against using certificate pinning because it introduces a potential availability risk. If the certificate to which you pin is replaced, your application will fail to connect. If your use case requires pinning, we recommend that you pin to a CA rather than to an individual certificate. If you are pinning to an Amazon Trust Services CA, you should pin to all CAs shown in the table earlier in this post.
It seems like we don’t want to pin our hopes on HPKP.
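The availability trade-off in the AWS guidance quoted above, worked through as an added example (not code from the AWS post or from this blog). It uses the RFC 7469 pin format, base64 of the SHA-256 of a certificate's SubjectPublicKeyInfo, and compares three pin policies across a leaf renewal and a CA migration; the SPKI byte strings, chain names and policy names are constructed placeholders, not real certificates.

```python
import base64
import hashlib

def spki_pin(spki_der: bytes) -> str:
    """RFC 7469 pin value: base64(SHA-256(SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")

def chain_matches(chain_spkis, pins) -> bool:
    """Pin validation passes when any certificate in the chain matches any pin."""
    return any(spki_pin(spki) in pins for spki in chain_spkis)

# Constructed stand-ins for DER-encoded SPKI blobs (assumption: real code would
# extract these from the certificates the TLS stack has already validated).
LEAF_OLD = b"constructed-spki:leaf-key-before-renewal"
LEAF_NEW = b"constructed-spki:leaf-key-after-renewal"
OLD_CA_INT = b"constructed-spki:old-ca-intermediate"
OLD_CA_ROOT = b"constructed-spki:old-ca-root"
NEW_CA_INT = b"constructed-spki:new-ca-intermediate"
NEW_CA_ROOT = b"constructed-spki:new-ca-root"

# The chain a client sees at three points in the server's life.
CHAINS = {
    "today": [LEAF_OLD, OLD_CA_INT, OLD_CA_ROOT],
    "leaf renewed": [LEAF_NEW, OLD_CA_INT, OLD_CA_ROOT],
    "CA migrated": [LEAF_NEW, NEW_CA_INT, NEW_CA_ROOT],
}

# Three ways a client might have been shipped with pins.
POLICIES = {
    "leaf pin": {spki_pin(LEAF_OLD)},
    "single CA pin": {spki_pin(OLD_CA_ROOT)},
    "all CA pins": {spki_pin(OLD_CA_ROOT), spki_pin(NEW_CA_ROOT)},
}

def outcomes():
    """Map each policy to whether the client still connects after each event."""
    return {
        policy: {event: chain_matches(chain, pins) for event, chain in CHAINS.items()}
        for policy, pins in POLICIES.items()
    }

if __name__ == "__main__":
    for policy, results in outcomes().items():
        for event, ok in results.items():
            print(f"{policy:14} | {event:12} | {'connects' if ok else 'FAILS'}")
```

Only the policy that pins every CA the operator may issue from survives both events, which is why the quoted guidance says to pin to all listed CAs rather than to one certificate.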