How do I know if I'm using an older CloudFront API version?

Lesedauer: 2 Minute
0

I want to know if I'm using an older Amazon CloudFront API version that doesn't support CloudFront's alternate domain name (CNAME) validation process. I want to update my applications that invoke those APIs.

Resolution

Use AWS CloudTrail logs and Amazon Athena queries to determine if you're using an older CloudFront API version that doesn't support the CNAME validation process:

1.    Turn on CloudTrail logging for your account in the US East (N. Virginia) Region (us-east-1).

Note: If you already have CloudTrail logging turned on for the US East (N. Virginia) Region and you don't have a log rotation set up, then you can copy a subset of your current logs into a new prefix. This lets you run an Athena query on a subset of the logs instead of the entire dataset. Athena queries are billed based on each GB of data scanned. This means that it's a best practice to review only the last 30 days of logs to reduce cost.

2.    After the CloudTrail logs are being written to an Amazon Simple Storage Service (Amazon S3) bucket, create a table for the logs.

3.    Open the Athena console, add the following query to the New query 1 box, and choose Run query:

Important: Replace $databaseName.$tableName with the names of your database and table.

SELECT apiversion, count() AS Total
FROM "default"."cloudtrail_logs_cloudtrail_awslogs_317431709534_6l2vpmtr_isengard_do_not_delete"
WHERE eventsource = 'cloudfront.amazonaws.com'
AND parse_datetime(apiversion, 'yyyy_MM_dd') < parse_datetime('2020_05_31', 'yyyy_MM_dd')
GROUP BY apiversion
ORDER BY Total Desc;

The query returns a count of the API calls that use earlier CloudFront API versions. If the query returns no results, then your account isn't using an earlier API version.

If the previous query did return results, then run this additional query to get more information about each individual API call:

Important: Replace $databaseName.$tableName with the names of your database and table.

SELECT useridentity.arn, sourceipaddress, eventname, useragent,eventtime
FROM "default"."cloudtrail_logs_cloudtrail_awslogs_317431709534_6l2vpmtr_isengard_do_not_delete"
WHERE eventsource = 'cloudfront.amazonaws.com'
AND parse_datetime(apiversion, 'yyyy_MM_dd') < parse_datetime('2020_05_31', 'yyyy_MM_dd');

This query returns the AWS Identity and Access Management (IAM) identity, source IP address, API call (event), and user agent associated with the API calls. Use this information to determine which applications you want to update with the new CloudFront API versions.


AWS OFFICIAL
AWS OFFICIALAktualisiert vor 3 Monaten