How do I know if I'm using an older CloudFront API version?

2 minute read

I want to know if I'm using an older Amazon CloudFront API version that doesn't support CloudFront's alternate domain name (CNAME) validation process. I want to update my applications that invoke those APIs.

Resolution

Use AWS CloudTrail logs and Amazon Athena queries to determine if you're using an older CloudFront API version that doesn't support the CNAME validation process:

1. Turn on CloudTrail logging for your account in the US East (N. Virginia) Region (us-east-1).

Note: If you already have CloudTrail logging turned on for the US East (N. Virginia) Region and you don't have a log rotation set up, then you can copy a subset of your current logs into a new prefix. This lets you run an Athena query on a subset of the logs instead of the entire dataset. Athena queries are billed based on each GB of data scanned. This means that it's a best practice to review only the last 30 days of logs to reduce cost.

2. After the CloudTrail logs are being written to an Amazon Simple Storage Service (Amazon S3) bucket, create a table for the logs.

3. Open the Athena console, add the following query to the New query 1 box, and choose Run query:

Important: Replace $databaseName.$tableName with the names of your database and table.

SELECT apiversion, count() AS Total
FROM "default"."cloudtrail_logs_cloudtrail_awslogs_317431709534_6l2vpmtr_isengard_do_not_delete"
WHERE eventsource = 'cloudfront.amazonaws.com'
AND parse_datetime(apiversion, 'yyyy_MM_dd') < parse_datetime('2020_05_31', 'yyyy_MM_dd')
GROUP BY apiversion
ORDER BY Total Desc;

The query returns a count of the API calls that use earlier CloudFront API versions. If the query returns no results, then your account isn't using an earlier API version.

If the previous query did return results, then run this additional query to get more information about each individual API call:

Important: Replace $databaseName.$tableName with the names of your database and table.

SELECT useridentity.arn, sourceipaddress, eventname, useragent,eventtime
FROM "default"."cloudtrail_logs_cloudtrail_awslogs_317431709534_6l2vpmtr_isengard_do_not_delete"
WHERE eventsource = 'cloudfront.amazonaws.com'
AND parse_datetime(apiversion, 'yyyy_MM_dd') < parse_datetime('2020_05_31', 'yyyy_MM_dd');

This query returns the AWS Identity and Access Management (IAM) identity, source IP address, API call (event), and user agent associated with the API calls. Use this information to determine which applications you want to update with the new CloudFront API versions.

Topics

Networking & Content Delivery

Relevant content

Unable to find the older version of aws cloud watch agent.
Muhammad Ahmad
asked a month ago
How to read older S3 logs
AnujG
asked 4 months ago
Can we disable the older versions of TLS when using API Gateway?
Akshata
asked a year ago
S3 Transfer Acceleration + older TLS versions
Accepted Answer
sonny
asked 6 months ago
Customer would like to know if it is possible to cache API requests in Amazon CloudFront if the app cannot set cache-control headers
Accepted Answer
AWS-User-7026455
asked 4 years ago
How do I use AWS CloudTrail to track API calls to my Amazon EC2 instances?
AWS OFFICIALUpdated 2 years ago
How do I analyze the Amazon VPC flow logs using Amazon Athena?
AWS OFFICIALUpdated a year ago
How do I automatically create tables in Amazon Athena to search through AWS CloudTrail logs?
AWS OFFICIALUpdated 2 years ago
I’m using an S3 REST API endpoint as the origin of my CloudFront distribution. Why am I getting 403 Access Denied errors?
AWS OFFICIALUpdated a year ago
How to Analyze your AWS IoT Logs with Standard SQL queries
EXPERT
Charlyscott237
published a month ago