How do I check if my CloudFront API uses an earlier version?

Resolution

Use an AWS CloudTrail trail and Amazon Athena queries to determine if you use an earlier CloudFront API version that doesn't support the CNAME validation process.

To create a CloudTrail log and run an Athena query, complete the following steps:

1. Create a trail for your AWS account in the US East (N. Virginia) AWS Region (us-east-1).

2. After the CloudTrail log files write to an Amazon Simple Storage Service (Amazon S3) bucket, create a table for the log files.

3. Open the Athena console, and then add the following query to the New Query 1 editor box:

   SELECT apiversion, count() AS Total
   FROM $databaseName.$tableName
   WHERE eventsource = 'cloudfront.amazonaws.com'
   AND parse_datetime(apiversion, 'yyyy_MM_dd') < parse_datetime('2020_05_31', 'yyyy_MM_dd')
   GROUP BY apiversion
   ORDER BY Total Desc;

   Note: Replace $databaseName.$tableName with the names of your database and table.

4. Choose Run.
   Note: The query returns the number of the API calls that use earlier CloudFront API versions. If the query returns no results, then your account doesn't use an earlier API version.

5. (Optional) If the previous query returned results, then run the following query to get more information about each API call:

   SELECT useridentity.arn, sourceipaddress, eventname, useragent,eventtime
   FROM $databaseName.$tableName
   WHERE eventsource = 'cloudfront.amazonaws.com'
   AND parse_datetime(apiversion, 'yyyy_MM_dd') < parse_datetime('2020_05_31', 'yyyy_MM_dd');

   Note: Replace $databaseName.$tableName with the names of your database and table.
   The preceding query returns the AWS Identity and Access Management (IAM) identity, source IP address, API call, and user agent that's associated with the API call. Use this information to determine the applications that you want to update with the latest CloudFront API version.