How do I check if my CloudFront API uses an earlier version?

I want to know how to determine whether my Amazon CloudFront API is an earlier version that doesn't support the CloudFront alternate domain name (CNAME) validation process. I also want to update my applications that invoke the API.

Resolution

Use an AWS CloudTrail trail and Amazon Athena queries to determine if you use an earlier CloudFront API version that doesn't support the CNAME validation process.

To create a CloudTrail log and run an Athena query, complete the following steps:

  1. Create a trail for your AWS account in the US East (N. Virginia) AWS Region (us-east-1).

  2. After the CloudTrail log files write to an Amazon Simple Storage Service (Amazon S3) bucket, create a table for the log files.

  3. Open the Athena console, and then add the following query to the New Query 1 editor box:

    SELECT apiversion, count(*) AS Total
    FROM $databaseName.$tableName
    WHERE eventsource = 'cloudfront.amazonaws.com'
    AND parse_datetime(apiversion, 'yyyy_MM_dd') < parse_datetime('2020_05_31', 'yyyy_MM_dd')
    GROUP BY apiversion
    ORDER BY Total DESC;

    Note: Replace $databaseName.$tableName with the names of your database and table.

  4. Choose Run.
    Note: The query returns the number of API calls that use earlier CloudFront API versions. If the query returns no results, then your account doesn't use an earlier API version.

  5. (Optional) If the previous query returned results, then run the following query to get more information about each API call:

    SELECT useridentity.arn, sourceipaddress, eventname, useragent, eventtime
    FROM $databaseName.$tableName
    WHERE eventsource = 'cloudfront.amazonaws.com'
    AND parse_datetime(apiversion, 'yyyy_MM_dd') < parse_datetime('2020_05_31', 'yyyy_MM_dd');

    Note: Replace $databaseName.$tableName with the names of your database and table.
    The preceding query returns the AWS Identity and Access Management (IAM) identity, source IP address, API call, and user agent that's associated with the API call. Use this information to determine the applications that you want to update with the latest CloudFront API version.
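
The following is an added example, not part of the original article: it applies the same cutoff check to the text of a downloaded CloudTrail log file and groups the earlier-version calls by caller, so you can see which application to update first. The sample records, ARNs, and user agents are constructed; the field names follow the CloudTrail record format.

```python
import json
from collections import Counter
from datetime import date, datetime

CUTOFF = date(2020, 5, 31)  # same cutoff as the Athena queries on this page
CLOUDFRONT = "cloudfront.amazonaws.com"
# Constructed sample in the CloudTrail log-file layout; ARNs and agents are made up.
USER = "arn:aws:iam::111122223333:user/deploy-bot"
ROLE = "arn:aws:sts::111122223333:assumed-role/ci/build"
SAMPLE_LOG = json.dumps({"Records": [
    {"eventSource": CLOUDFRONT, "eventName": "UpdateDistribution", "apiVersion": "2019_03_26",
     "userAgent": "aws-sdk-java/1.11.500", "userIdentity": {"arn": USER}},
    {"eventSource": CLOUDFRONT, "eventName": "GetDistribution", "apiVersion": "2019_03_26",
     "userAgent": "aws-sdk-java/1.11.500", "userIdentity": {"arn": USER}},
    {"eventSource": CLOUDFRONT, "eventName": "CreateInvalidation", "apiVersion": "2018_11_05",
     "userAgent": "legacy-script/0.3", "userIdentity": {"arn": ROLE}},
    {"eventSource": CLOUDFRONT, "eventName": "ListDistributions", "apiVersion": "2020_05_31",
     "userAgent": "Boto3/1.34.0", "userIdentity": {"arn": ROLE}},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetBucketAcl",
     "userAgent": "Boto3/1.34.0", "userIdentity": {"arn": ROLE}},
]})

def parse_api_version(value):
    """Return apiVersion as a date, or None when it is absent or malformed."""
    try:
        return datetime.strptime(value, "%Y_%m_%d").date()
    except (TypeError, ValueError):
        return None

def earlier_version_calls(log_text, cutoff=CUTOFF):
    """Yield CloudFront records whose apiVersion is strictly before the cutoff."""
    for rec in json.loads(log_text).get("Records", []):
        if rec.get("eventSource") != CLOUDFRONT:
            continue
        version = parse_api_version(rec.get("apiVersion"))
        if version is not None and version < cutoff:
            yield rec

def summarize(log_text):
    """Count earlier-version calls per (caller ARN, user agent, apiVersion)."""
    counts = Counter()
    for rec in earlier_version_calls(log_text):
        arn = (rec.get("userIdentity") or {}).get("arn", "unknown")
        counts[(arn, rec.get("userAgent", "unknown"), rec["apiVersion"])] += 1
    return counts.most_common()

if __name__ == "__main__":
    for (arn, agent, version), total in summarize(SAMPLE_LOG):
        print(f"{total:>3}  {version}  {arn}  {agent}")
```

CloudTrail log files in Amazon S3 are gzip-compressed, so decompress a file before you pass its text to `summarize`.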

AWS OFFICIAL - Updated 2 months ago