How do I know if I'm using an older CloudFront API version?

Last updated: 2019-04-23

I want to know if I'm using an older Amazon CloudFront API version that doesn't support CloudFront's alternate domain name (CNAME) validation process. I want to proactively update my applications that invoke those APIs.

Resolution

Use AWS CloudTrail logs and Amazon Athena queries to determine if you're using an older CloudFront API version:

1.    Enable CloudTrail logging for your account in the US East (N. Virginia) Region (us-east-1).

Tip: If you already have CloudTrail logging enabled in the US East (N. Virginia) Region and you don't have a log rotation set up, you can copy a subset of your current logs into a new prefix. This allows you to run an Athena query on a subset of the logs instead of the entire data set. Athena queries are billed based on each GB of data scanned, so we recommend that you review only the last 30 days of logs to save on costs.

2.    After CloudTrail starts writing logs to an Amazon Simple Storage Service (Amazon S3) bucket, create a table for the logs.

3.    Open the Athena console, add the following query to the New query 1 box, and choose Run query:

Important: Replace $databaseName.$tableName with the names of your database and table.

SELECT apiversion, count(*) AS Total
FROM $databaseName.$tableName
WHERE eventsource = 'cloudfront.amazonaws.com'
AND parse_datetime(apiversion, 'yyyy_MM_dd') <= parse_datetime('2015_12_22', 'yyyy_MM_dd')
GROUP BY apiversion
ORDER BY Total DESC;

The query returns a count of the API calls that use the older CloudFront API versions. If the query returns no results, then your account isn't using an older API version.

If the previous query did return results, run this additional query to get more information about each individual API call:

Important: Replace $databaseName.$tableName with the names of your database and table.

SELECT useridentity.arn, sourceipaddress, eventname, useragent
FROM $databaseName.$tableName
WHERE eventsource = 'cloudfront.amazonaws.com'
AND parse_datetime(apiversion, 'yyyy_MM_dd') <= parse_datetime('2015_12_22', 'yyyy_MM_dd');

This query returns the AWS Identity and Access Management (IAM) identity, source IP address, API call (event), and user agent associated with the API calls. Use this information to determine which applications you want to update with new CloudFront API versions.
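The same check can also be run without Athena over the decompressed body of a CloudTrail log file copied from the bucket. The following is an added example, not AWS code: the function names are hypothetical, the sample records are constructed, and it assumes the standard CloudTrail record fields (eventSource, apiVersion, eventName, userIdentity.arn, sourceIPAddress, userAgent).

```python
import json
from collections import Counter
from datetime import date, datetime

CUTOFF = date(2015, 12, 22)  # same cutoff as the article's Athena queries

def parse_api_version(value):
    """Return the date in an apiVersion such as '2015_12_22', or None."""
    try:
        return datetime.strptime(value, "%Y_%m_%d").date()
    except (TypeError, ValueError):
        return None

def find_old_cloudfront_calls(log_text):
    """Scan one CloudTrail log file body ({"Records": [...]}).

    Returns (Counter of old apiVersion values, set of
    (arn, source IP, event name, user agent) tuples that used them).
    """
    versions, callers = Counter(), set()
    for rec in json.loads(log_text).get("Records", []):
        if rec.get("eventSource") != "cloudfront.amazonaws.com":
            continue
        version = parse_api_version(rec.get("apiVersion"))
        if version is None or version > CUTOFF:
            continue  # newer API, or no parseable version: not flagged
        versions[rec["apiVersion"]] += 1
        callers.add((rec.get("userIdentity", {}).get("arn"),
                     rec.get("sourceIPAddress"),
                     rec.get("eventName"), rec.get("userAgent")))
    return versions, callers

def _rec(source, version, event, arn, ip, agent):
    """Build one constructed sample record (hypothetical helper)."""
    return {"eventSource": source, "apiVersion": version, "eventName": event,
            "userIdentity": {"arn": arn}, "sourceIPAddress": ip, "userAgent": agent}

# Constructed sample data, not real log output.
ARN = "arn:aws:iam::111122223333:user/example-deployer"
SAMPLE_LOG = json.dumps({"Records": [
    _rec("cloudfront.amazonaws.com", "2014_11_06", "UpdateDistribution", ARN, "198.51.100.7", "example-legacy-tool/1.0"),
    _rec("cloudfront.amazonaws.com", "2015_12_22", "CreateDistribution", ARN, "198.51.100.7", "example-legacy-tool/1.0"),
    _rec("cloudfront.amazonaws.com", "2018_11_05", "GetDistribution", ARN, "203.0.113.9", "example-new-tool/2.0"),
    _rec("s3.amazonaws.com", None, "PutObject", ARN, "203.0.113.9", "example-new-tool/2.0"),
]})

if __name__ == "__main__":
    versions, callers = find_old_cloudfront_calls(SAMPLE_LOG)
    for version, total in versions.most_common():
        print(version, total)
    for caller in sorted(callers):
        print(caller)
```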

