How to check the API Version currently used in Amazon CloudFront

Tadashi Shigeoka ·  Sat, April 27, 2019

I’ll introduce how to check the API Version being used in Amazon CloudFront.


Prerequisites

The content of the email from AWS is as follows:

Subject: Amazon CloudFront - Update on Older API Versions [AWS Account: xxxx]

Body: Hello,

We recently sent a followup notification to an April 9, 2019 forum announcement[1] notifying customers of an upcoming deprecation of specific versions (2015 or older) of the CloudFront APIs. Since this announcement we’ve received feedback from customers and we’d like to provide an update.

We want to reassure customers that the planned deprecation does not reduce functionality in any way and no CloudFront features are being disabled.

Recently, CloudFront has made improvements to CNAME validation[2] and to the minimum versions of TLS/SSL that are enabled by default. TLS/SSL Certificates have now been widely available for free, from Amazon Certificate Manager, LetsEncrypt, and others, for several years. Requiring every customer using CloudFront with a custom domain to present a valid certificate proving domain ownership improves security for our customers because only legitimate domain owners can use those domains with CloudFront. Customers have also told us that they would prefer if new CloudFront distributions do not support the older, legacy versions of TLS/SSL. Unfortunately, these features are not compatible with the older versions of our APIs, which were designed and released prior to the availability of our SNI and TLS version features. By using the older API versions, there’s a risk that customers can be left unable to configure a distribution, or possibly even misconfigure and break it by removing security critical settings.

While only a very small percentage of API calls are made using the older versions and the current APIs are backwards compatible with those we planned to deprecate, we’ve been alerted to a few cases where customers may have work migrating. Therefore, we have decided to extend the time to migrate to 12 months. The API versions 2015 or older will now be supported until at least April 30, 2020. We will also be notifying the small subset of customers who seem to still use the old versions of these APIs with more information about their usage.

We apologize for the confusion this may have caused. Please reach out to AWS Support[3] if you have questions.

[1] https://forums.aws.amazon.com/ann.jspa?annID=6697
[2] https://aws.amazon.com/blogs/networking-and-content-delivery/continually-enhancing-domain-security-on-amazon-cloudfront/
[3] https://aws.amazon.com/support

Sincerely, Amazon Web Services

Prerequisites

  • jq command installed

How to Check CloudFront API Version

Since the email mentions "an upcoming deprecation of specific versions (2015 or older) of the CloudFront APIs", I referred to the following article for the procedure to check the CloudFront API Version:

Please be careful if there are apiVersions from 2015-12-22 or earlier, as those would be problematic.

Download CloudFront Event History JSON

Download the CloudFront event history as a JSON file from the CloudTrail Management Console.

https://us-west-1.console.aws.amazon.com/cloudtrail/home?region=us-west-1#/events?EventSource=cloudfront.amazonaws.com&StartTime=2019-01-31T15:00:00.000Z&EndTime=2019-04-30T15:00:00.000Z

Check CloudFront API Version

Check the CloudFront API Version using the following shell script with the jq command.

Shell script to check apiVersion

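# Count CloudTrail records per apiVersion year
for year in 2015 2016 2017 2018 2019
do
    echo "$year"
    # -r prints raw strings, so the year can be anchored at the start of the value
    jq -r ".Records[].apiVersion" event_history.json | grep "^$year" | wc -l
    echo "----------"
done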

Here are the execution results:

2015
       0
----------
2016
       0
----------
2017
     258
----------
2018
    2796
----------
2019
       0
----------

Since there are only apiVersions from 2017 and 2018, it looks fine.
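The per-year count shows whether old versions appear, but not who is calling them. The following Python script is an added example, not part of the original post: it reads JSON in the same shape as event_history.json, applies the 2015-12-22 cutoff mentioned above, and groups legacy calls by apiVersion, event name, caller ARN and user agent. The sample records are constructed, and accepting both `_` and `-` as separators in apiVersion is an assumption.

```python
import json
from collections import Counter
from datetime import date

CUTOFF = date(2015, 12, 22)  # from the post: 2015-12-22 or earlier is problematic

# Constructed sample records in the shape the post's jq filter reads (.Records[]).
SAMPLE = json.loads("""
{"Records": [
 {"eventSource": "cloudfront.amazonaws.com", "eventName": "GetDistribution", "apiVersion": "2018_06_18",
  "userAgent": "aws-cli/1.16.140", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/deploy"}},
 {"eventSource": "cloudfront.amazonaws.com", "eventName": "UpdateDistribution", "apiVersion": "2015_04_17",
  "userAgent": "Boto/2.38.0", "userIdentity": {"arn": "arn:aws:iam::111122223333:role/legacy-cdn-job"}},
 {"eventSource": "cloudfront.amazonaws.com", "eventName": "UpdateDistribution", "apiVersion": "2015_04_17",
  "userAgent": "Boto/2.38.0", "userIdentity": {"arn": "arn:aws:iam::111122223333:role/legacy-cdn-job"}},
 {"eventSource": "cloudfront.amazonaws.com", "eventName": "CreateInvalidation", "apiVersion": "2015-07-27",
  "userAgent": "custom-sdk/0.1", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ci"}},
 {"eventSource": "cloudfront.amazonaws.com", "eventName": "ListDistributions",
  "userAgent": "console.amazonaws.com", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/admin"}},
 {"eventSource": "s3.amazonaws.com", "eventName": "GetBucketAcl", "apiVersion": "2006-03-01"}
]}
""")

def parse_api_version(value):
    """Return a date for 'YYYY_MM_DD' or 'YYYY-MM-DD', or None if it cannot be parsed."""
    if not isinstance(value, str):
        return None
    try:
        year, month, day = (int(p) for p in value.replace("_", "-").split("-"))
        return date(year, month, day)
    except ValueError:  # wrong number of parts, non-numeric part, or invalid date
        return None

def find_legacy_callers(trail, cutoff=CUTOFF):
    """Count CloudFront calls made with an apiVersion at or before cutoff, grouped by caller."""
    legacy, unparsed = Counter(), 0
    for rec in trail.get("Records", []):
        if rec.get("eventSource") != "cloudfront.amazonaws.com":
            continue  # ignore other services that may be in the export
        version = parse_api_version(rec.get("apiVersion"))
        if version is None:
            unparsed += 1  # reported separately so missing values are not read as "fine"
        elif version <= cutoff:
            arn = (rec.get("userIdentity") or {}).get("arn")
            legacy[(rec["apiVersion"], rec.get("eventName"), arn, rec.get("userAgent"))] += 1
    return legacy, unparsed

if __name__ == "__main__":
    legacy, unparsed = find_legacy_callers(SAMPLE)  # or json.load(open("event_history.json"))
    for (ver, event, arn, agent), n in legacy.most_common():
        print(f"{n:5d}  {ver}  {event}  {arn}  {agent}")
    print(f"CloudFront records without a parseable apiVersion: {unparsed}")
```

An empty result together with a zero unparsed count corresponds to the "looks fine" outcome above; any listed ARN and user agent point to the client or SDK that needs to be updated.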

That’s all from the Gemba, where we want to check the API Version being used in CloudFront.