How to check which API versions you are using with Amazon CloudFront

This post shows how to check which API versions you are using with Amazon CloudFront.


Background

The email from AWS reads as follows.

Subject:
Amazon CloudFront – Update on Older API Versions [AWS Account: xxxx]

Body:
Hello,

We recently sent a followup notification to an April 9, 2019 forum announcement[1] notifying customers of an upcoming deprecation of specific versions (2015 or older) of the CloudFront APIs. Since this announcement we’ve received feedback from customers and we’d like to provide an update.

We want to reassure customers that the planned deprecation does not reduce functionality in any way and no CloudFront features are being disabled.

Recently, CloudFront has made improvements to CNAME validation[2] and to the minimum versions of TLS/SSL that are enabled by default. TLS/SSL Certificates have now been widely available for free, from Amazon Certificate Manager, LetsEncrypt, and others, for several years. Requiring that every customer using CloudFront with a custom domain to present a valid certificate proving domain ownership improves security for our customers because only legitimate domain owners can use those domains with CloudFront. Customers have also told us that they would prefer if new CloudFront distributions do not support the older, legacy versions of TLS/SSL. Unfortunately, these features are not compatible with the older versions of our APIs, which were designed and released prior to the availability of our SNI and TLS version features. By using the older API versions, there’s a risk that customers can be left unable to configure a distribution, or possibly even misconfigure and break it by removing security critical settings.

While only a very small percentage of API calls are made using the older versions and the current APIs are backwards compatible with those we planned to deprecate, we’ve been alerted to a few cases where customers may have work migrating. Therefore, we have decided to extend the time to migrate to 12 months. The API versions 2015 or older will now be supported until at least April 30, 2020. We will also be notifying the small subset of customers who seem to still use the old versions of these APIs with more information about their usage.

We apologize for the confusion this may have caused. Please reach out to AWS Support[3] if you have questions.

[1] https://forums.aws.amazon.com/ann.jspa?annID=6697
[2] https://aws.amazon.com/blogs/networking-and-content-delivery/continually-enhancing-domain-security-on-amazon-cloudfront/
[3] https://aws.amazon.com/support

Sincerely,
Amazon Web Services

Preparation

  • The jq command is installed

How to check the CloudFront API version

an upcoming deprecation of specific versions (2015 or older) of the CloudFront APIs.

Given that, I referred to the following article for the steps to check the CloudFront API version.

Be careful: if any apiVersion is 2015-12-22 or earlier, you are affected.

Downloading the CloudFront event history as JSON

Download the CloudFront event history as a JSON file from the CloudTrail Management Console.

https://us-west-1.console.aws.amazon.com/cloudtrail/home?region=us-west-1#/events?EventSource=cloudfront.amazonaws.com&StartTime=2019-01-31T15:00:00.000Z&EndTime=2019-04-30T15:00:00.000Z

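Checking the CloudFront API version

Check the CloudFront API versions with a shell script like the following, which uses the jq command.

Shell script to check apiVersion

# Count the CloudTrail records per apiVersion year in the downloaded export
for year in 2015 2016 2017 2018 2019
do
    echo "$year"
    # Print every record's apiVersion, keep the lines for this year, count them
    jq ".Records[].apiVersion" event_history.json | grep "$year" | wc -l
    echo "----------"
done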

The output is as follows.

2015
       0
----------
2016
       0
----------
2017
     258
----------
2018
    2796
----------
2019
       0
----------

The only apiVersion values present are from 2017 and 2018, so it looks like we are fine.

That's all from the field, where we wanted to check which API versions we use with CloudFront.
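The same audit as an added Python example (not part of the original article): it groups CloudFront events by exact apiVersion, flags anything at or before the 2015-12-22 cutoff mentioned above, including versions older than 2015 that the year loop does not list, and records which caller used them. The sample records, IAM user names, user agents and the `_rec` helper are constructed for illustration, and accepting both `-` and `_` as date separators is an assumption about the export format.

```python
import json
import re
import sys
from collections import Counter
from datetime import date

CUTOFF = date(2015, 12, 22)  # per the article: this apiVersion or earlier is affected

def parse_api_version(value):
    """Parse 'YYYY-MM-DD' or 'YYYY_MM_DD'; None if missing or malformed."""
    m = re.fullmatch(r"(\d{4})[-_](\d{2})[-_](\d{2})", str(value or ""))
    try:
        return date(*map(int, m.groups())) if m else None
    except ValueError:
        return None

def audit(trail, cutoff=CUTOFF):
    """Return (events per apiVersion, events lacking a version, deprecated callers)."""
    counts, unknown, callers = Counter(), 0, Counter()
    for rec in trail.get("Records", []):
        if rec.get("eventSource") != "cloudfront.amazonaws.com":
            continue  # ignore other services if the export was not filtered
        ver = parse_api_version(rec.get("apiVersion"))
        if ver is None:
            unknown += 1  # counted separately so missing versions are not read as "safe"
            continue
        counts[ver.isoformat()] += 1
        if ver <= cutoff:  # remember who is calling, so that client can be upgraded
            arn = (rec.get("userIdentity") or {}).get("arn", "?")
            callers[(arn, rec.get("userAgent", "?"), rec.get("eventName", "?"))] += 1
    return counts, unknown, callers

def _rec(version, user, agent, name, source="cloudfront.amazonaws.com"):
    rec = {"eventSource": source, "eventName": name, "userAgent": agent,
           "userIdentity": {"arn": "arn:aws:iam::111122223333:user/" + user}}
    return {**rec, "apiVersion": version} if version else rec

# Constructed sample shaped like an event_history.json export (not real data).
SAMPLE = {"Records": [
    _rec("2018_11_05", "ci", "ci-tool/2.0", "UpdateDistribution"),
    _rec("2014_11_06", "legacy", "old-deploy/1.0", "CreateInvalidation"),
    _rec("2015-12-22", "legacy", "old-deploy/1.0", "GetDistribution"),
    _rec(None, "ci", "ci-tool/2.0", "ListDistributions"),
    _rec("2006-03-01", "ci", "ci-tool/2.0", "GetObject", "s3.amazonaws.com")]}

if __name__ == "__main__":
    trail = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    counts, unknown, callers = audit(trail)
    print(dict(counts), "without apiVersion:", unknown, "deprecated:", dict(callers))
```

Run it with the path to event_history.json as the first argument to audit a real export instead of the constructed sample.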