This post shows how to check which API versions you are using with Amazon CloudFront.
 
The email from AWS reads as follows.
Subject: Amazon CloudFront - Update on Older API Versions [AWS Account: xxxx]
Body: Hello,
We recently sent a followup notification to an April 9, 2019 forum announcement[1] notifying customers of an upcoming deprecation of specific versions (2015 or older) of the CloudFront APIs. Since this announcement we’ve received feedback from customers and we’d like to provide an update.
We want to reassure customers that the planned deprecation does not reduce functionality in any way and no CloudFront features are being disabled.
Recently, CloudFront has made improvements to CNAME validation[2] and to the minimum versions of TLS/SSL that are enabled by default. TLS/SSL Certificates have now been widely available for free, from Amazon Certificate Manager, LetsEncrypt, and others, for several years. Requiring that every customer using CloudFront with a custom domain to present a valid certificate proving domain ownership improves security for our customers because only legitimate domain owners can use those domains with CloudFront. Customers have also told us that they would prefer if new CloudFront distributions do not support the older, legacy versions of TLS/SSL. Unfortunately, these features are not compatible with the older versions of our APIs, which were designed and released prior to the availability of our SNI and TLS version features. By using the older API versions, there’s a risk that customers can be left unable to configure a distribution, or possibly even misconfigure and break it by removing security critical settings.
While only a very small percentage of API calls are made using the older versions and the current APIs are backwards compatible with those we planned to deprecate, we’ve been alerted to a few cases where customers may have work migrating. Therefore, we have decided to extend the time to migrate to 12 months. The API versions 2015 or older will now be supported until at least April 30, 2020. We will also be notifying the small subset of customers who seem to still use the old versions of these APIs with more information about their usage.
We apologize for the confusion this may have caused. Please reach out to AWS Support[3] if you have questions.
[1] https://forums.aws.amazon.com/ann.jspa?annID=6697
[2] https://aws.amazon.com/blogs/networking-and-content-delivery/continually-enhancing-domain-security-on-amazon-cloudfront/
[3] https://aws.amazon.com/support
Sincerely, Amazon Web Services
an upcoming deprecation of specific versions (2015 or older) of the CloudFront APIs.
Given that, I referred to the following article for the steps to check the CloudFront API version.
Note that you are affected if any apiVersion is 2015-12-22 or earlier.
Download the CloudFront event history as a JSON file from the CloudTrail Management Console.
https://us-west-1.console.aws.amazon.com/cloudtrail/home?region=us-west-1#/events?EventSource=cloudfront.amazonaws.com&StartTime=2019-01-31T15:00:00.000Z&EndTime=2019-04-30T15:00:00.000Z
Check the CloudFront API versions with a shell script like the following, which uses the jq command.
Shell script to check apiVersion
for year in 2015 2016 2017 2018 2019
do
    echo $year
    cat event_history.json | jq ".Records[].apiVersion" | grep $year | wc -l
    echo "----------"
done
The output is as follows.
2015
       0
----------
2016
       0
----------
2017
     258
----------
2018
    2796
----------
2019
       0
----------
Only apiVersion values from 2017 and 2018 appear, so it looks like we are fine.
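The same check as an added Python example (not from the original post or the article it references): it counts events per exact apiVersion, reports records that carry no apiVersion, which the grep-by-year count skips, and lists which caller made any call with a 2015-or-older version. The sample records are constructed; `userIdentity.arn`, `userAgent` and `eventName` are standard CloudTrail record fields, and the year cutoff is taken from the AWS notice.

```python
import json
import re
from collections import Counter, defaultdict

DEPRECATED_MAX_YEAR = 2015  # the AWS notice says "2015 or older"

# Constructed sample in the shape the page's jq filter reads (.Records[].apiVersion).
SAMPLE = json.dumps({"Records": [
    {"eventName": "GetDistribution", "apiVersion": "2018_06_18",
     "userAgent": "console.amazonaws.com",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"}},
    {"eventName": "ListDistributions", "apiVersion": "2018_06_18",
     "userAgent": "console.amazonaws.com",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"}},
    {"eventName": "CreateInvalidation", "apiVersion": "2017_03_25",
     "userAgent": "aws-cli/1.16",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/deploy"}},
    {"eventName": "UpdateDistribution", "apiVersion": "2014_11_06",
     "userAgent": "legacy-sdk/1.0",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/old-cron"}},
    {"eventName": "GetDistributionConfig",  # record with no apiVersion field
     "userAgent": "unknown-tool",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob"}},
]})

def api_year(version):
    """Leading four-digit year of an apiVersion ("2014_11_06" or "2015-12-22"), else None."""
    m = re.match(r"(\d{4})[-_]", str(version or ""))
    return int(m.group(1)) if m else None

def audit(text):
    """Return (count per apiVersion, {(arn, userAgent): Counter(eventName)} for legacy calls)."""
    counts, legacy = Counter(), defaultdict(Counter)
    for rec in json.loads(text).get("Records", []):
        version, year = rec.get("apiVersion"), api_year(rec.get("apiVersion"))
        if year is None:
            counts["unknown"] += 1  # grep-by-year would silently skip these
            continue
        counts[version] += 1
        if year <= DEPRECATED_MAX_YEAR:
            identity = rec.get("userIdentity") or {}
            caller = (identity.get("arn", "?"), rec.get("userAgent", "?"))
            legacy[caller][rec.get("eventName", "?")] += 1
    return counts, legacy

if __name__ == "__main__":
    counts, legacy = audit(SAMPLE)  # or: audit(open("event_history.json").read())
    for version, n in sorted(counts.items()):
        print(f"{version}\t{n}")
    for (arn, agent), events in legacy.items():
        print(f"LEGACY {arn} via {agent}: {dict(events)}")
```

Knowing the caller and user agent behind each legacy call points to the script or SDK that needs upgrading, which a per-year count alone does not show.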
That's all from the field, where we wanted to check the API version in use with CloudFront.