Checking whether you are using an old version of the CloudFront API (when no CloudTrail trail has been saved)

Hello. This is ohno from HACKNOTE.

Addendum added April 23, 2019. Please read through to the bottom.

Background

We received the following e-mail from AWS.

Amazon CloudFront Announces API Version Deprecations

On April 4, we announced via a Developer Forum post, that CloudFront will deprecate the oldest versions of the CloudFront API, specifically those dated prior to 2016, on Thursday, June 6, 2019. As CloudFront has evolved, new features and concepts (such as origin groups and support for SNI certificates) have been introduced that can't be represented in the older APIs. To improve overall support and consistency for CloudFront developers we're reducing the number of API versions we need to maintain.  

Beginning on June 6, 2019 the listed versions of the CloudFront APIs will stop working and will instead return a “410: Gone” response code. To prevent disruption to any calling applications, we recommend that you upgrade applications that invoke these APIs as quickly as possible. If you have questions about this notice, please contact AWS Support.

For information about the current CloudFront API, see the CloudFront API Reference:
https://docs.aws.amazon.com/cloudfront/latest/APIReference/Welcome.html

Full list of versions to be deprecated on June 6, 2019:
2008-06-30, 2009-04-02, 2009-09-09, 2009-12-01, 2010-03-01, 2010-05-01, 2010-06-01, 2010-07-15, 2010-08-01, 2010-11-01, 2012-03-15, 2012-05-05, 2012-07-01, 2013-05-12, 2013-08-26, 2013-09-27, 2013-11-11, 2013-11-22, 2014-01-31, 2014-05-31, 2014-08-31, 2014-10-21, 2014-11-06, 2015-04-17, 2015-07-27, 2015-09-17, 2015-12-22

For more information regarding this deprecation and the actions you should take, refer to our Developer Forum post here:
https://forums.aws.amazon.com/ann.jspa?annID=6697

Reading it closely: from June 6, 2019, any call made with an old API version (2015-12-22 or earlier) will get a 410 back.

It is unclear whether this goes out unconditionally to anyone using CloudFront, only to accounts where use of an old version was detected, or simply to every account, but the first step was to check whether we are using one ourselves.

How to check

If you have CloudTrail configured with a trail that properly retains request history, that is fine, but there are surely accounts where someone forgot to set it up.

Articles already cover the trail → Athena approach, but this one is for those asking "what do I do if I never set that up?!"

So if you are saving a trail, skip everything below and query it with Athena or similar; that is faster.

CloudTrail keeps the last 90 days of event history by default, even without a trail. Let's start there.

Checking in the console

Open CloudTrail → Event history. In the filter, choose Event source and enter the following:

cloudfront.amazonaws.com

This shows the history of CloudFront API requests.

Clicking an event's details should show something like this:

{
    "eventVersion": "1.05",
    "userIdentity": {
        "type": "Root",
        "principalId": "XXXXXXXXXXXXXXXXXXXXXX",
        "arn": "XXXXXXXXXXXXXXXXXXXXXX",
        "accountId": "XXXXXXXXXXXXXXXXXXXXXX",
        "accessKeyId": "XXXXXXXXXXXXXXXXXXXXXX",
        "userName": "XXXXXXXXXXXXXXXXXXXXXX",
        "sessionContext": {
            "attributes": {
                "mfaAuthenticated": "false",
                "creationDate": "2019-04-19T02:23:02Z"
            }
        },
        "invokedBy": "XXXXXXXXXXXXXXXXXXXXXX"
    },
    "eventTime": "2019-04-19T02:23:11Z",
    "eventSource": "cloudfront.amazonaws.com",
    "eventName": "ListStreamingDistributions",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "XXXXXXXXXXXXXXXXXXXXXX",
    "userAgent": "signin.amazonaws.com",
    "requestParameters": {
        "maxItems": "100"
    },
    "responseElements": null,
    "requestID": "XXXXXXXXXXXXXXXXXXXXXX",
    "eventID": "XXXXXXXXXXXXXXXXXXXXXX",
    "eventType": "AwsApiCall",
    "apiVersion": "2018_11_05",
    "recipientAccountId": "XXXXXXXXXXXXXXXXXXXXXX"
}

If any record has an apiVersion of 2015-12-22 or earlier, it is affected, so watch out. Note that CloudTrail writes the version with underscores (2018_11_05 in the record above) while the AWS notice lists them with dashes, so account for both forms when searching.

The events can be downloaded as JSON, so with a suitable search you can confirm whether any such calls were made in the last 90 days.

Searching from the AWS CLI

Next, how to retrieve them with the CLI.

aws cloudtrail lookup-events --lookup-attributes AttributeKey="EventSource",AttributeValue="cloudfront.amazonaws.com" --max-results 50

This command returns the same data as the details view above, so you can investigate from there.

Also, since this returns at most 50 results per call,

aws cloudtrail lookup-events --lookup-attributes AttributeKey="EventSource",AttributeValue="cloudfront.amazonaws.com" --max-results 50 --next-token=<token>

you need to pass the token from the response to fetch the next batch.
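As an added example (not part of the original post), here is a Python script that does both the JSON search and the NextToken paging described above in one go. It assumes the output shape of `aws cloudtrail lookup-events` / boto3 `lookup_events` (each entry's `CloudTrailEvent` field is a JSON string holding the full record shown in the console view), and it normalizes the underscore form CloudTrail writes (`2018_11_05` in the sample record) to the dashed form used in AWS's list before comparing against the 2015-12-22 cut-off. The two sample pages, the user agents and the principal ARN are constructed for offline use; `boto3_fetch_page` is the drop-in for a real account.

```python
import json
from typing import Callable, Dict, List, Optional

# Cut-off from the AWS notice: versions dated 2015-12-22 or earlier are deprecated.
DEPRECATION_CUTOFF = "2015-12-22"

LOOKUP_ATTRIBUTES = [{"AttributeKey": "EventSource",
                      "AttributeValue": "cloudfront.amazonaws.com"}]


def normalize_api_version(raw: str) -> str:
    """CloudTrail writes apiVersion as '2018_11_05'; the notice lists '2015-12-22'.
    Convert to ISO dashes so plain string comparison orders them by date."""
    return raw.strip().replace("_", "-")


def is_deprecated(api_version: Optional[str]) -> bool:
    """True when the normalized version is on or before the cut-off.
    Records without an apiVersion are not flagged (nothing to judge)."""
    if not api_version:
        return False
    return normalize_api_version(api_version) <= DEPRECATION_CUTOFF


def find_old_api_calls(fetch_page: Callable[[Optional[str]], Dict]) -> List[Dict]:
    """Follow NextToken through every page of lookup-events output and return
    the records whose apiVersion is deprecated.

    fetch_page(next_token) returns one page in lookup-events shape:
    {"Events": [{"EventId": ..., "CloudTrailEvent": "<json string>"}], "NextToken": ...}
    """
    hits: List[Dict] = []
    token: Optional[str] = None
    while True:
        page = fetch_page(token)
        for entry in page.get("Events", []):
            record = json.loads(entry["CloudTrailEvent"])  # full event, as shown in the console
            version = record.get("apiVersion")
            if is_deprecated(version):
                hits.append({
                    "eventTime": record.get("eventTime"),
                    "eventName": record.get("eventName"),
                    "apiVersion": normalize_api_version(version),
                    "userAgent": record.get("userAgent"),  # tells you which SDK/tool to upgrade
                    "principal": record.get("userIdentity", {}).get("arn"),
                })
        token = page.get("NextToken")
        if not token:  # last page reached
            return hits


def boto3_fetch_page(next_token: Optional[str]) -> Dict:
    """Page fetcher for a real account (assumes boto3 and AWS credentials are configured).
    CloudFront events are recorded in us-east-1, as the sample record above shows."""
    import boto3  # imported lazily so the offline sample below needs no AWS access
    client = boto3.client("cloudtrail", region_name="us-east-1")
    kwargs = {"LookupAttributes": LOOKUP_ATTRIBUTES, "MaxResults": 50}
    if next_token:
        kwargs["NextToken"] = next_token
    return client.lookup_events(**kwargs)


# --- Constructed sample data (two pages, four events) for offline use -----------------
def _record(event_name: str, api_version: Optional[str], user_agent: str, when: str) -> str:
    body = {
        "eventTime": when,
        "eventSource": "cloudfront.amazonaws.com",
        "eventName": event_name,
        "userAgent": user_agent,
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/sample-deployer"},  # constructed
    }
    if api_version is not None:
        body["apiVersion"] = api_version
    return json.dumps(body)


SAMPLE_PAGES: Dict[Optional[str], Dict] = {
    None: {
        "Events": [
            {"EventId": "e1", "CloudTrailEvent": _record(
                "ListStreamingDistributions", "2018_11_05", "signin.amazonaws.com", "2019-04-19T02:23:11Z")},
            {"EventId": "e2", "CloudTrailEvent": _record(
                "GetDistribution", "2015_07_27", "aws-sdk-php2/2.8.0", "2019-04-18T10:00:00Z")},
        ],
        "NextToken": "page-2",
    },
    "page-2": {
        "Events": [
            {"EventId": "e3", "CloudTrailEvent": _record(
                "CreateInvalidation", "2014_10_21", "Boto/2.38.0", "2019-04-17T09:30:00Z")},
            {"EventId": "e4", "CloudTrailEvent": _record(
                "ListDistributions", None, "aws-cli/1.16.140", "2019-04-16T00:00:00Z")},
        ],
        # no NextToken here: final page
    },
}


def sample_fetch_page(next_token: Optional[str]) -> Dict:
    return SAMPLE_PAGES[next_token]


if __name__ == "__main__":
    for hit in find_old_api_calls(sample_fetch_page):
        print(hit)
```

Run it as-is to see the two flagged calls from the constructed pages; for a real account, call `find_old_api_calls(boto3_fetch_page)` instead. The `userAgent` field in each hit is the useful part: it identifies the SDK or tool that still pins an old API version and therefore needs upgrading before the cut-off.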

Either way it is tedious, so unless you are in a real hurry, setting up a CloudTrail trail, letting it collect for a while, and then querying with Athena seems easier...

Still, this is fine for a quick look.

Addendum

Today the following additional e-mail arrived.

Amazon CloudFront – Update on Older API Version

We recently sent a followup notification to an April 9, 2019 forum announcement[1] notifying customers of an upcoming deprecation of specific versions (2015 or older) of the CloudFront APIs. Since this announcement we've received feedback from customers and we'd like to provide an update.

We want to reassure customers that the planned deprecation does not reduce functionality in any way and no CloudFront features are being disabled.

Recently, CloudFront has made improvements to CNAME validation[2] and to the minimum versions of TLS/SSL that are enabled by default. TLS/SSL Certificates have now been widely available for free, from Amazon Certificate Manager, LetsEncrypt, and others, for several years. Requiring that every customer using CloudFront with a custom domain to present a valid certificate proving domain ownership improves security for our customers because only legitimate domain owners can use those domains with CloudFront. Customers have also told us that they would prefer if new CloudFront distributions do not support the older, legacy versions of TLS/SSL. Unfortunately, these features are not compatible with the older versions of our APIs, which were designed and released prior to the availability of our SNI and TLS version features. By using the older API versions, there’s a risk that customers can be left unable to configure a distribution, or possibly even misconfigure and break it by removing security critical settings. 

While only a very small percentage of API calls are made using the older versions and the current APIs are backwards compatible with those we planned to deprecate, we’ve been alerted to a few cases where customers may have work migrating. Therefore, we have decided to extend the time to migrate to 12 months. The API versions 2015 or older will now be supported until at least April 30, 2020. We will also be notifying the small subset of customers who seem to still use the old versions of these APIs with more information about their usage.

We apologize for the confusion this may have caused. Please reach out to AWS Support[3] if you have questions.

So it has been postponed until the end of April 2020.