Finding S3 API requests from previous versions of the AWS CLI and SDKs
Earlier this year the S3 team announced that S3 will stop accepting API requests signed using AWS Signature Version 2 after June 24th, 2019. Customers will need to update their SDKs, CLIs, and custom implementations to make use of AWS Signature Version 4 to avoid impact after this date. It might be difficult to find older applications or instances using outdated versions of the AWS CLI or SDKs that need to be updated. The purpose of this post is to explain how AWS CloudTrail data events and Amazon Athena can be used to help identify applications that may need to be updated. We will cover the setup of the CloudTrail data events, the Athena table creation, and some Athena queries to filter and refine the results to help with this process.
Update (January/February 2019)
Setting up CloudTrail data events in the AWS console
Setting up CloudTrail data events using the AWS CLI
A word on cost
Creating the Athena table
Analysing the data events with Athena
| AWS Client | SigV4 default version | User Agent String | Version comparator |
|---|---|---|---|
| Java | 1.11.x | aws-sdk-java | 10110000 |
| .NET | 3.1.10.0 | aws-sdk-dotnet | 30010010 |
| Node.js | 2.68.0 | aws-sdk-nodejs | 20680000 |
| PHP | 3 | aws-sdk-php | 30000000 |
| Python Botocore | 1.5.71 | Botocore | 10050071 |
| Python Boto3 | 1.4.6 | Boto3 | 10040006 |
| Ruby | 2.2.0 | aws-sdk-ruby | 20020000 |
| AWS CLI | 1.11.108 | aws-cli | 10110108 |
| PowerShell | 3.1.10.0 | AWSPowerShell | 30010010 |
Additional Note:
There is no need to look at the client version number for new events, which will automatically include the SignatureVersion.
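Where the version comparison against the table is still needed, the following added example (not code from the original post) parses a CloudTrail `userAgent` string, computes the version comparator for each recognised client token, and reports the ones below the SigV4-default threshold. Assumptions: the comparator formula (major × 10^7 + minor × 10^4 + patch) is inferred from the table rows, tokens are matched by case-insensitive prefix, and the sample user-agent strings are constructed.

```python
import re

# Thresholds copied from the table: user-agent token -> comparator of the SigV4-default release.
SIGV4_DEFAULT = {
    "aws-sdk-java": 10110000,
    "aws-sdk-dotnet": 30010010,
    "aws-sdk-nodejs": 20680000,
    "aws-sdk-php": 30000000,
    "botocore": 10050071,
    "boto3": 10040006,
    "aws-sdk-ruby": 20020000,
    "aws-cli": 10110108,
    "awspowershell": 30010010,
}

# product/version pairs as they appear in a userAgent string
TOKEN = re.compile(r"([A-Za-z][\w.-]*)/(\d+(?:\.\d+)*)")

def version_comparator(version):
    """Formula inferred from the table: major*10^7 + minor*10^4 + patch (4th part ignored)."""
    parts = [int(p) for p in version.split(".")[:3]]
    major, minor, patch = parts + [0] * (3 - len(parts))
    return major * 10_000_000 + minor * 10_000 + patch

def outdated_clients(user_agent):
    """Return (token, version, comparator) for each known client below its threshold."""
    findings = []
    for name, version in TOKEN.findall(user_agent):
        for prefix, threshold in SIGV4_DEFAULT.items():
            # Prefix match is an assumption so suffixed tokens still map to a table row.
            if name.lower().startswith(prefix):
                comparator = version_comparator(version)
                if comparator < threshold:
                    findings.append((name, version, comparator))
                break
    return findings

# Constructed sample userAgent values (not taken from real CloudTrail logs).
SAMPLES = [
    "[aws-cli/1.11.13 Python/2.7.12 Linux/4.4.0 botocore/1.4.70]",
    "[aws-cli/1.16.90 Python/3.6.7 Linux/4.15.0 botocore/1.12.80]",
    "[aws-sdk-dotnet-45/3.1.9.0 .NET_Runtime/4.0 OS/Windows]",
    "aws-sdk-java/1.10.77 Linux/4.9.0 Java_HotSpot/25.121",
    "Boto3/1.4.6 Python/3.6.1 Linux/4.9.0 Botocore/1.5.70",
]

if __name__ == "__main__":
    for ua in SAMPLES:
        print(outdated_clients(ua) or "ok", "<-", ua)
```

A user agent can carry more than one listed token (for example `aws-cli` together with `botocore`), so each token is checked against its own row.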