KMS Network Port

0

Hello!

On an EC2 instance I installed an iptables firewall for additional security. I opened port 22 for SSH and one port of my application. All other ports are blocked. If I do this, the "String" example of the AWS Encryption SDK throws an error (Error on encrypt: Unexpected failure from KMS).

I searched for the correct ports to open and found 443 and 1688 on different websites, but opening these ports brings the same error again.

So my question is, what are the correct port numbers (TCP, UDP?) to open for AWS KMS to work?

Thank you and best regards
Christian

Asked 4 years ago, 668 views
2 answers
1

Hi Benjamin!

Thank you for your answer! I should have mentioned, that the "string" example works perfectly when all iptables rules are flushed.

I had to add an OUTPUT rule for destination port 443:
iptables -A OUTPUT -p tcp --dport 443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

Now it works!

For added security one could add the destination address, but I fear the endpoint address might change over time.

Thank you again and greetings from Austria,
Christian

Edited by: ChristianAUT on Apr 21, 2020 1:19 AM

Answered 4 years ago
0

Hi ChristianAUT!

KMS listens over port TCP/443 (HTTPS) on the endpoints listed at https://docs.aws.amazon.com/general/latest/gr/kms.html (though the SDK should be able to automatically select the correct endpoint for you just by setting the region).

From the sound of the error message, I think you might be pointing the SDK at your EC2 instance rather than the KMS endpoints.

Also note that when allowing access for your EC2 instance to call KMS, this is OUTGOING traffic (from your instance, to the KMS endpoint), and not incoming.

Hope this helps!
Benjamin
AWS KMS Team

AWS
Answered 4 years ago
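The two answers above cover the key point (KMS is reached over outbound TCP/443, so the rule belongs in the OUTPUT chain, not INPUT). The following is an added example, not code from either poster or from AWS: a complete iptables ruleset for the setup the question describes (inbound SSH plus one application port, everything else dropped) that still lets the Encryption SDK reach KMS. It generalises Christian's single rule by handling the other outbound traffic an SDK call on EC2 usually depends on: DNS to resolve kms.<region>.amazonaws.com, and the instance metadata service at 169.254.169.254:80 when credentials come from an IAM instance role. The region, application port and the kms_ruleset/kms_reachable/apply_kms_ruleset names are placeholders chosen for this example.

```shell
#!/bin/sh
# Added example (not from the original thread): a default-deny iptables ruleset for an
# EC2 instance that exposes SSH and one application port, and allows the outbound
# traffic an AWS Encryption SDK / KMS call needs. AWS_REGION and APP_PORT are
# assumed placeholders; set them to match the SDK client and your application.

AWS_REGION="${AWS_REGION:-eu-central-1}"
APP_PORT="${APP_PORT:-8080}"

# Emit the ruleset in iptables-restore format. Kept as a function so it can be
# reviewed (or tested) before it replaces the live filter table.
kms_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# Loopback traffic is used by many local services; never block it.
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# Replies to connections conntrack already knows about, in both directions.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Inbound: only new SSH and application connections.
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport ${APP_PORT} -m conntrack --ctstate NEW -j ACCEPT
# Outbound: KMS is an HTTPS endpoint, so NEW connections to TCP/443 must be allowed.
-A OUTPUT -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
# The SDK first resolves kms.${AWS_REGION}.amazonaws.com, so DNS must get out too.
-A OUTPUT -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
# Instance-role credentials are fetched from the metadata service over plain HTTP.
-A OUTPUT -d 169.254.169.254 -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Replace the live filter table with the ruleset above (run as root).
apply_kms_ruleset() {
    kms_ruleset | iptables-restore
}

# Connectivity check to run on the instance after loading the rules: any HTTP
# response from the regional KMS endpoint (even an error status, since no signed
# request is sent) proves the path through the firewall; a timeout means the
# OUTPUT chain is still blocking something (443, DNS, or the metadata service).
kms_reachable() {
    curl -s -o /dev/null -m 10 "https://kms.${AWS_REGION}.amazonaws.com/"
}
```

Usage: `sh -c '. ./kms-rules.sh; apply_kms_ruleset && kms_reachable && echo KMS reachable'` (assumed filename). On Christian's point about pinning the destination address: the public KMS endpoint IPs are not guaranteed stable, and `-d kms.<region>.amazonaws.com` is resolved only once, when the rule is loaded. If you want a fixed destination to filter on, a VPC interface endpoint for KMS (service name `com.amazonaws.<region>.kms`) gives the instance private IP addresses inside your own subnets, which are a much better thing to pin in the OUTPUT chain than public addresses.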
