By using AWS re:Post, you agree to the Terms of Use

KMS Network Port



On a EC2 instance I installed a IPTables firewall for additional security. I opened port 22 for SSH and one port of my application. All other ports are blocked. If I do this, the "String" example of the AWS Encryption SDK throws an error (Error on encrypt: Unexpected failure from KMS).

I searched for the correct ports to open, I found 443 and 1688 on different web sites, but opening these ports brings the same error again.

So my question is, what are the correct port numbers (TCP, UDP?) to open for AWS KMS to work?

Thank you and best regards

2 Answers

Hi Benjamin!

Thank you for your answer! I should have mentioned, that the "string" example works perfectly when all iptables rules are flushed.

I had to add a Output rule for destination port 443:
iptables -A OUTPUT -p tcp --dport 443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

Now it works!

For added security one could add the destination address, but I fear the endpoint address might change over time.

Thank you again and greetings from Austria,

Edited by: ChristianAUT on Apr 21, 2020 1:19 AM

answered 2 years ago

Hi ChristianAUT!

KMS listens over port TCP/443 (HTTPS) on the endpoints listed at (though the SDK should be able to automatically select the correct endpoint for you just by setting the region).

From the sound of the error message, I think you might be pointing the SDK at your EC2 instance rather than the KMS endpoints.

Also note that when allowing access for your EC2 instance to call KMS, this is OUTGOING traffic (from your instance, to the KMS endpoint), and not incoming.

Hope this helps!

answered 2 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions