Hi Benjamin!
Thank you for your answer! I should have mentioned that the "string" example works perfectly when all iptables rules are flushed.
I had to add an OUTPUT rule for destination port 443:
iptables -A OUTPUT -p tcp --dport 443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
Now it works!
For added security one could add the destination address, but I fear the endpoint address might change over time.
Thank you again and greetings from Austria,
Christian
Edited by: ChristianAUT on Apr 21, 2020 1:19 AM
Hi ChristianAUT!
KMS listens over port TCP/443 (HTTPS) on the endpoints listed at https://docs.aws.amazon.com/general/latest/gr/kms.html (though the SDK should be able to automatically select the correct endpoint for you just by setting the region).
From the sound of the error message, I think you might be pointing the SDK at your EC2 instance rather than the KMS endpoints.
Also note that when allowing access for your EC2 instance to call KMS, this is OUTGOING traffic (from your instance, to the KMS endpoint), and not incoming.
Hope this helps!
Benjamin
AWS KMS Team
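The rule set Christian ended up with, and the outbound-only direction Benjamin describes, as an added example that is not part of either post. It goes slightly beyond the thread: besides the TCP/443 OUTPUT rule it emits the DNS and loopback rules an instance with a default-DROP OUTPUT chain also needs, the conntrack INPUT rule that admits the replies, and an optional per-address variant for the destination restriction Christian mentions. It assumes the kms.<region>.amazonaws.com hostname pattern from the AWS endpoints page; the KMS_REGION and APPLY variable names, the sample addresses in the test, and the helper names are illustrative.

```shell
#!/bin/sh
# Added example, not code from the original thread. Generates the iptables
# rules that let an EC2 instance call AWS KMS (TCP/443, outbound) while the
# OUTPUT chain defaults to DROP. Prints the rules for review; set APPLY=1 to
# run them on a live host (requires root and iptables).
set -eu

# Regional KMS endpoint hostname. Assumption: the kms.<region>.amazonaws.com
# pattern from the AWS endpoints page; other partitions (e.g. cn-*) differ.
kms_endpoint() {
    printf 'kms.%s.amazonaws.com\n' "$1"
}

# Resolve the endpoint's current IPv4 addresses (needs DNS; not used in the
# dry run). These addresses can change over time, which is the caveat raised
# in the thread, so any -d restriction built from them must be refreshed.
resolve_kms_addresses() {
    getent ahostsv4 "$(kms_endpoint "$1")" | awk '{print $1}' | sort -u
}

# Print the rule set. $1 = region; remaining args = optional destination IPs.
# With no IPs, any TCP/443 destination is allowed (what the thread settled on).
# With IPs, one rule per address. KMS traffic is OUTGOING from the instance;
# the replies arrive on INPUT and are admitted by conntrack state, so no
# INPUT rule for port 443 is needed.
kms_egress_rules() {
    region="$1"; shift
    echo "# loopback, or local services (e.g. the SDK's metadata lookups via a proxy) break"
    echo "iptables -A OUTPUT -o lo -j ACCEPT"
    echo "# allow DNS so the SDK can resolve $(kms_endpoint "$region")"
    echo "iptables -A OUTPUT -p udp --dport 53 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT"
    echo "iptables -A OUTPUT -p tcp --dport 53 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT"
    echo "# replies to connections the instance opened"
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    if [ "$#" -eq 0 ]; then
        echo "iptables -A OUTPUT -p tcp --dport 443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT"
    else
        for ip in "$@"; do
            echo "iptables -A OUTPUT -p tcp -d $ip --dport 443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT"
        done
    fi
    echo "# everything else outbound is dropped; the ACCEPT rules above are evaluated first"
    echo "iptables -P OUTPUT DROP"
}

# Count the TCP/443 ACCEPT rules in a generated rule set, read from stdin
# (a sanity check before applying: expect 1, or one per restricted address).
count_443_rules() {
    grep -c -- '--dport 443'
}

# Dry run by default; APPLY=1 feeds the non-comment lines to a shell.
if [ "${APPLY:-0}" = "1" ]; then
    kms_egress_rules "${KMS_REGION:-us-east-1}" | grep -v '^#' | sh -e
else
    kms_egress_rules "${KMS_REGION:-us-east-1}"
fi
```

To pin the destination as Christian considered, pass the output of resolve_kms_addresses as the address list and re-run it on a schedule, since the public endpoint's addresses are not stable. A KMS interface VPC endpoint (PrivateLink) gives the instance a private IP in its own subnet for KMS, which makes a fixed -d restriction practical.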