KMS Network Port

0

Hello!

On an EC2 instance I installed an iptables firewall for additional security. I opened port 22 for SSH and one port of my application. All other ports are blocked. If I do this, the "String" example of the AWS Encryption SDK throws an error (Error on encrypt: Unexpected failure from KMS).

I searched for the correct ports to open and found 443 and 1688 on different web sites, but opening these ports brings the same error again.

So my question is, what are the correct port numbers (TCP, UDP?) to open for AWS KMS to work?

Thank you and best regards
Christian

asked 4 years ago, 661 views
2 Answers
1

Hi Benjamin!

Thank you for your answer! I should have mentioned that the "string" example works perfectly when all iptables rules are flushed.

I had to add an OUTPUT rule for destination port 443:
iptables -A OUTPUT -p tcp --dport 443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

Now it works!

For added security one could add the destination address, but I fear the endpoint address might change over time.

Thank you again and greetings from Austria,
Christian

Edited by: ChristianAUT on Apr 21, 2020 1:19 AM

answered 4 years ago
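As an added example (not code from the thread, and not an AWS-supplied script): a complete iptables ruleset along the lines Christian describes, with the OUTPUT rule for TCP/443 in place, rendered as a list of commands so it can be reviewed and checked before it is applied. The application port 8080 and the region used by the connectivity probe are constructed placeholders. It also opens outbound DNS, which the instance needs to resolve the KMS endpoint name; the thread does not mention this, but with a default-DROP OUTPUT chain the name lookup fails before the HTTPS connection is even attempted. On pinning the destination address: the public endpoint IPs can change, so where a fixed address is required the usual approach is a VPC interface endpoint for KMS rather than hardcoding public IPs.

```shell
#!/bin/sh
# Added example for this thread (not Christian's or Benjamin's code): a minimal
# iptables policy for an EC2 host that has to reach AWS KMS, rendered as a list
# of commands so it can be reviewed (and tested) before it is applied.
# Constructed assumptions: SSH on TCP/22, the application on TCP/8080, KMS over
# TCP/443, and DNS (53) to resolve kms.<region>.amazonaws.com. Dry-run unless
# IPT_APPLY=1 is set in the environment.

APP_PORT="${APP_PORT:-8080}"

# Emit the rules in a safe order: accept rules first, default-DROP policies
# last, so an existing SSH session is not cut off while the policy is built.
render_rules() {
  app_port="$1"
  cat <<EOF
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -p tcp --dport ${app_port} -m conntrack --ctstate NEW -j ACCEPT
iptables -A OUTPUT -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
iptables -A OUTPUT -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
iptables -A OUTPUT -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
EOF
}

# Sanity-check a rendered ruleset: the KMS egress rule must be present, and
# OUTPUT must still default to DROP so nothing else leaves the host. Prints
# "ok" on success, otherwise the first problem found (and returns 1).
verify_kms_egress() {
  rules="$1"
  printf '%s\n' "$rules" | grep -q -e '-A OUTPUT -p tcp --dport 443 .*-j ACCEPT' \
    || { echo "missing: OUTPUT ACCEPT for tcp/443"; return 1; }
  printf '%s\n' "$rules" | grep -q -e '-P OUTPUT DROP' \
    || { echo "missing: OUTPUT policy DROP"; return 1; }
  echo ok
}

# Apply (IPT_APPLY=1, needs root) or just print the commands (default).
apply_rules() {
  render_rules "$1" | while IFS= read -r cmd; do
    if [ "${IPT_APPLY:-0}" = 1 ]; then
      sh -c "$cmd" || { echo "failed: $cmd" >&2; exit 1; }
    else
      echo "[dry-run] $cmd"
    fi
  done
}

# Live probe for use on the instance: any HTTP status code back from the KMS
# endpoint proves TCP/443 egress works; a curl timeout points at the firewall.
# The region is a placeholder, since the thread does not name one.
probe_kms_endpoint() {
  region="${1:-us-east-1}"
  curl -sS -o /dev/null --max-time 5 -w '%{http_code}\n' \
    "https://kms.${region}.amazonaws.com/"
}

# Stand-alone usage: show the policy (dry-run) and confirm it covers KMS.
apply_rules "$APP_PORT"
verify_kms_egress "$(render_rules "$APP_PORT")"
```

Run it once without IPT_APPLY to read the generated commands, then with IPT_APPLY=1 as root; afterwards probe_kms_endpoint with your region should return an HTTP status rather than timing out.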
0

Hi ChristianAUT!

KMS listens over port TCP/443 (HTTPS) on the endpoints listed at https://docs.aws.amazon.com/general/latest/gr/kms.html (though the SDK should be able to automatically select the correct endpoint for you just by setting the region).

From the sound of the error message, I think you might be pointing the SDK at your EC2 instance rather than the KMS endpoints.

Also note that when allowing access for your EC2 instance to call KMS, this is OUTGOING traffic (from your instance, to the KMS endpoint), and not incoming.

Hope this helps!
Benjamin
AWS KMS Team

AWS
answered 4 years ago
