I have provisioned a new EC2 instance using CloudFormation, and have set up the network ACL with the following rules:
INBOUND
Rule #  Type             Protocol  Port Range  Source     Allow / Deny
100     HTTP (80)        TCP (6)   80          0.0.0.0/0  ALLOW
102     SSH (22)         TCP (6)   22          0.0.0.0/0  ALLOW
104     Custom TCP Rule  TCP (6)   1024-65535  0.0.0.0/0  ALLOW
*       ALL Traffic      ALL       ALL         0.0.0.0/0  DENY

OUTBOUND
Rule #  Type             Protocol  Port Range  Destination  Allow / Deny
100     HTTP (80)        TCP (6)   80          0.0.0.0/0    ALLOW
102     Custom TCP Rule  TCP (6)   1024-65535  0.0.0.0/0    ALLOW
*       ALL Traffic      ALL       ALL         0.0.0.0/0    DENY
I have assigned an IAM role with the following policy to the instance:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1427889375000",
            "Effect": "Allow",
            "Action": [
                "s3:*"
            ],
            "Resource": [
                "arn:aws:s3:::my-bucket/*"
            ]
        }
    ]
}
When the instance starts, I can SSH into it, but when I run the following:
    aws s3 ls s3://my-bucket
it just hangs. When I press CTRL+C, I get the following stack trace:
Traceback (most recent call last):
File "/usr/bin/aws", line 27, in <module>
sys.exit(main())
File "/usr/bin/aws", line 23, in main
return awscli.clidriver.main()
File "/usr/lib/python2.7/dist-packages/awscli/clidriver.py", line 50, in main
return driver.main()
File "/usr/lib/python2.7/dist-packages/awscli/clidriver.py", line 197, in main
return command_table[parsed_args.command](remaining, parsed_args)
File "/usr/lib/python2.7/dist-packages/awscli/customizations/commands.py", line 185, in __call__
parsed_globals)
File "/usr/lib/python2.7/dist-packages/awscli/customizations/commands.py", line 182, in __call__
return self._run_main(parsed_args, parsed_globals)
File "/usr/lib/python2.7/dist-packages/awscli/customizations/s3/subcommands.py", line 330, in _run_main
self._list_all_objects(bucket, key, parsed_args.page_size)
File "/usr/lib/python2.7/dist-packages/awscli/customizations/s3/subcommands.py", line 352, in _list_all_objects
for response_data in iterator:
File "/usr/lib/python2.7/dist-packages/botocore/paginate.py", line 70, in __iter__
response = self._make_request(current_kwargs)
File "/usr/lib/python2.7/dist-packages/botocore/paginate.py", line 116, in _make_request
return self._method(**current_kwargs)
File "/usr/lib/python2.7/dist-packages/botocore/client.py", line 187, in _api_call
return self._make_api_call(operation_name, kwargs)
File "/usr/lib/python2.7/dist-packages/botocore/client.py", line 231, in _make_api_call
operation_model, request_dict)
File "/usr/lib/python2.7/dist-packages/botocore/endpoint.py", line 173, in make_request
return self._send_request(request_dict, operation_model)
File "/usr/lib/python2.7/dist-packages/botocore/endpoint.py", line 201, in _send_request
request, operation_model, attempts)
File "/usr/lib/python2.7/dist-packages/botocore/endpoint.py", line 231, in _get_response
proxies=self.proxies, timeout=self.timeout)
File "/usr/lib/python2.7/dist-packages/botocore/vendored/requests/sessions.py", line 573, in send
r = adapter.send(request, **kwargs)
File "/usr/lib/python2.7/dist-packages/botocore/vendored/requests/adapters.py", line 370, in send
timeout=timeout
File "/usr/lib/python2.7/dist-packages/botocore/vendored/requests/packages/urllib3/connectionpool.py", line 518, in urlopen
body=body, headers=headers)
File "/usr/lib/python2.7/dist-packages/botocore/vendored/requests/packages/urllib3/connectionpool.py", line 322, in _make_request
self._validate_conn(conn)
File "/usr/lib/python2.7/dist-packages/botocore/vendored/requests/packages/urllib3/connectionpool.py", line 727, in _validate_conn
conn.connect()
File "/usr/lib/python2.7/dist-packages/botocore/vendored/requests/packages/urllib3/connection.py", line 204, in connect
conn = self._new_conn()
File "/usr/lib/python2.7/dist-packages/botocore/vendored/requests/packages/urllib3/connection.py", line 134, in _new_conn
(self.host, self.port), self.timeout, **extra_kw)
File "/usr/lib/python2.7/dist-packages/botocore/vendored/requests/packages/urllib3/util/connection.py", line 78, in create_connection
sock.connect(sa)
File "/usr/lib64/python2.7/socket.py", line 224, in meth
return getattr(self._sock,name)(*args)
KeyboardInterrupt
It looks like a network issue but I'm not sure what.
I can access the internet from the instance, which I confirmed with
[ec2-user@ip-10-1-1-100 aws-bootstrapping]$ curl -I www.google.com
HTTP/1.1 302 Found
Location: http://www.google.ie/?gws_rd=cr&ei=-eEbVc_ZIobm7gaW7YC4Bw
Cache-Control: private
Content-Type: text/html; charset=UTF-8
Set-Cookie: PREF=ID=679f042abd7bfd64:FF=0:TM=1427890681:LM=1427890681:S=cJBdhGCXJhkFNjOk; expires=Fri, 31-Mar-2017 12:18:01 GMT; path=/; domain=.google.com
Set-Cookie: NID=67=KgZ3BLHR3Nu08xwiXhQHX4n3hnj1ME4tXzHe8OGH0h6d1sPJwK1VVHi9soPkB_JY9PqAiuRvDQ1_7PA3wd5tYPATrwP5dCoCcqsInoxT-tbGWo37qcWl7aUHZNvCA0Cp; expires=Thu, 01-Oct-2015 12:18:01 GMT; path=/; domain=.google.com; HttpOnly
P3P: CP="This is not a P3P policy! See http://www.google.com/support/accounts/bin/answer.py?hl=en&answer=151657 for more info."
Date: Wed, 01 Apr 2015 12:18:01 GMT
Server: gws
Content-Length: 258
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Alternate-Protocol: 80:quic,p=0.5
It looks like you don't allow SSL (443) traffic out. By default the AWS CLI connects to the AWS services via their SSL endpoints.
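The diagnosis above can be checked mechanically. The following is an added example, not part of the original question or answer: it models first-match evaluation of the question's stateless network ACL. The fix's rule number 101, the client ephemeral port 49152 and the default rule's number 32767 are assumptions made for the model.

```python
# Added example: first-match evaluation of the network ACL from the question.
from typing import NamedTuple

class Rule(NamedTuple):
    number: int      # lower numbers are evaluated first
    protocol: str    # "tcp" or "all"
    ports: range     # destination port range the rule matches
    allow: bool

ALL_PORTS = range(0, 65536)
DEFAULT_DENY = Rule(32767, "all", ALL_PORTS, False)  # the "*" catch-all rule

# Rules transcribed from the question; every rule uses 0.0.0.0/0,
# so CIDR matching is left out of this model.
INBOUND = [Rule(100, "tcp", range(80, 81), True),
           Rule(102, "tcp", range(22, 23), True),
           Rule(104, "tcp", range(1024, 65536), True)]
OUTBOUND = [Rule(100, "tcp", range(80, 81), True),
            Rule(102, "tcp", range(1024, 65536), True)]

def evaluate(rules, protocol, dst_port):
    """Return the first rule that matches, in ascending rule-number order."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.protocol in ("all", protocol) and dst_port in rule.ports:
            return rule
    return DEFAULT_DENY

def client_connection_ok(outbound, inbound, server_port, ephemeral_port=49152):
    """A network ACL is stateless: the request must pass the outbound rules and
    the reply, addressed to the client's ephemeral port, must pass the inbound rules."""
    request = evaluate(outbound, "tcp", server_port)
    reply = evaluate(inbound, "tcp", ephemeral_port)
    return request.allow and reply.allow

def with_https_egress(outbound, number=101):
    """Hypothetical fix: add an outbound ALLOW for TCP 443 (rule number assumed)."""
    return outbound + [Rule(number, "tcp", range(443, 444), True)]

if __name__ == "__main__":
    print("curl to port 80 allowed:      ", client_connection_ok(OUTBOUND, INBOUND, 80))
    print("aws s3 ls to port 443 allowed:", client_connection_ok(OUTBOUND, INBOUND, 443))
    print("443 matched by rule number:   ", evaluate(OUTBOUND, "tcp", 443).number)
    fixed = with_https_egress(OUTBOUND)
    print("allowed after adding 443:     ", client_connection_ok(fixed, INBOUND, 443))
```

The model explains both observations in the question: the `curl` to port 80 passes outbound rule 100, while the CLI's connection to port 443 falls through to the catch-all DENY, so the SYN is dropped silently and `sock.connect` hangs instead of failing fast.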