How can I troubleshoot the "Could not connect to the endpoint URL" error when I run the sync command on my Amazon S3 bucket?

Last updated: 2019-12-17

I'm trying to run the cp or sync command on my Amazon Simple Storage Service (Amazon S3) bucket. However, I'm getting the "Could not connect to the endpoint URL" error message. How can I troubleshoot this? 

Short Description

To run the cp or sync commands using the AWS Command Line Interface (AWS CLI), your machine must be able to connect to the Amazon S3 Regional endpoints https://s3.amazonaws.com or https://s3.us-region.amazonaws.com. Otherwise, you get the "Could not connect to the endpoint URL" error message.

To troubleshoot this error, check the following:

  • Verify that your network can connect to those Amazon S3 endpoints on port 443.
  • Verify that your DNS can resolve to those Amazon S3 endpoints.
  • If you're seeing this error on an Amazon Elastic Compute Cloud (Amazon EC2) instance, then check the Amazon Virtual Private Cloud (VPC) configuration.

Resolution

Verify that your network can connect to the S3 endpoints on port 443

Check your network's firewall settings to confirm that it allows traffic to the Amazon S3 endpoints on port 443. You can test the connection by running a command such as telnet:

telnet s3.amazonaws.com 443

Verify that your DNS can resolve to the S3 endpoints

To confirm that your DNS can resolve to the Amazon S3 endpoints, you can use a DNS query tool like nslookup or ping. The following example uses nslookup:

nslookup s3.amazonaws.com

If the DNS doesn't resolve to the endpoint, the response is similar to the following:

DNS request timed out.
timeout was 2 seconds.
Server: UnKnown
Address: 9.9.9.9

DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
*** Request to UnKnown timed-out

If the DNS does resolve to the endpoint, the response is similar to the following:

Server: freeip.amazon.com
Address: 10.106.151.100

Non-authoritative answer:
Name: s3.us-east-1.amazonaws.com
Address: 52.216.113.165
Aliases: s3.amazonaws.com
s3-1.amazonaws.com

The following example uses ping to confirm that the DNS resolves to the S3 endpoint:

ping s3.amazonaws.com

If the DNS doesn't resolve to the endpoint, the response is similar to the following:

Ping request could not find host s3.amazonaws.com. Please check the name and try again.

If the DNS does resolve to the endpoint, the response is similar to the following:

Pinging s3.us-east-1.amazonaws.com [52.217.37.78] with 32 bytes of data:
Reply from 52.217.37.78: bytes=32 time=32ms TTL=38
Reply from 52.217.37.78: bytes=32 time=37ms TTL=38
Reply from 52.217.37.78: bytes=32 time=32ms TTL=38
Reply from 52.217.37.78: bytes=32 time=32ms TTL=38

Ping statistics for 52.217.37.78:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 32ms, Maximum = 37ms, Average = 33ms

If you're seeing this error on an EC2 instance, check the VPC configuration

If the EC2 instance is in a public subnet:

If the EC2 instance is in a private subnet:

  • Check if there is a network address translation (NAT) gateway associated with the route table of the subnet. The NAT gateway provisions an internet path to reach the Amazon S3 endpoint.
  • If you're using a VPC endpoint for Amazon S3, then verify that the correct Region is set in the AWS CLI config file. VPC endpoints for Amazon S3 are Region-specific. For example, if the VPC and VPC endpoint are in the us-east-1 Region, and you run a sync command with the parameter --region us-west-1, then the AWS CLI tries to contact https://s3.us-west-1.amazonaws.com. This results in the "Could not connect to the endpoint URL" error.
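The three checks above (TCP reachability on port 443, DNS resolution, and the Region the AWS CLI will actually target) can be run together from one script. The following is an added example written for this article, not code from AWS or the AWS CLI. It assumes the AWS CLI config-file layout (a `[default]` section, or `[profile NAME]` for named profiles, each with a `region` key), builds the Regional hostname the same way the article describes (`s3.<region>.amazonaws.com`, or `s3.amazonaws.com` when no Region is set), and uses a constructed sample config instead of reading `~/.aws/config`. The `--region` flag and `AWS_DEFAULT_REGION` variable, which override the config file, are not modelled. The function and variable names are this example's own.

```python
"""Diagnose "Could not connect to the endpoint URL" for S3 cp/sync:
DNS resolution, TCP/443 reachability, and VPC-endpoint Region mismatch.
Added example; not AWS's own tooling."""
import configparser
import socket

S3_GLOBAL_ENDPOINT = "s3.amazonaws.com"


def s3_endpoint_for_region(region):
    """Hostname the AWS CLI contacts for S3 in the given Region.
    No Region configured -> the global endpoint."""
    if not region:
        return S3_GLOBAL_ENDPOINT
    return f"s3.{region}.amazonaws.com"


def region_from_cli_config(config_text, profile="default"):
    """Return the 'region' value the AWS CLI would read from config-file
    text, or None if the profile or key is absent.  Non-default profiles
    live in sections named '[profile NAME]'."""
    parser = configparser.ConfigParser()
    parser.read_string(config_text)
    section = "default" if profile == "default" else f"profile {profile}"
    if not parser.has_section(section):
        return None
    return parser.get(section, "region", fallback=None)


def region_mismatch(cli_region, vpc_endpoint_region):
    """True when the CLI targets a Region other than the one the S3 VPC
    endpoint serves; that combination produces the endpoint-URL error."""
    return bool(cli_region) and bool(vpc_endpoint_region) \
        and cli_region != vpc_endpoint_region


def resolve(host):
    """DNS check: sorted list of addresses for host, [] if it won't resolve."""
    try:
        infos = socket.getaddrinfo(host, 443, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def tcp_connect(host, port=443, timeout=5.0):
    """Firewall check: True if a TCP handshake to host:port completes.
    Equivalent to the article's 'telnet s3.amazonaws.com 443'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def diagnose(region=None, vpc_endpoint_region=None, config_text=None):
    """Run all three checks and return the findings as a dict."""
    if region is None and config_text is not None:
        region = region_from_cli_config(config_text)
    host = s3_endpoint_for_region(region)
    addresses = resolve(host)
    return {
        "endpoint": host,
        "dns_ok": bool(addresses),
        "addresses": addresses,
        "tcp_443_ok": bool(addresses) and tcp_connect(host),
        "region_mismatch": region_mismatch(region, vpc_endpoint_region),
    }


if __name__ == "__main__":
    # Constructed sample config; a real run would read ~/.aws/config.
    # This reproduces the article's failure case: config says us-west-1,
    # but the VPC endpoint is in us-east-1.
    SAMPLE_CONFIG = "[default]\nregion = us-west-1\n"
    for key, value in diagnose(config_text=SAMPLE_CONFIG,
                               vpc_endpoint_region="us-east-1").items():
        print(f"{key}: {value}")
```

A `dns_ok` of False points at the resolver (the nslookup case above); `dns_ok` True with `tcp_443_ok` False points at a firewall, missing NAT gateway, or security-group rule; and `region_mismatch` True means the CLI is being sent to a Regional hostname the VPC endpoint cannot serve, so the fix is the `region` setting rather than the network.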
