How can I troubleshoot the "Could not connect to the endpoint URL" error when I run the sync command on my Amazon S3 bucket?
Last updated: 2020-12-23
I'm trying to run the cp or sync command on my Amazon Simple Storage Service (Amazon S3) bucket. However, I'm getting the "Could not connect to the endpoint URL" error message. How can I troubleshoot this?
To run the cp or sync commands using the AWS Command Line Interface (AWS CLI), your machine must connect to the correct Amazon S3 endpoints. Otherwise, you get the "Could not connect to the endpoint URL" error message.
Note: If you receive errors when running AWS CLI commands, make sure that you’re using the most recent AWS CLI version.
To troubleshoot this error, check the following:
- Confirm that you're using the correct AWS Region and Amazon S3 endpoint.
- Verify that your network can connect to those Amazon S3 endpoints.
- Verify that your DNS can resolve to those Amazon S3 endpoints.
- If you're seeing this error on an Amazon Elastic Compute Cloud (Amazon EC2) instance, then check the Amazon Virtual Private Cloud (Amazon VPC) configuration.
Confirm that you're using the correct AWS Region and Amazon S3 endpoint
When you run a command using the AWS CLI, API requests are sent to the default AWS Region's S3 endpoint, or to a Region-specific S3 endpoint when the Region is specified in the command. The AWS CLI can then redirect the request to the bucket's Regional S3 endpoint.
You can get the "Could not connect to the endpoint URL" error if there's a typo or error in the specified Region or endpoint.
For example, the following command results in the error because there's an extra "e" in the endpoint name:
aws s3 cp filename s3://DOC-EXAMPLE-BUCKET/ --endpoint-url https://s3-acceleratee.amazonaws.com
Note: If you're using Amazon S3 Transfer Acceleration, see Getting started with Amazon S3 Transfer Acceleration for the endpoint name.
Verify that your network can connect to the S3 endpoints
Confirm that your network's firewall allows traffic to the Amazon S3 endpoints on the port that you're using for Amazon S3 traffic.
For example, the following telnet command tests the connection to the ap-southeast-2 Regional S3 endpoint on port 443:
telnet s3.ap-southeast-2.amazonaws.com 443
Note: Be sure to replace the Regional endpoint and the port (443 or 80) with the values associated with your use case.
Verify that your DNS can resolve to the S3 endpoints
To confirm that your DNS can resolve to the Amazon S3 endpoints, you can use a DNS query tool such as nslookup or ping. The following example uses nslookup:
The following example uses ping to confirm that the DNS resolves to the S3 endpoint:
If your DNS can't resolve to the S3 endpoints, then you must troubleshoot your DNS configuration. If Amazon Route 53 is your DNS provider, then see Troubleshooting Amazon Route 53.
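The three checks above (endpoint name, DNS resolution, TCP reachability) can be combined into one pre-flight script that reports the first stage that fails. This is an added example, not part of the original article or of AWS tooling; the accepted endpoint name patterns and the `preflight` function are assumptions of the example.

```python
import re
import socket
import sys
from urllib.parse import urlparse

# Public S3 endpoint name shapes this example accepts (an assumption of the
# example, not an exhaustive AWS list): s3, s3.<region>, s3-<region>,
# s3.dualstack.<region>, s3-accelerate and s3-accelerate.dualstack.
REGION = r"[a-z]{2}(?:-[a-z]+)+-\d+"
S3_HOST = re.compile(
    rf"^(?:s3-accelerate(?:\.dualstack)?"
    rf"|s3(?:(?:\.dualstack)?\.{REGION}|-{REGION})?)\.amazonaws\.com$"
)


def preflight(endpoint_url, resolve=socket.getaddrinfo,
              connect=socket.create_connection, timeout=5):
    """Return (stage, detail); stage is 'name', 'dns', 'tcp' or 'ok'.

    resolve/connect are injectable so the logic can be exercised offline.
    """
    parsed = urlparse(endpoint_url)
    host = (parsed.hostname or "").lower()
    port = parsed.port or (80 if parsed.scheme == "http" else 443)

    # 1. Typo check: catches names such as s3-acceleratee before any traffic.
    if not S3_HOST.match(host):
        return "name", f"{host!r} is not a recognised S3 endpoint name"

    # 2. DNS: the equivalent of the nslookup step.
    try:
        infos = resolve(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        return "dns", f"cannot resolve {host}: {exc}"
    addrs = sorted({info[4][0] for info in infos})

    # 3. TCP: the equivalent of the telnet step (firewall, NACL, routing).
    try:
        connect((host, port), timeout=timeout).close()
    except OSError as exc:
        return "tcp", f"{host} -> {addrs}, but port {port} is unreachable: {exc}"
    return "ok", f"{host}:{port} reachable via {addrs}"


if __name__ == "__main__":
    # Default input is the misspelled endpoint from the example above.
    url = sys.argv[1] if len(sys.argv) > 1 else "https://s3-acceleratee.amazonaws.com"
    print(preflight(url))
```

A result of "dns" points at resolver configuration, while "tcp" points at a firewall, network ACL or routing problem between the machine and the endpoint.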
If you're seeing this error on an EC2 instance, check the VPC configuration
If the EC2 instance is in a public subnet:
- Check the network access control list (ACL) of the Amazon VPC that your instance is in. In the network ACL, check the outbound rule for port 443. If the outbound rule is DENY, then change it to ALLOW.
- If the network ACL restricts access to only the Amazon S3 IP address ranges of a specific Region, then check the config file of the AWS CLI. The config file must specify the correct AWS Region.
If the EC2 instance is in a private subnet:
- Check whether a network address translation (NAT) gateway is associated with the route table of the subnet. The NAT gateway provides an internet path to reach the Amazon S3 endpoint.
- If you're using a VPC endpoint for Amazon S3, then verify that the correct Region is set in the AWS CLI config file. VPC endpoints for Amazon S3 are Region-specific. If you run a sync command using --region us-west-1 when the VPC endpoint is in a different Region, then the CLI contacts https://s3.us-west-1.amazonaws.com. This results in the "Could not connect to the endpoint URL" error.