There are many different causes that can produce this error message, and many of them are described in the documentation or forums. An incorrect security group configuration is one of them, and it seems so simple and obvious that nobody talks about it.
If you don't want to, or your company policy does not allow you to, open every port for outbound traffic, you have to select the right ones.
When performing the "describe resource" task, cfn-init calls the CloudFormation API to request the instance metadata. Just like every AWS API, the CloudFormation API uses HTTPS and therefore requires outbound port 443 to be open.
Port 80 is still required to install yum packages and should not be removed.
Therefore, to install packages using cfn-init, the security group's outbound rules should allow at least the following:
MyEC2SecurityGroup:
  Type: "AWS::EC2::SecurityGroup"
  Properties:
    GroupDescription: Security group allowing cfn-init to run
    GroupName: "MyEC2sg"
    SecurityGroupEgress:
      - IpProtocol: tcp
        FromPort: 80
        ToPort: 80
        CidrIp: 0.0.0.0/0
      - IpProtocol: tcp
        FromPort: 443
        ToPort: 443
        CidrIp: 0.0.0.0/0
    SecurityGroupIngress:
      - IpProtocol: tcp
        FromPort: 22
        ToPort: 22
        CidrIp: 1.2.3.4/32
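As an added check, not part of the original post, here is a small Python validator that takes a security group's Properties (as a dict mirroring the template above) and reports which of the two outbound ports cfn-init depends on are missing. It also covers the caveat that omitting SecurityGroupEgress entirely keeps AWS's default allow-all egress rule, while listing any egress rule removes that default; the sample group below is constructed with port 443 left out.

```python
"""Check a CloudFormation security group's egress rules for what cfn-init needs.

cfn-init reaches the CloudFormation API over HTTPS (TCP 443) and yum fetches
packages over HTTP (TCP 80), so both must be allowed outbound.
Added example, not from the original post; BROKEN_SG is a hand-constructed
copy of the post's group with the port 443 rule removed.
"""

REQUIRED_EGRESS = {443: "CloudFormation API (https, used by cfn-init)",
                   80: "yum package repositories (http)"}


def rule_allows(rule, port):
    """True if one egress rule permits TCP traffic to `port` (destination CIDR is not checked)."""
    proto = str(rule.get("IpProtocol", ""))
    if proto == "-1":            # -1 means all protocols and all ports
        return True
    if proto.lower() != "tcp":
        return False
    low = int(rule.get("FromPort", 0))
    high = int(rule.get("ToPort", 65535))
    return low <= port <= high


def missing_egress(sg_properties):
    """Return {port: reason} for required ports the group does not allow.

    If SecurityGroupEgress is absent, AWS keeps the default allow-all egress
    rule, so nothing is missing; once any egress rule is given, that default
    is removed and each required port must be listed explicitly.
    """
    rules = sg_properties.get("SecurityGroupEgress")
    if rules is None:
        return {}
    return {port: why for port, why in REQUIRED_EGRESS.items()
            if not any(rule_allows(r, port) for r in rules)}


# Constructed sample: the post's group, but with only port 80 opened outbound.
BROKEN_SG = {
    "GroupDescription": "Security group allowing cfn-init to run",
    "SecurityGroupEgress": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "CidrIp": "0.0.0.0/0"},
    ],
    "SecurityGroupIngress": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "1.2.3.4/32"},
    ],
}

if __name__ == "__main__":
    for port, why in missing_egress(BROKEN_SG).items():
        print(f"egress to tcp/{port} missing: {why}")
```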
Hope this helps someone. As evident and simple as it is, I did lose quite a bit of time figuring out what was wrong in my configuration…