EC2 discovery (AWS-Cloud) not working for one account, working for the other one

ES 0.90.3, aws-cloud 1.15

I'm using security groups for discovery. Everything works just fine when
running under my dev account and deploying using Cloudformation and a role
with ec2:Describe* permission.
It doesn't work and I had to fall back to unicast discovery in Production.

Any ideas on what to check to try to figure out what's different?

Errors...

[2013-09-18 16:05:46,597][TRACE][discovery ] [Perun] waiting
for 30s for the initial state to be set by the discovery
[2013-09-18 16:06:16,597][WARN ][discovery ] [Perun] waited
for 30s and no initial state was set by the discovery
[2013-09-18 16:06:16,597][INFO ][discovery ] [Perun]
Cabin/yaxw464asdfgZSvrtYJg
[2013-09-18 16:06:16,632][INFO ][http ] [Perun]
bound_address {inet[/0.0.0.0:9200]}, publish_address
{inet[/xxx.xxx.xxx.xxx:9200]}
[2013-09-18 16:06:16,632][INFO ][node ] [Perun] started
[2013-09-18 16:09:11,102][INFO ][discovery.ec2 ] [Perun]
Exception while retrieving instance list from AWS API: Unable to execute
HTTP request: Connect to
ec2.us-west-1.amazonaws.com/ec2.us-west-1.amazonaws.com/204.246.160.140
timed out
[2013-09-18 16:09:11,103][DEBUG][discovery.ec2 ] [Perun] Full
exception:
com.amazonaws.AmazonClientException: Unable to execute HTTP request:
Connect to
ec2.us-west-1.amazonaws.com/ec2.us-west-1.amazonaws.com/204.246.160.140
timed out
at
com.amazonaws.http.AmazonHttpClient.executeHelper(AmazonHttpClient.java:328)
at
com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:165)
at
com.amazonaws.services.ec2.AmazonEC2Client.invoke(AmazonEC2Client.java:6047)

--
You received this message because you are subscribed to the Google Groups "elasticsearch" group.
To unsubscribe from this group and stop receiving emails from it, send an email to elasticsearch+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.