Service Quotas: User Guide

Uploaded by

arunchockan

Copyright © 2020 Amazon Web Services, Inc. and/or its affiliates. All rights reserved.

Amazon's trademarks and trade dress may not be used in connection with any product or service that is not
Amazon's, in any manner that is likely to cause confusion among customers, or in any manner that disparages or
discredits Amazon. All other trademarks not owned by Amazon are the property of their respective owners, who may
or may not be affiliated with, connected to, or sponsored by Amazon.

Table of Contents
What is Service Quotas?
    Features
    Terms
    Accessing Service Quotas
Getting started
Viewing service quotas
Requesting a quota increase
Using CloudWatch alarms
Using request templates
Security
    Data protection
    Identity and access management
        Grant permissions using IAM policies
        API actions for Service Quotas
        Service Quotas resources
        Resource-level permissions for Service Quotas
        Condition keys for Service Quotas
        Predefined AWS managed policies for Service Quotas
    Compliance validation
    Resilience
    Infrastructure security
Service quotas
Document history


What is Service Quotas?


Service Quotas enables you to view and manage your quotas for AWS services from a central location.
Quotas, also referred to as limits in AWS, are the maximum values for the resources, actions, and items in
your AWS account. Each AWS service defines its quotas and establishes default values for those quotas.
Depending on your business needs, you might need to increase your service quota values. Service Quotas
makes it easy to look up your service quotas and to request increases.

Contents
• Features
• Terms
• Accessing Service Quotas

Features
The following features are available.

View your service quotas

The Service Quotas console provides quick access to the AWS default quota values for your account,
across all commercial Regions. When you select a service in the Service Quotas console, you'll see
the quotas and whether the quota is adjustable. Applied quotas are overrides, or increases for a
particular quota, over the AWS default value.

Request a service quota increase

For any adjustable service quotas, you can use Service Quotas to request a quota increase. To
request a quota increase, in the console simply select the service and the specific quota, and choose
Request quota increase. You can also use the API or command line interface (CLI) tools to request
service quota increases.

View current utilization

After your account has been active a while, you can view a graph of your resource utilization.

Terms
The following terms are important for understanding Service Quotas and how it works.

service quota

The maximum number of service resources or operations that apply to an account or a Region.
The number of IAM roles per account is an example of an account-based quota. The number of virtual
private clouds (VPCs) per Region is an example of a Region-based quota. Check the description of a
service quota to determine whether it is Region-specific.

adjustable value

A quota value that can be increased.

applied value

The new quota value after a quota increase.

default value

The initial quota value established by AWS.

global quota

A service quota applied at an account level. Global quotas are available in all Regions. You can
request an increase to a global quota from any Region, and can track the status of the increase from
the Region where you requested the increase. If you request a quota increase for a global quota, you
can't request an increase for the same quota from a different Region until the first request is complete.
After the initial request is completed, the applied quota value is visible in all Regions where applied
quotas are available.

usage

The number of resources or operations in use for a service quota.

utilization

The percentage of a service quota in use. For example, if the quota value is 200 resources and 150
resources are in use, the utilization is 75%.

Accessing Service Quotas


You can work with Service Quotas in the following ways:

AWS Management Console

The Service Quotas console is a browser-based interface that you can use to view and manage
your service quotas. You can perform almost any task that's related to your service quotas by using
the console. You can access Service Quotas from any AWS console page by choosing on the top
navigation bar, or by searching for Service Quotas in the AWS Management Console.

AWS Command Line Tools

The AWS command line tools let you issue commands at your system's command line to perform
Service Quotas and other AWS tasks. This can be faster and more convenient than using the console.
The command line tools also are useful if you want to build scripts that perform AWS tasks.

AWS provides two sets of command line tools: the AWS Command Line Interface (AWS CLI) and the
AWS Tools for Windows PowerShell. For information about installing and using the AWS CLI, see
the AWS Command Line Interface User Guide. For information about installing and using the Tools
for Windows PowerShell, see the AWS Tools for Windows PowerShell User Guide.

AWS SDKs

The AWS SDKs consist of libraries and sample code for various programming languages and
platforms (for example, Java, Python, Ruby, .NET, iOS and Android, and others). The SDKs
include tasks such as cryptographically signing requests, managing errors, and retrying requests
automatically. For more information about the AWS SDKs, including how to download and install
them, see Tools for Amazon Web Services.


Getting started with Service Quotas


When you open the Service Quotas console, the dashboard displays cards for up to nine services. Each
card lists the number of service quotas for the service. Choosing a card opens a page that displays the
quotas for the service. You can choose which services appear on the dashboard.

To modify the dashboard service cards

1. Open the Service Quotas console at https://console.aws.amazon.com/servicequotas/.
2. On the dashboard, choose Modify dashboard cards.
3. The services that are currently selected appear on the right. If you have selected nine services, you
must remove a service before you can add a different service. For each service that you don't need
on the dashboard, choose Remove.
4. To add a service to the dashboard, select it from Choose services.
5. When you have finished adding and removing services, choose Save.

Next steps

• Viewing service quotas
• Requesting a quota increase


Viewing service quotas


Service Quotas makes it easy to look up the value of a particular quota, also referred to as a limit. You
can also look up all quotas for a particular service.

To view the quotas for a service

1. Open the Service Quotas console at https://console.aws.amazon.com/servicequotas/.
2. In the navigation pane, choose AWS services.
3. Select a service from the list, or type the name of the service in the search field. For each quota, the
console displays its name, applied value, default value, and whether the quota is adjustable. If the
applied value is not available, the console displays "Not available".
4. To view additional information about a quota, such as its description and Amazon Resource Name
(ARN), choose the quota name.


Requesting a quota increase


For adjustable quotas, you can request a quota increase. Smaller increases are automatically approved,
and larger requests are submitted to AWS Support. You can track your request case in the AWS Support
console. Requests to increase service quotas do not receive priority support. If you have an urgent
request, contact AWS Support.

To request a service quota increase

1. Open the Service Quotas console at https://console.aws.amazon.com/servicequotas/.
2. In the navigation pane, choose AWS services.
3. Choose a service from the list, or type the name of the service in the search box.
4. If the quota is adjustable, you can choose its button or its name, and then choose Request quota
increase.
5. For Change quota value, enter the new value. The new value must be greater than the current
value.
6. Choose Request. After the request is resolved, the Applied quota value for the quota is set to the
new value.
7. To view any pending or recently resolved requests, choose Dashboard from the navigation pane. For
pending requests, choose the status of the request to open the request receipt. The initial status of
a request is Pending. After the status changes to Quota requested, you'll see the case number with
AWS Support. Choose the case number to open the ticket for your request.


Service Quotas and Amazon CloudWatch alarms

You can create Amazon CloudWatch alarms on the Service Quotas console to notify you when you're
close to a quota value threshold. Setting an alarm can help you know if you need to request a quota
increase.

To create a CloudWatch alarm for a quota

1. Open the Service Quotas console at https://console.aws.amazon.com/servicequotas/.
2. In the navigation pane, choose AWS services and then select a service.
3. Select a quota that supports CloudWatch alarms.

If you have utilization, it appears beneath the quota description. The CloudWatch alarms section
appears at the bottom of the page.
4. In Amazon CloudWatch alarms, choose Create.
5. For Alarm threshold, choose a threshold.
6. For Alarm name, enter a name for the alarm. This name must be unique within the AWS account.
7. Choose Create.
8. To add a notification to the CloudWatch alarm, see Creating a CloudWatch Alarm Based on a
CloudWatch Metric in the Amazon CloudWatch User Guide.

To delete a CloudWatch alarm

1. Choose the service quota that has the alarm.
2. Select the alarm.
3. Choose Delete.


Using Service Quotas request templates

A quota request template helps you save time when customizing quotas for new accounts in your
organization. To use a template, configure the desired service quota increases for new accounts. Then,
associate the template with your organization. Whenever new accounts are created in your organization,
the template automatically requests quota increases for you.
Important
A request template can include up to 10 quota increases.

To use a request template, you must use AWS Organizations and the new accounts must be created in
the same organization. Your organization must use the all features feature set. If you use consolidated
billing features, you can't use quota request templates.

You can update the request template by adding or deleting service quotas. You can also increase the
values for any adjustable quotas. As soon as you adjust the template, those service quota values are
requested for new accounts. Updating a request template does not update quota values for existing
accounts.

To configure a request template

Use the following steps to configure the quotas request template.

1. Open the Service Quotas console at https://console.aws.amazon.com/servicequotas/.
2. In the navigation pane, choose Quota request template. If the Quota request template isn't visible,
choose Organization to open it.
3. On the console, choose a Region, service, quota, and quota value, and then choose Add.

To add more quota increase requests to the template, choose Repeat the previous step.
4. To associate the template with your organization, choose Associate.

To disassociate a request template from an organization

If you disassociate the template from the organization, new accounts receive the AWS default quota
values for all quotas. Disassociating the template from the organization doesn't delete the service quota
requests from the template. You can edit the service quotas in the template.

1. Open the Service Quotas console at https://console.aws.amazon.com/servicequotas/.
2. In the navigation pane, choose Quota request template. If the Quota request template isn't visible,
choose Organization to open it.
3. To disassociate the template from the organization, choose Disassociate.

To delete a quota increase request from a request template

You can remove, or delete, service quota requests from the template whether the template is associated
with an organization, or not. If you reach the maximum number of service quota requests, it may be
necessary to delete some service quota requests.

1. Open the Service Quotas console at https://console.aws.amazon.com/servicequotas/.
2. In the navigation pane, choose Quota request template.
3. Select the radio button for a quota increase request.
4. Choose Remove.


Security in Service Quotas


Cloud security at AWS is the highest priority. As an AWS customer, you benefit from a data center and
network architecture that is built to meet the requirements of the most security-sensitive organizations.

Security is a shared responsibility between AWS and you. The shared responsibility model describes this
as security of the cloud and security in the cloud:

• Security of the cloud – AWS is responsible for protecting the infrastructure that runs AWS services in
the AWS Cloud. AWS also provides you with services that you can use securely. Third-party auditors
regularly test and verify the effectiveness of our security as part of the AWS Compliance Programs.
To learn about the compliance programs that apply to Service Quotas, see AWS Services in Scope by
Compliance Program.
• Security in the cloud – Your responsibility is determined by the AWS service that you use. You are also
responsible for other factors including the sensitivity of your data, your company’s requirements, and
applicable laws and regulations.

This documentation helps you understand how to apply the shared responsibility model when using
Service Quotas. The following topics show you how to configure Service Quotas to meet your security
and compliance objectives. You also learn how to use other AWS services that help you to monitor and
secure your Service Quotas resources.

Contents
• Data protection in AWS Service Quotas
• Identity and access management for Service Quotas
• Compliance validation for AWS Service Quotas
• Resilience in AWS Service Quotas
• Infrastructure security in AWS Service Quotas

Data protection in AWS Service Quotas


AWS Service Quotas conforms to the AWS shared responsibility model, which includes regulations and
guidelines for data protection. AWS is responsible for protecting the global infrastructure that runs all
the AWS services. AWS maintains control over data hosted on this infrastructure, including the security
configuration controls for handling customer content and personal data. AWS customers and APN
partners, acting either as data controllers or data processors, are responsible for any personal data that
they put in the AWS Cloud.

For data protection purposes, we recommend that you protect AWS account credentials and set up
individual user accounts with AWS Identity and Access Management (IAM), so that each user is given only
the permissions necessary to fulfill their job duties. We also recommend that you secure your data in the
following ways:

• Use multi-factor authentication (MFA) with each account.
• Use SSL/TLS to communicate with AWS resources.
• Set up API and user activity logging with AWS CloudTrail.
• Use AWS encryption solutions, along with all default security controls within AWS services.
• Use advanced managed security services such as Amazon Macie, which assists in discovering and
securing personal data that is stored in Amazon S3.

We strongly recommend that you never put sensitive identifying information, such as your customers'
account numbers, into free-form fields such as a Name field. This includes when you work with Service
Quotas or other AWS services using the console, API, AWS CLI, or AWS SDKs. Any data that you enter into
Service Quotas or other services might get picked up for inclusion in diagnostic logs. When you provide
a URL to an external server, don't include credentials information in the URL to validate your request to
that server.

For more information about data protection, see the AWS Shared Responsibility Model and GDPR blog
post on the AWS Security Blog.

Identity and access management for Service Quotas

AWS uses security credentials to identify you and to grant you access to your AWS resources. You can use
features of AWS Identity and Access Management (IAM) to allow other users, services, and applications
to use your AWS resources fully or in a limited way. You can do this without sharing your security
credentials.

By default, IAM users don't have permission to create, view, or modify AWS resources. To allow an IAM
user to access resources such as a load balancer, and to perform tasks, you:

1. Create an IAM policy that grants the IAM user permission to use the specific resources and API actions
they need.
2. Attach the policy to the IAM user or the group that the IAM user belongs to.

When you attach a policy to a user or group of users, it allows or denies the users permission to perform
the specified tasks on the specified resources.

For example, you can use IAM to create users and groups under your AWS account. An IAM user can be
a person, a system, or an application. Then you grant permissions to the users and groups to perform
specific actions on the specified resources using an IAM policy.

Grant permissions using IAM policies


When you attach a policy to a user or group of users, it allows or denies the users permission to perform
the specified tasks on the specified resources.

An IAM policy is a JSON document that consists of one or more statements. Each statement is structured
as shown in the following example.

{
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "effect",
        "Action": "action",
        "Resource": "resource-arn",
        "Condition": {
            "condition": {
                "key": "value"
            }
        }
    }]
}

• Effect— The effect can be Allow or Deny. By default, IAM users don't have permission to use resources
and API actions, so all requests are denied. An explicit allow overrides the default. An explicit deny
overrides any allows.
• Action— The action is the specific API action for which you are granting or denying permission. For
more information about specifying actions, see API actions for Service Quotas.
• Resource— The resource that's affected by the action. With some Service Quotas API actions, you can
restrict the permissions granted or denied to a specific quota. To do so, specify its Amazon Resource
Name (ARN) in this statement. Otherwise, you can use the * wildcard to specify all Service Quotas
resources. For more information, see Service Quotas resources.
• Condition— You can optionally use conditions to control when your policy is in effect. For more
information, see Condition keys for Service Quotas.

For more information, see the IAM User Guide.

API actions for Service Quotas


In the Action element of your IAM policy statement, you can specify any API action that Service Quotas
offers. You must prefix the action name with the lowercase string servicequotas:, as shown in the
following example.

"Action": "servicequotas:GetServiceQuota"

To specify multiple actions in a single statement, enclose them in square brackets and separate them
with a comma, as shown in the following example.

"Action": [
    "servicequotas:ListRequestedServiceQuotaChangeHistory",
    "servicequotas:ListRequestedServiceQuotaChangeHistoryByQuota"
]

You can also specify multiple actions using the * wildcard. The following example specifies all API action
names for Service Quotas that start with Get.

"Action": "servicequotas:Get*"

To specify all API actions for Service Quotas, use the * wildcard, as shown in the following example.

"Action": "servicequotas:*"

For the list of API actions for Service Quotas, see Service Quotas Actions.

Service Quotas resources


Resource-level permissions refers to the ability to specify which resources users are allowed to perform
actions on. For API actions that support resource-level permissions, you can control the resources that
users are allowed to use with the action. To specify a resource in a policy statement, you must use its
Amazon Resource Name (ARN).


The ARN for a quota has the format shown in the following example.

arn:aws:servicequotas:region-code:account-id:service-code/quota-code

For API actions that don't support resource-level permissions, you must specify the resource statement
shown in the following example.

"Resource": "*"

Resource-level permissions for Service Quotas


The following Service Quotas actions support resource-level permissions:

• PutServiceQuotaIncreaseRequestIntoTemplate
• RequestServiceQuotaIncrease

For more information, see Actions Defined by Service Quotas in the IAM User Guide.

Condition keys for Service Quotas


When you create a policy, you can specify the conditions that control when the policy is in effect. Each
condition contains one or more key-value pairs. There are global condition keys and service-specific
condition keys.

The servicequotas:service key is specific to Service Quotas. The following Service Quotas API
actions support this key:

• PutServiceQuotaIncreaseRequestIntoTemplate
• RequestServiceQuotaIncrease

For more information about global condition keys, see AWS Global Condition Context Keys in the IAM
User Guide.
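
The following is an added example, not part of the AWS guide: a small linter that checks IAM policies against the rules stated in the sections above (which actions accept a quota ARN, which accept the servicequotas:service key, and the quota ARN format). The finding names, the sample account ID, Region and quota code, and the use of a service code as the condition value are assumptions of this example.

```python
import re
from fnmatch import fnmatchcase

# Actions the guide lists as supporting resource-level permissions and the
# servicequotas:service condition key.
SCOPABLE = {
    "PutServiceQuotaIncreaseRequestIntoTemplate",
    "RequestServiceQuotaIncrease",
}
# Other Service Quotas API actions named in this guide; they need "Resource": "*".
UNSCOPABLE = {
    "GetAWSDefaultServiceQuota", "GetRequestedServiceQuotaChange",
    "GetServiceQuota", "ListAWSDefaultServiceQuotas",
    "ListRequestedServiceQuotaChangeHistory",
    "ListRequestedServiceQuotaChangeHistoryByQuota",
    "ListServiceQuotas", "ListServices",
    "DeleteServiceQuotaIncreaseRequestFromTemplate",
    "GetServiceQuotaIncreaseRequestFromTemplate",
    "ListServiceQuotaIncreaseRequestsInTemplate",
}
# arn:aws:servicequotas:region-code:account-id:service-code/quota-code
QUOTA_ARN = re.compile(
    r"^arn:aws:servicequotas:([a-z0-9-]+|\*):(\d{12}|\*):([a-z0-9-]+|\*)/\S+$"
)
# Constructed sample: placeholder account ID, Region and quota code.
SAMPLE_ARN = "arn:aws:servicequotas:us-east-1:111122223333:ec2/L-EXAMPLE01"


def _as_list(value):
    """IAM accepts a single string or a list for Action and Resource."""
    return value if isinstance(value, list) else [value]


def _expand(patterns):
    """Known Service Quotas actions matched by IAM action patterns (case-insensitive)."""
    known = SCOPABLE | UNSCOPABLE
    return {
        name for name in known for pattern in patterns
        if fnmatchcase(f"servicequotas:{name}".lower(), pattern.lower())
    }


def _has_service_key(condition):
    """True when any condition operator tests servicequotas:service."""
    return any(
        key.lower() == "servicequotas:service"
        for operands in condition.values() for key in operands
    )


def lint(policy):
    """Return (statement index, finding, detail) tuples for Allow statements."""
    findings = []
    for index, stmt in enumerate(_as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _expand(_as_list(stmt.get("Action", [])))
        resources = _as_list(stmt.get("Resource", []))
        keyed = _has_service_key(stmt.get("Condition", {}))
        unscopable = ",".join(sorted(actions & UNSCOPABLE))
        scopable = ",".join(sorted(actions & SCOPABLE))
        for arn in resources:
            if arn != "*" and not QUOTA_ARN.match(arn):
                findings.append((index, "malformed-quota-arn", arn))
        if unscopable and "*" not in resources:
            # These actions must be granted with "Resource": "*".
            findings.append((index, "needs-star-resource", unscopable))
        if unscopable and keyed:
            # The guide lists the key only for the two scopable actions.
            findings.append((index, "service-key-unsupported", unscopable))
        if scopable and "*" in resources and not keyed:
            # Increase requests allowed for every service and every quota.
            findings.append((index, "unscoped-increase", scopable))
    return findings


BROAD = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "servicequotas:*", "Resource": "*"}]}
MIXED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": SAMPLE_ARN,
     "Action": ["servicequotas:GetServiceQuota",
                "servicequotas:RequestServiceQuotaIncrease"]}]}
SCOPED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["servicequotas:Get*", "servicequotas:List*"]},
    {"Effect": "Allow", "Resource": SAMPLE_ARN,
     "Action": "servicequotas:RequestServiceQuotaIncrease",
     # Assumption: the key's value is the service code from the quota ARN.
     "Condition": {"StringEquals": {"servicequotas:service": "ec2"}}}]}

if __name__ == "__main__":
    for name, policy in (("BROAD", BROAD), ("MIXED", MIXED), ("SCOPED", SCOPED)):
        print(name, lint(policy))
```

SCOPED is the least-privilege shape: read actions on all resources, and increase requests limited to one quota of one service.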

Predefined AWS managed policies for Service Quotas


The managed policies created by AWS grant the required permissions for common use cases. You can
attach these policies to your IAM users, based on the access to Service Quotas that they require:

• ServiceQuotasFullAccess — Grants full access required to use Service Quotas features.
• ServiceQuotasReadOnlyAccess — Grants read-only access to Service Quotas features.

Compliance validation for AWS Service Quotas


Third-party auditors assess the security and compliance of AWS Service Quotas as part of multiple AWS
compliance programs. These include SOC, PCI, FedRAMP, HIPAA, and others.

For a list of AWS services in scope of specific compliance programs, see AWS Services in Scope by
Compliance Program. For general information, see AWS Compliance Programs.

You can download third-party audit reports using AWS Artifact. For more information, see Downloading
Reports in AWS Artifact.


Your compliance responsibility when using Service Quotas is determined by the sensitivity of your data,
your company's compliance objectives, and applicable laws and regulations. AWS provides the following
resources to help with compliance:

• Security and Compliance Quick Start Guides – These deployment guides discuss architectural
considerations and provide steps for deploying security- and compliance-focused baseline
environments on AWS.
• Architecting for HIPAA Security and Compliance Whitepaper – This whitepaper describes how
companies can use AWS to create HIPAA-compliant applications.
• AWS Compliance Resources – This collection of workbooks and guides might apply to your industry
and location.
• Evaluating Resources with Rules in the AWS Config Developer Guide – The AWS Config service assesses
how well your resource configurations comply with internal practices, industry guidelines, and
regulations.
• AWS Security Hub – This AWS service provides a comprehensive view of your security state within AWS
that helps you check your compliance with security industry standards and best practices.

Resilience in AWS Service Quotas


The AWS global infrastructure is built around AWS Regions and Availability Zones. AWS Regions provide
multiple physically separated and isolated Availability Zones, which are connected with low-latency,
high-throughput, and highly redundant networking. With Availability Zones, you can design and operate
applications and databases that automatically fail over between zones without interruption. Availability
Zones are more highly available, fault tolerant, and scalable than traditional single or multiple data
center infrastructures.

For more information about AWS Regions and Availability Zones, see AWS Global Infrastructure.

Infrastructure security in AWS Service Quotas


As a managed service, AWS Service Quotas is protected by the AWS global network security procedures
that are described in the Amazon Web Services: Overview of Security Processes whitepaper.

You use AWS published API calls to access Service Quotas through the network. Clients must support
Transport Layer Security (TLS) 1.0 or later. We recommend TLS 1.2 or later. Clients must also support
cipher suites with perfect forward secrecy (PFS) such as Ephemeral Diffie-Hellman (DHE) or Elliptic Curve
Ephemeral Diffie-Hellman (ECDHE). Most modern systems such as Java 7 and later support these modes.

Additionally, requests must be signed by using an access key ID and a secret access key that is associated
with an IAM principal. Or you can use the AWS Security Token Service (AWS STS) to generate temporary
security credentials to sign requests.
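
The following is an added example, not part of the AWS guide: a client-side TLS context that follows the recommendation above (TLS 1.2 or later, forward-secret cipher suites only) and a check that reports any offered suite without ephemeral key exchange. The function names and the legacy sample list are constructed for this example.

```python
import ssl


def hardened_client_context() -> ssl.SSLContext:
    """Client context with TLS 1.2 as the floor and only PFS cipher suites."""
    ctx = ssl.create_default_context()  # keeps certificate and hostname checks on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Restrict TLS 1.2 suites to ephemeral (EC)DHE key exchange. set_ciphers does
    # not change the TLS 1.3 suites; certificate-authenticated TLS 1.3 handshakes
    # always use ephemeral (EC)DHE.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM")
    return ctx


def is_pfs(cipher: dict) -> bool:
    """Classify one entry of SSLContext.get_ciphers() by its key exchange."""
    if cipher.get("protocol") == "TLSv1.3":
        return True
    # OpenSSL names static-key suites "AES128-...", "ECDH-..." or "DH-...";
    # only the ephemeral variants start with "ECDHE-" or "DHE-".
    return cipher["name"].startswith(("ECDHE-", "DHE-"))


def non_pfs_suites(ciphers) -> list:
    """Names of the suites that would allow a handshake without forward secrecy."""
    return [c["name"] for c in ciphers if not is_pfs(c)]


# Constructed sample in the get_ciphers() shape: a static-RSA suite next to PFS ones.
LEGACY_SAMPLE = [
    {"name": "AES128-GCM-SHA256", "protocol": "TLSv1.2"},
    {"name": "ECDHE-RSA-AES128-GCM-SHA256", "protocol": "TLSv1.2"},
    {"name": "TLS_AES_128_GCM_SHA256", "protocol": "TLSv1.3"},
]

if __name__ == "__main__":
    ctx = hardened_client_context()
    print("minimum version:", ctx.minimum_version.name)
    print("non-PFS suites offered:", non_pfs_suites(ctx.get_ciphers()))
    print("non-PFS suites in legacy sample:", non_pfs_suites(LEGACY_SAMPLE))
```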


Service quotas for Service Quotas


This table lists the default maximum values for Service Quotas resources for your AWS account. These
quota values are per Region, unless noted otherwise. You can't adjust these quota values.

Increase requests

Quota | Default
Active service quota increase requests per account | 20
Active service quota increase requests per Region | 2
Active service quota increase requests per quota | 1

API request rates

Quota | Default
GetAWSDefaultServiceQuota requests per second | 5
Additional GetAWSDefaultServiceQuota requests per second sent in one burst | 5
GetRequestedServiceQuotaChange requests per second | 5
Additional GetRequestedServiceQuotaChange requests per second sent in one burst | 5
GetServiceQuota requests per second | 5
Additional GetServiceQuota requests per second sent in one burst | 5
ListAWSDefaultServiceQuotas requests per second | 10
Additional ListAWSDefaultServiceQuotas requests per second sent in one burst | 10
ListRequestedServiceQuotaChangeHistory requests per second | 5
Additional ListRequestedServiceQuotaChangeHistory requests per second sent in one burst | 5
ListRequestedServiceQuotaChangeHistoryByQuota requests per second | 5
Additional ListRequestedServiceQuotaChangeHistoryByQuota requests per second sent in one burst | 5
ListServiceQuotas requests per second | 10
Additional ListServiceQuotas requests per second sent in one burst | 10
ListServices requests per second | 10
Additional ListServices requests per second sent in one burst | 10
RequestServiceQuotaIncrease requests per second | 3
Additional RequestServiceQuotaIncrease requests per second sent in one burst | 3

Quota request template API request rates

Quota | Default
AssociateQuotaTemplate requests per second | 1
Additional AssociateQuotaTemplate requests per second sent in one burst | 1
DeleteServiceQuotaIncreaseRequestFromTemplate requests per second | 2
Additional DeleteServiceQuotaIncreaseRequestFromTemplate requests per second sent in one burst | 1
DisassociateQuotaTemplate requests per second | 1
Additional DisassociateQuotaTemplate requests per second sent in one burst | 1
GetAssociationForQuotaTemplate requests per second | 2
Additional GetAssociationForQuotaTemplate requests per second sent in one burst | 2
GetServiceQuotaIncreaseRequestFromTemplate requests per second | 2
Additional GetServiceQuotaIncreaseRequestFromTemplate requests per second sent in one burst | 1
ListServiceQuotaIncreaseRequestsInTemplate requests per second | 2
Additional ListServiceQuotaIncreaseRequestsInTemplate requests per second sent in one burst | 1
PutServiceQuotaIncreaseRequestIntoTemplate requests per second | 1
Additional PutServiceQuotaIncreaseRequestIntoTemplate per second sent in one burst | 1


Document history for Service Quotas


The following table describes the releases for Service Quotas.

Change | Description | Date
Initial release | This release introduces Service Quotas | June 24, 2019
