
Quotas and service limits for AWS Organizations

This topic describes quotas and service limits for AWS Organizations.

Naming guidelines

The following are guidelines for names that you create in AWS Organizations, including names of accounts, organizational units (OUs), roots, and policies:

Considerations

Service quota codes might change over time due to updates. This does not impact the quota values or names. To find the quota code for a specific quota, use the ListServiceQuotas operation, and look for the QuotaCode response in the output for the quota you want.

Maximum and minimum values

The following are the default maximums for entities in AWS Organizations.

Consider the following information about AWS Organizations quotas:

  • You can request increases for some of these values by using the Service Quotas console.

  • AWS Organizations limits apply at the organization level, unless otherwise specified. Many quotas apply only to actions performed from the AWS Organizations management account.

  • AWS Organizations is a global service that is physically hosted in the US East (N. Virginia) Region (us-east-1). Therefore, you must use us-east-1 to access these quotas when using the Service Quotas console, the AWS CLI, or an AWS SDK.

Description

Limit

Default maximum number of accounts

10 — The default maximum number of accounts allowed in an organization. This quota is adjustable, and can be increased by using the Service Quotas console.

Note: Only the Management account of an organization can submit this quota increase request. Limit increases can be granted up to 10,000 accounts based on customer qualifications and requirements. Newly created accounts and organizations might experience a quota below the default of 10 accounts.

An invitation sent to an account counts against this quota. The count is returned if the invited account declines, the management account cancels the invitation, or the invitation expires.

When an account is closed it does not stop counting against this quota until it is permanently closed. For more information on when an account is permanently closed, see Post-closure period in the AWS Account Management Reference Guide.

Some services have account limits separate from the maximum number of accounts allowed in an organization. For more information, see Limits by AWS service.

Minimum age for removal of created accounts

Each supported Region: 7 — The minimum number of days a created account must exist before you can remove it from the organization.

Number of roots in an organization

1

Number of OUs in an organization

2000

Number of policies of each type in an organization

Service control policies: 10,000

Resource control policies: 1000

Declarative policies: 1000

Backup policies: 1000

Tag policies: 1000

Chat applications policies: 1000

AI services opt-out policies: 1000

Security Hub policies: 1000

Maximum size of a policy document

Service control policies: 5120 characters

Resource control policies: 5120 characters

Declarative policies: 10,000 characters

Backup policies: 10,000 characters

Chat applications policies: 10,000 characters

AI services opt-out policies: 2500 characters

Tag policies: 10,000 characters

Security Hub policies: 10,000 characters

Note: If you save the policy by using the AWS Management Console, extra white space (such as spaces and line breaks) between JSON elements and outside of quotation marks is removed and not counted. If you save the policy using an SDK operation or the AWS CLI, then the policy is saved exactly as you provided and no automatic removal of characters occurs.

OU maximum nesting in a root

Five levels of OUs deep under a root.

Maximum number of invitation attempts you can perform in a 24-hour period

Either 20 or the maximum number of accounts allowed in your organization, whichever is greater. Accepted invitations don't count against this quota. As soon as one invitation is accepted, you can send another invitation that same day.

If the maximum number of accounts allowed in your organization is less than 20, then you get an "account limit exceeded" exception if you attempt to invite more accounts than your organization can contain. However, you can cancel invitations and send new ones up to the maximum of 20 attempts in one day.

Number of member accounts you can create concurrently

5 — As soon as one finishes, you can start another, but only five can be in progress at a time.

Number of accounts you can close within a 30-day period

10% of member accounts in an organization, with a maximum of 1000. This quota is not adjustable.

  • < 100 accounts – You can close up to 10 member accounts

  • 100 - 10,000 accounts – You can close up to 10% of your member accounts

  • > 10,000 accounts – You can close up to 1000 member accounts

After you reach this quota, you can close additional accounts or wait until your quota resets. For more information, see Close an AWS account in the AWS Account Management Guide.

Number of member accounts you can close concurrently

3 — Only three account closures can be in progress at the same time. As soon as one finishes, you can close another account.

Number of entities to which you can attach a policy

Unlimited

Number of tags that you can attach to a root, OU, or account

50

Maximum size of the resource-based delegation policy

40,000 characters
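The note above on white space means the same policy file can fit when saved through the console and be rejected when saved verbatim through the CLI or an SDK. The following check is an added example, not part of the AWS documentation: it measures a policy both ways against the sizes listed on this page. It assumes that the console's white space removal is equivalent to JSON minification; the dictionary keys and the sample policy are constructed for illustration.

```python
import json

# Maximum policy document sizes in characters, copied from the list on this page.
MAX_CHARS = {
    "Service control policies": 5120,
    "Resource control policies": 5120,
    "Declarative policies": 10000,
    "Backup policies": 10000,
    "Chat applications policies": 10000,
    "AI services opt-out policies": 2500,
    "Tag policies": 10000,
    "Security Hub policies": 10000,
}


def check_policy_size(policy_type, document):
    """Compare a policy's size as stored verbatim (SDK/CLI) and after minification.

    Assumption: removing white space between JSON elements is modelled by
    re-serializing the parsed document with compact separators.
    """
    limit = MAX_CHARS[policy_type]
    minified = json.dumps(json.loads(document), separators=(",", ":"),
                          ensure_ascii=False)
    return {
        "limit": limit,
        "verbatim": len(document),
        "minified": len(minified),
        "fits_verbatim": len(document) <= limit,
        "fits_minified": len(minified) <= limit,
    }


def sample_scp(indent):
    """Constructed SCP with 150 placeholder actions (not real AWS action names)."""
    actions = [f"service{i}:Action{i}" for i in range(150)]
    policy = {"Version": "2012-10-17",
              "Statement": [{"Effect": "Deny", "Action": actions, "Resource": "*"}]}
    return json.dumps(policy, indent=indent)


if __name__ == "__main__":
    # Pretty-printed with 4-space indentation, as a repository would usually store it.
    print(check_policy_size("Service control policies", sample_scp(4)))
```

Running the check in a deployment pipeline on the exact bytes that will be sent to the API shows whether the file needs to be minified before it is submitted.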

Limits by AWS service

Most AWS services support the stated maximum number of accounts that you can have in an organization. However, some services have account limits separate from the maximum number of accounts allowed in an organization.

The following table shows services with separate account limits.

AWS service | Limit | Can be increased
AWS IAM Identity Center | 3000 | Yes
AWS Application Migration Service | 5000 | No
AWS Directory Service | 250 | Yes

For more information, see AWS IAM Identity Center quotas in the IAM Identity Center User Guide and AWS MGN service quota limits in the Application Migration Service User Guide.

Expiration times for handshakes

The following are the timeouts for handshakes in AWS Organizations.

Description

Limit

Invitation to join an organization

15 days

Request to enable all features in an organization

90 days

Handshake is deleted and no longer appears in lists

30 days after the handshake is completed

Number of policies that you can attach to an entity

The minimum and maximum depend on the policy type and the entity that you're attaching the policy to. The following table shows each policy type and the number of entities that you can attach each type to.

Policy type | Minimum attached to an entity | Maximum attached to root | Maximum attached per OU | Maximum attached per account
Service control policy | 1 — Every entity must have at least one SCP attached at all times when you enable SCPs. You can't remove the last SCP from an entity. | 5 | 5 | 5
Resource control policy | 1 — The RCPFullAWSAccess policy is automatically attached to the root, every OU, and every account in your organization when you enable RCPs. You cannot detach this policy and it counts towards the 5 policies quota. | 5 | 5 | 5
Declarative policy | 0 | 10 | 10 | 10
Backup policy | 0 | 10 | 10 | 10
Tag policy | 0 | 10 | 10 | 10
Chat applications policy | 0 | 5 | 5 | 5
AI services opt-out policy | 0 | 5 | 5 | 5
Security Hub policy | 0 | 10 | 10 | 10

Throttling limits

The following tables list the AWS Organizations APIs by management category, and show their respective throttle rates at the account and organizational level.

AWS Organizations uses the token bucket algorithm to implement API throttling. With this algorithm, your account has a bucket that holds a specific number of tokens. The number of tokens in the bucket represents your throttling quota at any given second.

Rate is the fixed pace at which tokens are added to the token bucket per second.

Burst is the maximum number of tokens that can be added and the maximum number of tokens that can be used per second.

For example, the DescribeAccount API is limited for a single AWS account to 20 requests per second as the baseline rate and to 30 requests per second as the burst rate. The burst rate of 30 requests per second allows you to temporarily exceed the baseline rate of 20 requests per second.

You can make 20 requests in the first second, which is the baseline rate. In the next second, you can make 30 requests, exceeding the baseline but staying within the burst rate of 30. However, in the third second, if you try to make more than 20 requests, you will be throttled since you have exceeded the baseline rate and the burst capacity has been used.

The burst rate allows you to handle temporary spikes in traffic without getting throttled, as long as the average requests per second stay within the baseline limit over time.
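The DescribeAccount walk-through above can be reproduced with a small token bucket model, which is also useful for pacing audit or inventory scripts so that they stay under the limits. This is an added example, not AWS code and not the service's implementation: it assumes the bucket starts full and that each request costs one token, and the class and function names are illustrative.

```python
class TokenBucket:
    """Token bucket with an injectable clock so the behaviour is reproducible."""

    def __init__(self, rate, burst):
        self.rate = float(rate)      # tokens added per second
        self.burst = float(burst)    # bucket capacity
        self.tokens = float(burst)   # assumption: the bucket starts full
        self.last = 0.0              # time of the last refill, in seconds

    def _refill(self, now):
        elapsed = max(0.0, now - self.last)
        self.tokens = min(self.burst, self.tokens + elapsed * self.rate)
        self.last = max(self.last, now)

    def try_acquire(self, now):
        """Spend one token if available; False means the call would be throttled."""
        self._refill(now)
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False

    def wait_time(self, now):
        """Seconds a client should sleep before the next call can succeed."""
        self._refill(now)
        return max(0.0, (1.0 - self.tokens) / self.rate)


def simulate(rate, burst, offered_per_second):
    """Offer N calls at the start of each second; return (admitted, throttled) pairs."""
    bucket = TokenBucket(rate, burst)
    results = []
    for second, offered in enumerate(offered_per_second):
        admitted = sum(bucket.try_acquire(float(second)) for _ in range(offered))
        results.append((admitted, offered - admitted))
    return results


if __name__ == "__main__":
    # DescribeAccount per-account limit from this page: rate 20, burst 30.
    print(simulate(20, 30, [20, 30, 25]))
    # CloseAccount limit from this page: rate .05, burst 1.
    close = TokenBucket(0.05, 1)
    close.try_acquire(0.0)
    print(round(close.wait_time(0.0), 3))
```

In the third second only the 20 tokens refilled at the baseline rate are available, so 5 of the 25 offered calls are throttled; with the CloseAccount values, one call empties the bucket and the next token arrives 20 seconds later.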

Account management limits

The following table lists the AWS Organizations APIs for account management.

AWS Organizations API | Per account limit (rate, burst) | Per organization limit (rate, burst)
CloseAccount | .05, 1
CreateAccount, CreateGovCloudAccount | 0.1, 3
DescribeAccount | 20, 30 | 24, 36
DescribeCreateAccountStatus | 2, 2 | 2, 3
LeaveOrganization | 1, 1
ListCreateAccountStatus | 5, 8 | 6, 10

Handshake management limits

The following table lists the AWS Organizations APIs for account handshake.

AWS Organizations API | Per account limit (rate, burst) | Per organization limit (rate, burst)
AcceptHandshake | 1, 2 | 5, 5
DescribeHandshake | 1, 2 | 6, 10
CancelHandshake | 2, 3
DeclineHandshake | 1, 1 | 5, 5
InviteAccountToOrganization | 3, 5
ListHandshakesForAccount, ListHandshakesForOrganization | 5, 8 | 6, 10

Organization management limits

The following table lists the AWS Organizations APIs for organization management.

AWS Organizations API | Per account limit (rate, burst) | Per organization limit (rate, burst)
CreateOrganization, DeleteOrganization, EnableFullControl | 1, 1
CreateOrganizationalUnit, DescribeOrganization | 1, 2
MoveAccount, UpdateOrganizationalUnit, DeleteOrganizationalUnit | 2, 3
DescribeOrganizationalUnit | 2, 2 | 2, 3
ListAccounts | 8, 12 | 9, 15
ListChildren | 6, 10 | 7, 12
ListParents, ListAccountsForParent, ListOrganizationalUnitsForParent | 5, 8 | 6, 10
ListRoots | 1, 2 | 1, 3
ListTagsForResource | 10, 15 | 12, 18
RemoveAccountFromOrganization | 2, 2
TagResource, UntagResource | 4, 6

Policy management limits

The following table lists the AWS Organizations APIs for policy management.

AWS Organizations API | Per account limit (rate, burst) | Per organization limit (rate, burst)
CreatePolicy, DeletePolicy, AttachPolicy, DetachPolicy | 2, 3
DescribePolicy | 2, 2 | 2, 3
DisablePolicyType, EnablePolicyType | 1, 1
ListPolicies, ListPoliciesForTarget, ListTargetsForPolicy | 5, 8 | 6, 10
UpdatePolicy | 2, 3

Service management limits

The following table lists the AWS Organizations APIs for service management.

AWS Organizations API | Per account limit (rate, burst) | Per organization limit (rate, burst)
EnableAWSServiceAccess, DisableAWSServiceAccess | 1, 2
ListAWSServiceAccessForOrganization, ListDelegatedServicesForAccount | 1, 3 | 1, 4
ListDelegatedAdministrators | 5, 8 | 6, 10
RegisterDelegatedAdministrator, DeregisterDelegatedAdministrator | 1, 2