- Overview
- Prerequisites
- Deployment Steps
- Deployment Validation
- Running the Guidance
- Next Steps
- Cleanup
Managing AWS service quotas effectively is crucial for maintaining operational continuity and preventing unexpected disruptions to business-critical applications. While AWS provides native solutions such as Service Quotas and Trusted Advisor for limit monitoring, organizations often face challenges in implementing comprehensive quota management strategies, particularly for resources not covered by these services. AWS also provides the Quota Monitor solution, which lets customers manage several AWS service quotas. However, some quotas are not currently exposed through the Service Quotas service and therefore cannot be managed by these solutions.
The Guidance in this repository provides automation to manage quotas that are not captured by the solutions above. It uses a flexible, pull-based model that allows customers to monitor any AWS service quota that is not covered by AWS Trusted Advisor or Service Quotas. This Guidance empowers organizations to:
- Create custom quota monitoring templates for any AWS service
- Define and track service-specific limits using AWS API calls
- Implement automated usage monitoring and threshold alerts
- Maintain centralized visibility of all service quotas across their multi-account AWS environment
- Provide information on which resources are crossing the Service Quota threshold boundary
Whether you're managing a growing cloud infrastructure or maintaining large-scale AWS deployments, this Guidance provides the tools necessary for proactive quota management and operational excellence.
The Guidance can be deployed in a single account or across multiple accounts within an organization.
The Single Account deployment model monitors service quotas within one AWS account. The Guidance works as follows:
- Scheduled Monitoring: An EventBridge rule triggers the Lambda function (QuotaGuardLambda) every 10 minutes. The Lambda function reads the configuration file (QuotaList.json) from the specified S3 bucket to identify the quotas to monitor and their thresholds.
- Quota Data Retrieval: The Lambda function queries the AWS Service Quotas API to fetch the current quota value for each specified service and region, and queries each service to fetch the current usage of that quota.
- Threshold Evaluation: The Lambda function compares the retrieved quota usage against the thresholds and if any quota exceeds its threshold, the Lambda function generates a custom event (quota-threshold-event).
- Alert Generation: The custom event is sent to EventBridge, which matches it against a notification rule (QuotaGuardEventNotificationRule). The matched event is routed to an SNS topic (QuotaThresholdSnsTopic).
- Administrator Notification: The SNS topic sends an email notification to the administrator's email address provided during deployment. The email contains details about the breached quota, including service name, region, and usage percentage.
- Data Storage: The Lambda function stores quota usage data in a DynamoDB table (QuotaGuardDDBTable) for tracking and analysis.
The Multi-Account model uses a hub-and-spoke architecture to monitor quotas across multiple AWS accounts in an organization. The Guidance works as follows:
Spoke (or member) Account Workflow
- Local Quota Monitoring: In each spoke account, an EventBridge rule triggers a Lambda function (QuotaGuardLambda) every 10 minutes. The Lambda function reads QuotaList.json from S3 to identify quotas and thresholds for monitoring.
- Quota Data Retrieval: The Lambda function queries the AWS Service Quotas API to fetch the current quota value for each specified service and region, and queries each service to fetch the current usage of that quota.
- Threshold Evaluation: The Lambda function compares the current usage against the configured thresholds, and if any quota exceeds its threshold it generates a custom event (quota-threshold-event).
- Event Forwarding to Hub: Using a cross-account IAM role, the custom event is sent to the central EventBus in the hub account (or management account) via EventBridge.
- Data Storage: Quota usage data is stored locally in a DynamoDB table (QuotaGuardDDBTable) for tracking purposes.
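The threshold evaluation and event-shaping steps of both workflows above, as an added example written for this page rather than the Guidance's own Lambda code. It assumes QuotaList.json is a list of objects with "service", "quota_code" and "threshold" keys (the real file layout is not documented here), assumes the event Source and detail keys, and uses constructed sample limits and usage values; the 10-entry batching reflects the PutEvents per-call limit.

```python
"""Threshold evaluation in the style of the QuotaGuard Lambda (added example, not the Guidance's code).

Assumptions: QuotaList.json is a list of {"service", "quota_code", "threshold"} objects (the
real layout is not documented here), and the custom event uses the detail-type
"quota-threshold-event" named in the README. Limits and usage are constructed samples.
"""
import json

# Constructed sample of the configuration file; the real QuotaList.json layout is assumed.
QUOTA_LIST_JSON = json.dumps([
    {"service": "vpc", "quota_code": "L-DF5E4CA3", "threshold": 80},
    {"service": "s3", "quota_code": "L-DC2B2D3D", "threshold": 90},
])
# Constructed samples of what the Lambda would fetch: the quota value from Service Quotas
# and the current usage from each service, keyed by (service, quota code, region).
SAMPLE_LIMITS = {("vpc", "L-DF5E4CA3", "us-east-1"): 5000, ("s3", "L-DC2B2D3D", "us-east-1"): 100}
SAMPLE_USAGE = {("vpc", "L-DF5E4CA3", "us-east-1"): 4100, ("s3", "L-DC2B2D3D", "us-east-1"): 85}


def evaluate_quotas(config_json, limits, usage, regions, account_id):
    """Return one event detail per quota whose usage percentage reaches its threshold."""
    breaches = []
    for item in json.loads(config_json):
        for region in regions:
            key = (item["service"], item["quota_code"], region)
            limit, used = limits.get(key), usage.get(key)
            if not limit or used is None:  # unknown quota or no usage data: skip, never alert on 0/0
                continue
            pct = round(100.0 * used / limit, 1)
            if pct >= item["threshold"]:
                breaches.append({"account_id": account_id, "service": item["service"],
                                 "quota_code": item["quota_code"], "region": region,
                                 "limit": limit, "usage": used, "usage_percent": pct})
    return breaches


def to_eventbridge_entries(breaches, event_bus):
    """Shape breaches as PutEvents entries; Source and the detail keys are assumptions."""
    return [{"Source": "quota-guard", "DetailType": "quota-threshold-event",
             "EventBusName": event_bus, "Detail": json.dumps(b)} for b in breaches]


def batch_entries(entries, size=10):
    """EventBridge PutEvents accepts at most 10 entries per call, so split before sending
    (e.g. for batch in batch_entries(entries): boto3.client("events").put_events(Entries=batch))."""
    return [entries[i:i + size] for i in range(0, len(entries), size)]
```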
Hub Account Workflow
- Centralized Event Aggregation: The hub account's EventBridge receives quota-threshold-event events from all spoke accounts. A policy on the EventBus ensures only events from accounts within the same AWS Organization are accepted.
- Notification Rule Matching: Events are matched against a notification rule (QuotaGuardEventRule) that routes them to an SNS topic (QuotaThresholdSnsTopic).
- Administrator Notification: The SNS topic sends notifications to administrators with details about breached quotas across all accounts. Notifications include information such as account ID, service name, region, and usage percentage.
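A resource policy of the kind described above for the hub EventBus, as an added example and not the policy from the Guidance's template: it allows events:PutEvents only from principals whose account belongs to the organization. REGION, HUB_ACCOUNT_ID, EVENT_BUS_NAME and ORG_ID are placeholders to replace.

```json
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "AllowPutEventsFromOrgAccountsOnly",
    "Effect": "Allow",
    "Principal": { "AWS": "*" },
    "Action": "events:PutEvents",
    "Resource": "arn:aws:events:REGION:HUB_ACCOUNT_ID:event-bus/EVENT_BUS_NAME",
    "Condition": {
      "StringEquals": { "aws:PrincipalOrgID": "ORG_ID" }
    }
  }]
}
```

Without the aws:PrincipalOrgID condition the wildcard principal would accept events from any AWS account, so verify the condition is present on the deployed bus.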
Service Code | Quota Code | Limit Name |
---|---|---|
ebs | L-D18FCD1D | Storage for General Purpose SSD (gp2) volumes, in TiB |
ec2 | L-C4B238BF | Concurrent client connections per Client VPN endpoint |
ec2 | L-43872EB7 | Route Tables per transit gateway |
elasticloadbalancing | L-CE3125E5 | Registered Instances per Classic Load Balancer |
vpc | L-DF5E4CA3 | Network interfaces per Region |
vpc | L-1B52E74A | Gateway VPC endpoints per Region |
s3 | L-DC2B2D3D | Buckets |
iam | L-0DA4ABF3 | Managed policies per role |
iam | L-BF35879D | Server certificates per account |
vpc | L-DFA99DE7 | Private IP address quota per NAT gateway |
vpc | L-BB24F6E5 | Network Address Usage |
You are responsible for the cost of the AWS services used while running this Guidance. As of May 2025, the cost of running this Guidance per Region per account is $6.45 per month for processing 259,200 quota usage records. We recommend creating a Budget through AWS Cost Explorer to help manage costs. Prices are subject to change. For full details, refer to the pricing webpage for each AWS service used in this Guidance.
The following table provides a sample cost breakdown for deploying this Guidance with the default parameters in the US East (N. Virginia) Region for one month per account.
AWS service | Dimensions | Cost [USD] |
---|---|---|
Amazon EventBridge | 259,200 | $ 0.26 |
AWS Lambda | 259,200 invocations | $ 2.75 |
Amazon DynamoDB | 5 million writes / 1 million reads | $ 3.44 |
These deployment instructions are written for macOS, Linux or Windows operating systems with a bash shell and the AWS CLI. Deployment on another OS may require additional steps.
- Enable IAM Identity Center in your AWS account
- An S3 bucket to store the Guidance artifacts (Lambda function code, configuration and deployment files)
- For multi-account deployments, apply the following resource policy to the S3 bucket. Replace S3_BUCKET_NAME with your bucket name and ORG_ID with your organization identifier, which you can find in the settings view of AWS Organizations.
```json
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "AllowGetObject",
    "Principal": {
      "AWS": "*"
    },
    "Effect": "Allow",
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::S3_BUCKET_NAME/*",
    "Condition": {
      "StringEquals": {
        "aws:PrincipalOrgID": ["ORG_ID"]
      }
    }
  }]
}
```
- Clone or copy the GitHub repository
- Create an S3 bucket for the Guidance resources and create a folder named "qg-templates" in the bucket
- Create your SSO profile as specified in the document "Configuring IAM Identity Center authentication with the AWS CLI"
- Use the command below to upload resources to the bucket and deploy the stack
```
./deploy.sh -h
Usage: ./deploy.sh [OPTIONS]
Deploy CloudFormation stack for Quota Guard
Required Parameters:
  -p, --profile   AWS CLI profile name
  -b, --bucket    S3 bucket name for deployment
  -t, --type      Account type (single or multi)
  -e, --email     Email address for notifications
Example:
  ./deploy.sh --profile myprofile --bucket my-bucket-name --type multi --email [email protected]
  ./deploy.sh -p myprofile -b my-bucket-name -t single -e [email protected]
```
- Use the CloudFormation template quota-guard-single-account.yaml from the S3 bucket to deploy the Guidance. Deploy the stack through the console or the CLI, as explained in the CloudFormation documentation.
- Provide the required parameters:
  - Configfile - JSON config file name for the configuration.
  - DeploymentBucket - The name of the S3 bucket containing the Lambda package and templates.
  - DeploymentBucketPrefix - S3 prefix of the folder containing the Lambda package and templates.
  - QuotaThresholdEventNotificationEmail - Email address of an admin who will receive notifications of Quota Threshold Exceeded events.
  - RegionList - List of AWS Regions in which to monitor resource quotas.
  - ExecutionTimeInCron - Cron expression specifying the schedule for pulling usage data and performing threshold checks.
- Deploy the stack
Make sure you have followed the AWS account requirements before continuing with these steps. Additionally, you need a multi-account AWS environment set up with AWS Organizations.
- Clone or copy the GitHub repository
- Create an S3 bucket for the Guidance resources in the Hub account (the management account) and create a folder named "qg-templates" in the bucket
- Create your SSO profile as specified in the document "Configuring IAM Identity Center authentication with the AWS CLI"
- Use the command below to upload resources to the bucket and deploy the stack
```
./deploy.sh -h
Usage: ./deploy.sh [OPTIONS]
Deploy CloudFormation stack for Quota Guard
Required Parameters:
  -p, --profile   AWS CLI profile name
  -b, --bucket    S3 bucket name for deployment
  -t, --type      Account type (single or multi)
  -e, --email     Email address for notifications
Example:
  ./deploy.sh --profile myprofile --bucket my-bucket-name --type multi --email [email protected]
  ./deploy.sh -p myprofile -b my-bucket-name -t single -e [email protected]
```
- Deploy the Hub Stack in the management account:
  - Use the CloudFormation template quota-guard-hub.yaml from the S3 bucket to deploy the Guidance. Deploy the stack through the console or the CLI, as explained in the CloudFormation documentation.
  - Provide the required parameters:
    - AWSOrganizationId - Organization ID of your AWS Organizations.
    - ConfigFile - JSON config file name for the configuration.
    - DeploymentBucket - S3 bucket containing the Lambda package and templates.
    - DeploymentBucketPrefix - S3 prefix of the folder containing the Lambda package and templates.
    - OrganizationalUnits - List of OUs for which you want to monitor quotas.
    - QuotaThresholdEventNotificationEmail - Email address of an admin who will receive notifications of Quota Threshold Exceeded events.
    - RegionList - List of AWS Regions in which to monitor resource quotas.
    - ExecutionTimeInCron - Cron expression specifying the schedule for pulling usage data and performing threshold checks.
- The Spoke Stack is deployed automatically to the member accounts in the provided OrganizationalUnits via StackSets.
- Open the CloudFormation console and verify the status of the stack whose name starts with quota-guard-single-account.
- Open the CloudFormation console and verify the status of the stack whose name starts with quota-guard-hub.
- In the CloudFormation console, select StackSets and verify the status of the stack instances in the stack set whose name starts with QuotaGuardSpokeStackSet.
No action is needed once the stacks are deployed. The Guidance runs a Lambda function periodically, per account, to check the quotas specified in the configuration file.
You can tailor the QuotaGuard Guidance to your needs by:
- Updating the QuotaList.json file with additional services or custom thresholds for service limits you want to monitor.
- Modifying Lambda function code for custom logic or additional integrations for service limits that you want to monitor.
- Adjusting CloudFormation templates to add resources or change configurations (e.g., notification protocols).
- Single-account deployment: delete the stack from the CloudFormation console
- Multi-account deployment: delete the stack set from the CloudFormation console
- Multi-account deployment: then delete the hub stack from the CloudFormation console
Customers are responsible for making their own independent assessment of the information in this Guidance. This Guidance: (a) is for informational purposes only, (b) represents AWS current product offerings and practices, which are subject to change without notice, and (c) does not create any commitments or assurances from AWS and its affiliates, suppliers or licensors. AWS products or services are provided “as is” without warranties, representations, or conditions of any kind, whether express or implied. AWS responsibilities and liabilities to its customers are controlled by AWS agreements, and this Guidance is not part of, nor does it modify, any agreement between AWS and its customers.
- Anandprasanna Gaitonde - [email protected]
- Preetam Rebello - [email protected]
- Raj Bagwe - [email protected]
- Varun Mehta - [email protected]
- Santiago Flores Kanter - [email protected]