AWS Service Limits

Whitelisted query strings per cache behavior

For more information, see Configuring CloudFront to Cache Based on Query String Parameters in the Amazon CloudFront Developer Guide.

Request timeout per origin

For more information, see Request Timeout in the Amazon CloudFront Developer Guide.

Get, describe, and list APIs

10 transactions per second (TPS)

The maximum number of operation requests you can make per second without being throttled.

This limit cannot be increased.

All other APIs

1 transaction per second (TPS)

The maximum number of operation requests you can make per second without being throttled.

This limit cannot be increased.

DescribeAlarms

3 transactions per second (TPS)

The maximum number of operation requests you can make per second without being throttled.

You can request a limit increase.

GetMetricStatistics

400 transactions per second (TPS)

The maximum number of operation requests you can make per second without being throttled.

You can request a limit increase.

ListMetrics

25 transactions per second (TPS)

The maximum number of operation requests you can make per second without being throttled.

You can request a limit increase.

PutMetricAlarm

3 transactions per second (TPS)

The maximum number of operation requests you can make per second without being throttled.

You can request a limit increase.

PutMetricData

150 transactions per second (TPS)

The maximum number of operation requests you can make per second without being throttled.

You can request a limit increase.

Rules

100 per region per account

You can request a limit increase.

Before requesting a limit increase, examine your rules. You may have multiple rules each matching to very specific events. Consider broadening their scope by using fewer identifiers in your Events and Event Patterns. In addition, a rule can invoke several targets each time it matches an event. Consider adding more targets to your rules.

CreateLogGroup

5000 log groups/account/region

If you exceed your log group limit, you get a ResourceLimitExceeded exception.

You can request a limit increase.

DescribeLogStreams

5 transactions per second (TPS)/account/region

If you experience frequent throttling, you can request a limit increase.

FilterLogEvents

5 transactions per second (TPS)/account/region

This limit can be changed only in special circumstances. If you experience frequent throttling, contact AWS Support.

GetLogEvents

10 transactions per second (TPS)/account/region

We recommend subscriptions if you are continuously processing new data. If you need historical data, we recommend exporting your data to Amazon S3. This limit can be changed only in special circumstances. If you experience frequent throttling, contact AWS Support.

Maximum number of pipelines per region in an AWS account

US East (N. Virginia) (us-east-1): 40

US West (Oregon) (us-west-2): 60

EU (Ireland) (eu-west-1): 60

All other supported regions: 20

Number of stages in a pipeline

Minimum of 2, maxi­mum of 10

Number of actions in a stage

Minimum of 1, maxi­mum of 20

Number of custom actions per region in an AWS account

50

Maximum number of revisions running across all pipelines in an AWS account, per region

Five times the number of pipelines in the region

Maximum size of source artifacts

500 megabytes (MB)

Maximum number of times an action can be run per month

1,000 per calendar month

Maximum Amazon Connect instances

3

Maximum users

500

Maximum phone numbers

10

Maximum queues

50

Maximum queues per routing profile

50

Maximum routing profiles

100

Maximum hours of operation

100

Maximum transfer destinations

100

Maximum prompts

500

Maximum agent status

50

Maximum security profiles

100

Maximum contact flows

100

Maximum groups per level

50

Maximum reports

500

Maximum scheduled reports

50

Maximum active calls

100

Maximum sustained incoming call rate per second

1

Dialable outbound destination countries

US

You can request a limit increase.

App file size you can upload

4 GB

Number of devices that AWS Device Farm can test during a run

5

This limit can be increased to 100 upon request.

Number of devices you can include in a test run

None

Number of runs you can schedule

None

60 minutes

Maximum capacity units per table or global secondary index

Maximum capacity units per account

Maximum capacity units per table or global secondary index

Maximum capacity units per account

500

Each AWS account can register/activate a maximum of 500 managed instances in a region.

200

Each AWS account can create a maximum of 200 documents per region.

1000

A single Systems Manager document can be shared with a maximum of 1000 AWS accounts.

5

Each AWS account can publicly share a maximum of five documents.

10,000

Each Systems Manager document can be associated with a maximum of 10,000 instances.

Inventory data collected per instance per call

1 MB

This maximum adequately supports most inventory collection scenarios. When this limit is reached, no new inventory data is collected for the instance. Inventory data previously collected is stored until the expiration.

Inventory data collected per instance per day

5 MB

When this limit is reached, no new inventory data is collected for the instance. Inventory data previously collected is stored until the expiration.

Custom Inventory Types

20

You can add up to 20 custom inventory types.

Custom Inventory Type Size

4 KB

This is the maximum size of the type, not the inventory collected.

Custom Inventory Type Attributes

50

This is the maximum number of attributes within the custom inventory type.

Inventory data expiration

30 days

If you terminate an instance, inventory data for that instance is deleted immediately. For running instances, inventory data older than 30 days is deleted. If you need to store inventory data longer than 30 days, you can use AWS Config to record history or periodically query and upload the data to an Amazon S3 bucket. For more information, see, Recording Amazon EC2 managed instance inventory in the AWS Config Developer Guide.

Maintenance Windows per account

50

Tasks per Maintenance Window

20

Targets per Maintenance Window

50

Instance IDs per target

50

Targets per task

10

Concurrent executions of a single Maintenance Window

1

Concurrent executions of Maintenance Windows

5

Maintenance Window execution history retention

30 days

Maximum number of parameters per account

1000

Max size for parameter value

4096 characters

Max history for a parameter

100 past values

Patch baselines per account

25

Patch groups per patch baseline

25

US East (N. Virginia) Region – 20

US West (N. California) Region – 12

US West (Oregon) Region – 20

Asia Pacific (Mumbai) Region – 12

Asia Pacific (Singapore) Region – 12

Asia Pacific (Sydney) Region – 12

Asia Pacific (Tokyo) Region – 12

EU (Ireland) Region – 20

20 instances per account, regardless of instance type

1 with GameLift SDK v2.x

50 with GameLift SDK v3.x and up

To increase this limit, contact AWS Support.

By default, an MQTT client connection is disconnected after 30 minutes of inactivity. When the client sends a PUBLISH, SUBSCRIBE, PING, or PUBACK message, the inactivity timer is reset.

A client can request a shorter keep-alive interval by specifying a value between 5-1,200 seconds in the MQTT CONNECT message sent to the server. If a keep-alive value is specified, the server disconnects the client if it does not receive a PUBLISH, SUBSCRIBE, PINGREQ, or PUBACK message within a period 1.5 times the requested interval. The keep-alive timer starts after the sender sends a CONNACK.

If a client sends a keep-alive value of zero, the default keep-alive behavior remains in place.

If a client requests a keep-alive shorter than 5 seconds, the server treats the client as though it requested a keep-alive interval of 5 seconds.

The keep-alive timer begins immediately after the server returns a CONNACK to the client. There might be a brief delay between the client's sending of a CONNECT message and the start of keep-alive behavior.

Connect requests per second per account

AWS IoT limits an account to a maximum of 300 MQTT CONNECT requests per second.

A topic provided while publishing a message or a topic filter provided while subscribing can have no more than 7 forward slashes (/).

The message broker allows 100 in-progress unacknowledged messages per client. (This limit is applied across all messages that require ACK.) When this limit is reached, no new messages are accepted from this client until an ACK is returned by the server.

The message broker allows only 100 in-progress unacknowledged messages per client. (This limit is applied across all messages that require ACK.) When this limit is reached, no new messages are sent to the client until the client acknowledges the in-progress messages.

A single SUBSCRIBE call is limited to request a maximum of eight subscriptions.

The payload for every PUBLISH message is limited to 128 KB. The AWS IoT service rejects messages larger than this size.

9000 per second per account (inbound publishes - max. 3000 per second, outbound publishes - max. 6000 per second)

Inbound publishes count for all the messages that the message broker processes before routing the messages to the subscribed clients or the rules engine. For example, a single message published on $aws/things/device/shadow/update topic can result in publishing three additional messages to $aws/things/device/shadow/update/accepted, $aws/things/device/shadow/update/documents, $aws/things/device/shadow/delta topics. In this case, AWS IoT counts those as 4 inbound publishes towards this limit. However, a single message to an unreserved topic like "a/b" is counted only as a single inbound publish

Outbound publishes count for every message that resulted in matching a client's subscription or matching a rules engine subscription. For example, two clients are subscribed to topic filter 'a/b' and a rule is subscribed to topic filter 'a/#'. An inbound publish message on topic 'a/b' results in a total of 3 outbound publishes.

Subscriptions per second per account

AWS IoT limits an account to a maximum of 500 subscriptions per second. For example, if there are two MQTT SUBSCRIBE calls within a second with 3 subscriptions (topic filters) each, AWS IoT counts those as 6 subscriptions towards this limit.

The message broker limits each client session to subscribe to up to 50 subscriptions. A SUBSCRIBE request that pushes the total number of subscriptions past 50 results in the connection being disconnected.

AWS IoT limits the ingress and egress rate on each client connection to 512 KB/s. Data sent or received at a higher rate is throttled to this throughput.

WebSocket connections are limited to 24 hours. If the limit is exceeded, the WebSocket connection is automatically closed when an attempt is made to send a message by the client or server. To maintain an active WebSocket connection for longer than 24 hours, simply close and reopen the WebSocket connection from the client side before the time limit elapses.

AWS IoT supports keep-alive values specified in MQTT CONNECT messages. When a client specifies a keep-alive value, the client tells the server to disconnect the client and transmit any last-will message associated with the MQTT session if the server does not receive a message (PUBLISH, SUBSCRIBE, PUBACK, PINGREQ) within 1.5 times the keep-alive period. AWS IoT supports keep-alive values between 5 seconds and 20 minutes. If a client requests no keep-alive (that is, sets the field to 0 in the MQTT CONNECT message), the server sets the keep-alive value to 20 minutes, which corresponds to the maximum idle time supported by AWS IoT of 30 minutes. Most MQTT clients (including the AWS SDK clients) support keep-alive values by sending a PINGREQ if the keep-alive period expires without the transmission of any other message by the client.

Copy
"desired": {
    "one": {
        "two": {
            "three": {
                "four": {
                    "five":{
                    }
                 }
             }
        }
    }
}

20

2,000 transactions/second

5,000 records/second

5 MB/second

US East (N. Virginia) Region – 500

US West (Oregon) Region – 500

EU (Ireland) Region – 500

All other supported regions – 200

Maximum duration of service usage per VM (not per account), beginning with the initial replication of a VM. We terminate an ongoing replication after this period, unless a customer requests a limit increase.

VPCs per region

5

The limit for Internet gateways per region is directly correlated to this one. Increasing this limit increases the limit on Internet gateways per region by the same amount. To increase this limit, submit a request.

Subnets per VPC

200

To increase this limit, submit a request.

Internet gateways per region

5

This limit is directly correlated with the limit on VPCs per region. You cannot increase this limit individually; the only way to increase this limit is to increase the limit on VPCs per region. Only one Internet gateway can be attached to a VPC at a time.

Virtual private gateways per region

5

To increase this limit, contact AWS Support; however, only one virtual private gateway can be attached to a VPC at a time.

Customer gateways per region

50

To increase this limit, contact AWS Support.

VPN connections per region

50

To increase this limit, submit a request.

VPN connections per VPC (per virtual private gateway)

To increase this limit, submit a request.

Route tables per VPC

200

Including the main route table. You can associate one route table to one or more subnets in a VPC.

Routes per route table (non-propagated routes)

50

This is the limit for the number of non-propagated entries per route table. You can submit a request for an increase of up to a maximum of 100; however, network performance may be impacted. This limit is enforced separately for IPv4 routes and IPv6 routes (50 each, and a maximum of 100 each).

BGP advertised routes per route table (propagated routes)

100

You can have up to 100 propagated routes per route table. This limit cannot be increased. If you require more than 100 prefixes, advertise a default route.

Elastic IP addresses per region for each AWS account

5

This is the limit for the number of VPC Elastic IP addresses you can allocate within a region. This is a separate limit from the Amazon EC2 Elastic IP address limit. To increase this limit, submit a request.

Security groups per VPC

500

To increase this limit, you can submit a request.

Inbound or outbound rules per security group

50

You can have 50 inbound and 50 outbound rules per security group (giving a total of 100 combined inbound and outbound rules). To increase or decrease this limit, you can contact AWS Support — a limit change applies to both inbound and outbound rules. However, the multiple of the limit for inbound or outbound rules per security group and the limit for security groups per network interface cannot exceed 250. For example, if you increase the limit to 100, we decrease your number of security groups per network interface to 2.

This limit is enforced separately for IPv4 rules and IPv6 rules. A rule that references a security group counts as one rule for IPv4 and one rule for IPv6.

Security groups per network interface

5

To increase or decrease this limit, you can contact AWS Support. The maximum is 16. The multiple of the limit for security groups per network interface and the limit for rules per security group cannot exceed 250. For example, if you want 10 security groups per network interface, we decrease your number of rules per security group to 25.

Network interfaces per instance

-

This limit varies by instance type. For more information, see IP Addresses Per ENI Per Instance Type.

Network interfaces per region

350

This limit is the greater of either the default limit (350) or your On-Demand Instance limit multiplied by 5. The default limit for On-Demand Instances is 20. If your On-Demand Instance limit is below 70, the default limit of 350 applies. You can increase the number of network interfaces per region by contacting AWS Support, or by increasing your On-Demand Instance limit.

Network ACLs per VPC

200

You can associate one network ACL to one or more subnets in a VPC. This limit is not the same as the number of rules per network ACL.

Rules per network ACL

This is the one-way limit for a single network ACL, where the limit for ingress rules is 20, and the limit for egress rules is 20. This limit includes both IPv4 and IPv6 rules, and includes the default deny rules (rule number 32767 for IPv4 and 32768 for IPv6, or an asterisk * in the Amazon VPC console).

This limit can be increased upon request up to a maximum if 40; however, network performance may be impacted due to the increased workload to process the additional rules.

Active VPC peering connections per VPC

50

To increase this limit, contact AWS Support. The maximum limit is 125 peering connections per VPC. The number of entries per route table should be increased accordingly; however, network performance may be impacted.

Outstanding VPC peering connection requests

25

This is the limit for the number of outstanding VPC peering connection requests that you've requested from your account. To increase this limit, contact AWS Support.

Expiry time for an unaccepted VPC peering connection request

1 week (168 hours)

To increase this limit, contact AWS Support.

VPC endpoints per region

20

To increase this limit, contact AWS Support. The maximum limit is 255 endpoints per VPC, regardless of your endpoint limit per region.

Flow logs per single network interface, single subnet, or single VPC in a region

Web ACLs per AWS account

50

Rules per AWS account

100

Conditions per AWS account

100 of each condition type (For example: 100 Size constraint conditions, 100 IP match conditions, etc.)

Rules per web ACL

10

Conditions per rule

10

IP address ranges (in CIDR notation) per IP match condition

10,000

Filters per cross-site scripting match condition

10

Filters per size constraint condition

10

Filters per SQL injection match condition

10

Filters per string match condition

10

In string match conditions, the number of characters in HTTP header names, when you've configured AWS WAF to inspect the headers in web requests for a specified value

40

In string match conditions, the number of bytes in the value tfor which AWS WAF should search

50

This is a hard limit and cannot be changed.

This is a hard limit and cannot be changed.

This is a hard limit and cannot be changed.