Quotas - Automated Security Response on AWS
Quotas for AWS services in this solutionAWS CloudFormation quotasAWS CloudWatch quotasAWS Organizations

Quotas

Service quotas, also referred to as limits, are the maximum number of service resources or operations for your AWS account.

Quotas for AWS services in this solution

Make sure you have sufficient quota for each of the services implemented in this solution. For more information, refer to AWS service quotas.

Use the following links to go to the page for that service. To view the Service Quotas for all AWS services in the documentation without switching pages, view the information in the Service endpoints and quotas page in the PDF instead.

AWS CloudFormation quotas

Your AWS account has AWS CloudFormation quotas that you should be aware of when launching the stack in this solution. By understanding these quotas, you can avoid limitation errors that would prevent you from deploying this solution successfully. For more information, see AWS CloudFormation quotas in the AWS CloudFormation User Guide.

AWS CloudWatch quotas

Your AWS account has AWS CloudWatch quotas tied to CloudWatch Resource Policies which only allows 10 resource policies per region per account and this cannot be requested for a quota increase, see AWS CloudWatch Logs Quotas in the AWS CloudWatch User Guide. Before your deployment please check your current usage to ensure you won’t cross this threshold when deploying the solution.

AWS Organizations

The solution’s Lambda functions make calls to the AWS Organizations API in order to fetch the alias of the current account to include in messages published to the solution’s SNS topic. This enables human-readable account names to be visible in the solution’s notifications for debugging and tracking purposes.

AWS Organizations imposes limits on how often customers can invoke their API endpoints. If you find that the solution is exceeding the limits set for your account, you can disable the feature that fetches and displays the account alias.

To do this, navigate to the Lambda function named SO0111-ASR-sendNotifications located in the region and account where you deployed the Admin stack. Then, locate the environment variable named DISABLE_ACCOUNT_ALIAS_LOOKUP and change the value from "False" to "True". The account alias field in the solution’s notifications will now be "Unknown" however this will not impact the functionality of the solution.