Troubleshooting issues with OpsCenter - AWS Systems Manager
You receive the OpsItemLimitExceededExceptionYou receive a large bill from AWS for large numbers of auto-generated OpsItems

AWS Systems Manager Change Manager is no longer open to new customers. Existing customers can continue to use the service as normal. For more information, see AWS Systems Manager Change Manager availability change.

Troubleshooting issues with OpsCenter

This topic includes information to help you troubleshoot common errors and issues with OpsCenter.

You receive the OpsItemLimitExceededException

If your AWS account has reached the maximum number of OpsItems allowed when you call the CreateOpsItem API operation, you receive an OpsItemLimitExceededException. OpsCenter returns the exception if your call would exceed the maximum number of OpsItems for either of the following quotas:

  • Total number of OpsItems per AWS account per Region (including Open and Resolved OpsItems): 500,000

  • Maximum number of OpsItems per AWS account per month: 10,000

These quotas apply to OpsItems created from any source except the following:

  • OpsItems created by AWS Security Hub CSPM findings

  • OpsItems that are auto-generated when an Incident Manager incident is opened

OpsItems created from these sources don't count against your OpsItem quotas, but you are charged for each OpsItem.

If you receive an OpsItemLimitExceededException, you can manually delete OpsItems until you are below the quota preventing you from creating a new OpsItem. Again, deleting OpsItems created for Security Hub CSPM findings or Incident Manager incidents won't reduce your total number of OpsItems enforced by the quotas. You must delete OpsItems from other sources. For information about how to delete an OpsItem, see Delete OpsItems.

You receive a large bill from AWS for large numbers of auto-generated OpsItems

If you configured integration with AWS Security Hub CSPM, OpsCenter creates OpsItems for Security Hub CSPM findings. Depending on the number of finding Security Hub CSPM generates and the account you were logged into when you configured integration, OpsCenter can generate large numbers of OpsItems, at a cost. Here are more specific details related to OpsItems generated by Security Hub CSPM findings:

  • If you are logged into the Security Hub CSPM administrator account when you configure OpsCenter and Security Hub CSPM integration, the system creates OpsItems for findings in the administrator and all member accounts. The OpsItems are all created in the administrator account. Depending on a variety of factors, this can lead to an unexpectedly large bill from AWS.

    If you are logged into a member account when you configure integration, the system only creates OpsItems for findings in that individual account. For more information about the Security Hub CSPM administrator account, member accounts, and their relation to the EventBridge event feed for findings, see Types of Security Hub CSPM integration with EventBridge in the AWS Security Hub User Guide.

  • For each finding that creates an OpsItem, you are charged the regular price for creating the OpsItem. You are also charged if you edit the OpsItem or if the corresponding finding is updated in Security Hub CSPM (which triggers an OpsItem update).

  • OpsItems that are created by an integration with AWS Security Hub CSPM are not currently limited by the maximum quota of 500,000 OpsItems per account in a Region. It is therefore possible for Security Hub CSPM alerts to create more than 500,000 chargeable OpsItems in each Region in an account.

    For high-production environments, we therefore recommend limiting the scope of Security Hub CSPM findings to high severity issues only.

Important

If you believe a large number of OpsItems were created in error and your AWS bill is unwarranted, contact Support.

Use the following procedure if you no longer want the system to create OpsItems for Security Hub CSPM findings.

To stop receiving OpsItems for Security Hub CSPM findings

  1. Open the AWS Systems Manager console at https://console.aws.amazon.com/systems-manager/.

  2. In the navigation pane, choose OpsCenter.

  3. Choose Settings.

  4. In the Security Hub CSPM findings section, choose Edit.

  5. Choose the slider to change Enabled to Disabled. If you aren't able to toggle the slider, Security Hub CSPM hasn't been enabled for your AWS account.

  6. Choose Save to save your configuration. OpsCenter no longer creates OpsItems based on Security Hub CSPM findings.

Important

If OpsCenter toggles the setting back to Enabled and continues to create OpsItems for findings, log into the Systems Manager delegated administrator account or the AWS Organizations management account and repeat this procedure. If you don't have permission to log into either of those accounts, contact your administrator and ask them to repeat this procedure to disable integration for your account.