AWS Limit Monitor

Architecture Overview

Deploying this solution with the default parameters builds the following environment in the AWS Cloud.


Figure 1: AWS Limit Monitor Architecture

The AWS CloudFormation template deploys and configures an Amazon CloudWatch event, a master AWS Lambda function, two child Lambda functions, AWS Identity and Access Management (IAM) roles with fine-grained permissions to check each account’s limits, and an Amazon Simple Notification Service (Amazon SNS) topic for push notifications.

The CloudWatch event executes the master Lambda function once every 24 hours, by default. (You can modify the AWS CloudFormation template to change how often the master Lambda function is invoked.) The master Lambda function launches the child Lambda functions and passes the relevant account numbers to the child functions, which request service limits and usage through API calls. The child Lambda functions are invoked once for each account you monitor. They calculate actual service usage against limits. If usage exceeds 80% of a service limit, the child Lambda functions publish a message to an Amazon SNS topic. To see your service usage before it exceeds 80%, go to the Trusted Advisor console.

Request Limits With AWS Lambda

The master AWS Lambda function launches the child Lambda functions every 24 hours. Each time the child Lambda functions are invoked, they request service limits and usage data for a specific account from AWS Trusted Advisor through the AWS Support API, and from Amazon DynamoDB and AWS CloudFormation through direct API calls to those services. The child Lambda functions calculate the usage against the service limits. If actual usage exceeds 80% of a given service limit, the child Lambda functions publish a message to the Amazon SNS topic, which is delivered to the email address you specify during setup. We recommend creating a group alias email address rather than using an individual email address.
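As an added example (not the solution's own code), the core of what a child Lambda function does for one account: parse the Trusted Advisor Service Limits check result it obtains through the Support API, compute usage against each limit, and build the notification body for the SNS topic. It assumes the response shape of the Support API's `describe_trusted_advisor_check_result` call and the metadata column order shown in `COLUMNS`; the sample result and account ID are constructed, and the API call itself is left out so the example runs offline.

```python
from typing import Dict, List, Optional

THRESHOLD = 0.80  # the solution alerts at 80% of a service limit

# Assumed column order of the Trusted Advisor "Service Limits" check metadata.
COLUMNS = ("Region", "Service", "Limit Name", "Limit Amount", "Current Usage", "Status")

def parse_resource(resource: Dict) -> Optional[Dict]:
    """Turn one flaggedResources entry into a row dict; None if it is unusable."""
    meta = resource.get("metadata") or []
    if len(meta) < len(COLUMNS):
        return None
    row = dict(zip(COLUMNS, meta))
    try:
        limit = float(row["Limit Amount"])
        usage = float(row["Current Usage"])
    except (TypeError, ValueError):
        return None  # usage can be reported as None for some regions or services
    if limit <= 0:
        return None  # no meaningful ratio for a zero or unknown limit
    row["ratio"] = usage / limit
    return row

def find_approaching_limits(account_id, check_result, threshold=THRESHOLD):
    """Return the limits in one account whose usage is at or above threshold."""
    hits = []
    for res in check_result.get("result", {}).get("flaggedResources", []):
        row = parse_resource(res)
        if row and row["ratio"] >= threshold:
            row["AccountId"] = account_id
            hits.append(row)
    return sorted(hits, key=lambda r: r["ratio"], reverse=True)

def format_sns_message(hits: List[Dict]) -> str:
    """Plain-text body the child function would publish to the SNS topic."""
    return "\n".join(
        f"{h['AccountId']} {h['Region']} {h['Service']} {h['Limit Name']}: "
        f"{h['Current Usage']}/{h['Limit Amount']} ({h['ratio']:.0%})" for h in hits)

# Constructed sample shaped like a describe_trusted_advisor_check_result response.
SAMPLE_RESULT = {"result": {"status": "warning", "flaggedResources": [
    {"metadata": ["us-east-1", "EC2", "On-Demand instances", "20", "17", "Yellow"]},
    {"metadata": ["us-east-1", "VPC", "VPCs", "5", "2", "Green"]},
    {"metadata": ["eu-west-1", "RDS", "DB instances", "40", "40", "Red"]},
    {"metadata": ["ap-south-1", "EBS", "Active volumes", "5000", None, "Green"]},
]}}

if __name__ == "__main__":
    # Constructed account ID; in the real child function this is passed in by the master.
    print(format_sns_message(find_approaching_limits("111122223333", SAMPLE_RESULT)))
```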

Cross-Account Support

Large enterprise customers who want to check limits in many different accounts must create an AWS Identity and Access Management (IAM) role in each account so that AWS Lambda can check all accounts and aggregate every approaching limit into a single Amazon SNS topic. Each IAM role carries a trust policy that allows the child Lambda functions to make API calls on behalf of that additional account. Detailed instructions are in Step 2 of the Automated Deployment.