Limitations and quotas in AWS Control Tower

This chapter covers the AWS service limitations and quotas that you should keep in mind as you use AWS Control Tower. If you're unable to set up your landing zone due to a service quota issue, contact AWS Support.

Limitations in AWS Control Tower

This section describes known limitations and unsupported use cases in AWS Control Tower.

• AWS Control Tower has overall concurrency limitations. In general, one operation at a time is permitted. Two exceptions to this limitation are allowed:

  • Optional controls can be activated and deactivated concurrently, through an asynchronous process. Up to ten (10) control-related operations at a time can be in progress

  • Accounts can be provisioned, updated, and enrolled concurrently in Account Factory, through an asynchronous process, with up to five (5) account-related operations in progress simultaneously.

• Email addresses of shared accounts in the Security OU can be changed, but you must update your landing zone to see these changes in the AWS Control Tower console.

• A limit of 5 SCPs per OU applies to OUs in your AWS Control Tower landing zone.

• Existing OUs with over 300 accounts cannot be registered or re-registered in AWS Control Tower.

• The limit for EnableControl and DisableControl updates in AWS Control Tower is 10 concurrent operations.

You can contact AWS Support to request a limit increase for some resources in AWS Control Tower. For example, you can request a limit increase from five of up to ten (10) concurrent account-related operations. Some AWS Control Tower performance metrics may change after a limit increase.

Video: Automate requests for service limit increase

This video (7:24) describes how to automate service limit increases for deployments in AWS Control Tower. It also shows how to automate enrolllment of new accounts into AWS Enterprise support for your organization. For better viewing, select the icon at the lower right corner of the video to enlarge it to full screen. Captioning is available.

When provisioning new accounts in this environment, you can use lifecycle events to trigger automated requests for service limit increases in specified AWS Regions.

Control limitations

If you modify AWS Control Tower resources, such as an SCP, or remove any AWS Config resource, such as a Config recorder or aggregator, AWS Control Tower can no longer guarantee that the controls are functioning as designed. Therefore, the security of your multi-account environment may be compromised. The AWS shared responsibility model of security is applicable to any such changes you may make.

AWS Control Tower helps maintain the integrity of your environment by resetting the SCPs of the controls to their standard configuration when you update your landing zone. Changes that you may have made to SCPs are replaced by the standard version of the control, by design.

Quotas for Integrated Services

Each AWS service has its own quotas and limits. You can find the quotas for each service in its documentation. For more information, see the related links:

• AWS CloudFormation – AWS CloudFormation Quotas

• AWS CloudTrail – Quotas in AWS CloudTrail

• Amazon CloudWatch – CloudWatch Quotas

• AWS Config – AWS Config Quotas

• AWS Identity and Access Management – Quotas for IAM Entities and Objects

• AWS Lambda – AWS Lambda Quotas

• AWS Organizations – Quotas for AWS Organizations

• Amazon Simple Storage Service – Bucket Restrictions and Quotas

• Service Catalog – Service Catalog Default Service Quotas

• AWS IAM Identity Center (successor to AWS Single Sign-On) – Quotas in IAM Identity Center

• Amazon Simple Notification Service – Amazon Simple Notification Service (Amazon SNS) Quotas

• AWS Step Functions – Quotas

More information about AWS quotas is available in the AWS General Reference.