Limitations and quotas in AWS Control Tower
This chapter covers the AWS service limitations and quotas that you should keep in mind as you use AWS Control Tower. If you're unable to set up your landing zone due to a service quota issue, contact AWS Support.
Limitations in AWS Control Tower
This section describes known limitations and unsupported use cases in AWS Control Tower.
- Email addresses of shared accounts in the Security OU can be changed, but you must update your landing zone to see these changes in the AWS Control Tower console.
- A limit of 5 SCPs per OU applies to OUs in your AWS Control Tower landing zone.
- Existing OUs with over 300 accounts cannot be registered or re-registered in AWS Control Tower.
For information about how to increase certain AWS Control Tower service quotas with an automated request method, view this video: Automate Service Limit Increases.
Quotas for Integrated Services
Each AWS service has its own quotas and limits. You can find the quotas for each service in its documentation. For more information, see the related links:
- AWS CloudFormation – AWS CloudFormation Quotas
- AWS CloudTrail – Quotas in AWS CloudTrail
- Amazon CloudWatch – CloudWatch Quotas
- AWS Config – AWS Config Quotas
- AWS Identity and Access Management – Quotas for IAM Entities and Objects
- AWS Lambda – AWS Lambda Quotas
- AWS Organizations – Quotas for AWS Organizations
- Amazon Simple Storage Service – Bucket Restrictions and Quotas
- AWS Service Catalog – AWS Service Catalog Default Service Quotas
- AWS IAM Identity Center (successor to AWS Single Sign-On) – Quotas in IAM Identity Center
- Amazon Simple Notification Service – Amazon Simple Notification Service (Amazon SNS) Quotas
- AWS Step Functions – Quotas