
Limitations and quotas in AWS Control Tower

This chapter covers the AWS service limitations and quotas that you should keep in mind as you use AWS Control Tower. If you're unable to set up your landing zone due to a service quota issue, contact AWS Support.

For more information about limitations that are specific to controls, see Control limitations.

A new Controls Reference Guide

Information about AWS Control Tower controls has been moved to the AWS Control Tower Controls Reference Guide.

Limitations in AWS Control Tower

This section describes known limitations and unsupported use cases in AWS Control Tower.

  • AWS Control Tower has overall concurrency limitations. In general, one operation at a time is permitted. Two exceptions to this limitation are allowed:

    • Optional controls can be activated and deactivated concurrently, through an asynchronous process. Up to ten (10) control-related operations at a time can be in progress, in total, no matter if they are called from the console or from an API.

    • Accounts can be provisioned, updated, and enrolled concurrently in Account Factory, through an asynchronous process, with up to five (5) account-related operations in progress simultaneously. Unmanaging accounts must be performed one account at a time.

  • Email addresses of shared accounts in the Security OU can be changed, but you must update your landing zone to see these changes in the AWS Control Tower console.

  • A limit of five (5) SCPs per OU applies to OUs in your AWS Control Tower landing zone.

  • AWS Control Tower supports up to 10,000 accounts in your landing zone's organization, divided among all of your OUs.

  • Existing OUs with over 300 directly nested accounts cannot be registered or re-registered in AWS Control Tower. For more information about limitations with registering OUs, see Regions and stack set limitations.

  • Customizations for AWS Control Tower (CfCT) is unavailable in these AWS Regions, because some dependencies are not available:

    • Asia Pacific (Jakarta and Osaka)

    • Israel (Tel Aviv)

    • Middle East (UAE)

    • Europe (Spain)

    • Asia Pacific (Hyderabad)

    • Europe (Zurich)

    You can still deploy and manage resources in these Regions with CfCT, provided CfCT itself is deployed in your AWS Control Tower home Region; you cannot build CfCT in these Regions.

  • AWS Control Tower Account Factory for Terraform (AFT) is not available in the following AWS Regions, because some dependencies are not available:

    • Israel (Tel Aviv)

    • Middle East (UAE)

    • Europe (Spain)

    • Asia Pacific (Hyderabad)

    • Europe (Zurich)

  • The following Regions do not support IAM Identity Center:

    • Middle East (UAE) Region, me-central-1

    • Asia Pacific (Hyderabad) Region, ap-south-2

    For more information about AWS Regions and support for IAM Identity Center, see Regions and endpoints in the AWS Identity and Access Management User Guide.

  • When calling a control API to activate or deactivate a control, the limit for EnableControl and DisableControl updates in AWS Control Tower is ten (10) concurrent operations. Code that activates or deactivates controls in bulk must track the operations in progress and wait for completions (for example, by polling GetControlOperation) before submitting more.

  • When you are provisioning accounts with AFC, with blueprints that are based in Terraform, you can deploy those blueprints to only one AWS Region. By default, AWS Control Tower deploys to the home Region.
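The two concurrency limits above (ten control operations and ten EnableControl/DisableControl calls in flight) are easy to exceed from a loop that fires one API call per control. The following driver, an added example that is not from the AWS documentation, keeps at most ten operations in progress and polls each one to a terminal state before submitting more. With a real boto3 `controltower` client the calls are `enable_control`, `disable_control` (both return an `operationIdentifier`) and `get_control_operation`; the `FakeControlTowerClient`, the control ARNs and the OU ARN are constructed stand-ins so the example runs offline.

```python
"""Throttled EnableControl/DisableControl driver that respects the documented
limit of ten concurrent control operations and waits for each to finish.

Added example, not from the AWS documentation. With a real boto3
`controltower` client, enable_control / disable_control return an
operationIdentifier and get_control_operation reports its status; the
FakeControlTowerClient below is a constructed offline stand-in with the
same call shapes so the example runs without AWS credentials.
"""
import itertools
import time
from collections import deque

MAX_IN_FLIGHT = 10  # documented limit for concurrent control operations
TERMINAL = {"SUCCEEDED", "FAILED"}


def apply_controls(client, requests, max_in_flight=MAX_IN_FLIGHT,
                   poll_interval=5.0, sleep=time.sleep):
    """requests: iterable of (action, control_identifier, target_identifier)
    with action in {"enable", "disable"}. Keeps at most max_in_flight
    operations in progress, polls GetControlOperation until each reaches a
    terminal state, and returns {operation_identifier: final_status}."""
    pending = deque(requests)
    in_flight = {}   # operation identifier -> request tuple
    results = {}
    while pending or in_flight:
        # Top up to the concurrency limit before polling.
        while pending and len(in_flight) < max_in_flight:
            action, control, target = pending.popleft()
            call = client.enable_control if action == "enable" else client.disable_control
            resp = call(controlIdentifier=control, targetIdentifier=target)
            in_flight[resp["operationIdentifier"]] = (action, control, target)
        # Poll each in-flight operation once; retire the finished ones.
        for op_id in list(in_flight):
            status = client.get_control_operation(
                operationIdentifier=op_id)["controlOperation"]["status"]
            if status in TERMINAL:
                results[op_id] = status
                del in_flight[op_id]
        if in_flight:
            sleep(poll_interval)
    return results


class FakeControlTowerClient:
    """Constructed stand-in: each operation needs polls_to_finish status
    polls before it reports SUCCEEDED, and starting an eleventh concurrent
    operation raises, standing in for the service rejecting the request."""

    def __init__(self, polls_to_finish=2, limit=MAX_IN_FLIGHT):
        self._ids = itertools.count(1)
        self._remaining = {}   # operation id -> polls left before SUCCEEDED
        self.limit = limit
        self.polls_to_finish = polls_to_finish
        self.peak_in_flight = 0

    def _start(self, controlIdentifier, targetIdentifier):
        active = sum(1 for left in self._remaining.values() if left > 0)
        if active >= self.limit:
            raise RuntimeError("too many concurrent control operations")
        op_id = f"op-{next(self._ids)}"
        self._remaining[op_id] = self.polls_to_finish
        self.peak_in_flight = max(self.peak_in_flight, active + 1)
        return {"operationIdentifier": op_id}

    enable_control = _start
    disable_control = _start

    def get_control_operation(self, operationIdentifier):
        left = self._remaining[operationIdentifier]
        if left > 0:
            self._remaining[operationIdentifier] = left - 1
        done = self._remaining[operationIdentifier] == 0
        return {"controlOperation": {"status": "SUCCEEDED" if done else "IN_PROGRESS"}}


def demo(n_requests=25):
    """Queue n_requests enable calls against a hypothetical OU and report
    the final statuses plus the peak number of operations in flight."""
    client = FakeControlTowerClient()
    ou = "arn:aws:organizations::111111111111:ou/o-exampleorgid/ou-exmp-12345678"  # hypothetical
    reqs = [("enable", f"arn:aws:controltower:us-east-1::control/AWS-GR_EXAMPLE_{i}", ou)
            for i in range(n_requests)]
    results = apply_controls(client, reqs, poll_interval=0.0, sleep=lambda _: None)
    return results, client.peak_in_flight


if __name__ == "__main__":
    statuses, peak = demo()
    print(f"{len(statuses)} operations finished, peak in flight {peak}")
```

Against the real service, pass `boto3.client("controltower")` as `client`, keep the default polling interval of a few seconds, and treat a `FAILED` status as a result to inspect (the real `controlOperation` carries `statusMessage`) rather than something to retry blindly; the fake client's limit check is only there to prove the driver never exceeds ten in flight.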

You can contact AWS Support to request a limit increase for some resources in AWS Control Tower. For example, you can request an increase from five to as many as ten concurrent account-related operations. Some AWS Control Tower performance characteristics may change after a limit increase. For example, it may take longer to update an OU when you have more accounts in it, or longer to complete an action on an OU with five SCPs than on one with three SCPs.

Video: Automate requests for service limit increase

This video (7:24) describes how to automate service limit increases for deployments in AWS Control Tower. It also shows how to automate enrollment of new accounts into AWS Enterprise Support for your organization.

When provisioning new accounts in your landing zone, you can use AWS Control Tower lifecycle events (for example, CreateManagedAccount) to trigger automated requests for service limit increases in specified AWS Regions.
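The automation described above, as an added example that is not from the AWS documentation: an EventBridge-invoked handler that reacts to a successful CreateManagedAccount lifecycle event, assumes the execution role Control Tower provisions in the new account, and files one Service Quotas increase request per configured quota and Region. The event shape (source `aws.controltower`, `eventName` and the new account ID under `detail.serviceEventDetails.createManagedAccountStatus`) follows Control Tower lifecycle events; the quota codes, Regions, `FakeQuotasClient` and `SAMPLE_EVENT` are constructed placeholders so the example runs offline.

```python
"""Lambda-style handler that files service quota increase requests in a newly
provisioned account when the CreateManagedAccount lifecycle event fires.

Added example, not from the AWS documentation. The event shape matches
Control Tower lifecycle events as delivered to EventBridge (source
"aws.controltower", eventName and the new account ID under detail); the
quota codes, Regions and FakeQuotasClient are constructed placeholders.
"""
# Hypothetical configuration: quota codes are placeholders; look real ones up
# with `aws service-quotas list-service-quotas --service-code <code>`.
REQUESTED_QUOTAS = [
    {"ServiceCode": "ec2", "QuotaCode": "L-EXAMPLE1", "DesiredValue": 64.0},
    {"ServiceCode": "lambda", "QuotaCode": "L-EXAMPLE2", "DesiredValue": 2000.0},
]
TARGET_REGIONS = ["us-east-1", "eu-west-1"]
EXECUTION_ROLE = "AWSControlTowerExecution"  # role Control Tower provisions in member accounts


def parse_lifecycle_event(event):
    """Return (account_id, state) for a CreateManagedAccount lifecycle event,
    or None for anything else. Every field is checked rather than trusted,
    since the handler will act on the account ID with assumed credentials."""
    if event.get("source") != "aws.controltower":
        return None
    detail = event.get("detail") or {}
    if detail.get("eventName") != "CreateManagedAccount":
        return None
    status = (detail.get("serviceEventDetails") or {}).get("createManagedAccountStatus") or {}
    account_id = (status.get("account") or {}).get("accountId")
    if not (isinstance(account_id, str) and account_id.isdigit() and len(account_id) == 12):
        return None
    return account_id, status.get("state")


def request_increases(account_id, regions, quotas, client_factory):
    """client_factory(account_id, region) returns an object exposing
    request_service_quota_increase(ServiceCode=, QuotaCode=, DesiredValue=)
    with boto3 service-quotas semantics. Returns (region, quota, request id)."""
    filed = []
    for region in regions:
        client = client_factory(account_id, region)
        for quota in quotas:
            resp = client.request_service_quota_increase(**quota)
            filed.append((region, quota["QuotaCode"], resp["RequestedQuota"]["Id"]))
    return filed


def handler(event, context=None, client_factory=None):
    """EventBridge-invoked entry point. Acts only on SUCCEEDED creations."""
    parsed = parse_lifecycle_event(event)
    if parsed is None:
        return {"ignored": True}
    account_id, state = parsed
    if state != "SUCCEEDED":
        return {"ignored": True, "account": account_id, "state": state}
    factory = client_factory or boto3_client_factory
    return {"account": account_id,
            "requests": request_increases(account_id, TARGET_REGIONS, REQUESTED_QUOTAS, factory)}


def boto3_client_factory(account_id, region):
    """Real-AWS path (not exercised offline): assume the execution role in the
    new account and return a service-quotas client scoped to that Region."""
    import boto3
    creds = boto3.client("sts").assume_role(
        RoleArn=f"arn:aws:iam::{account_id}:role/{EXECUTION_ROLE}",
        RoleSessionName="quota-increase-automation",
    )["Credentials"]
    return boto3.client("service-quotas", region_name=region,
                        aws_access_key_id=creds["AccessKeyId"],
                        aws_secret_access_key=creds["SecretAccessKey"],
                        aws_session_token=creds["SessionToken"])


class FakeQuotasClient:
    """Constructed offline stand-in recording every request it receives."""
    calls = []

    def __init__(self, account_id, region):
        self.account_id, self.region = account_id, region

    def request_service_quota_increase(self, **kwargs):
        FakeQuotasClient.calls.append((self.account_id, self.region, kwargs))
        return {"RequestedQuota": {"Id": f"req-{len(FakeQuotasClient.calls)}", "Status": "PENDING"}}


SAMPLE_EVENT = {  # constructed sample of a successful CreateManagedAccount event
    "source": "aws.controltower",
    "detail-type": "AWS Service Event via CloudTrail",
    "detail": {
        "eventName": "CreateManagedAccount",
        "serviceEventDetails": {"createManagedAccountStatus": {
            "account": {"accountName": "workload-a", "accountId": "111122223333"},
            "state": "SUCCEEDED",
            "organizationalUnit": {"organizationalUnitName": "Workloads"},
        }},
    },
}

if __name__ == "__main__":
    print(handler(SAMPLE_EVENT, client_factory=FakeQuotasClient))
```

Wire it up with an EventBridge rule in the management account matching `{"source": ["aws.controltower"], "detail": {"eventName": ["CreateManagedAccount"]}}`, and give the function's role only `sts:AssumeRole` on the execution role in member accounts; the handler deliberately ignores events that are not a SUCCEEDED CreateManagedAccount so a failed or partial provisioning never triggers quota requests against an account that was not actually set up.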

More information about AWS quotas is available in the AWS General Reference.

Control behavior also is limited in case of mixed governance. For more information, see Avoid mixed governance when configuring Regions.