Limitations and quotas in AWS Control Tower

This chapter covers the AWS service limitations and quotas that you should keep in mind as you use AWS Control Tower. If you're unable to set up your landing zone due to a service quota issue, contact AWS Support.

Limitations in AWS Control Tower

This section describes known limitations and unsupported use cases in AWS Control Tower.

  • Email addresses of shared accounts in the Security OU can be changed, but you must update your landing zone to see these changes in the AWS Control Tower console.

  • A limit of 5 SCPs per OU applies to OUs in your AWS Control Tower landing zone.

  • Existing OUs with over 300 accounts cannot be registered or re-registered in AWS Control Tower.

For information about how to increase certain AWS Control Tower service quotas with an automated request method, view this video: Automate Service Limit Increases. When provisioning new accounts in this environment, you can use lifecycle events to trigger automated requests for service limit increases in specified AWS Regions. The video also shows how to automate enrollment of new accounts into Enterprise support for your organization.
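The lifecycle-event approach described above can be sketched as a Lambda handler. This is an added example, not code from AWS or from the video. The quota plan, the placeholder quota code `L-EXAMPLE01`, and the use of the `AWSControlTowerExecution` role to reach the new account are assumptions.

```python
import re

# Assumed plan: Region -> [(service code, quota code, desired value)].
# "L-EXAMPLE01" is a placeholder, not a real quota code.
QUOTA_PLAN = {"us-east-1": [("ec2", "L-EXAMPLE01", 64.0)],
              "eu-west-1": [("ec2", "L-EXAMPLE01", 32.0)]}

def new_account_id(event):
    """Account ID from a successful CreateManagedAccount lifecycle event, else None."""
    detail = event.get("detail", {})
    if event.get("source") != "aws.controltower":
        return None
    if detail.get("eventName") != "CreateManagedAccount":
        return None
    status = detail.get("serviceEventDetails", {}).get("createManagedAccountStatus", {})
    account_id = str(status.get("account", {}).get("accountId", ""))
    # Only act on completed enrollments with a well-formed 12-digit account ID.
    if status.get("state") != "SUCCEEDED" or not re.fullmatch(r"\d{12}", account_id):
        return None
    return account_id

def assume_role_client(account_id, region, role_name="AWSControlTowerExecution"):
    """Service Quotas client inside the new account (role name is an assumption)."""
    import boto3  # imported lazily so the rest of the module works offline
    creds = boto3.client("sts").assume_role(
        RoleArn=f"arn:aws:iam::{account_id}:role/{role_name}",
        RoleSessionName="quota-automation")["Credentials"]
    return boto3.client("service-quotas", region_name=region,
                        aws_access_key_id=creds["AccessKeyId"],
                        aws_secret_access_key=creds["SecretAccessKey"],
                        aws_session_token=creds["SessionToken"])

def request_increases(account_id, client_factory=assume_role_client, plan=QUOTA_PLAN):
    """Request each planned increase unless the quota is already high enough."""
    submitted = []
    for region, wants in plan.items():
        client = client_factory(account_id, region)
        for service, quota, desired in wants:
            current = client.get_service_quota(
                ServiceCode=service, QuotaCode=quota)["Quota"]["Value"]
            if current >= desired:
                continue  # never file a request that would lower or repeat a limit
            client.request_service_quota_increase(
                ServiceCode=service, QuotaCode=quota, DesiredValue=desired)
            submitted.append((region, service, quota, desired))
    return submitted

def handler(event, context, client_factory=assume_role_client):
    """Lambda entry point for an EventBridge rule on Control Tower lifecycle events."""
    account_id = new_account_id(event)
    return request_increases(account_id, client_factory) if account_id else []
```

In production, a dedicated role limited to the Service Quotas actions is a tighter choice than the broadly privileged execution role assumed here.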

Quotas for Integrated Services

Each AWS service has its own quotas and limits. You can find the quotas for each service in its documentation. For more information, see the related links: