Quotas in AWS CloudTrail - AWS CloudTrail

Quotas in AWS CloudTrail

The following table describes quotas, or limits, within CloudTrail. CloudTrail has no adjustable quotas. For information about other quotas in AWS, see AWS service quotas.

Resource Default Limit Comments
Trails per region 5 This limit cannot be increased.
Get, describe, and list APIs 10 transactions per second (TPS) The maximum number of operation requests you can make per second without being throttled. The LookupEvents API is not included in this category.

This limit cannot be increased.

LookupEvents API 2 transactions per second (TPS) The maximum number of operation requests you can make per second without being throttled.

This limit cannot be increased.

All other APIs 1 transaction per second (TPS) The maximum number of operation requests you can make per second without being throttled.

This limit cannot be increased.

Event selectors 5 per trail This limit cannot be increased.
Advanced event selectors 500 conditions across all advanced event selectors

If a trail uses advanced event selectors, a maximum of 500 total values for all conditions in all advanced event selectors is allowed. Unless a trail logs data events on all resources, such as all S3 buckets or all Lambda functions, a trail is limited to 250 data resources. Data resources can be distributed across event selectors, but the overall total cannot exceed 250.

This limit cannot be increased.

Data resources in event selectors 250 across all event selectors in a trail If you choose to limit data events by using event selectors or advanced event selectors, the total number of data resources cannot exceed 250 across all event selectors in a trail. The limit of number of resources on an individual event selector is configurable up to 250. This upper limit is allowed only if the total number of data resources does not exceed 250 across all event selectors.

Examples:

  • A trail with 5 event selectors, each configured with 50 data resources, is allowed. (5*50=250)

  • A trail with 5 event selectors, 3 of which are configured with 50 data resources, 1 of which is configured with 99 data resources, and 1 of which is configured with 1 data resource, is also allowed. ((3*50)+1+99=250)

  • A trail configured with 5 event selectors, all of which are configured with 100 data resources, is not allowed. (5*100=500)

This limit cannot be increased.

The limit does not apply if you choose to log data events on all resources, such as all S3 buckets or all Lambda functions.

Event size

All event versions: events over 256 KB cannot be sent to CloudWatch Logs

Event version 1.05 and newer: total event size limit of 256 KB

Amazon CloudWatch Logs and Amazon CloudWatch Events each allow a maximum event size of 256 KB. CloudTrail does not send events over 256 KB to CloudWatch Logs or CloudWatch Events.

Starting with event version 1.05, events have a maximum size of 256 KB. This is to help prevent exploitation by malicious actors, and allow events to be consumed by other AWS services, such as CloudWatch Logs and CloudWatch Events.

CloudTrail file size sent to Amazon S3

256 KB ZIP file

Writing buffer size: 5 MB or 5 minutes

CloudTrail sends a maximum zipped log file size of 256 KB to S3.

The maximum amount of data in the writing buffer is 5 MB (or five minutes, whichever limit is reached first). CloudTrail writes the data in maximum 256 KB-per-file ZIP files to S3. If five minutes lapse before the maximum amount of data fills the buffer, the log files in the buffer are sent to S3 in 256 KB blocks, and if enabled on the trail, log delivery notifications are sent by Amazon SNS.