AWS IoT Core endpoints and quotas - AWS General Reference

AWS IoT Core endpoints and quotas

The following are the service endpoints and service quotas for this service. To connect programmatically to an AWS service, you use an endpoint. In addition to the standard AWS endpoints, some AWS services offer FIPS endpoints in selected Regions. For more information, see AWS service endpoints. Service quotas, also referred to as limits, are the maximum number of service resources or operations for your AWS account. For more information, see AWS service quotas.

Service Endpoints

The following sections describe the service endpoints for AWS IoT Core.

Note

You can use these endpoints to perform the operations in the AWS IoT API Reference. The endpoints in the following sections are different from the device endpoints, which provide devices an MQTT publish/subscribe interface and a subset of the API operations. For more information about the data, credential access, and job management endpoints used by devices, see AWS IoT device endpoints.

For information about connecting to and using the AWS IoT endpoints, see Connecting devices to AWS IoT in the AWS IoT Developer Guide.

Control Plane API Endpoints

The following table contains AWS Region-specific endpoints that AWS IoT Core supports for group management operations. For information about the actions supported by these endpoints, see AWS IoT operations in the AWS IoT API Reference.

Region Name Region Endpoint Protocol
US East (Ohio) us-east-2 iot.us-east-2.amazonaws.com HTTPS
US East (N. Virginia) us-east-1 iot.us-east-1.amazonaws.com HTTPS
US West (N. California) us-west-1 iot.us-west-1.amazonaws.com HTTPS
US West (Oregon) us-west-2 iot.us-west-2.amazonaws.com HTTPS
Asia Pacific (Hong Kong) ap-east-1 iot.ap-east-1.amazonaws.com HTTPS
Asia Pacific (Mumbai) ap-south-1 iot.ap-south-1.amazonaws.com HTTPS
Asia Pacific (Seoul) ap-northeast-2 iot.ap-northeast-2.amazonaws.com HTTPS
Asia Pacific (Singapore) ap-southeast-1 iot.ap-southeast-1.amazonaws.com HTTPS
Asia Pacific (Sydney) ap-southeast-2 iot.ap-southeast-2.amazonaws.com HTTPS
Asia Pacific (Tokyo) ap-northeast-1 iot.ap-northeast-1.amazonaws.com HTTPS
Canada (Central) ca-central-1 iot.ca-central-1.amazonaws.com HTTPS
Europe (Frankfurt) eu-central-1 iot.eu-central-1.amazonaws.com HTTPS
Europe (Ireland) eu-west-1 iot.eu-west-1.amazonaws.com HTTPS
Europe (London) eu-west-2 iot.eu-west-2.amazonaws.com HTTPS
Europe (Paris) eu-west-3 iot.eu-west-3.amazonaws.com HTTPS
Europe (Stockholm) eu-north-1 iot.eu-north-1.amazonaws.com HTTPS
Middle East (Bahrain) me-south-1 iot.me-south-1.amazonaws.com HTTPS
South America (São Paulo) sa-east-1 iot.sa-east-1.amazonaws.com HTTPS
AWS GovCloud (US-East) us-gov-east-1 iot.us-gov-east-1.amazonaws.com HTTPS
AWS GovCloud (US-West) us-gov-west-1 iot.us-gov-west-1.amazonaws.com HTTPS

Data Plane API Endpoints

The Data Plane API endpoints are specific to each AWS Account and Region. To find the Data Plane API endpoint for your AWS Account and Region, use the describe-endpoint CLI command shown here, or the DescribeEndpoint REST API.

aws iot describe-endpoint --endpoint-type iot:Data-ATS

This command returns your Data Plane API endpoint in the following format:

account-specific-prefix.iot.aws-region.amazonaws.com

For information about the actions supported by the Data Plane API Endpoints, see AWS IoT data plane operations in the AWS IoT API Reference.

The following table contains generic representations of the AWS Account-specific endpoints for each Region that AWS IoT Core supports. In the Endpoint column, the account-specific-prefix from your Account-specific endpoint replaces data shown in the generic endpoint representation.

Region Name Region Endpoint Protocol
US East (Ohio) us-east-2 data.iot.us-east-2.amazonaws.com HTTPS
US East (N. Virginia) us-east-1 data.iot.us-east-1.amazonaws.com HTTPS
US West (N. California) us-west-1 data.iot.us-west-1.amazonaws.com HTTPS
US West (Oregon) us-west-2 data.iot.us-west-2.amazonaws.com HTTPS
Asia Pacific (Hong Kong) ap-east-1 data.iot.ap-east-1.amazonaws.com HTTPS
Asia Pacific (Mumbai) ap-south-1 data.iot.ap-south-1.amazonaws.com HTTPS
Asia Pacific (Seoul) ap-northeast-2 data.iot.ap-northeast-2.amazonaws.com HTTPS
Asia Pacific (Singapore) ap-southeast-1 data.iot.ap-southeast-1.amazonaws.com HTTPS
Asia Pacific (Sydney) ap-southeast-2 data.iot.ap-southeast-2.amazonaws.com HTTPS
Asia Pacific (Tokyo) ap-northeast-1 data.iot.ap-northeast-1.amazonaws.com HTTPS
Canada (Central) ca-central-1 data.iot.ca-central-1.amazonaws.com HTTPS
Europe (Frankfurt) eu-central-1 data.iot.eu-central-1.amazonaws.com HTTPS
Europe (Ireland) eu-west-1 data.iot.eu-west-1.amazonaws.com HTTPS
Europe (London) eu-west-2 data.iot.eu-west-2.amazonaws.com HTTPS
Europe (Paris) eu-west-3 data.iot.eu-west-3.amazonaws.com HTTPS
Europe (Stockholm) eu-north-1 data.iot.eu-north-1.amazonaws.com HTTPS
Middle East (Bahrain) me-south-1 data.iot.me-south-1.amazonaws.com HTTPS
South America (São Paulo) sa-east-1 data.iot.sa-east-1.amazonaws.com HTTPS
AWS GovCloud (US-East) us-gov-east-1 data.iot.us-gov-east-1.amazonaws.com HTTPS
AWS GovCloud (US-West) us-gov-west-1 data.iot.us-gov-west-1.amazonaws.com HTTPS

Jobs Data Plane API Endpoints

The Jobs Data Plane API endpoints are specific to each AWS Account and Region. To find the Jobs Data Plane API endpoint for your AWS Account and Region, use the describe-endpoint CLI command shown here, or the DescribeEndpoint REST API.

aws iot describe-endpoint --endpoint-type iot:Jobs

This command returns your Jobs Data Plane API endpoint in the following format:

account-specific-prefix.jobs.iot.aws-region.amazonaws.com

For information about the actions supported by the Jobs Data Plane API Endpoints, see AWS IoT jobs data plane operations in the AWS IoT API Reference.

The following table contains AWS Region-specific endpoints that AWS IoT Core supports for job data operations. In the Endpoint column, the account-specific-prefix from your Account-specific endpoint replaces prefix shown in the generic endpoint representation.

Region Name Region Endpoint Protocol
US East (Ohio) us-east-2 prefix.jobs.iot.us-east-2.amazonaws.com HTTPS
US East (N. Virginia) us-east-1 prefix.jobs.iot.us-east-1.amazonaws.com HTTPS
US West (N. California) us-west-1 prefix.jobs.iot.us-west-1.amazonaws.com HTTPS
US West (Oregon) us-west-2 prefix.jobs.iot.us-west-2.amazonaws.com HTTPS
Asia Pacific (Hong Kong) ap-east-1 prefix.jobs.iot.ap-east-1.amazonaws.com HTTPS
Asia Pacific (Mumbai) ap-south-1 prefix.jobs.iot.ap-south-1.amazonaws.com HTTPS
Asia Pacific (Seoul) ap-northeast-2 prefix.jobs.iot.ap-northeast-2.amazonaws.com HTTPS
Asia Pacific (Singapore) ap-southeast-1 prefix.jobs.iot.ap-southeast-1.amazonaws.com HTTPS
Asia Pacific (Sydney) ap-southeast-2 prefix.jobs.iot.ap-southeast-2.amazonaws.com HTTPS
Asia Pacific (Tokyo) ap-northeast-1 prefix.jobs.iot.ap-northeast-1.amazonaws.com HTTPS
Canada (Central) ca-central-1 prefix.jobs.iot.ca-central-1.amazonaws.com HTTPS
China (Beijing) cn-north-1 prefix.jobs.iot.cn-north-1.amazonaws.com.cn HTTPS
China (Ningxia) cn-northwest-1 prefix.jobs.iot.cn-northwest-1.amazonaws.com.cn HTTPS
Europe (Frankfurt) eu-central-1 prefix.jobs.iot.eu-central-1.amazonaws.com HTTPS
Europe (Ireland) eu-west-1 prefix.jobs.iot.eu-west-1.amazonaws.com HTTPS
Europe (London) eu-west-2 prefix.jobs.iot.eu-west-2.amazonaws.com HTTPS
Europe (Paris) eu-west-3 prefix.jobs.iot.eu-west-3.amazonaws.com HTTPS
Europe (Stockholm) eu-north-1 prefix.jobs.iot.eu-north-1.amazonaws.com HTTPS
Middle East (Bahrain) me-south-1 prefix.jobs.iot.me-south-1.amazonaws.com HTTPS
South America (São Paulo) sa-east-1 prefix.jobs.iot.sa-east-1.amazonaws.com HTTPS
AWS GovCloud (US) us-gov-west-1 prefix.jobs.iot.us-gov-west-1.amazonaws.com HTTPS

Secure Tunneling API Endpoints

The following table contains AWS Region-specific endpoints that AWS IoT Core supports for secure tunneling operations. For more information, see AWS IoT secure tunneling operations in the AWS IoT API Reference.

Region Name Region Endpoint Protocol
US East (Ohio) us-east-2 api.tunneling.iot.us-east-2.amazonaws.com HTTPS
US East (N. Virginia) us-east-1 api.tunneling.iot.us-east-1.amazonaws.com HTTPS
US West (N. California) us-west-1 api.tunneling.iot.us-west-1.amazonaws.com HTTPS
US West (Oregon) us-west-2 api.tunneling.iot.us-west-2.amazonaws.com HTTPS
Asia Pacific (Hong Kong) ap-east-1 api.tunneling.iot.ap-east-1.amazonaws.com HTTPS
Asia Pacific (Mumbai) ap-south-1 api.tunneling.iot.ap-south-1.amazonaws.com HTTPS
Asia Pacific (Seoul) ap-northeast-2 api.tunneling.iot.ap-northeast-2.amazonaws.com HTTPS
Asia Pacific (Singapore) ap-southeast-1 api.tunneling.iot.ap-southeast-1.amazonaws.com HTTPS
Asia Pacific (Sydney) ap-southeast-2 api.tunneling.iot.ap-southeast-2.amazonaws.com HTTPS
Asia Pacific (Tokyo) ap-northeast-1 api.tunneling.iot.ap-northeast-1.amazonaws.com HTTPS
Canada (Central) ca-central-1 api.tunneling.iot.ca-central-1.amazonaws.com HTTPS
Europe (Frankfurt) eu-central-1 api.tunneling.iot.eu-central-1.amazonaws.com HTTPS
Europe (Ireland) eu-west-1 api.tunneling.iot.eu-west-1.amazonaws.com HTTPS
Europe (London) eu-west-2 api.tunneling.iot.eu-west-2.amazonaws.com HTTPS
Europe (Paris) eu-west-3 api.tunneling.iot.eu-west-3.amazonaws.com HTTPS
Europe (Stockholm) eu-north-1 api.tunneling.iot.eu-north-1.amazonaws.com HTTPS
Middle East (Bahrain) me-south-1 api.tunneling.iot.me-south-1.amazonaws.com HTTPS
South America (São Paulo) sa-east-1 api.tunneling.iot.sa-east-1.amazonaws.com HTTPS
AWS GovCloud (US-East) us-gov-east-1 api.tunneling.iot.us-gov-east-1.amazonaws.com HTTPS
AWS GovCloud (US-West) us-gov-west-1 api.tunneling.iot.us-gov-west-1.amazonaws.com HTTPS

AWS IoT Core for LoRaWAN API endpoints

Control Plane API Endpoints

The following table contains AWS Region-specific endpoints that AWS IoT Core for LoRaWAN supports for operations to manage LoRaWAN gateways and devices.

Region Name Region Endpoint Protocol
US East (N. Virginia) us-east-1 api.iotwireless.us-east-1.amazonaws.com HTTPS
US West (Oregon) us-west-2 api.iotwireless.us-west-2.amazonaws.com HTTPS
Europe (Ireland) eu-west-1 api.iotwireless.eu-west-1.amazonaws.com HTTPS
Asia Pacific (Tokyo) ap-northeast-1 api.iotwireless.ap-northeast-1.amazonaws.com HTTPS
Asia Pacific (Sydney) ap-southeast-2 api.iotwireless.ap-southeast-2.amazonaws.com HTTPS

Data Plane API Endpoints

The Data Plane API endpoints are specific to each AWS Account and Region. To find the Data Plane API endpoint for your AWS Account and Region, use the get-service-endpoint CLI command shown here, or the GetServiceEndpoint REST API.

aws iotwireless get-service-endpoint

This command returns information about:

  • The service type for which you want endpoint information, which can be CUPS or LNS.

  • The CUPS or LNS server trust certificate depending on the endpoint specified.

  • Your Data Plane API endpoint in the following format:

    account-specific-prefix.service.lorawan.aws-region.amazonaws.com

where service can be cups or lns.

The following table contains generic representations of the AWS Account-specific LNS endpoints for each Region that AWS IoT Core supports. In the Endpoint column, the account-specific-prefix from your Account-specific endpoint replaces data shown in the generic endpoint representation.

LNS endpoints
Region Name Region Endpoint Protocol
US East (N. Virginia) us-east-1 prefix.lns.lorawan.us-east-1.amazonaws.com WSS
US West (Oregon) us-west-2 prefix.lns.lorawan.us-west-2.amazonaws.com WSS
Europe (Ireland) eu-west-1 prefix.lns.lorawan.eu-west-1.amazonaws.com WSS
Asia Pacific (Tokyo) ap-northeast-1 prefix.lns.lorawan.ap-northeast-1.amazonaws.com WSS
Asia Pacific (Sydney) ap-southeast-2 prefix.lns.lorawan.ap-southeast-2.amazonaws.com WSS

The following table contains generic representations of the AWS Account-specific CUPS endpoints for each Region that AWS IoT Core supports. In the Endpoint column, the account-specific-prefix from your Account-specific endpoint replaces data shown in the generic endpoint representation.

CUPS endpoints
Region Name Region Endpoint Protocol
US East (N. Virginia) us-east-1 prefix.cups.lorawan.us-east-1.amazonaws.com HTTPS
US West (Oregon) us-west-2 prefix.cups.lorawan.us-west-2.amazonaws.com HTTPS
Europe (Ireland) eu-west-1 prefix.cups.lorawan.eu-west-1.amazonaws.com HTTPS
Asia Pacific (Tokyo) ap-northeast-1 prefix.cups.lorawan.ap-northeast-1.amazonaws.com HTTPS
Asia Pacific (Sydney) ap-southeast-2 prefix.cups.lorawan.ap-southeast-2.amazonaws.com HTTPS

Service Quotas

AWS IoT Core Bulk Thing Registration

Resource Description Default
Allowed registration tasks For any given AWS account, only one bulk registration task can run at a time. 1
Data retention policy After the bulk registration task (which can be long lived) is complete, data related to bulk thing registration is permanently deleted after 30 days. 30 days
Maximum line length Each line in an Amazon S3 input JSON file can't exceed 256K in length. 256K
Registration task termination Any pending or incomplete bulk registration tasks are terminated after 30 days. 30 days

AWS IoT Core Rules Engine

Resource Description Quota Adjustable
Rule evaluations per second per AWS account The maximum number of rules that can be evaluated per second per AWS account. This quota includes rule evaluations that result from inbound Basic Ingest messages. 20,000 Yes
Maximum number of actions per rule The maximum number of entries in the rule's actions property. 10 No
Maximum number of rules per AWS account The maximum number of rules that can be defined in a single AWS account. 1,000 Yes
Rule size The maximum size that a rule document definition can contain, measured by number of UTF-8 encoded characters, including white spaces. 256 KB No

AWS IoT Core Rules Engine HTTP Actions

Resource Description Quota Adjustable
Maximum length of an endpoint URL Maximum length of an endpoint URL for topic rule HTTP Action. 2 KB No
Maximum number of headers per action Maximum number of headers per HTTP action. When specifying the list of headers to include in the HTTP request, it must contain a header key and a header value. For more information, see HTTPS. 100 No
Maximum size of a header key Maximum size of a header key for topic rule HTTP action. The header file for an HTTP request includes this header key and a header value. 256 bytes No
Maximum topic rule destinations per AWS account Maximum number of topic rule destinations per AWS account for topic rule HTTPS action. You must confirm and enable HTTPS endpoints before the rules engine can use them. For more information, see Working with topic rule destinations. 1,000 Yes
Ports allowed for HTTP action Number of ports allowed per HTTP action. 443 and 8443 No
Request timeout Request timeout for topic rule HTTP action. The AWS IoT rules engine retries the HTTPS action until the total time to complete a request exceeds the timeout quota. 3,000 ms No

AWS IoT Core Rules Engine Apache Kafka Actions

Resource Limits
Bootstrap server ports 9000-9100
Kerberos key distribution center (KDC) 88

AWS IoT Core Rules Engine VPC Actions

Resource Quota
Maximum number of VPC destinations 5 per account per Region

AWS IoT Core Throttling

This table describes the maximum number of transactions per second (TPS) that can be made to each AWS IoT API.

API Quota (tps) Adjustable
AcceptCertificateTransfer 10 Yes
AddThingToBillingGroup 60 Yes
AddThingToThingGroup 60 Yes
AssociateTargetsWithJob 10 Yes
AttachPolicy 15 Yes
AttachPrincipalPolicy 15 Yes
AttachThingPrincipal 15 No
CancelCertificateTransfer 10 Yes
CancelJob 10 Yes
CancelJobExecution 10 Yes
ClearDefaultAuthorizer 10 Yes
CreateAuthorizer 10 Yes
CreateBillingGroup 25 Yes
CreateCertificateFromCsr 15 Yes
CreateDomainConfiguration 1 No
CreateDynamicThingGroup 5 Yes
CreateJob 10 No
CreateKeysAndCertificate 10 Yes
CreatePolicy 10 Yes
CreatePolicyVersion 10 Yes
CreateProvisioningClaim 10 Yes
CreateProvisioningTemplate 10 Yes
CreateProvisioningTemplateVersion 10 Yes
CreateRoleAlias 10 Yes
CreateThing 15 Yes
CreateThingGroup 25 Yes
CreateThingType 15 Yes
CreateTopicRule 5 Yes
CreateTopicRuleDestination 5 Yes
DeleteAuthorizer 10 Yes
DeleteBillingGroup 15 Yes
DeleteCertificate 10 Yes
DeleteDomainConfiguration 10 Yes
DeleteCACertificate 10 Yes
DeleteDynamicThingGroup 5 Yes
DeleteJob 10 Yes
DeleteJobExecution 10 Yes
DeletePolicy 10 Yes
DeletePolicyVersion 10 Yes
DeleteProvisioningTemplate 10 Yes
DeleteProvisioningTemplateVersion 10 Yes
DeleteRegistrationCode 10 Yes
DeleteRoleAlias 10 Yes
DeleteThing 15 Yes
DeleteThingGroup 15 Yes
DeleteThingType 15 Yes
DeprecateThingType 15 Yes
DeleteTopicRule 20 Yes
DeleteTopicRuleDestination 5 Yes
DeleteV2LoggingLevel 2 No
DescribeAuthorizer 10 Yes
DescribeBillingGroup 100 Yes
DescribeCertificate 10 Yes
DescribeCertificateTag 10 Yes
DescribeCACertificate 10 Yes
DescribeDomainConfiguration 10 Yes
DescribeEndpoint 10 Yes
DescribeDefaultAuthorizer 10 Yes
DescribeJob 10 Yes
DescribeJobExecution 10 Yes
DescribeProvisioningTemplate 10 Yes
DescribeProvisioningTemplateVersion 10 Yes
DescribeRoleAlias 10 Yes
DescribeThing 350 Yes
DescribeThingGroup 100 Yes
DescribeThingType 10 Yes
DetachThingPrincipal 15 Yes
DisableTopicRule 5 Yes
EnableTopicRule 5 Yes
DetachPrincipalPolicy 15 Yes
DetachPolicy 15 Yes
GetEffectivePolicies 50 Yes
GetJobDocument 10
GetLoggingOptions 2 No
GetPolicy 10 Yes
GetPolicyVersion 15 Yes
GetRegistrationCode 10 Yes
GetTopicRule 200 Yes
GetTopicRuleDestination 50 Yes
GetV2LoggingOptions 2 No
ListAttachedPolicies 15 Yes
ListAuthorizers 10 Yes
ListBillingGroups 10 Yes
ListCACertificates 10 Yes
ListCertificates 10 Yes
ListDomainConfigurations 10 Yes
ListCertificatesByCA 10 Yes
ListJobExecutionsForJob 10 Yes
ListJobExecutionsForThing 10 Yes
ListJobs 10 Yes
ListOutgoingCertificates 10 Yes
ListPolicies 10 Yes
ListPolicyPrincipals 10 Yes
ListPolicyVersions 10 Yes
ListPrincipalPolicies 15 Yes
ListPrincipalThings 10 Yes
ListProvisioningTemplates 10 Yes
ListProvisioningTemplateVersions 10 Yes
ListRoleAliases 10 Yes
ListTagsForResource 10 Yes
ListTargetsForPolicy 10 Yes
ListThingGroups 10 Yes
ListThingGroupsForThing 10 Yes
ListThingPrincipals 10 Yes
ListThings 10 Yes
ListThingsInBillingGroup 25 Yes
ListThingsInThingGroup 25 Yes
ListThingTypes 10 Yes
ListTopicRuleDestinations 1 Yes
ListTopicRules 1 Yes
ListV2LoggingLevels 2 No
RegisterCertificate 10 Yes
RegisterCertificateWithoutCA 10 Yes
RegisterCACertificate 10 Yes
RegisterThing 10 Yes
RejectCertificateTransfer 10 Yes
RemoveThingFromBillingGroup 15 Yes
RemoveThingFromThingGroup 15 Yes
ReplaceTopicRule 5 Yes
SetDefaultAuthorizer 10 Yes
SetDefaultPolicyVersion 10 Yes
SetLoggingOptions 2 No
SetV2LoggingLevel 2 No
SetV2LoggingOptions 2 No
TagResource 10 Yes
TestAuthorization 10 Yes
TestInvokeAuthorizer 10 Yes
TransferCertificate 10 Yes
UntagResource 10 Yes
UpdateAuthorizer 10 Yes
UpdateBillingGroup 15 Yes
UpdateCertificate 10 Yes
UpdateCertificateMode 10 Yes
UpdateCertificateTag 10 Yes
UpdateDomainConfiguration 10 Yes
UpdateCACertificate 10 Yes
UpdateDynamicThingGroup 5 Yes
UpdateJob 10 Yes
UpdateProvisioningTemplate 10 Yes
UpdateRoleAlias 10 Yes
UpdateThing 10 Yes
UpdateThingGroup 15 Yes
UpdateTopicRuleDestination 5 Yes

AWS IoT Core for LoRaWAN limits

Device data quotas

The following service quotas apply to AWS IoT Core for LoRaWAN device data, which are transmitted between LoRaWAN devices, gateways, and AWS IoT Core for LoRaWAN.

Resource Description Quota (messages/second) Adjustable

Uplink messages These are messages sent from LoRaWAN devices and received by AWS IoT Core for LoRaWAN. 50 Yes
Downlink messages These are messages sent from AWS IoT Core for LoRaWAN and received by devices. 10 Yes
Connected Gateways These are messages sent between the LoRaWAN devices and gateways. 100 Yes

API Throttling

The following tables describe the maximum number of transactions per second (TPS) that can be made to each action in the AWS IoT Wireless API, which includes AWS IoT Core for LoRaWAN and Amazon Sidewalk Integration.

LoRaWAN Gateways API Throttling

This table describes the maximum TPS for APIs used with LoRaWAN gateways. The gateways route messages between LoRaWAN devices and AWS IoT Core for LoRaWAN.

LoRaWAN Gateways API Throttling
API Quota (tps) Adjustable
AssociateWirelessGatewayWithCertificate 10 No
AssociateWirelessGatewayWithThing 10 Yes
CreateWirelessGateway 10 Yes
CreateWirelessGatewayTask 10 No
CreateWirelessGatewayTaskDefinition 10 No
DeleteWirelessGateway 10 Yes
DeleteWirelessGatewayTask 10 No
DeleteWirelessGatewayTaskDefinition 10 No
DisassociateWirelessGatewayFromCertificate 10 No
DisassociateWirelessGatewayFromThing 10 Yes
GetWirelessGateway 10 Yes
GetWirelessGatewayCertificate 10 No
GetWirelessGatewayFirmwareInformation 10 No
GetWirelessGatewayStatistics 10 No
GetWirelessGatewayTask 10 No
GetWirelessGatewayTaskDefinition 10 No
ListWirelessGatewayTaskDefinitions 10 No
ListWirelessGateways 10 Yes
UpdateWirelessGateway 10 Yes

LoRaWAN Devices API Throttling

This table describes the maximum TPS for APIs used with LoRaWAN devices.

LoRaWAN Devices API Throttling
API Quota (tps) Adjustable
AssociateWirelessDeviceWithThing 10 Yes
CreateWirelessDevice 10 Yes
DeleteWirelessDevice 10 Yes
DisassociateWirelessDeviceFromThing 10 Yes
GetWirelessDevice 10 Yes
GetWirelessDeviceStatistics 10 No
ListWirelessDevices 10 Yes
SendDataToWirelessDevice 10 Yes
TestWirelessDevice 10 Yes
UpdateWirelessDevice 10 Yes

Device Profiles and Destination API Throttling

This table describes device profiles and service profiles and destinations that can route messages to other AWS services.

LoRaWAN Devices API Throttling
API Quota (tps) Adjustable
CreateDestination 10 Yes
CreateDeviceProfile 10 Yes
CreateServiceProfile 10 Yes
DeleteDestination 10 Yes
DeleteDeviceProfile 10 Yes
DeleteServiceProfile 10 Yes
DisassociateWirelessDeviceFromThing 10 Yes
GetDestination 10 Yes
GetDeviceProfile 10 Yes
GetServiceProfile 10 Yes
ListDestinations 10 Yes
ListDeviceProfiles 10 Yes
ListServiceProfiles 10 Yes
UpdateDestination 10 Yes

Sidewalk and Logging API Throttling

This table describes the maximum TPS for Amazon Sidewalk APIs and APIs that are used for log levels based on resource types.

Sidewalk and Logging API Throttling
API Quota (tps) Adjustable
AssociateAwsAccountWithPartnerAccount 10 Yes
DisassociateAwsAccountFromPartnerAccount 10 Yes
GetLogLevelsByResourceTypes 10 Yes
GetPartnerAccount 10 Yes
GetResourceLogLevel 10 Yes
ListPartnerAccounts 10 Yes
PutResourceLogLevel 10 Yes
ResetAllResourceLogLevels 10 Yes
ResetResourceLogLevel 10 Yes
UpdateLogLevelsByResourceTypes 10 Yes
UpdatePartnerAccount 10 Yes

Tagging and GetServiceEndpoint API Throttling

This table describes the maximum TPS for the GetServiceEndpoint API and APIs used for tagging resources.

Tagging and GetServiceEndpoint API Throttling
API Quota (tps) Adjustable
GetServiceEndpoint 10 No
ListTagsForResource 10 Yes
TagResource 10 Yes
UntagResource 10 Yes

Billing Group Restrictions

  • A thing can belong to exactly one billing group.

  • Unlike thing groups, billing groups cannot be organized into hierarchies.

  • For its usage to be registered for tagging or billing purposes, a device must:

    • Be registered as a thing in AWS IoT Core.

    • Communicate with AWS IoT Core using MQTT only.

    • Authenticate with AWS IoT Core using only its thing name as the client ID.

    • Use an X.509 certificate or Amazon Cognito Identity to authenticate.

    For more information, see Managing Devices with AWS IoT, Authentication, and Device Provisioning. You can use the AttachThingPrincipal API operation to attach a certificate or other credential to a thing.

  • The maximum number of billing groups per AWS account is 20,000.

Device Shadow service

The Device Shadow service API is subject to these per-account limits, depending on the Region.

Device Shadow service API limits
Region Quota Adjustable
ap-northeast-1, ap-northeast-2, ap-south-1, ap-southeast-1, ap-southeast-2, cn-north-1, eu-central-1, eu-west-1, eu-west-2, us-east-1, us-east-2, us-west-1, us-west-2 4,000 Device Shadow API requests/second per account Yes
All other Regions 400 Device Shadow API requests/second per account Yes

Device Shadow service resources are subject to these limits.

Device Shadow service resource limits
Resource Description Quotas Adjustable
Maximum depth of JSON device state documents The maximum number of levels in the desired or reported section of the JSON device state document is 5. For example: "desired": { "one": { "two": { "three": { "four": { "five":{ } } } } } } 5 No
Maximum number of in-flight, unacknowledged messages per thing The Device Shadow service supports up to 10 in-flight, unacknowledged messages per thing on a single connection. When this quota is reached, all new Device Shadow service requests are rejected with a 429 error code until the number of in-flight requests drops below the limit. 10 No
Maximum number of JSON objects per AWS account The maximum number of JSON objects per AWS account, which is unlimited. Unlimited N/A
Maximum number of Device Shadows in an AWS account The maximum number of Device Shadows in an AWS account. Unlimited N/A
Maximum size of a JSON state document By default, each individual Device Shadow document must be 8KB or less in size. The maximum Device Shadow document size can be adjusted from 8KB to 30KB. Metadata doesn't contribute to the document size for service quotas or pricing. 8 KB Yes
Maximum thing name size Maximum size of the thing name, which is 128 bytes of UTF-8 encoded characters. 128 bytes No
Maximum Device Shadow name size Maximum size of the Device Shadow name, in bytes of UTF-8 encoded characters. 64 bytes No
Requests per second per thing The Device Shadow service requests per second per thing. This quota is per thing resource, not per API. 20 No

Note

AWS IoT Core deletes a Device Shadow document after the creating account is deleted or upon customer request. For operational purposes, AWS IoT service backups are retained for 6 months.

AWS IoT Core Fleet Provisioning

Following are throttling limits for some fleet provisioning APIs per AWS account.

Fleet Provisioning API Throttling
API Transactions Per Second (TPS) Adjustable
CreateKeysAndCertificate 10 Yes
CreateCertificateFromCsr 100 Yes
RegisterThing 10 Yes

Fleet provisioning is also subject to these quotas.

Resource Description Quota Adjustable
Maximum number of fleet provisioning template versions per template Maximum number of fleet provisioning template versions per template. Each template version has a version ID and a creation date for devices connecting to AWS IoT using fleet provisioning. 5 No
Maximum number of fleet provisioning templates per customer Maximum number of fleet provisioning templates per customer. Use fleet provisioning templates to generate certificates and private keys for your devices to securely connect to AWS IoT. 256 No
Maximum size of fleet provisioning template Maximum size of fleet provisioning templates in Kilobytes. Fleet provisioning templates allow you to generate certificates and private keys for your devices to securely connect to AWS IoT. 10 Kb No
Maximum number of provisioning claims that can be generated per second by trusted user The maximum number of provisioning claims that can be generated per second by a trusted user. A trusted user can be an end user or installation technician who uses a mobile app or web application to configure the device in its deployed location. 10 tps No

AWS IoT Core Message Broker

Resource Description Default Adjustable
Connect requests per second per account AWS IoT Core restricts an account to a maximum number of MQTT CONNECT requests per second. 500 Yes
Connect requests per second per client ID AWS IoT Core restricts MQTT CONNECT requests from the same accountId and clientId to 1 MQTT CONNECT operation per second. 1 No
Inbound publish requests per second per account Inbound publish requests count for all the messages that AWS IoT Core processes before routing the messages to the subscribed clients or the rules engine. For example, a single message published on $aws/things/device/shadow/update topic can result in publishing 3 additional messages to $aws/things/device/shadow/update/accepted, $aws/things/device/shadow/update/documents, and $aws/things/device/shadow/delta topics. In this case, AWS IoT Core counts those as 4 inbound publish requests. However, a single message to an unreserved topic like a/b is counted as a single inbound publish request. 20,000 Yes
Maximum concurrent client connections per account The maximum number of concurrent connections allowed per account. 500,000 Yes
Maximum inbound unacknowledged QoS 1 publish requests AWS IoT Core restricts the number of unacknowledged inbound publish requests per client. When this quota is reached, no new publish requests are accepted from this client until a PUBACK message is returned by the server. 100 No
Maximum outbound unacknowledged QoS 1 publish requests AWS IoT Core restricts the number of unacknowledged outbound publish requests per client. When this quota is reached, no new publish requests are sent to the client until the client acknowledges the publish requests. 100 No
Maximum retry interval for delivering QoS 1 messages AWS IoT Core retries delivery of unacknowledged quality of service 1 (QoS 1) publish requests to a client for up to one hour. If AWS IoT Core does not receive a PUBACK message from the client after one hour, it drops the publish requests. 1 hour No
Outbound publish requests per second per account Outbound publish requests count for every message that resulted in matching a client's subscription or matching a rules engine subscription. For example, 2 clients are subscribed to topic filter a/b and a rule is subscribed to topic filter a/#. An inbound publish request on topic a/b results in a total of 3 outbound publish requests. 20,000 Yes
Persistent session expiry period The duration for which the message broker stores an MQTT persistent session. The expiry period begins when the message broker detects the session has become disconnected. After the expiry period has elapsed, the message broker terminates the session and discards any associated queued messages. You can adjust this to a value from 1 hour to 7 days by using the standard limit increase process. 1 hour Yes
Queued session message requests per second per account AWS IoT Core restricts an account to a maximum number of queued messages per second per account. This limit applies when AWS IoT Core stores the messages sent to offline persistent sessions. 500 Yes
Publish requests per second per connection AWS IoT Core restricts each client connection to a maximum number of inbound and outbound publish requests per second. This limit includes messages sent to offline persistent session. Publish requests that exceed that quota are discarded. 100 No
Subscriptions per account AWS IoT Core restricts an account to a maximum number of subscriptions across all active connections. 500,000 Yes
Subscriptions per connection AWS IoT Core supports 50 subscriptions per connection. AWS IoT Core might reject subscription requests on the same connection in excess of this amount and the connection is closed. Clients should validate the SUBACK message to ensure that their subscription requests have been successfully processed. 50 No
Subscriptions per second per account AWS IoT Core restricts an account to a maximum number of subscriptions per second. For example, if there are 2 MQTT SUBSCRIBE requests sent within a second, each with 3 subscriptions (topic filters), AWS IoT Core counts those as 6 subscriptions. 500 Yes
Throughput per second per connection Data received or sent over a client connection is processed at a maximum throughput rate. Data that exceeds the maximum throughput is delayed in processing. 512 KiB No

Protocols

Resource Description Default Adjustable
Client ID size Size of the client ID, which is 128 bytes of UTF-8 encoded characters. 128 No
Connection inactivity (keep-alive interval) For MQTT (or MQTT over WebSocket) connections, a client can request a keep-alive interval of 30 to 1200 seconds as part of the MQTT CONNECT message. AWS IoT Core starts the keep-alive timer for a client when sending CONNACK in response to the CONNECT message. This timer is reset whenever AWS IoT receives a PUBLISH, SUBSCRIBE, PING, or PUBACK message from the client. AWS IoT Core disconnects a client whose keep-alive timer has reached 1.5x the specified keep-alive interval. The default keep-alive interval is 1200 seconds. If a client requests a keep-alive interval of zero, the default keep-alive interval is used. If a client requests a keep-alive interval greater than 1200 seconds, the default keep-alive interval is used. If a client requests a keep-alive interval shorter than 30 seconds but greater than zero, the server treats the client as though it requested a keep-alive interval of 30 seconds. 1200 No
Maximum number of slashes in topic and topic filter A topic in a publish or subscribe request can have no more than 7 forward slashes (/). This excludes the first 3 slashes in the mandatory segments for Basic Ingest topics ($AWS/rules/rule-name/). 7 No
Maximum subscriptions per subscribe request A single SUBSCRIBE request has a quota of 8 subscriptions. 8 No
Message size The payload for every publish request can be no larger than 128 KB. AWS IoT Core rejects publish and connect requests larger than this size. 128 No
Restricted client ID prefix $ is reserved for AWS IoT Core-generated client IDs. N/A N/A
Restricted topic prefix Topics that start with $ are reserved by AWS IoT Core. They are not supported for publishing and subscribing except for using the specific topic names defined by AWS IoT Core services (for example, the Device Shadow service). N/A N/A
Topic size The topic passed to AWS IoT Core when sending a publish request can be no larger than 256 bytes of UTF-8 encoded characters. This excludes the first 3 mandatory segments for Basic Ingest topics ($AWS/rules/rule-name/). 256 No
WebSocket connection duration The WebSocket connection quota is 24 hours. If the quota is exceeded, the WebSocket connection is closed when the client or server attempts to send a message. 86400 No
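
The keep-alive and topic rules in the table above can be checked on the client before a CONNECT or PUBLISH is sent. The following is an added example, not code from AWS or from this page; the function names are hypothetical, and matching the Basic Ingest prefix case-insensitively is an assumption.

```python
# Limits taken from the Protocols table above.
KEEPALIVE_MIN, KEEPALIVE_MAX = 30, 1200   # seconds
MAX_SLASHES, MAX_TOPIC_BYTES = 7, 256
# The table writes the prefix as $AWS/rules/rule-name/; matching it
# case-insensitively is an assumption of this example.
BASIC_INGEST_PREFIX = "$aws/rules/"


def effective_keepalive(requested):
    """Keep-alive interval (seconds) the broker applies to a CONNECT request."""
    if not 0 <= requested <= 0xFFFF:
        raise ValueError("MQTT keep-alive is an unsigned 16-bit value")
    if requested == 0 or requested > KEEPALIVE_MAX:
        return KEEPALIVE_MAX                  # zero or too large: default is used
    return max(requested, KEEPALIVE_MIN)      # 1..29 is treated as 30


def disconnect_after(requested):
    """Seconds of client silence after which the broker disconnects the client."""
    return 1.5 * effective_keepalive(requested)


def check_publish_topic(topic):
    """Return the Protocols-table limits that a publish topic violates."""
    problems = []
    counted = topic
    if topic.lower().startswith(BASIC_INGEST_PREFIX):
        # The first 3 segments and their slashes do not count toward the limits.
        parts = topic.split("/", 3)
        counted = parts[3] if len(parts) > 3 else ""
    elif topic.startswith("$"):
        problems.append("starts with $: must be a topic name defined by AWS IoT Core")
    if counted.count("/") > MAX_SLASHES:
        problems.append("more than 7 forward slashes")
    if len(counted.encode("utf-8")) > MAX_TOPIC_BYTES:
        problems.append("larger than 256 bytes of UTF-8")
    return problems


if __name__ == "__main__":
    # Constructed sample values, not taken from any real deployment.
    for ka in (0, 10, 60, 5000):
        print(ka, effective_keepalive(ka), disconnect_after(ka))
    for t in ("a/b/c", "a/b/c/d/e/f/g/h/i", "$AWS/rules/myrule/a/b", "$custom/x"):
        print(t, check_publish_topic(t))
```

A client that requests a 10-second keep-alive is therefore disconnected after 45 seconds of silence, not 15, which matters when sizing dead-device detection.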

AWS IoT Core Credential Provider

The following table shows the throttling limit for the AssumeRoleWithCertificate API.

Region Transactions Per Second (TPS) Adjustable
us-east-1, us-west-2, eu-west-1 100 Yes
All other Regions 50 Yes

AWS IoT Core Credential Provider is also subject to the following limit.

Resource Description Default Adjustable
Maximum number of AWS IoT Core role aliases per AWS Account per AWS Region Maximum number of AWS IoT Core role aliases registered in your AWS account. AWS IoT Core role alias allows connected devices to authenticate to AWS IoT using X.509 certificates and obtain short-lived AWS credentials from an IAM role that is associated with the role alias. 100 No

Security and Identity

Resource Description Default Adjustable
Maximum number of CA certificates with the same subject field allowed per AWS account per Region The maximum number of CA certificates with the same subject field allowed per AWS account per Region. If you have more than one CA certificate with the same subject field, you must specify the CA certificate that was used to sign the device certificate being registered. 10 No
Maximum number of device certificates that can be registered per second The maximum number of device certificates that can be registered per second. You can select up to 15 files to register. 15 Yes
Maximum number of named policy versions per policy The maximum number of named policy versions. A managed AWS IoT policy can have up to five versions. To update a policy, create a new policy version. If the policy has five versions, you must delete an existing version before creating a new one. 5 No
Maximum number of policies that can be attached to a certificate or Amazon Cognito identity The maximum number of policies that can be attached to a client certificate or an Amazon Cognito identity, which is 10. Amazon Cognito identity enables you to create temporary, limited-privilege AWS credentials for use in mobile and web applications. 10 No
Maximum policy document size The maximum size of the policy document, which is 2048 characters excluding white spaces. 2048 characters (excluding white space) No

Maximum number of domain configurations per AWS Account per AWS Region The maximum number of domain configurations per AWS Account per AWS Region. 10 Yes
Custom authentication: maximum number of authorizers per AWS Account per AWS Region The maximum number of authorizers that can be registered to your AWS account. Authorizers have a Lambda function that implements custom authentication and authorization. 10 No
Custom authentication: minimum connection duration (value of DisconnectAfterInSecs) The Lambda function of a custom authorizer uses a DisconnectAfterInSeconds parameter to indicate the maximum duration (in seconds) of the connection to the AWS IoT Core gateway. The connection is terminated if it exceeds this value. 300 No
Custom authentication: maximum connection duration (value of DisconnectAfterInSecs) The maximum duration (in seconds) of the connection to the AWS IoT Core gateway, defined by the value of DisconnectAfterInSecs. 86,400 No
Custom authentication: minimum policy refresh rate (value of RefreshAfterInSecs) The Lambda function of a custom authorizer uses a RefreshAfterInSeconds parameter to indicate the interval (in seconds) between policy refreshes when connected to the AWS IoT Core gateway. When this interval passes, AWS IoT Core invokes the Lambda function to allow for policy refreshes. 300 No
Custom authentication: maximum policy refresh rate (value of RefreshAfterInSecs) The maximum time interval between policy refreshes when connected to the AWS IoT Core gateway, defined by the value of RefreshAfterInSeconds. 86,400 No

MQTT-based File Delivery

MQTT-based File Delivery Resource Quotas
Resource Description Default Adjustable
Streams per account The maximum number of streams per account. 10000* No
Files per stream The maximum number of files per stream. 10 No
File size The maximum file size (in MB). 24 MB No
Maximum data block size The maximum data block size. 128 KB No
Minimum data block size The minimum data block size. 256 bytes No
Maximum block offset specified in a stream file request The maximum block offset specified in a stream file request. 98,304 No
Maximum blocks that can be requested per stream file request The maximum number of blocks that can be requested per stream file request. 98,304 No
Maximum block bitmap size The maximum block bitmap size. 12,288 bytes No

* For additional information, see Using AWS IoT MQTT-based file delivery in devices in the AWS IoT Developer Guide.

MQTT-based File Delivery Throttling
API Transactions Per Second
CreateStream 15 TPS
DeleteStream 15 TPS
DescribeStream 15 TPS
ListStreams 15 TPS
UpdateStream 15 TPS

Things

Resource Description Default Adjustable
Maximum number of thing attributes for a thing with a thing type Maximum number of thing attributes for a thing with a thing type. Thing types are optional and make it easier to discover things. Things with a thing type can have up to 50 attributes. 50 Yes
Maximum number of thing attributes for a thing without a thing type Maximum number of thing attributes for a thing without a thing type. Things without a thing type can have up to three attributes. 3 No
Maximum number of groups to which a thing can belong The maximum number of groups to which a thing can belong. 10 No
Maximum number of thing types in an AWS account An AWS account can have an unlimited number of thing types. Thing types allow you to store description and configuration information that is common to all things associated with the same thing type. Unlimited N/A
Number of thing types that can be associated with a thing Thing types make it easier to discover things. A thing can be associated with only one thing type. 1 No
Maximum thing name size Maximum size of a thing name, which is 128 bytes of UTF-8 encoded characters. 128 bytes No
Size of thing attributes per thing The size of thing attributes per thing, which is 47 kilobytes. Thing attributes are optional name-value pairs that store information about the thing, which makes it easier to discover things. 47 KB Yes

Thing Groups

Resource Description Default Adjustable
Maximum number of thing groups a thing can belong to A thing can be added to a maximum of 10 thing groups. But you cannot add a thing to more than one group in the same hierarchy. This means that a thing cannot be added to two groups that share a common parent. 10 No
Maximum number of things in a thing group The maximum number of things that can be defined in a thing group, which is unlimited. Unlimited No
Maximum depth of a thing group hierarchy The maximum depth of a hierarchy of thing groups. When you build a hierarchy of groups, the policy attached to the parent group is inherited by its child group, and by all the things in the group and its child groups. This makes it easier to manage permissions for a large number of things. 7 No
Maximum number of attributes associated with a thing group Maximum number of attributes associated with a thing group. Attributes are name-value pairs you can use to store information about a group. You can add, delete, or update the attributes of a group. 50 No
Maximum number of direct child groups The maximum number of direct child groups that a thing group can have in a thing group hierarchy. 100 No
Maximum number of dynamic groups The maximum number of dynamic groups. 100 No
Maximum thing group name size The maximum thing group name size, which is 128 bytes of UTF-8 encoded characters. 128 bytes No
Maximum size of a thing group attribute name, in chars. The maximum size of a thing group attribute name, in chars. 128 No
Maximum size of a thing group attribute value, in chars. The maximum size of a thing group attribute value, in chars. 800 No
Maximum number of policies attached to a static thing group You can attach a policy to a static thing group and so, by extension, to all things in that group and things in any of its child groups. A maximum of 2 policies can be attached to a group. 2 No