AWS IoT Core endpoints and quotas - AWS General Reference

AWS IoT Core endpoints and quotas

The following are the service endpoints and service quotas for this service. To connect programmatically to an AWS service, you use an endpoint. For more information, see AWS service endpoints. Service quotas, also referred to as limits, are the maximum number of service resources or operations for your AWS account. For more information, see AWS service quotas.

Service Endpoints

Region Name Region Endpoint Protocol
US East (Ohio) us-east-2 HTTPS
US East (N. Virginia) us-east-1 HTTPS
US West (N. California) us-west-1 HTTPS
US West (Oregon) us-west-2 HTTPS
Asia Pacific (Hong Kong) ap-east-1 HTTPS
Asia Pacific (Mumbai) ap-south-1 HTTPS
Asia Pacific (Seoul) ap-northeast-2 HTTPS
Asia Pacific (Singapore) ap-southeast-1 HTTPS
Asia Pacific (Sydney) ap-southeast-2 HTTPS
Asia Pacific (Tokyo) ap-northeast-1 HTTPS
Canada (Central) ca-central-1 HTTPS
China (Beijing) cn-north-1 HTTPS
China (Ningxia) cn-northwest-1 HTTPS
Europe (Frankfurt) eu-central-1 HTTPS
Europe (Ireland) eu-west-1 HTTPS
Europe (London) eu-west-2 HTTPS
Europe (Paris) eu-west-3 HTTPS
Europe (Stockholm) eu-north-1 HTTPS
Middle East (Bahrain) me-south-1 HTTPS
South America (São Paulo) sa-east-1 HTTPS
AWS GovCloud (US) us-gov-west-1 HTTPS

For information about using AWS IoT in the AWS GovCloud (US-West) Region, see AWS GovCloud (US-West) Endpoints.

For information about using AWS IoT in the China Regions, see:

AWS IoT supports additional endpoints for working with device shadows. These endpoints add an account specific prefix to the endpoints already listed and can be used with both the MQTT and HTTPS protocols. To look up your account-specific prefix, use the describe-endpoint command:

Region Name Region Endpoint Protocol
US East (Ohio) us-east-2 HTTPS, MQTT
US East (N. Virginia) us-east-1 HTTPS, MQTT
US West (N. California) us-west-1 HTTPS, MQTT
US West (Oregon) us-west-2 HTTPS, MQTT
Asia Pacific (Hong Kong) ap-east-1 HTTPS, MQTT
Asia Pacific (Mumbai) ap-south-1 HTTPS, MQTT
Asia Pacific (Seoul) ap-northeast-2 HTTPS, MQTT
Asia Pacific (Singapore) ap-southeast-1 HTTPS, MQTT
Asia Pacific (Sydney) ap-southeast-2 HTTPS, MQTT
Asia Pacific (Tokyo) ap-northeast-1 HTTPS, MQTT
Canada (Central) ca-central-1 HTTPS, MQTT
China (Beijing) cn-north-1 HTTPS, MQTT
China (Ningxia) cn-northwest-1 HTTPS, MQTT
Europe (Frankfurt) eu-central-1 HTTPS, MQTT
Europe (Ireland) eu-west-1 HTTPS, MQTT
Europe (London) eu-west-2 HTTPS, MQTT
Europe (Paris) eu-west-3 HTTPS, MQTT
Europe (Stockholm) eu-north-1 HTTPS, MQTT
Middle East (Bahrain) me-south-1 HTTPS, MQTT
South America (São Paulo) sa-east-1 HTTPS, MQTT
AWS GovCloud (US-West) us-gov-west-1 HTTPS, MQTT

AWS IoT supports multiple protocols for accessing the message broker and the Thing Shadows service. The following table lists the ports to use for each protocol.

Port Protocol Authentication Mechanism
443 HTTPS Signature Version 4
443 MQTT over WebSocket Signature Version 4
8443 HTTPS TLS client authentication, with certificates
8883 MQTT TLS client authentication, with certificates

Service Quotas


AWS IoT Core Bulk Thing Registration

| Resource | Default | Note |
| --- | --- | --- |
| Allowed registration tasks | 1 | For any given AWS account, only one bulk registration task can run at a time. |
| Data retention policy | 30 days | After the bulk registration task (which can be long-lived) is complete, data related to bulk thing registration is permanently deleted after 30 days. |
| Maximum line length | 256K | Each line in an Amazon S3 input JSON file cannot exceed 256K in length. |
| Registration task termination | 30 days | Any pending or incomplete bulk registration tasks are terminated after 30 days. |

AWS IoT Core Rules Engine

| Resource | Quota | Adjustable |
| --- | --- | --- |
| Inbound publish requests per second per account | 20,000 | Yes |
| Maximum number of actions per rule | 10 | No |
| Maximum number of rules per AWS account | 1,000 | Yes |
| Rule size | Up to 256 KB of UTF-8 encoded characters (including white space). | No |

Basic ingest

| Resource | Description | Quota |
| --- | --- | --- |
| Number of rules per account | | 1,000 maximum |
| Number of actions per rule | | 10 maximum |
| Rule size | | 256 KB maximum |
| Inbound publish requests | Basic ingest inbound publish requests count for all the messages published on basic ingest topics that start with $aws/rules/rule-name | 20,000 per second per account |

AWS IoT Core Rules Engine HTTP Actions

Resource Quota Adjustable
Maximum length of an endpoint URL 2 KiB No
Maximum number of headers per action 100 No
Maximum size of a header key 256 bytes No
Maximum topic rule destinations per account 1,000 No
Ports allowed for HTTP action 443 and 8443 No
Request timeout 3,000 ms No

AWS IoT Core Throttling

API Transactions per Second Adjustable
AcceptCertificateTransfer 10 Yes
AddThingToBillingGroup 60 Yes
AddThingToThingGroup 60 Yes
AssociateTargetsWithJob 10
AttachPolicy 15 Yes
AttachPrincipalPolicy 15 Yes
AttachThingPrincipal 15
CancelCertificateTransfer 10 Yes
CancelJob 10
CancelJobExecution 10
ClearDefaultAuthorizer 10 Yes
CreateAuthorizer 10 Yes
CreateBillingGroup 25 Yes
CreateCertificateFromCsr 15 Yes
CreateDomainConfiguration 10 Yes
CreateDynamicThingGroup 5 Yes
CreateJob 10
CreateKeysAndCertificate 10 Yes
CreatePolicy 10 Yes
CreatePolicyVersion 10 Yes
CreateProvisioningClaim 10 Yes
CreateProvisioningTemplate 10 Yes
CreateProvisioningTemplateVersion 10 Yes
CreateRoleAlias 10 Yes
CreateThing 15 Yes
CreateThingGroup 25 Yes
CreateThingType 15 Yes
CreateTopicRule 5 No
CreateTopicRuleDestination 5 No
DeleteAuthorizer 10 Yes
DeleteBillingGroup 15 Yes
DeleteCertificate 10 Yes
DeleteDomainConfiguration 10 Yes
DeleteCACertificate 10 Yes
DeleteDynamicThingGroup 5 Yes
DeleteJob 10
DeleteJobExecution 10
DeletePolicy 10 Yes
DeletePolicyVersion 10 Yes
DeleteProvisioningTemplate 10 Yes
DeleteProvisioningTemplateVersion 10 Yes
DeleteRegistrationCode 10 Yes
DeleteRoleAlias 10 Yes
DeleteThing 15 Yes
DeleteThingGroup 15 Yes
DeleteThingType 15 Yes
DeprecateThingType 15 Yes
DeleteTopicRule 20 No
DeleteTopicRuleDestination 5 No
DeleteV2LoggingLevel 2 No
DescribeAuthorizer 10 Yes
DescribeBillingGroup 100 Yes
DescribeCertificate 10 Yes
DescribeCertificateTag 10 Yes
DescribeCACertificate 10 Yes
DescribeDomainConfiguration 10 Yes
DescribeEndpoint 10 Yes
DescribeDefaultAuthorizer 10 Yes
DescribeJob 10
DescribeJobExecution 10
DescribeProvisioningTemplate 10 Yes
DescribeProvisioningTemplateVersion 10 Yes
DescribeRoleAlias 10 Yes
DescribeThing 350 Yes
DescribeThingGroup 100 Yes
DescribeThingType 10 Yes
DetachThingPrincipal 15 Yes
DisableTopicRule 5 No
EnableTopicRule 5 No
DetachPrincipalPolicy 15 Yes
DetachPolicy 15 Yes
GetEffectivePolicies 50 Yes
GetJobDocument 10
GetLoggingOptions 2 No
GetPolicy 10 Yes
GetPolicyVersion 15 Yes
GetRegistrationCode 10 Yes
GetTopicRule 200 No
GetTopicRuleDestination 50 No
GetV2LoggingOptions 2 No
ListAttachedPolicies 15 Yes
ListAuthorizers 10 Yes
ListBillingGroups 10 Yes
ListCACertificates 10 Yes
ListCertificates 10 Yes
ListChildThingGroups 15 Yes
ListDomainConfigurations 10 Yes
ListCertificatesByCA 10 Yes
ListJobExecutionsForJob 10
ListJobExecutionsForThing 10
ListJobs 10
ListOutgoingCertificates 10 Yes
ListPolicies 10 Yes
ListPolicyPrincipals 10 Yes
ListPolicyVersions 10 Yes
ListPrincipalPolicies 15 Yes
ListPrincipalThings 10 Yes
ListProvisioningTemplates 10 Yes
ListProvisioningTemplateVersions 10 Yes
ListRoleAliases 10 Yes
ListTagsForResource 10 Yes
ListTargetsForPolicy 10 Yes
ListThingGroups 10 Yes
ListThingGroupsForThing 10 Yes
ListThingPrincipals 10 Yes
ListThings 10 Yes
ListThingsInBillingGroup 25 Yes
ListThingsInThingGroup 25 Yes
ListThingTypes 10 Yes
ListTopicRuleDestinations 1 No
ListTopicRules 1 No
ListV2LoggingLevels 2 No
RegisterCertificate 10 Yes
RegisterCertificateWithoutCA 10 Yes
RegisterCACertificate 10 Yes
RegisterThing 10 Yes
RejectCertificateTransfer 10 Yes
RemoveThingFromBillingGroup 15 Yes
RemoveThingFromThingGroup 15 Yes
ReplaceTopicRule 5 No
SetDefaultAuthorizer 10 Yes
SetDefaultPolicyVersion 10 Yes
SetLoggingOptions 2 No
SetV2LoggingLevel 2 No
SetV2LoggingOptions 2 No
TagResource 10 Yes
TestAuthorization 10 Yes
TestInvokeAuthorizer 10 Yes
TransferCertificate 10 Yes
UntagResource 10 Yes
UpdateAuthorizer 10 Yes
UpdateBillingGroup 15 Yes
UpdateCertificate 10 Yes
UpdateCertificateMode 10 Yes
UpdateCertificateTag 10 Yes
UpdateDomainConfiguration 10 Yes
UpdateCACertificate 10 Yes
UpdateDynamicThingGroup 5 Yes
UpdateJob 10
UpdateProvisioningTemplate 10 Yes
UpdateRoleAlias 10 Yes
UpdateThing 10 Yes
UpdateThingGroup 15 Yes
UpdateTopicRuleDestination 5 No

Billing Group Restrictions

  • A thing can belong to exactly one billing group.

  • Unlike thing groups, billing groups cannot be organized into hierarchies.

  • For its usage to be registered for tagging or billing purposes, a device must:

    • Be registered as a thing in AWS IoT Core.

    • Communicate with AWS IoT Core using MQTT only.

    • Authenticate with AWS IoT Core using only its thing name as the client ID.

    • Use an X.509 certificate or Amazon Cognito Identity to authenticate.

    For more information, see Managing Devices with AWS IoT, Authentication, and Device Provisioning. The AttachThingPrincipal API command can be used to attach a certificate or other credential to a thing.

  • The maximum number of billing groups per account is 20,000.

Device Shadows

| Resource | Description | Adjustable |
| --- | --- | --- |
| Maximum depth of JSON device state documents | The maximum number of levels in the desired or reported section of the JSON device state document is 5. For example: "desired": { "one": { "two": { "three": { "four": { "five": { } } } } } } | |
| Maximum number of in-flight, unacknowledged messages per thing | The Device Shadow service supports up to 10 in-flight unacknowledged messages per thing. When this quota is reached, all new shadow requests are rejected with a 429 error code. | |
| Maximum number of JSON objects per AWS account | | |
| Maximum number of shadows in an AWS account | | |
| Maximum size of a JSON state document | 8 KB. Metadata does not contribute to the document size for service quotas or pricing. | |
| Maximum size of a thing name | 128 bytes of UTF-8 encoded characters. | |
| Requests per second per thing | The Device Shadow service supports up to 20 requests per second per thing. This quota is per thing, not per API. | |

AWS IoT Core deletes a device shadow after the creating account is deleted or upon customer request. For operational purposes, AWS IoT service backups are retained for 6 months.

AWS IoT Core Fleet Provisioning

Resource Quota
Maximum number of fleet provisioning template versions per template 5
Maximum number of fleet provisioning templates per customer 256
Maximum size of fleet provisioning template 10 KiB
Maximum number of provisioning claims that can be generated per second by trusted user 10 tps

AWS IoT Core Message Broker

| Resource | Description | Default | Adjustable |
| --- | --- | --- | --- |
| Connect requests per second per account | AWS IoT Core restricts an account to a maximum number of MQTT CONNECT requests per second. | 500 | Yes |
| Connect requests per second per client ID | AWS IoT Core restricts MQTT CONNECT requests from the same accountId and clientId to 1 MQTT CONNECT operation per second. | 1 | No |
| Inbound publish requests per second per account | Inbound publish requests count for all the messages that AWS IoT Core processes before routing the messages to the subscribed clients or the rules engine. For example, a single message published on $aws/things/device/shadow/update topic can result in publishing 3 additional messages to $aws/things/device/shadow/update/accepted, $aws/things/device/shadow/update/documents, and $aws/things/device/shadow/delta topics. In this case, AWS IoT Core counts those as 4 inbound publish requests. However, a single message to an unreserved topic like a/b is counted as a single inbound publish request. | 20,000 | Yes |
| Maximum concurrent client connections per account | The maximum number of concurrent connections allowed per account. | 500,000 | Yes |
| Maximum inbound unacknowledged QoS 1 publish requests | AWS IoT Core restricts the number of unacknowledged inbound publish requests per client. When this quota is reached, no new publish requests are accepted from this client until a PUBACK message is returned by the server. | 100 | No |
| Maximum outbound unacknowledged QoS 1 publish requests | AWS IoT Core restricts the number of unacknowledged outbound publish requests per client. When this quota is reached, no new publish requests are sent to the client until the client acknowledges the publish requests. | 100 | No |
| Maximum retry interval for delivering QoS 1 messages | AWS IoT Core retries delivery of unacknowledged quality of service 1 (QoS 1) publish requests to a client for up to one hour. If AWS IoT Core does not receive a PUBACK message from the client after one hour, it drops the publish requests. | 1 hour | No |
| Outbound publish requests per second per account | Outbound publish requests count for every message that resulted in matching a client's subscription or matching a rules engine subscription. For example, 2 clients are subscribed to topic filter a/b and a rule is subscribed to topic filter a/#. An inbound publish request on topic a/b results in a total of 3 outbound publish requests. | 20,000 | Yes |
| Persistent session expiry period | The duration for which the message broker stores an MQTT persistent session. The expiry period begins when the message broker detects the session has become disconnected. After the expiry period has elapsed, the message broker terminates the session and discards any associated queued messages. | 1 hour | Yes |
| Publish requests per second per connection | AWS IoT Core restricts each client connection to a maximum number of inbound and outbound publish requests per second. Publish requests that exceed that quota are discarded. | 100 | No |
| Subscriptions per account | AWS IoT Core restricts an account to a maximum number of subscriptions across all active connections. | 500,000 | Yes |
| Subscriptions per connection | AWS IoT Core supports 50 subscriptions per connection. AWS IoT Core might reject subscription requests on the same connection in excess of this amount and the connection is closed. Clients should validate the SUBACK message to ensure that their subscription requests have been successfully processed. | 50 | No |
| Subscriptions per second per account | AWS IoT Core restricts an account to a maximum number of subscriptions per second. For example, if there are 2 MQTT SUBSCRIBE requests sent within a second, each with 3 subscriptions (topic filters), AWS IoT Core counts those as 6 subscriptions. | 500 | Yes |
| Throughput per second per connection | Data received or sent over a client connection is processed at a maximum throughput rate. Data that exceeds the maximum throughput is delayed in processing. | 512 KiB | No |


| Resource | Description |
| --- | --- |
| Client ID size | 128 bytes of UTF-8 encoded characters. |
| Connection inactivity (keep-alive interval) | For MQTT (or MQTT over WebSocket) connections, a client can request a keep-alive interval between 30 and 1200 seconds as part of the MQTT CONNECT message. AWS IoT Core starts the keep-alive timer for a client when sending CONNACK in response to the CONNECT message. This timer is reset whenever AWS IoT receives a PUBLISH, SUBSCRIBE, PING, or PUBACK message from the client. AWS IoT Core disconnects a client whose keep-alive timer has reached 1.5x the specified keep-alive interval (i.e., by a factor of 1.5). The default keep-alive interval is 1200 seconds. If a client requests a keep-alive interval of zero, the default keep-alive interval is used. If a client requests a keep-alive interval greater than 1200 seconds, the default keep-alive interval is used. If a client requests a keep-alive interval shorter than 30 seconds but greater than zero, the server treats the client as though it requested a keep-alive interval of 30 seconds. |
| Maximum number of slashes in topic and topic filter | A topic in a publish or subscribe request can have no more than 7 forward slashes (/). This excludes the first 3 slashes in the mandatory segments for Basic Ingest topics ($AWS/rules/rule-name/). |
| Maximum subscriptions per subscribe request | A single SUBSCRIBE request has a quota of 8 subscriptions. |
| Message size | The payload for every publish request can be no larger than 128 KB. AWS IoT Core rejects publish and connect requests larger than this size. |
| Restricted client ID prefix | $ is reserved for AWS IoT Core-generated client IDs. |
| Restricted topic prefix | Topics that start with $ are reserved by AWS IoT Core. They are not supported for publishing and subscribing except for using the specific topic names defined by AWS IoT Core services (for example, the Device Shadow service). |
| Topic size | The topic passed to AWS IoT Core when sending a publish request can be no larger than 256 bytes of UTF-8 encoded characters. This excludes the first 3 mandatory segments for Basic Ingest topics ($AWS/rules/rule-name/). |
| WebSocket connection duration | The WebSocket connection quota is 24 hours. If the quota is exceeded, the WebSocket connection is closed when the client or server attempts to send a message. |
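
The per-request limits above can be checked on the client or at a gateway before a message is handed to the broker, so that oversized or reserved-prefix input from an untrusted device is rejected early. The following is an added example, not AWS code: the function names are hypothetical, 128 KB is taken as 128 * 1024 bytes, and the Basic Ingest prefix is matched in the lowercase form `$aws/rules/rule-name` used in the rules engine table.

```python
import re

MAX_TOPIC_BYTES = 256            # "Topic size"
MAX_TOPIC_SLASHES = 7            # "Maximum number of slashes in topic and topic filter"
MAX_PAYLOAD_BYTES = 128 * 1024   # "Message size": 128 KB, taken as 128 * 1024 (assumption)
MAX_CLIENT_ID_BYTES = 128        # "Client ID size"
KEEPALIVE_MIN, KEEPALIVE_DEFAULT = 30, 1200

# Basic Ingest prefix: $aws/rules/<rule-name>/ (lowercase form, an assumption).
_BASIC_INGEST = re.compile(r"^\$aws/rules/[^/]+/")


def effective_keepalive(requested: int) -> int:
    """Keep-alive interval (seconds) the broker applies to a requested value."""
    if requested == 0 or requested > KEEPALIVE_DEFAULT:
        return KEEPALIVE_DEFAULT
    return max(requested, KEEPALIVE_MIN)


def disconnect_after(requested: int) -> float:
    """Idle seconds before disconnect: 1.5x the effective keep-alive interval."""
    return 1.5 * effective_keepalive(requested)


def check_publish(client_id: str, topic: str, payload: bytes) -> list:
    """Return the quota violations for one publish; an empty list means it passes."""
    problems = []
    if len(client_id.encode("utf-8")) > MAX_CLIENT_ID_BYTES:
        problems.append("client ID exceeds 128 bytes")
    if client_id.startswith("$"):
        problems.append("client ID uses the reserved $ prefix")
    # The 3 mandatory Basic Ingest segments count toward neither topic limit.
    counted = _BASIC_INGEST.sub("", topic, count=1)
    if len(counted.encode("utf-8")) > MAX_TOPIC_BYTES:
        problems.append("topic exceeds 256 bytes")
    if counted.count("/") > MAX_TOPIC_SLASHES:
        problems.append("topic has more than 7 slashes")
    # Simplification: any $aws/ topic is let through; the specific
    # service-defined topic names are not verified here.
    if topic.startswith("$") and not topic.startswith("$aws/"):
        problems.append("topic uses a reserved $ prefix")
    if len(payload) > MAX_PAYLOAD_BYTES:
        problems.append("payload exceeds 128 KB")
    return problems
```

Sizes are measured on the UTF-8 encoding rather than the character count, which matters for client IDs and topics that contain non-ASCII characters.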

Security and Identity

Resource Default
Maximum number of AWS IoT Core role aliases 100
Maximum number of CA certificates with the same subject field allowed per AWS account per Region 10
Maximum number of device certificates that can be registered per second 15
Maximum number of named policy versions 5
Maximum number of policies that can be attached to a certificate or Amazon Cognito identity 10
Maximum policy document size 2048 characters (excluding white space)


Resource Default Adjustable
Maximum number of thing attributes for a thing with a thing type 50 Yes
Maximum number of thing attributes for a thing without a thing type 3 No
Maximum number of groups to which a thing can belong 10 No
Maximum number of thing types in an AWS account Unlimited.
Number of thing types that can be associated with a thing 1
Thing name size 128 bytes of UTF-8 encoded characters. This quota applies for both the registry and Device Shadow service.
Size of thing attributes per thing 47 KB Yes

Thing Groups

Resource Default Adjustable
Maximum number of thing groups a thing can belong to 10 No
Maximum depth of a thing group hierarchy 7 No
Maximum number of attributes associated with a thing group 50 No
Maximum number of direct child groups 100 No
Maximum number of dynamic groups 100 No
Maximum size of a thing group attribute name, in chars. 128 No
Maximum size of a thing group attribute value, in chars. 800 No