Architecture overview - AWS Limit Monitor

Architecture overview

Deploying this solution builds the following environment in the AWS Cloud.

        AWS Limit Monitor architecture

Figure 1: AWS Limit Monitor architecture

The AWS Limit Monitor includes a template that you deploy in your primary account. This template launches the following workflow:

  1. An AWS Lambda function that runs once every 24 hours. The Lambda function refreshes the AWS Trusted Advisor Service Limits checks to retrieve the most current utilization and quota data through API calls. Trusted Advisor calculates usage against the quota to determine whether the status is OK (less than 80% utilization), WARN (between 80% and 99% utilization), or ERROR (100% utilization).

  2. If you opt in to monitor Amazon Elastic Compute Cloud (Amazon EC2) virtual central processing unit-based (vCPU-based) quotas, the template launches another Lambda function that runs every five minutes. The function checks Service Quotas to retrieve vCPU usage and quota data for every AWS Region. The function calculates vCPU usage against quotas to determine whether the status is OK (less than 80% utilization), WARN (between 80% and 99% utilization), or ERROR (100% utilization).

  3. Amazon CloudWatch Events captures the status events from Trusted Advisor and the vCPU monitoring Lambda function, and uses a set of CloudWatch Events rules to send the status events to all the targets you choose during initial deployment of the solution: an Amazon Simple Queue Service (Amazon SQS) queue, an Amazon Simple Notification Service (Amazon SNS) topic (optional), or a Lambda function for Slack notifications (optional).

  4. If you activate Slack notifications during initial deployment, the solution launches a Lambda function that sends notifications to your existing Slack channel. An AWS Systems Manager Parameter Store will also be deployed to provide highly available, secure, durable storage for your Slack WebHook URL which is used to send messages to the Slack channel. For more information, refer to Slack Integration.

  5. Amazon SQS receives all the OK, WARN, and ERROR status. The Limit Summarizer Lambda function ingests the messages from the queue and stores them in the Amazon DynamoDB table for historical view of all quota related events in your accounts. The dead-letter queue stores all messages that couldn't be read by the Limit Summarizer function. By default, Amazon SNS and Slack receive only WARN and ERROR status events. However, you can customize the notifications for your specific needs.

The solution also includes a secondary template you can deploy in secondary accounts. This template launches the following:

  1. A Lambda function that refreshes the Trusted Advisor Service Limits checks in the secondary account.

  2. If activated, this template also launches a Lambda function to check Service Quotas for vCPU quotas.

  3. CloudWatch Events in the secondary account captures the status events from both functions and sends those events to the primary account using the CloudWatch Event Bus. Once those events are received in the primary account, the CloudWatch Events rules send the events to your chosen targets.


AWS CloudFormation resources are created from AWS Cloud Development Kit (AWS CDK) components.