Quotas for AWS Organizations

This section specifies quotas that affect AWS Organizations.

Naming guidelines

The following are guidelines for names that you create in AWS Organizations, including names of accounts, organizational units (OUs), roots, and policies:

  • They must be composed of Unicode characters.

  • The maximum string length for names varies by object. To see the actual limit for each, see the AWS Organizations API Reference and find the API operation that creates the object. Look at the details for that operation's Name parameter. For example: Account name, or OU name.

Maximum and minimum values

The following are the default maximums for entities in AWS Organizations.

Note

You can request increases for some of these values by using the Service Quotas console.

Organizations is a global service that is physically hosted in the US East (N. Virginia) Region (us-east-1). Therefore, you must use us-east-1 to access Organizations quotas when using the Service Quotas console, the AWS CLI, or an AWS SDK.

Number of AWS accounts in an organization

10 — The default maximum number of accounts allowed in an organization. If you need more, you can request an increase by using the Service Quotas console.

An invitation sent to an account counts against this quota. The count is returned if the invited account declines, the management account cancels the invitation, or the invitation expires.

Newly created accounts and organizations may experience a quota below the default of 10 accounts.

Number of roots in an organization

1

Number of OUs in an organization

1000

Number of policies of each type in an organization

1000 per policy type

Maximum size of a policy document

Service control policies: 5120 characters

AI services opt-out policies: 2500 characters

Backup policies: 10,000 characters

Tag policies: 10,000 characters

Note: If you save the policy by using the AWS Management Console, extra white space (such as spaces and line breaks) between JSON elements and outside of quotation marks, is removed and not counted. If you save the policy using an SDK operation or the AWS CLI, then the policy is saved exactly as you provided and no automatic removal of characters occurs.
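The following Python sketch is an added example, not part of the original AWS documentation. It checks a policy document against the character limits listed above before it is submitted through an SDK or the AWS CLI, and removes insignificant whitespace only when the text would otherwise exceed the limit. The function names and the sample policy are constructed for illustration, and the sketch assumes the quota counts characters the way Python's len() does.

```python
import json

# Per-type character limits, as listed on this page.
MAX_POLICY_CHARS = {
    "SERVICE_CONTROL_POLICY": 5120,
    "AISERVICES_OPT_OUT_POLICY": 2500,
    "BACKUP_POLICY": 10000,
    "TAG_POLICY": 10000,
}


def fit_policy(document: str, policy_type: str) -> str:
    """Return policy text that fits the quota when sent through an SDK or the CLI.

    The text is returned unchanged if it already fits. Otherwise whitespace
    outside JSON strings is removed, which is what the console does on save.
    """
    limit = MAX_POLICY_CHARS[policy_type]
    parsed = json.loads(document)  # fail on malformed JSON before any API call
    if len(document) <= limit:
        return document
    # ensure_ascii=False keeps non-ASCII text as single characters instead of
    # expanding it to \uXXXX escapes, which would inflate the count.
    compact = json.dumps(parsed, separators=(",", ":"), ensure_ascii=False)
    if len(compact) > limit:
        raise ValueError(
            f"{policy_type}: {len(compact)} characters after minifying, "
            f"limit is {limit}; split the policy"
        )
    return compact


def sample_scp(statements: int) -> str:
    """Constructed sample: an indented SCP with the given number of statements."""
    body = [
        {"Sid": f"DenyLeave{i:03d}", "Effect": "Deny",
         "Action": ["organizations:LeaveOrganization"], "Resource": "*"}
        for i in range(statements)
    ]
    return json.dumps({"Version": "2012-10-17", "Statement": body}, indent=4)


if __name__ == "__main__":
    pretty = sample_scp(30)
    sent = fit_policy(pretty, "SERVICE_CONTROL_POLICY")
    print(len(pretty), "->", len(sent))
```

Running this check in a deployment pipeline surfaces an oversized service control policy before the API call is made, and keeps readable formatting for policies that already fit.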

OU maximum nesting in a root

Five levels of OUs deep under a root.

Maximum number of invitation attempts you can perform in a 24-hour period

Either 20 or the maximum number of accounts allowed in your organization, whichever is greater. Accepted invitations don't count against this quota. As soon as one invitation is accepted, you can send another invitation that same day.

If the maximum number of accounts allowed in your organization is less than 20, then you get an "account limit exceeded" exception if you attempt to invite more accounts than your organization can contain. However, you can cancel invitations and send new ones up to the maximum of 20 attempts in one day.

Number of member accounts you can create concurrently

5 — As soon as one finishes, you can start another, but only five can be in progress at a time.

Number of member accounts you can close in a 30-day period

10% of member accounts in an organization, with a maximum of 1000.

  • < 100 accounts – You can close up to 10 member accounts

  • 100 - 10,000 accounts – You can close up to 10% of your member accounts

  • > 10,000 accounts – You can close up to 1000 member accounts

For example, if you have 10,500 member accounts, you can close up to 1000 (not 1050) accounts in a 30-day period. After you reach this quota, you can close additional accounts in the AWS Billing console or wait until your quota resets. For more information, see What you need to know before closing your account in the AWS Account Management Guide.

Number of member accounts you can close concurrently

3 — Only three account closures can be in progress at the same time. As soon as one finishes, you can close another account.

Number of entities to which you can attach a policy

Unlimited

Number of tags that you can attach to a root, OU, or account

50

Maximum size of the resource-based delegation policy

40,000 characters

Expiration times for handshakes

The following are the timeouts for handshakes in AWS Organizations.

Invitation to join an organization

15 days

Request to enable all features in an organization

90 days

Handshake is deleted and no longer appears in lists

30 days after the handshake is completed

Number of policies that you can attach to an entity

The minimum and maximum depend on the policy type and the entity that you're attaching the policy to. The following table shows each policy type and the number of entities that you can attach each type to.

Note

These numbers apply to only those policies that are directly attached to an OU or an account. Policies that affect an OU or account by inheritance do not count against these limits.

| Policy type | Minimum attached to an entity | Maximum attached to root | Maximum attached per OU | Maximum attached per account |
| --- | --- | --- | --- | --- |
| Service control policy | 1 — Every entity must have at least one SCP attached at all times. You can't remove the last SCP from an entity. | 5 | 5 | 5 |
| AI services opt-out policy | 0 | 5 | 5 | 5 |
| Backup policy | 0 | 10 | 10 | 10 |
| Tag policy | 0 | 10 | 10 | 10 |

Note

Currently, you can have only one root in an organization.

Throttling limits

The following table lists the AWS Organizations APIs by management category, and shows their respective throttle rates at the account and organizational level.

AWS Organizations API Per account limit (rate, burst) Per organization limit (rate, burst)
Account management
CloseAccount .05, 1
CreateAccount, CreateGovCloudAccount 0.1, 3
DescribeAccount 20, 30 24, 36
DescribeCreateAccountStatus 2, 2 2, 3
LeaveOrganization 1, 1
ListCreateAccountStatus 5, 8 6, 10
Handshake management
AcceptHandshake, DescribeHandshake 1, 1
CancelHandshake 2, 3
DeclineHandshake 1, 3
InviteAccountToOrganization 3, 5
ListHandshakesForAccount, ListHandshakesForOrganization 5, 8 6, 10
Organization management
CreateOrganization, DeleteOrganization, EnableFullControl 1, 1
CreateOrganizationalUnit, DescribeOrganization 1, 2
MoveAccount, UpdateOrganizationalUnit, DeleteOrganizationalUnit 2, 3
DescribeOrganizationalUnit 2, 2 2, 3
ListAccounts 8, 12 9, 15
ListChildren 6, 10 7, 12
ListParents, ListAccountsForParent, ListOrganizationalUnitsForParent 5, 8 6, 10
ListRoots 1, 2 1, 3
ListTagsForResource 10, 15 12, 18
RemoveAccountFromOrganization 2, 2
TagResource, UntagResource 4, 6
Policy management
CreatePolicy, DeletePolicy, AttachPolicy, DetachPolicy 2, 3
DescribePolicy 2, 2 2, 3
DisablePolicyType, EnablePolicyType 1, 1
ListPolicies, ListPoliciesForTarget, ListTargetsForPolicy 5, 8 6, 10
UpdatePolicy 2, 3
Service management
EnableAWSServiceAccess, DisableAWSServiceAccess 1, 2
ListAWSServiceAccessForOrganization, ListDelegatedServicesForAccount 1, 3 1, 4
ListDelegatedAdministrators 5, 8 6, 10
RegisterDelegatedAdministrator, DeregisterDelegatedAdministrator 1, 2