AWS IAM Identity Center (successor to AWS Single Sign-On) quotas
The following tables describe quotas within IAM Identity Center.
Application quotas
| Resource | Default quota | Can be increased |
|---|---|---|
|
File size of service provider SAML certificates (in PEM format) |
2 KB | No |
File size limit of the IdP certificate uploaded to SSO |
2500 (UTF-8) characters | No |
AWS account quotas
| Resource | Default quota | Can be increased |
|---|---|---|
| Number of permission sets allowed in IAM Identity Center | 500 | Yes |
| Number of permission sets allowed per AWS account | 50 | Yes |
| Number of inline policies per permission set | 1 | No |
| Number of AWS managed and customer managed policies per permission set | 201 | No |
| Maximum size of inline policy per permission set | 10,240 bytes | No |
|
Number of IAM roles in the AWS account that can be repaired at a time |
1 | No |
1AWS Identity and Access Management (IAM) sets a quota of 10 managed policies per role. To take advantage of this quota, request an increase to the IAM quota Managed policies attached to an IAM role in the Service Quotas console for each AWS account where you want to deploy the permission set.
Permission sets are provisioned in AWS accounts as IAM roles, or use existing IAM roles in AWS accounts, and therefore follow IAM quotas. For more information about quotas that are associated with IAM roles, see IAM and STS quotas.
Active Directory quotas
| Resource | Default quota | Can be increased |
|---|---|---|
|
Number of unique directory groups that can be assigned * |
2500 | Yes |
|
Number of connected directories that you can have at a time |
1 | No |
* Users can belong to many directory groups, and a directory may contain many groups (see IAM Identity Center identity store quotas). Within IAM Identity Center, a maximum of 2500 of these groups can be assigned for using accounts and applications.
IAM Identity Center identity store quotas
| Resource | Default quota | Can be increased |
|---|---|---|
|
Number of unique groups that can be assigned * |
2500 | Yes |
|
Number of users supported in IAM Identity Center |
50000 | Yes |
| Number of groups supported in IAM Identity Center | 10000 | Yes |
* Users within an IAM Identity Center store can have up to 100 of their groups assigned for using applications.
IAM Identity Center throttle limits
| Resource | Default quota |
|---|---|
| IAM Identity Center APIs | IAM Identity Center APIs have a collective throttle maximum of 20 transactions per second (TPS). The CreateAccountAssignment has a maximum rate of 10 outstanding async calls. These quotas cannot be changed. |
Additional quotas
| Resource | Default quota | Can be increased |
|---|---|---|
|
Total number of AWS accounts or applications that can be configured * |
500 | Yes |
|
Number of unique groups that can be used to evaluate the permissions for a user ** |
1000 | No |
* Up to 500 AWS accounts or applications (total combined) are supported. For example, you might configure 275 accounts and 225 applications, resulting in a total of 500 accounts and applications.
** Before displaying the user’s available AWS accounts and application icons in the user portal, IAM Identity Center evaluates the user’s effective permissions by evaluating their group memberships. Up to 1000 unique groups can be used to determine a user’s effective permissions.
