Quotas for Amazon Verified Permissions - Amazon Verified Permissions

Quotas for Amazon Verified Permissions

Your AWS account has default quotas, formerly referred to as limits, for each AWS service. Unless otherwise noted, each quota is Region-specific. You can request increases for some quotas, and other quotas cannot be increased.

To view the quotas for Verified Permissions, open the Service Quotas console. In the navigation pane, choose AWS services and select Verified Permissions.

To request a quota increase, see Requesting a Quota Increase in the Service Quotas User Guide. If the quota is not yet available in Service Quotas, use the limit increase form.

Your AWS account has the following quotas related to Verified Permissions.

Quotas for resources

Name Default Adjustable Description
Policy stores per Region per account Each supported Region: 1,000 Yes The maximum number of policy stores.
Policy templates per policy store Each supported Region: 40 Yes The maximum number of policy templates in a policy store.
Identity sources per policy store 1 No The maximum number of identity sources that you can define for a policy store.
Authorization request size¹ 1 MB No The maximum size of an authorization request.
Policy size 10,000 bytes No The maximum size of an individual policy.
Schema size 100,000 bytes No The maximum size of the schema of a policy store.
Policy size per resource 200,000 bytes² No The maximum size of all policies that reference a specific resource.

¹ The quota for an authorization request is the same for both IsAuthorized and IsAuthorizedWithToken.

² The total size of all policies pertaining to a single resource can't exceed 200,000 bytes. For template-linked policies, the size of the policy template is counted only once, plus the size of each set of parameters used to instantiate each template-linked policy.

Quotas for hierarchies

Name Default Adjustable Description
Transitive parents per principal 100 No The maximum number of transitive parents for each principal.
Transitive parents per action 100 No The maximum number of transitive parents for each action.
Transitive parents per resource 100 No The maximum number of transitive parents for each resource.

The diagram below illustrates how transitive parents can be defined for an entity (principal, action, or resource).


                Transitive parents per entity

Quotas for operations per second

Verified Permissions throttles requests to service endpoints in an AWS Region when application requests exceed the quota for an API operation. Verified Permissions might return an exception when you exceed the quota in requests per second, or you attempt simultaneous write operations. You can view your current RPS quotas in Service Quotas. To prevent applications from exceeding the quota for an operation, you must optimize them for retries and exponential backoff. For more information, see Retry with backoff pattern and Managing and monitoring API throttling in your workloads.

Name Default Adjustable Description
BatchIsAuthorized requests per second per Region per account Each supported Region: 30 Yes The maximum number of BatchIsAuthorized requests per second.
BatchIsAuthorizedWithToken requests per second per Region per account Each supported Region: 30 Yes maximum number of BatchIsAuthorizedWithToken requests per second.
CreatePolicy requests per second per Region per account Each supported Region: 10 Yes The maximum number of CreatePolicy requests per second.
CreatePolicyStore requests per second per Region per account Each supported Region: 1 No The maximum number of CreatePolicyStore requests per second.
CreatePolicyTemplate requests per second per Region per account Each supported Region: 10 Yes The maximum number of CreatePolicyTemplate requests per second.
DeletePolicy requests per second per Region per account Each supported Region: 10 Yes The maximum number of DeletePolicy requests per second.
DeletePolicyStore requests per second per Region per account Each supported Region: 1 No The maximum number of DeletePolicyStore requests per second.
DeletePolicyTemplate requests per second per Region per account Each supported Region: 10 Yes The maximum number of DeletePolicyTemplate requests per second.
GetPolicy requests per second per Region per account Each supported Region: 10 Yes The maximum number of GetPolicy requests per second.
GetPolicyTemplate requests per second per Region per account Each supported Region: 10 Yes The maximum number of GetPolicyTemplate requests per second.
GetSchema requests per second per Region per account Each supported Region: 10 Yes The maximum number of GetSchema requests per second.
IsAuthorized requests per second per Region per account Each supported Region: 200 Yes The maximum number of IsAuthorized requests per second.
IsAuthorizedWithToken requests per second per Region per account Each supported Region: 200 Yes The maximum number of IsAuthorizedWithToken requests per second.
ListPolicies requests per second per Region per account Each supported Region: 10 Yes The maximum number of ListPolicies requests per second.
ListPolicyStores requests per second per Region per account Each supported Region: 10 Yes The maximum number of ListPolicyStores requests per second.
ListPolicyTemplates requests per second per Region per account Each supported Region: 10 Yes The maximum number of ListPolicyTemplates requests per second.
PutSchema requests per second per Region per account Each supported Region: 10 Yes The maximum number of PutSchema requests per second.
UpdatePolicy requests per second per Region per account Each supported Region: 10 Yes The maximum number of UpdatePolicy requests per second.
UpdatePolicyTemplate requests per second per Region per account Each supported Region: 10 Yes The maximum number of UpdatePolicyTemplate requests per second.