AWS WAF, AWS Firewall Manager, and AWS Shield Advanced
Developer Guide (API Version 2019-07-29)

AWS Firewall Manager Limits

AWS Firewall Manager has default limits on the number of entities per account. You can request an increase in these limits.

| Resource | Default Limit |
| --- | --- |
| Accounts per organization in AWS Organizations | Varies. An invitation sent to an account counts against this limit. The count is returned if the invited account declines, the master account cancels the invitation, or the invitation expires. |
| Firewall Manager policies per organization in AWS Organizations | |
| Tags that include or exclude resources per Firewall Manager policy | |
| Rule groups per Firewall Manager administrator account | 10 |
| Primary security groups per common Firewall Manager policy | 1 |
| Audit security groups per content audit Firewall Manager policy | 1 |
| Amazon VPC instances in scope per Firewall Manager common security group policy | 5 |

The security group policies managed by Firewall Manager are subject to standard Amazon VPC limits. For more information, see Amazon VPC Limits in the Amazon VPC User Guide.

The following limits related to AWS Firewall Manager can't be changed.

| Resource | Limit |
| --- | --- |
| Rule groups per Firewall Manager policy | 2: 1 customer-created rule group and 1 AWS Marketplace rule group |
| Rules per rule group | |