Quotas and service limits for Amazon Organizations
This topic describes quotas and service limits for Amazon Organizations.
Naming guidelines
The following are guidelines for names that you create in Amazon Organizations, including names of accounts, organizational units (OUs), roots, and policies:
- Names must be composed of Unicode characters.
- The maximum string length for names varies by object. For information about the actual limit for each object, see the Amazon Organizations API Reference, find the API operation that creates the object, and look at the details for that operation's Name parameter. For example: Account name, or OU name.
Maximum and minimum values
The following are the default maximums for entities in Amazon Organizations.
Note
You can request increases for some of these values by using the Service Quotas console.
Organizations is a global service that is physically hosted in the US East (N. Virginia) Region (us-east-1). Therefore, you must use us-east-1 to access Organizations quotas when using the Service Quotas console, the Amazon CLI, or an Amazon SDK.
Description | Limit |
---|---|
Number of Amazon Web Services accounts in an organization | 10 — The default maximum number of accounts allowed in an organization. If you need more, you can request an increase by using the Service Quotas console. Note: Only the management account of an organization can submit this quota increase request. Limit increases can be granted up to 10,000 accounts based on customer qualifications and requirements. Newly created accounts and organizations might experience a quota below the default of 10 accounts. An invitation sent to an account counts against this quota. The count is returned if the invited account declines, the management account cancels the invitation, or the invitation expires. When an account is closed it does not stop counting against this quota until it is permanently closed. For more information on when an account is permanently closed, see Post-closure period in the Amazon Account Management Reference Guide. Some services have account limits separate from the maximum number of accounts allowed in an organization. For more information, see Limits by Amazon service. |
Number of roots in an organization | 1 |
Number of OUs in an organization | 1000 |
Number of policies of each type in an organization | Service control policies: 2000; Backup policies: 1000; Tag policies: 1000; Chatbot policies: 1000; AI services opt-out policies: 1000 |
Maximum size of a policy document | Service control policies: 5120 characters; Backup policies: 10,000 characters; Chatbot policies: 10,000 characters; AI services opt-out policies: 2500 characters; Tag policies: 10,000 characters. Note: If you save the policy by using the Amazon Web Services Management Console, extra white space (such as spaces and line breaks) between JSON elements and outside of quotation marks is removed and not counted. If you save the policy using an SDK operation or the Amazon CLI, then the policy is saved exactly as you provided and no automatic removal of characters occurs. |
OU maximum nesting in a root | Five levels of OUs deep under a root. |
Maximum number of invitation attempts you can perform in a 24-hour period | Either 20 or the maximum number of accounts allowed in your organization, whichever is greater. Accepted invitations don't count against this quota. As soon as one invitation is accepted, you can send another invitation that same day. If the maximum number of accounts allowed in your organization is less than 20, then you get an "account limit exceeded" exception if you attempt to invite more accounts than your organization can contain. However, you can cancel invitations and send new ones up to the maximum of 20 attempts in one day. |
Number of member accounts you can create concurrently | 5 — As soon as one finishes, you can start another, but only five can be in progress at a time. |
Number of member accounts you can close in a 30-day period | 10% of member accounts in an organization, with a maximum of 1000. After you reach this quota, you can close additional accounts or wait until your quota resets. For more information, see Close an Amazon account in the Amazon Account Management Guide. |
Number of member accounts you can close concurrently | 3 — Only three account closures can be in progress at the same time. As soon as one finishes, you can close another account. |
Number of entities to which you can attach a policy | Unlimited |
Number of tags that you can attach to a root, OU, or account | 50 |
Maximum size of the resource-based delegation policy | 40,000 characters |
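Because of the note in the "Maximum size of a policy document" row, a pretty-printed policy that fits when saved in the console can exceed the limit when the same file is submitted through the CLI or an SDK. The following added example (not part of the original page) measures a document both as written and minified against the limits in the table; the sample SCP and its action names are constructed, and the dictionary keys are the Organizations API `PolicyType` values.

```python
import json

# Maximum policy document size in characters, per policy type (from the table above).
MAX_POLICY_CHARS = {
    "SERVICE_CONTROL_POLICY": 5120,
    "BACKUP_POLICY": 10000,
    "CHATBOT_POLICY": 10000,
    "AISERVICES_OPT_OUT_POLICY": 2500,
    "TAG_POLICY": 10000,
}

def minify(document: str) -> str:
    """Re-serialize JSON without white space between elements.
    White space inside quoted strings is left untouched."""
    return json.dumps(json.loads(document), separators=(",", ":"), ensure_ascii=False)

def check_policy_size(document: str, policy_type: str) -> dict:
    """Compare a policy document with its limit, as written and minified."""
    limit = MAX_POLICY_CHARS[policy_type]
    compact = minify(document)
    return {
        "limit": limit,
        "as_written": len(document),          # what an SDK or CLI save stores
        "minified": len(compact),             # size with removable white space gone
        "fits_as_written": len(document) <= limit,
        "fits_minified": len(compact) <= limit,
    }

def constructed_sample_scp() -> str:
    """Constructed sample: one Deny statement with 150 placeholder actions,
    pretty-printed with 4-space indentation as an editor would save it."""
    policy = {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "ConstructedSample",
            "Effect": "Deny",
            "Action": [f"ec2:ExampleAction{i:03d}" for i in range(150)],
            "Resource": "*",
        }],
    }
    return json.dumps(policy, indent=4)

if __name__ == "__main__":
    report = check_policy_size(constructed_sample_scp(), "SERVICE_CONTROL_POLICY")
    for key, value in report.items():
        print(f"{key}: {value}")
```

Running `minify` on the file before passing it to the CLI or an SDK keeps the stored size equal to the minified figure.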
Limits by Amazon service
Most Amazon Web Services services support the stated maximum number of accounts that you can have in an organization. However, some services have account limits separate from the maximum number of accounts allowed in an organization.
The following table shows services with separate account limits.
Amazon service | Limit | Can be increased |
---|---|---|
Amazon IAM Identity Center | 3000 | Yes |
Amazon Application Migration Service | 5000 | No |
Amazon Directory Service | 250 | Yes |
For more information, see Amazon IAM Identity Center quotas in the IAM Identity Center User Guide and Amazon MGN service quota limits in the Application Migration Service User Guide.
Expiration times for handshakes
The following are the timeouts for handshakes in Amazon Organizations.
Description | Limit |
---|---|
Invitation to join an organization | 15 days |
Request to enable all features in an organization | 90 days |
Handshake is deleted and no longer appears in lists | 30 days after the handshake is completed |
Number of policies that you can attach to an entity
The minimum and maximum depend on the policy type and the entity that you're attaching the policy to. The following table shows each policy type and the number of entities that you can attach each type to.
Note
These numbers apply to only those policies that are directly attached to an OU or an account. Policies that affect an OU or account by inheritance do not count against these limits. All policy limits are hard limits.
Policy type | Minimum attached to an entity | Maximum attached to root | Maximum attached per OU | Maximum attached per account |
---|---|---|---|---|
Service control policy | 1 — Every entity must have at least one SCP attached at all times. You can't remove the last SCP from an entity. | 5 | 5 | 5 |
Backup policy | 0 | 10 | 10 | 10 |
Tag policy | 0 | 10 | 10 | 10 |
Chatbot policy | 0 | 5 | 5 | 5 |
AI services opt-out policy | 0 | 5 | 5 | 5 |
Note
You can have only one root in an organization.
Throttling limits
The following tables list the Amazon Organizations APIs by management category and show their respective throttle rates at the account and organization level.
Account management limits
The following table lists the Amazon Organizations APIs for account management.
Amazon Organizations API | Per account limit (rate, burst) | Per organization limit (rate, burst) |
---|---|---|
CloseAccount | .05, 1 | |
CreateAccount, CreateGovCloudAccount | 0.1, 3 | |
DescribeAccount | 20, 30 | 24, 36 |
DescribeCreateAccountStatus | 2, 2 | 2, 3 |
LeaveOrganization | 1, 1 | |
ListCreateAccountStatus | 5, 8 | 6, 10 |
Handshake management limits
The following table lists the Amazon Organizations APIs for account handshake.
Amazon Organizations API | Per account limit (rate, burst) | Per organization limit (rate, burst) |
---|---|---|
AcceptHandshake, DescribeHandshake | 1, 1 | |
CancelHandshake | 2, 3 | |
DeclineHandshake | 1, 3 | |
InviteAccountToOrganization | 3, 5 | |
ListHandshakesForAccount, ListHandshakesForOrganization | 5, 8 | 6, 10 |
Organization management limits
The following table lists the Amazon Organizations APIs for organization management.
Amazon Organizations API | Per account limit (rate, burst) | Per organization limit (rate, burst) |
---|---|---|
CreateOrganization, DeleteOrganization, EnableFullControl | 1, 1 | |
CreateOrganizationalUnit, DescribeOrganization | 1, 2 | |
MoveAccount, UpdateOrganizationalUnit, DeleteOrganizationalUnit | 2, 3 | |
DescribeOrganizationalUnit | 2, 2 | 2, 3 |
ListAccounts | 8, 12 | 9, 15 |
ListChildren | 6, 10 | 7, 12 |
ListParents, ListAccountsForParent, ListOrganizationalUnitsForParent | 5, 8 | 6, 10 |
ListRoots | 1, 2 | 1, 3 |
ListTagsForResource | 10, 15 | 12, 18 |
RemoveAccountFromOrganization | 2, 2 | |
TagResource, UntagResource | 4, 6 | |
Policy management limits
The following table lists the Amazon Organizations APIs for policy management.
Amazon Organizations API | Per account limit (rate, burst) | Per organization limit (rate, burst) |
---|---|---|
CreatePolicy, DeletePolicy, AttachPolicy, DetachPolicy | 2, 3 | |
DescribePolicy | 2, 2 | 2, 3 |
DisablePolicyType, EnablePolicyType | 1, 1 | |
ListPolicies, ListPoliciesForTarget, ListTargetsForPolicy | 5, 8 | 6, 10 |
UpdatePolicy | 2, 3 | |
Service management limits
The following table lists the Amazon Organizations APIs for service management.
Amazon Organizations API | Per account limit (rate, burst) | Per organization limit (rate, burst) |
---|---|---|
EnableAWSServiceAccess, DisableAWSServiceAccess | 1, 2 | |
ListAWSServiceAccessForOrganization, ListDelegatedServicesForAccount | 1, 3 | 1, 4 |
ListDelegatedAdministrators | 5, 8 | 6, 10 |
RegisterDelegatedAdministrator, DeregisterDelegatedAdministrator | 1, 2 | |