Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Amazon managed policies for Service Quotas

An Amazon managed policy is a standalone policy that is created and administered by Amazon. Amazon managed policies are designed to provide permissions for many common use cases so that you can start assigning permissions to users, groups, and roles.

Keep in mind that Amazon managed policies might not grant least-privilege permissions for your specific use cases because they're available for all Amazon customers to use. We recommend that you reduce permissions further by defining customer managed policies that are specific to your use cases.

You cannot change the permissions defined in Amazon managed policies. If Amazon updates the permissions defined in an Amazon managed policy, the update affects all principal identities (users, groups, and roles) that the policy is attached to. Amazon is most likely to update an Amazon managed policy when a new Amazon Web Service is launched or new API operations become available for existing services.

For more information, see Amazon managed policies in the IAM User Guide.

Amazon managed policy: ServiceQuotasFullAccess

You can attach ServiceQuotasFullAccess to your users, groups, and roles.

This policy grants permissions that allow full administrative control of the Service Quotas service. You can perform all tasks involved in viewing and managing your quotas for Amazon services in Service Quotas in the Amazon Regions in your account.

Permissions details

This policy includes permissions that allow all actions for Service Quotas, including viewing Amazon default values and applied values, requesting a service quota increase, and viewing current utilization of resources. This policy also includes 18 permissions that are not part of Service Quotas and can be broadly split into non-mutating and mutating operations. Non-mutating operations include permissions from trusted advisors to retrieve applied quota value and view current utilization of resources. Mutating operations include permission to create and delete alarms on utilization of resources, and permissions to create the service-linked role necessary to create a support case on your behalf while requesting a quota increase.

This policy includes the following non-mutating and mutating operations that are not part of Service Quotas:

Non-mutating operations
  • autoscaling:DescribeAccountLimits – Allows Service Quotas to retrieve applied quota value for Amazon Auto Scaling quotas.

  • cloudformation:DescribeAccountLimits – Allows Service Quotas to retrieve applied quota value for Amazon CloudFormation quotas.

  • cloudwatch:DescribeAlarmsForMetric – Allows you to retrieve alarms for specified metrics from Service Quotas that were created for notifying automatically whenever a specified quota reaches a percentage of the maximum or reaches the maximum level.

  • cloudwatch:DescribeAlarms – Allows you to retrieve alarms from Service Quotas that were created for notifying automatically whenever a specified quota reaches a percentage of the maximum or reaches the maximum level.

  • cloudwatch:GetMetricData – Allows Service Quotas to view current utilization of resources.

  • cloudwatch:GetMetricStatistics – Allows Service Quotas to view current utilization of resources.

  • dynamodb:DescribeLimits – Allows Service Quotas to retrieve applied quota value for DynamoDB quotas.

  • elasticloadbalancing:DescribeAccountLimits – Allows Service Quotas to retrieve applied quota value for Elastic Load Balancing quotas.

  • iam:GetAccountSummary – Allows Service Quotas to retrieve applied quota value for IAM.

  • kinesis:DescribeLimits – Allows Service Quotas to retrieve applied quota value for Amazon Kinesis quotas.

  • organizations:DescribeAccount and organizations:DescribeOrganization – Allows Service Quotas to create and execute quota templates.

  • rds:DescribeAccountAttributes – Allows Service Quotas to retrieve applied quota value for Amazon RDS quotas.

  • route53:GetAccountLimit – Allows Service Quotas to retrieve applied quota value for Amazon Route 53 quotas.

  • tag:GetTagKeys – Allows Service Quotas to get tag keys currently in use in the specified Amazon Web Services Region for the calling account.

  • tag:GetTagValues – Allows Service Quotas to get tag values for the specified key that are used in the specified Amazon Web Services Region for the calling account.

Mutating operations
  • cloudwatch:PutMetricAlarm – Allows Service Quotas to create an alarm for notifying you automatically whenever a specified quota reaches a percentage of the maximum or the maximum level.

  • cloudwatch:DeleteAlarms – Allows Service Quotas to delete the specified alarm.

  • organizations:EnableAWSServiceAccess – Allows Service Quotas to create a service-linked role in all the accounts in your organization. This allows Service Quotas to perform operations on your behalf in your organization and its accounts.

  • iam:CreateServiceLinkedRole – Allows Service Quotas to create an IAM role that allows Service Quotas to create a support case on your behalf when you request a quota increase.

To see the latest version of this Amazon managed policy, see ServiceQuotasFullAccess in the Amazon Managed Policy Reference Guide.
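When you define a customer managed policy in place of ServiceQuotasFullAccess, the four mutating operations listed above are the ones to scope first. The following check is an added example, not part of the Amazon documentation or the managed policy itself: it reports Allow statements that grant any of those actions on Resource "*" with no Condition block. The function name, the sample policy, and the iam:AWSServiceName condition value in it are assumptions made for illustration.

```python
import fnmatch

# Mutating actions outside Service Quotas, copied from the list on this page.
MUTATING = (
    "cloudwatch:PutMetricAlarm",
    "cloudwatch:DeleteAlarms",
    "organizations:EnableAWSServiceAccess",
    "iam:CreateServiceLinkedRole",
)

def _listify(value):
    return [value] if isinstance(value, str) else list(value or [])

def _matches(action, patterns):
    # IAM action names are case-insensitive and may contain * and ? wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)

def unscoped_mutating_grants(policy):
    """Return sorted (Sid, action) pairs granted on Resource "*" with no Condition."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may appear without a list
        statements = [statements]
    findings = []
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        # Only a literal "*" resource with no condition is treated as unscoped here.
        if stmt.get("Condition") or "*" not in _listify(stmt.get("Resource")):
            continue
        sid = stmt.get("Sid", f"statement[{i}]")
        for action in MUTATING:
            if "NotAction" in stmt:  # Allow + NotAction grants everything not listed
                granted = not _matches(action, _listify(stmt["NotAction"]))
            else:
                granted = _matches(action, _listify(stmt.get("Action")))
            if granted:
                findings.append((sid, action))
    return sorted(findings)

# Constructed sample policy for this example (not the managed policy document).
SAMPLE_POLICY = {"Statement": [
    {"Sid": "Quotas", "Effect": "Allow", "Action": "servicequotas:*", "Resource": "*"},
    {"Sid": "Alarms", "Effect": "Allow", "Action": ["cloudwatch:*"], "Resource": "*"},
    {"Sid": "Slr", "Effect": "Allow", "Action": "iam:createservicelinkedrole", "Resource": "*",
     # Assumed condition value: the Service Quotas service principal.
     "Condition": {"StringEquals": {"iam:AWSServiceName": "servicequotas.amazonaws.com"}}},
    {"Sid": "NoOrg", "Effect": "Deny", "Action": "organizations:EnableAWSServiceAccess", "Resource": "*"},
]}
```

For the sample policy, only the Alarms statement is reported, because its cloudwatch:* wildcard covers both alarm-mutating actions; the conditioned service-linked role grant and the Deny statement are not.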

Amazon managed policy: ServiceQuotasReadOnlyAccess

You can attach ServiceQuotasReadOnlyAccess to your users, groups, and roles.

This policy grants permissions that allow users to view their Amazon default quotas, applied quotas, and current utilization of resources.

Permissions details

This policy includes permissions that allow you to perform the Service Quotas Get* and List* operations to view your Amazon default quotas and applied quotas. You can also view current utilization of resources.

Note

This policy does not allow you to request a service quota increase.

This policy includes the following non-mutating operations that are not part of Service Quotas:

Non-mutating operations
  • autoscaling:DescribeAccountLimits – Allows Service Quotas to retrieve applied quota value for Amazon Auto Scaling quotas.

  • cloudformation:DescribeAccountLimits – Allows Service Quotas to retrieve applied quota value for Amazon CloudFormation quotas.

  • cloudwatch:DescribeAlarmsForMetric – Allows you to retrieve alarms for specified metrics from Service Quotas that were created for notifying automatically whenever a specified quota reaches a percentage of the maximum or reaches the maximum level.

  • cloudwatch:DescribeAlarms – Allows you to retrieve alarms from Service Quotas that were created for notifying automatically whenever a specified quota reaches a percentage of the maximum or reaches the maximum level.

  • cloudwatch:GetMetricData – Allows Service Quotas to view current utilization of resources.

  • cloudwatch:GetMetricStatistics – Allows Service Quotas to view current utilization of resources.

  • dynamodb:DescribeLimits – Allows Service Quotas to retrieve applied quota value for DynamoDB quotas.

  • elasticloadbalancing:DescribeAccountLimits – Allows Service Quotas to retrieve applied quota value for Elastic Load Balancing quotas.

  • iam:GetAccountSummary – Allows Service Quotas to retrieve applied quota value for IAM.

  • kinesis:DescribeLimits – Allows Service Quotas to retrieve applied quota value for Amazon Kinesis quotas.

  • organizations:DescribeAccount and organizations:DescribeOrganization – Allows Service Quotas to create and execute quota templates.

  • rds:DescribeAccountAttributes – Allows Service Quotas to retrieve applied quota value for Amazon RDS quotas.

  • route53:GetAccountLimit – Allows Service Quotas to retrieve applied quota value for Amazon Route 53 quotas.

  • tag:GetTagKeys – Allows Service Quotas to get tag keys currently in use in the specified Amazon Web Services Region for the calling account.

  • tag:GetTagValues – Allows Service Quotas to get tag values for the specified key that are used in the specified Amazon Web Services Region for the calling account.

To see the latest version of this Amazon managed policy, see ServiceQuotasReadOnlyAccess in the Amazon Managed Policy Reference Guide.

Amazon managed policy: ServiceQuotasServiceRolePolicy

This policy is attached to a service-linked role that allows the service to perform actions on your behalf. You cannot attach this policy to your users, groups, or roles.

This policy grants permissions that allow Service Quotas to create support cases on your behalf.

Permissions details

This policy includes the following operations:

  • support:CreateCase – Allows Service Quotas to create support cases on your behalf when you request a quota increase.

  • support:DescribeCases – Allows Service Quotas to retrieve the details and status of your support case for the quota increase request.

  • support:ResolveCase – Allows Service Quotas to resolve support cases on your behalf.

To see the latest version of this Amazon managed policy, see ServiceQuotasServiceRolePolicy in the Amazon Managed Policy Reference Guide.

Service Quotas updates to Amazon managed policies

View details about updates to Amazon managed policies for Service Quotas since this service began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the Service Quotas Document history page.

| Change | Description | Date |
| --- | --- | --- |
| ServiceQuotasFullAccess – New policy | Added a new Amazon managed policy that allows full administrative control of the Service Quotas service. You can perform all tasks involved in viewing and managing your quotas for Amazon services in Service Quotas in the Amazon Regions in your account. | May 30, 2024 |
| ServiceQuotasReadOnlyAccess – New policy | Added a new Amazon managed policy that allows users to view their Amazon default quotas, applied quotas, and view current utilization of resources. | May 30, 2024 |
| ServiceQuotasServiceRolePolicy – New policy | Added a new Amazon managed policy that allows Service Quotas to create support cases on your behalf. | May 30, 2024 |
| Service Quotas started tracking changes | Service Quotas started tracking changes for its Amazon managed policies. | May 30, 2024 |