Quotas and limits in IAM Identity Center
The following tables describe quotas within IAM Identity Center. Quota increase requests must come from a management or delegated administrator account. To increase a quota, see Requesting a quota increase.
Note
We recommend using the Amazon CLI and APIs to administer IAM Identity Center if you have more than 50,000 users, 10,000 groups, or 500 permission sets. For more information about the CLI, see Integrating Amazon CLI with IAM Identity Center. For more information about APIs, see Welcome to the IAM Identity Center API Reference.
Application quotas
| Resource | Default quota | Can be increased |
|---|---|---|
| File size of service provider SAML certificates (in PEM format) | 2 KB | No |
| SAML assertion limit | 50,000 characters | No |
| File size limit of the IdP certificate uploaded to IAM Identity Center | 2500 (UTF-8) characters | No |
| Access scopes per application | 25 | No |
Amazon Web Services account quotas
| Resource | Default quota | Can be increased |
|---|---|---|
| Number of permission sets allowed in IAM Identity Center | 3500 | Yes |
| Number of provisioned permission sets allowed per Amazon Web Services account | 500 | Yes |
| Number of inline policies per permission set | 1 | No |
| Number of Amazon managed and customer managed policies per permission set | 20 ¹ | No |
| Maximum size of inline policy per permission set | 32,768 bytes. Maximum size of non-whitespace characters in the inline policy per permission set is 10,240 bytes. | No |
| Number of IAM roles (permission sets) in the Amazon Web Services account that can be updated at a time | 1 | No |
¹ Amazon Identity and Access Management (IAM) sets a quota of 10 managed policies per role. To take advantage of this quota, request an increase to the IAM quota Managed policies attached to an IAM role in the Service Quotas console for each Amazon Web Services account where you want to deploy the permission set.
Note
Permission sets are provisioned in Amazon Web Services accounts as IAM roles, or use existing IAM roles in Amazon Web Services accounts, and therefore follow IAM quotas. For more information about quotas that are associated with IAM roles, see IAM and STS quotas.
Active Directory quotas
| Resource | Default quota | Can be increased |
|---|---|---|
| Number of connected directories that you can have at a time | 1 | No |
IAM Identity Center identity store quotas
| Resource | Default quota | Can be increased |
|---|---|---|
| Number of users supported in IAM Identity Center | 200000 | Yes |
| Number of groups supported in IAM Identity Center | 100000 | Yes |
| Number of unique groups that can be used to evaluate the permissions for a user | 1000 | No |
IAM Identity Center throttle limits
| Resource | Default quota |
|---|---|
| IAM Identity Center APIs | IAM Identity Center APIs have a collective throttle limit of 20 transactions per second (TPS). You can open a support case to request a limit increase. The CreateAccountAssignment API has a limit of 15 outstanding asynchronous calls. This limit cannot be increased. |
| Identity Store APIs | Identity Store APIs have a throttle limit of 20 transactions per second (TPS) per API. This limit applies per Identity Store instance. You can open a support case to request a limit increase. |
| SCIM APIs | SCIM APIs have throttle limits of 25 transactions per second (TPS) for write APIs and 40 TPS for read APIs. These limits apply per Identity Store instance. You can open a support case to request a limit increase. |
If your IAM Identity Center instance is enabled in multiple Amazon Web Services Regions, the throttle limits apply equally to each enabled Region. For example, you would have the 20 TPS throttle limit on the Identity Store APIs in each enabled Region. For more information about which API operations are available in additional Regions, see the corresponding table.
OIDC service request quotas
| Resource | Default value (requests per second) | Can be increased |
|---|---|---|
| Request rate from a remote address to register a public OAuth client. Applies to: RegisterClient | 20 | Yes |
| Request rate from a public client registered with the OIDC service. Applies to: CreateToken, StartDeviceAuthorization | 80 | Yes |
| Request rate from all public clients registered with the same IAM Identity Center instance. Applies to: CreateToken | 250 | Yes |
| Request rate from an IAM Identity Center application registered with the IAM Identity Center instance. Applies to: CreateTokenWithIAM | 80 | Yes |
| Token generation rate from all IAM Identity Center applications registered with the same IAM Identity Center instance with JWT Bearer grant. Applies to: CreateTokenWithIAM | 10 | Contact Amazon Support |
If your IAM Identity Center instance is enabled in multiple Amazon Web Services Regions, the request rates above apply equally to each enabled Region. For example, if your allowed request rate to register a public OAuth client from a remote address is 20 requests per second, this throughput is available in each enabled Region. For more information about which API operations are available in additional Regions, see the corresponding table.
Additional quotas
| Resource | Default quota | Can be increased |
|---|---|---|
| Total number of Amazon Web Services accounts or applications that can be configured * ** | 3000 | Yes |
| Total number of instances of IAM Identity Center per account | 1 | No |
| Total number of trusted token issuers | 10 | No |
| Total number of groups that can be assigned to a permission set per Amazon Web Services account, or to an application | 100 | No |
| Total number of Amazon Web Services Regions enabled for a single IAM Identity Center instance | 3 | Yes |
* For example, you might configure 2750 accounts and 250 applications, resulting in a total of 3000 accounts and applications.
** The ProvisionPermissionSet API operation can provision a permission set using the ALL_PROVISIONED_ACCOUNTS option to, at most, 3500 Amazon Web Services accounts. If you need to provision a permission set to more than 3500 Amazon Web Services accounts, use the ProvisionPermissionSet API operation with the AWS_ACCOUNT option, which provisions the permission set in a single Amazon Web Services account. You can make up to three concurrent calls to ProvisionPermissionSet.
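The per-account provisioning path described in the second footnote, as an added example that is not part of this page or of any Amazon SDK: it fans ProvisionPermissionSet calls out over a list of accounts while keeping at most three calls in flight and backing off when a call is throttled. The provision_call argument is assumed to accept the keyword arguments of boto3's sso-admin provision_permission_set; FakeSsoAdminClient and ThrottlingError are constructed stand-ins so the code runs offline.

```python
import threading
import time
from concurrent.futures import ThreadPoolExecutor

MAX_CONCURRENT_PROVISION_CALLS = 3  # page quota: up to three concurrent ProvisionPermissionSet calls
MAX_RETRIES = 5


class ThrottlingError(Exception):
    """Stand-in for the service's throttling error (assumption: the caller maps it here)."""


def provision_to_accounts(provision_call, instance_arn, permission_set_arn,
                          account_ids, max_concurrent=MAX_CONCURRENT_PROVISION_CALLS):
    """One AWS_ACCOUNT call per account, never more than max_concurrent in flight,
    throttled calls retried with exponential backoff. Returns {account_id: response}."""
    results, lock = {}, threading.Lock()

    def one(account_id):
        delay, resp = 0.05, None
        for _ in range(MAX_RETRIES):
            try:
                resp = provision_call(InstanceArn=instance_arn, PermissionSetArn=permission_set_arn,
                                      TargetId=account_id, TargetType="AWS_ACCOUNT")
                break
            except ThrottlingError:  # back off, then retry the same account
                time.sleep(delay)
                delay *= 2
        with lock:
            results[account_id] = resp  # None means retries were exhausted

    # The pool size is the concurrency cap: the quota is on calls in flight, not total calls.
    with ThreadPoolExecutor(max_workers=max_concurrent) as pool:
        list(pool.map(one, account_ids))
    return results


class FakeSsoAdminClient:
    """Constructed offline stand-in for the sso-admin client: records peak in-flight
    calls and throttles the first request it receives."""
    def __init__(self):
        self._lock, self.in_flight, self.peak, self.calls, self._throttle = threading.Lock(), 0, 0, 0, 1

    def provision_permission_set(self, **kw):
        with self._lock:
            if self._throttle:
                self._throttle -= 1
                raise ThrottlingError("Rate exceeded")
            self.in_flight += 1
            self.peak = max(self.peak, self.in_flight)
            self.calls += 1
        time.sleep(0.01)  # simulated service latency so calls overlap
        with self._lock:
            self.in_flight -= 1
        return {"PermissionSetProvisioningStatus": {"Status": "IN_PROGRESS", "AccountId": kw["TargetId"]}}
```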