Troubleshooting issues with OpsCenter
This topic includes information to help you troubleshoot common errors and issues with OpsCenter.
You receive the OpsItemLimitExceededException
If your Amazon Web Services account has reached the maximum number of OpsItems allowed when you
call the CreateOpsItem API operation, you receive an
OpsItemLimitExceededException
. OpsCenter returns the exception if
your call would exceed the maximum number of OpsItems for either of the following
quotas:
-
Total number of OpsItems per Amazon Web Services account per Region (including
Open
andResolved
OpsItems): 500,000 -
Maximum number of OpsItems per Amazon Web Services account per month: 10,000
These quotas apply to OpsItems created from any source except the following:
-
OpsItems created by Amazon Security Hub findings
-
OpsItems that are auto-generated when an Incident Manager incident is opened
OpsItems created from these sources don't count against your OpsItem quotas, but you are charged for each OpsItem.
If you receive an OpsItemLimitExceededException
, you can manually
delete OpsItems until you are below the quota preventing you from creating a new OpsItem.
Again, deleting OpsItems created for Security Hub findings or Incident Manager incidents won't
reduce your total number of OpsItems enforced by the quotas. You must delete OpsItems from
other sources. For information about how to delete an OpsItem, see Delete OpsItems.
You receive a large bill from Amazon for large numbers of auto-generated OpsItems
If you configured integration with Amazon Security Hub, OpsCenter creates OpsItems for Security Hub findings. Depending on the number of finding Security Hub generates and the account you were logged into when you configured integration, OpsCenter can generate large numbers of OpsItems, at a cost. Here are more specific details related to OpsItems generated by Security Hub findings:
-
If you are logged into the Security Hub administrator account when you configure OpsCenter and Security Hub integration, the system creates OpsItems for findings in the administrator and all member accounts. The OpsItems are all created in the administrator account. Depending on a variety of factors, this can lead to an unexpectedly large bill from Amazon.
If you are logged into a member account when you configure integration, the system only creates OpsItems for findings in that individual account. For more information about the Security Hub administrator account, member accounts, and their relation to the EventBridge event feed for findings, see Types of Security Hub integration with EventBridge in the Amazon Security Hub User Guide.
-
For each finding that creates an OpsItem, you are charged the regular price for creating the OpsItem. You are also charged if you edit the OpsItem or if the corresponding finding is updated in Security Hub (which triggers an OpsItem update).
Important
If you believe a large number of OpsItems were created in error and your Amazon bill is unwarranted, contact Amazon Web Services Support.
Use the following procedure if you no longer want the system to create OpsItems for Security Hub findings.
To stop receiving OpsItems for Security Hub findings
Open the Amazon Systems Manager console at https://console.amazonaws.cn/systems-manager/
. -
In the navigation pane, choose OpsCenter.
-
Choose Settings.
-
In the Security Hub findings section, choose Edit.
-
Choose the slider to change Enabled to Disabled. If you aren't able to toggle the slider, Security Hub hasn't been enabled for your Amazon Web Services account.
-
Choose Save to save your configuration. OpsCenter no longer creates OpsItems based on Security Hub findings.
Important
If OpsCenter toggles the setting back to Enabled and continues to create OpsItems for findings, log into the Systems Manager delegated administrator account or the Amazon Organizations management account and repeat this procedure. If you don't have permission to log into either of those accounts, contact your administrator and ask them to repeat this procedure to disable integration for your account.