Troubleshooting issues with OpsCenter - Amazon Systems Manager
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Troubleshooting issues with OpsCenter

This topic includes information to help you troubleshoot common errors and issues with OpsCenter.

You receive the OpsItemLimitExceededException

If your Amazon Web Services account has reached the maximum number of OpsItems allowed when you call the CreateOpsItem API operation, you receive an OpsItemLimitExceededException. OpsCenter returns the exception if your call would exceed the maximum number of OpsItems for either of the following quotas:

  • Total number of OpsItems per Amazon Web Services account per Region (including Open and Resolved OpsItems): 500,000

  • Maximum number of OpsItems per Amazon Web Services account per month: 10,000

These quotas apply to OpsItems created from any source except the following:

  • OpsItems created by Amazon Security Hub findings

  • OpsItems that are auto-generated when an Incident Manager incident is opened

OpsItems created from these sources don't count against your OpsItem quotas, but you are charged for each OpsItem.

If you receive an OpsItemLimitExceededException, you can manually delete OpsItems until you are below the quota preventing you from creating a new OpsItem. Again, deleting OpsItems created for Security Hub findings or Incident Manager incidents won't reduce your total number of OpsItems enforced by the quotas. You must delete OpsItems from other sources. For information about how to delete an OpsItem, see Delete OpsItems.

You receive a large bill from Amazon for large numbers of auto-generated OpsItems

If you configured integration with Amazon Security Hub, OpsCenter creates OpsItems for Security Hub findings. Depending on the number of finding Security Hub generates and the account you were logged into when you configured integration, OpsCenter can generate large numbers of OpsItems, at a cost. Here are more specific details related to OpsItems generated by Security Hub findings:

  • If you are logged into the Security Hub administrator account when you configure OpsCenter and Security Hub integration, the system creates OpsItems for findings in the administrator and all member accounts. The OpsItems are all created in the administrator account. Depending on a variety of factors, this can lead to an unexpectedly large bill from Amazon.

    If you are logged into a member account when you configure integration, the system only creates OpsItems for findings in that individual account. For more information about the Security Hub administrator account, member accounts, and their relation to the EventBridge event feed for findings, see Types of Security Hub integration with EventBridge in the Amazon Security Hub User Guide.

  • For each finding that creates an OpsItem, you are charged the regular price for creating the OpsItem. You are also charged if you edit the OpsItem or if the corresponding finding is updated in Security Hub (which triggers an OpsItem update).

Important

If you believe a large number of OpsItems were created in error and your Amazon bill is unwarranted, contact Amazon Web Services Support.

Use the following procedure if you no longer want the system to create OpsItems for Security Hub findings.

To stop receiving OpsItems for Security Hub findings
  1. Open the Amazon Systems Manager console at https://console.amazonaws.cn/systems-manager/.

  2. In the navigation pane, choose OpsCenter.

  3. Choose Settings.

  4. In the Security Hub findings section, choose Edit.

  5. Choose the slider to change Enabled to Disabled. If you aren't able to toggle the slider, Security Hub hasn't been enabled for your Amazon Web Services account.

  6. Choose Save to save your configuration. OpsCenter no longer creates OpsItems based on Security Hub findings.

Important

If OpsCenter toggles the setting back to Enabled and continues to create OpsItems for findings, log into the Systems Manager delegated administrator account or the Amazon Organizations management account and repeat this procedure. If you don't have permission to log into either of those accounts, contact your administrator and ask them to repeat this procedure to disable integration for your account.