Amazon Firewall Manager quotas - Amazon WAF, Amazon Firewall Manager, and Amazon Shield Advanced
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Amazon Firewall Manager quotas

Amazon Firewall Manager is subject to the following quotas (formerly referred to as limits).

Amazon Firewall Manager has default quotas, which you might be able to increase, and fixed quotas.

The security group policies and network ACL policies that are managed by Firewall Manager are subject to standard Amazon VPC quotas. For more information, see Amazon VPC Quotas in the Amazon VPC User Guide.

Each Firewall Manager Network Firewall policy creates a Network Firewall firewall with an associated firewall policy and its rule groups. These Network Firewall resources are subject to the quotas listed at Amazon Network Firewall quotas in the Network Firewall Developer Guide.

Soft quotas

Amazon Firewall Manager has default quotas on the number of entities per Region. You can request an increase in these quotas.

All policy types

| Resource | Default quota per Region |
| --- | --- |
| Accounts per organization in Amazon Organizations | Varies. An invitation sent to an account counts against this quota. The count is returned if the invited account declines, the management account cancels the invitation, or the invitation expires. |
| Firewall Manager policies per organization in Amazon Organizations. | 50. The Region specifications Global and US East (N. Virginia) Region refer to the same Region, so this limit applies to the total combined policies for the two of them. |
| Organizational units in scope per Firewall Manager policy. | 20 |
| Accounts in scope of a Firewall Manager policy if you explicitly include and exclude individual accounts. | 200 |
| Accounts in scope of a Firewall Manager policy if you do not explicitly include or exclude individual accounts. | 2,500 |
| Tags that include or exclude resources per Firewall Manager policy. | 8 |
| Number of resource sets per account. | 20 |
| Number of resources per resource set. | 100 |
| Number of resource sets per Firewall Manager policy. | 5 |

Amazon WAF policies

| Resource | Default quota per Region |
| --- | --- |
| Amazon WAF rule groups per Firewall Manager administrator account. | 100 |
| Amazon WAF Classic rule groups per Firewall Manager administrator account. | 10 |
| Rule groups per Amazon WAF policy. | 50 |

Common security group policies

| Resource | Default quota per Region |
| --- | --- |
| Primary security groups per policy. | 3 |
| Amazon VPC instances in scope per policy per account, including shared VPCs. | 100 |

Content audit security group policies

| Resource | Default quota per Region |
| --- | --- |
| Audit security groups per policy. | 1 |
| Applications per application list. | 50 |
| Custom managed application lists for rules that allow all traffic. | 1 |
| Custom managed application lists per policy rules. | 1 |
| Custom managed application lists per account. | 10 |
| Protocols per protocol list. | 5 |
| Custom managed protocol lists for any setting in a policy. | 1 |
| Custom managed protocol lists per account. | 10 |

Network ACL policies

| Resource | Default quota per Region |
| --- | --- |
| Number of inbound rules per network ACL policy, used for first or last rules. For example, you can have 5 first and 0 last inbound rules, or 2 first and 3 last, but you can't have 4 first and 2 last. | 5 |
| Number of outbound rules per network ACL policy, used for first or last rules. For example, you can have 5 first and 0 last outbound rules, or 2 first and 3 last, but you can't have 4 first and 2 last. | 5 |

DNS Firewall policies

| Resource | Default quota per Region |
| --- | --- |
| DNS Firewall rule groups per DNS Firewall policy. | 2 |

Hard quotas

The following per-Region quotas related to Amazon Firewall Manager can't be changed.

All policy types

| Resource | Quota per Region |
| --- | --- |
| The maximum number of Firewall Manager administrators you can have in an Amazon Organizations organization. You must have one default administrator, and can have as many as nine additional Firewall Manager administrators. | 10 |

Amazon WAF policies

| Resource | Quota per Region |
| --- | --- |
| Total web ACL capacity units (WCU) for the rule groups in an Amazon WAF policy. | 5,000 |

Amazon WAF Classic policies

| Resource | Quota per Region |
| --- | --- |
| Amazon WAF Classic rule groups per policy. | 2: 1 customer-created rule group and 1 Amazon Web Services Marketplace rule group. |
| Amazon WAF Classic rules per Firewall Manager Amazon WAF Classic rule group. | 10 |

Security group content audit policies

| Resource | Quota per Region |
| --- | --- |
| Firewall Manager managed application lists for any setting in a policy. | 1 |
| Firewall Manager managed protocol lists for any setting in a policy. | 1 |

Network Firewall policies

| Resource | Quota per Region |
| --- | --- |
| Number of VPCs that can be automatically remediated for a single policy. | 1,000 |
| The number of IPv4 CIDRs that you can provide for a single policy. | 50 |