# Limitations and quotas in AWS Control Tower
<a name="limits"></a>

This chapter covers the AWS service limitations and quotas that you should keep in mind as you use AWS Control Tower. If you're unable to set up your landing zone due to a service quota issue, contact [AWS Support](https://aws.amazon.com/premiumsupport/).

For more information about limitations that are specific to controls, see [Control limitations](control-limitations.md).

**The Controls Reference Guide**  
Detailed information about AWS Control Tower controls has been moved to [the AWS Control Tower Controls Reference Guide](https://docs.aws.amazon.com/controltower/latest/controlreference/introduction.html).

## Known limitations in AWS Control Tower
<a name="controltower-limits"></a>

This section describes known limitations and unsupported use cases in AWS Control Tower.
+ AWS Control Tower has overall *concurrency limitations*. In general, one operation at a time is permitted. Two exceptions to this limitation are allowed:
  + Optional controls can be activated and deactivated concurrently, through an asynchronous process. Up to one hundred (100) control-related operations at a time can be in progress, in total, regardless of whether they are called from the console or from an API.
  + Accounts can be provisioned, updated, and enrolled concurrently in Account Factory, through an asynchronous process, with up to five (5) account-related operations in progress simultaneously. Unmanaging accounts must be performed one account at a time.
    + With auto-enrollment enabled, only a single move account operation can be performed on the destination OU and any additional account-related operations on the same OU will be considered conflicting until the move account operation is finished.
  + Account Factory for Terraform (AFT) has additional concurrency parameters configured during deployment. AWS has tested AFT with these default values:
    + `concurrent_account_factory_actions`: 5 (account provisioning)
    + `maximum_concurrent_customizations`: 5 (customization pipelines)

    Increasing these limits beyond the tested defaults may reduce stability.
+ Email addresses of shared accounts in the Security OU can be changed, but you must update your landing zone to see these changes in the AWS Control Tower console.
+ A limit of five (5) SCPs per OU applies to OUs in your AWS Control Tower landing zone.
+ AWS Control Tower supports up to 10,000 accounts in your landing zone's organization, divided among all of your OUs.
+ Existing OUs with over 1000 directly nested accounts cannot be registered or re-registered in AWS Control Tower. For more information about limitations with registering OUs, see [Limitations based on underlying AWS services](region-stackset-limitations.md).
+ **Customizations for AWS Control Tower (CfCT)** is unavailable in these AWS Regions, because some dependencies are not available: 
  + Europe (Zurich), eu-central-2
  + Europe (Spain), eu-south-2
  + Canada West (Calgary), ca-west-1
  + Asia Pacific (Melbourne), ap-southeast-4
  + Asia Pacific (Malaysia), ap-southeast-5
  + Asia Pacific (Thailand), ap-southeast-7
  + Mexico (Central), mx-central-1

  You can deploy and manage resources in these Regions with CfCT, if you deploy CfCT to your AWS Control Tower home Region, but you cannot build CfCT in these Regions.
+ **AWS Control Tower Account Factory for Terraform (AFT)** is not available in the following AWS Regions, because some dependencies are not available:
  + Europe (Zurich), eu-central-2
  + Europe (Spain), eu-south-2
  + Canada West (Calgary), ca-west-1
  + Asia Pacific (Melbourne), ap-southeast-4
  + Asia Pacific (Malaysia), ap-southeast-5
  + Asia Pacific (Thailand), ap-southeast-7
  + Mexico (Central), mx-central-1
+ **AWS Control Tower Account Factory for Terraform (AFT)** cannot be deployed by new AFT customers in the following Regions, because AWS CodeConnections is not available to connect to a third-party version control system (VCS):
  + Asia Pacific (Hong Kong), Africa (Cape Town), Middle East (Bahrain), Europe (Zurich), Asia Pacific (Jakarta), Asia Pacific (Hyderabad), Asia Pacific (Osaka), Asia Pacific (Melbourne), Israel (Tel Aviv), Europe (Spain), Middle East (UAE), Asia Pacific (Thailand), Mexico (Central)
+ The following Regions do not support **AWS Service Catalog**.
  + Canada West (Calgary), ca-west-1
  + Asia Pacific (Malaysia), ap-southeast-5
  + Asia Pacific (Thailand), ap-southeast-7
  + Mexico (Central), mx-central-1
  **Note**  
  Regions that do not support Service Catalog do not support Account Factory Customizations for AWS Control Tower (AFC).

  For more information about AWS Control Tower functionality in Regions that do not support AWS Service Catalog, see [AWS Control Tower available in AWS Canada West (Calgary)](2024-all.md#yyc-available).
+ When calling a control API to activate or deactivate a control, the limit for `EnableControl` and `DisableControl` updates in AWS Control Tower is one hundred (100) concurrent operations. Ten (10) operations can be in progress simultaneously, with the remaining operations queued. You may need to adjust your code to wait for completions.
+ When you provision accounts through **Account Factory Customizations (AFC)**, with blueprints that are based in Terraform, you can deploy those blueprints to only one AWS Region. By default, AWS Control Tower deploys to the home Region.
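The concurrency limit on `EnableControl` and `DisableControl` described above means a caller should keep its own window of at most ten unfinished operations and poll for completion before submitting more. The following is an added example, not AWS's own code: `start_op` and `get_status` are injected callables that in practice would wrap the boto3 `enable_control`/`disable_control` and `get_control_operation` calls (assumed to return an operation identifier and a status string such as `IN_PROGRESS`, `SUCCEEDED` or `FAILED`); `FakeControlTower` is a constructed stand-in so the driver runs offline.

```python
from typing import Callable, Dict, List, Tuple

MAX_IN_FLIGHT = 10  # operations AWS Control Tower executes at once; the rest queue
TERMINAL = {"SUCCEEDED", "FAILED"}


def run_control_operations(requests: List[Tuple[str, str]],
                           start_op: Callable[[str, str], str],
                           get_status: Callable[[str], str],
                           sleep: Callable[[float], None] = lambda s: None,
                           poll_interval: float = 5.0) -> Dict[str, str]:
    """Start each (control, target OU) request while keeping at most
    MAX_IN_FLIGHT operations unfinished; returns {operation_id: status}."""
    pending = list(requests)
    in_flight: List[str] = []
    results: Dict[str, str] = {}
    while pending or in_flight:
        while pending and len(in_flight) < MAX_IN_FLIGHT:  # top up the window
            control, target = pending.pop(0)
            in_flight.append(start_op(control, target))
        for op_id in list(in_flight):
            status = get_status(op_id)
            if status in TERMINAL:
                results[op_id] = status
                in_flight.remove(op_id)
        if in_flight:
            sleep(poll_interval)  # wait for completions rather than submit more
    return results


class FakeControlTower:
    """Constructed offline stand-in for the service (hypothetical): an
    operation reports SUCCEEDED after `polls_to_finish` status checks."""

    def __init__(self, polls_to_finish: int = 2):
        self.polls_to_finish = polls_to_finish
        self.active: Dict[str, int] = {}  # op id -> status checks so far
        self.max_active = 0               # peak number of unfinished operations
        self.count = 0

    def start(self, control: str, target: str) -> str:
        self.count += 1
        op_id = f"op-{self.count}"
        self.active[op_id] = 0
        self.max_active = max(self.max_active, len(self.active))
        return op_id

    def status(self, op_id: str) -> str:
        self.active[op_id] += 1
        if self.active[op_id] >= self.polls_to_finish:
            del self.active[op_id]
            return "SUCCEEDED"
        return "IN_PROGRESS"
```

Running `run_control_operations` with 25 constructed requests against `FakeControlTower` completes all of them while the peak number of unfinished operations never exceeds ten.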

# Request a quota increase
<a name="request-an-increase"></a>

The Service Quotas console provides information about AWS Control Tower quotas. You can use the Service Quotas console to view the default service quotas or to [request quota increases](https://console.aws.amazon.com/servicequotas/home?region=us-east-1#!/services/controltower/quotas) for adjustable quotas. 

**Note**  
Newly created accounts and organizations might experience a quota below the default of 10 accounts.

**The following quotas can be viewed through the Service Quotas console**
+ *Concurrent account operations quota*: The maximum number of concurrent account operations that can be performed at the same time. Default: 5, Maximum: 10, adjustable
+ *Number of accounts in a single OU*: The maximum number of AWS Control Tower managed accounts that can be present in one OU. If you add accounts beyond this limit, the OU registration process in AWS Control Tower cannot be performed. To learn more about the number of accounts per OU, review [Limitations based on underlying AWS services](region-stackset-limitations.md) in the AWS Control Tower documentation. Default: 1000, not adjustable.
+ *Concurrent operations for organizational units (OUs)*: The maximum number of concurrent OU-related operations that can be performed at the same time. Default: 1, not adjustable.

For example, you can request a quota increase from five to as many as ten concurrent account-related operations. Some AWS Control Tower performance characteristics may change after a quota increase. For example, it may take longer to update an OU when you have more accounts in it. Or, it may take longer to complete an action on an OU with five SCPs than with three SCPs.

**Note**  
A service quota increase request may require up to two days before it takes effect. Be sure to request the quota increase from your AWS Control Tower home Region.

As an alternative, you can contact [AWS Support](https://aws.amazon.com/premiumsupport/) to request a quota increase for some resources in AWS Control Tower. Or you can view the video that follows, and learn how to automate certain service quota increases.

**Video: Automate requests for service quota increases, in services related to AWS Control Tower**

This video (7:24) describes how to automate service quota increases for related, integrated AWS services, based on deployments in AWS Control Tower. It also shows how to automate enrollment of new accounts into AWS Enterprise support for your organization. For better viewing, select the icon at the lower right corner of the video to enlarge it to full screen. Captioning is available.

[![AWS Videos](http://img.youtube.com/vi/3WUShZ4lZGE/0.jpg)](http://www.youtube.com/watch?v=3WUShZ4lZGE)

When provisioning new accounts in this environment, you can use lifecycle events to trigger automated requests for service quota increases in specified AWS Regions. 

More information about AWS quotas is available in the [AWS General Reference](https://docs.aws.amazon.com/general/latest/gr/aws_service_limits.html#limits_config).

# Control limitations
<a name="control-limitations"></a>

AWS Control Tower assists you with maintaining a secure, multi-account environment on AWS by means of controls, which are implemented in various forms, such as service control policies (SCPs), AWS Config rules, and CloudFormation hooks.

**The Controls Reference Guide**  
Detailed information about AWS Control Tower controls has been moved to [the AWS Control Tower Controls Reference Guide](https://docs.aws.amazon.com/controltower/latest/controlreference/introduction.html).

If you modify AWS Control Tower resources, such as an SCP, or remove any AWS Config resource, such as a Config recorder or aggregator, AWS Control Tower can no longer guarantee that the controls are functioning as designed. Therefore, the security of your multi-account environment may be compromised. The AWS [shared responsibility model](https://aws.amazon.com/compliance/shared-responsibility-model) of security is applicable to any such changes you may make.

**Note**  
AWS Control Tower helps maintain the integrity of your environment by resetting the SCPs of the preventive controls to their standard configuration when you update your landing zone. Changes that you may have made to SCPs are replaced by the standard version of the control, by design.

**Limitations by Region**

Some controls in AWS Control Tower do not operate in certain AWS Regions where AWS Control Tower is available, because those Regions do not support the required underlying functionality. As a result, when you deploy that control, it may not be operating in all Regions that you govern with AWS Control Tower. This limitation affects certain detective controls, certain proactive controls, and certain controls in the **Security Hub CSPM Service-managed Standard: AWS Control Tower**. For more information about Regional availability, see the [Security Hub controls](https://docs.aws.amazon.com/controltower/latest/controlreference/security-hub-controls.html). Also see the [Regional services list documentation](https://aws.amazon.com/about-aws/global-infrastructure/regional-product-services/) and the [Security Hub CSPM controls reference documentation](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-controls-reference.html).

Control behavior also is limited in case of *mixed governance*. For more information, see [Avoid mixed governance when configuring Regions](mixed-governance.md).

For more information about how AWS Control Tower manages the limitations of Regions and controls, see [Considerations for activating AWS opt-in Regions](opt-in-region-considerations.md).

**Note**  
For the most updated information about controls and Region support, we recommend that you call the [GetControl](https://docs.aws.amazon.com/controlcatalog/latest/APIReference/API_GetControl.html) and [ListControls](https://docs.aws.amazon.com/controlcatalog/latest/APIReference/API_ListControls.html) API operations.

## Find available controls and Regions
<a name="find-available-controls-and-regions"></a>

You can view the available Regions for each control in the AWS Control Tower console. You can view the available Regions programmatically with the [GetControl](https://docs.aws.amazon.com/controlcatalog/latest/APIReference/API_GetControl.html) and [ListControls](https://docs.aws.amazon.com/controlcatalog/latest/APIReference/API_ListControls.html) APIs from AWS Control Catalog.

For information about AWS Security Hub CSPM controls from the **Service-Managed Standard: AWS Control Tower** that are not supported in certain AWS Regions, see "Unsupported Regions" in the [Security Hub CSPM standard](https://docs.aws.amazon.com/controltower/latest/controlreference/security-hub-controls.html).

# Limitations based on underlying AWS services
<a name="region-stackset-limitations"></a>

This page describes limitations that you may encounter due to limitations in other AWS services, and how AWS Control Tower works with those services. 

**General guidelines**

As a general rule, we expect that the number of accounts supported when registering an OU diminishes as you increase the number of Regions governed, and the number of controls enabled, for that OU. These general guidelines assume that you have 15 optional controls enabled. If you have more or fewer controls enabled on your OU, the limits on accounts per OU will differ when registering.
+ With 15 governed Regions, OUs of up to 1000 accounts are supported.
+ With 16 to 21 governed Regions, the maximum supported OU size is in the range of 600-1000 accounts.
+ With 22 governed Regions, OUs of up to 680 accounts are supported.
+ With 23 or more governed Regions, the maximum supported OU size is less than 680 accounts.

**In case of error**

If registration fails, you can try to **Re-register** the OU. Also, you can make the OU smaller by using a nested OU or by moving accounts to another OU.

**Note**  
The mandatory controls that AWS Control Tower always enforces are not counted toward the number of controls you've enabled on an OU, for purposes of registration.

**CloudFormation stack set limitations**

If you plan to register a large number of accounts across multiple AWS Regions, you may encounter limits created by CloudFormation stack sets on the overall size of an organization. You can estimate the limitation with this formula:

*Number of managed accounts in the organization x Number of governed Regions <= 150,000*

This limitation becomes apparent during the OU registration process. For example, if 15 Regions are governed, and 15 optional controls are enabled, the limit for registering the OU is 1000 accounts. However, if you need to register OUs with more than 1000 accounts, or if you have a large number of optional controls enabled, you must reduce the number of governed Regions below 15. This reduction is due to stack set limitations.

**AWS Config limitations**

If you plan to register OUs with a large number of accounts, you may encounter limits with [the maximum number of accounts that AWS Config allows to be created or deleted each week](https://docs.aws.amazon.com/config/latest/developerguide/configlimits.html), across all aggregators. Enrolled accounts do not count toward this limit: you may enroll up to 1000 new accounts into AWS Control Tower each week.

**First-time limitations for accounts and opt-in Regions**

If you plan to register OUs with a large number of accounts across multiple opt-in Regions *for the first time*, you may encounter limitations due to [Account Management quotas](https://docs.aws.amazon.com/accounts/latest/reference/quotas.html), which can lead to prolonged latency. Errors may occur during OU registration due to latency.

# Regional differences for AWS Control Tower functionality
<a name="regional-differences"></a>

Certain differences exist in the behavior of AWS Control Tower across AWS Regions, because AWS Control Tower orchestrates the behavior of other AWS services. For example: 
+ AWS Service Catalog is not available in all AWS Regions where AWS Control Tower is available, which changes the behavior of Account Factory in those Regions.
+ In certain Regions, Account Factory Customizations (AFC) is not available because Service Catalog is not available to support the underlying functionality for blueprints.
+ Certain controls are not available in all AWS Regions due to lack of underlying functionality.
+ AFT and CfCT are not available in all AWS Regions due to lack of underlying functionality.

To make the best determination of behavior for your AWS Control Tower environment, ascertain your home Region. Then, evaluate the following items. For more details, see [Limitations and quotas in AWS Control Tower](https://docs.aws.amazon.com/controltower/latest/userguide/limits.html).
+ Is AWS Service Catalog available in your desired home Region?
+ Are the controls available that you require? See [Control limitations](https://docs.aws.amazon.com/controltower/latest/userguide/control-limitations.html).
+ Is IAM Identity Center available in your desired home Region?

**Deployable Regions for controls**

AWS Control Tower cannot activate certain controls when you deploy them in certain Regions, due to lack of underlying dependencies. You can find the most updated information about the deployable Regions for any control by calling the `ListControls` and `GetControl` APIs. You also can view the deployable Regions in the AWS Control Tower console.

When you activate a control on an OU that's governed by AWS Control Tower, the control's effective area is the *intersection* of your AWS Control Tower governed Regions with the control's deployable Regions. 

For example, a control can be enabled on an OU that operates in governed Regions X, Y and Z. But after it is enabled, the same control is deployed only on Regions X and Z, because the control itself does not support Region Y.

It's important to monitor the relationships among controls that you deploy and Regions where you operate workloads in AWS Control Tower, so that you don't experience gaps in protection of your AWS resources. 

**How to check your protected Regions**
+ In the AWS Control Tower console, you can view the enabled controls and Regions in the **Enabled controls** section.
+ If you call the `GetEnabledControl` API, the **targetRegions** parameter will show only those Regions where you can deploy the control effectively, not the non-deployable Regions.
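The intersection rule and the protection-gap concern described above can be checked mechanically: for each enabled control, the effective Regions are the governed Regions that the control can be deployed to, and any governed Region that hosts workloads but lies outside that set is a gap. The following is an added example, not AWS's code; the control names and Region lists are constructed sample data, not real control identifiers or real deployable-Region lists (in practice the deployable Regions come from `GetControl`/`ListControls`, or directly from `targetRegions` in `GetEnabledControl`).

```python
from typing import Dict, Iterable, List, Set

# Constructed sample: Regions governed by the landing zone.
GOVERNED: Set[str] = {"us-east-1", "eu-west-1", "ap-southeast-4", "mx-central-1"}

# Constructed sample: control -> Regions where that control can be deployed.
# The names are placeholders, not real AWS Control Tower control identifiers.
DEPLOYABLE: Dict[str, Set[str]] = {
    "sample-detective-control": {"us-east-1", "eu-west-1", "ap-southeast-4"},
    "sample-proactive-control": {"us-east-1", "eu-west-1"},
}

# Constructed sample: Regions where the OU actually runs workloads.
WORKLOAD_REGIONS: Set[str] = {"us-east-1", "ap-southeast-4", "mx-central-1"}


def effective_regions(governed: Iterable[str], deployable: Iterable[str]) -> Set[str]:
    """Regions where a control is actually in effect: governed AND deployable."""
    return set(governed) & set(deployable)


def protection_gaps(governed: Iterable[str],
                    deployable_by_control: Dict[str, Iterable[str]],
                    workload_regions: Iterable[str]) -> Dict[str, List[str]]:
    """Per control, the governed Regions that host workloads but are not
    covered because the control cannot be deployed there."""
    governed_workloads = set(governed) & set(workload_regions)
    gaps: Dict[str, List[str]] = {}
    for control, deployable in deployable_by_control.items():
        missing = governed_workloads - effective_regions(governed, deployable)
        if missing:
            gaps[control] = sorted(missing)
    return gaps


def ungoverned_workload_regions(governed: Iterable[str],
                                workload_regions: Iterable[str]) -> List[str]:
    """Workload Regions outside governance entirely; no control applies there."""
    return sorted(set(workload_regions) - set(governed))


if __name__ == "__main__":
    for control, regions in protection_gaps(GOVERNED, DEPLOYABLE, WORKLOAD_REGIONS).items():
        print(f"{control}: no coverage in {', '.join(regions)}")
    print("ungoverned workload Regions:", ungoverned_workload_regions(GOVERNED, WORKLOAD_REGIONS))
```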