

# Deploy the solution
<a name="deploy-the-solution"></a>

This solution uses [CloudFormation templates and stacks](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/cfn-whatis-concepts.html) to automate its deployment. The CloudFormation templates specify the AWS resources included in this solution and their properties. The CloudFormation stack provisions the resources that are described in the templates.

Before you launch the automated deployment, review the architecture and other considerations discussed in this guide. Follow the step-by-step instructions in this section to configure and deploy the Quota Monitor for AWS into your account.

 **Time to deploy:** Approximately five minutes.

## Prerequisites
<a name="prerequisites"></a>
+ If you are using AWS Organizations, you can deploy `quota-monitor-prerequisite.template` to fulfill needed prerequisites. For detailed instructions, refer to [Step 2a: Launch the prerequisite stack (optional)](step-2a.-launch-the-prerequisite-stack-optional.md).
+ To support quota usage monitoring with Trusted Advisor, each account must have a Business- or Enterprise-level [Support](https://aws.amazon.com/premiumsupport/) plan to gain access to the Trusted Advisor service quota checks.
+ To use this solution’s Slack notification functionality, you must have an existing Slack channel.

**Important**  
When deploying this solution across multiple account types (management, designated administrator for CloudFormation StackSets, and spoke accounts), ensure that the opted-in Regions overlap across all involved accounts. If the hub account has [opt-in Regions](https://docs.aws.amazon.com/accounts/latest/reference/manage-acct-regions.html#manage-acct-regions-considerations) that are not enabled in the spoke accounts, the solution will attempt to deploy in those Regions. This will cause deployment failures in the spoke accounts and might prevent successful deployment in the common Regions. Ensuring this Region overlap is crucial for the successful deployment and operation of the solution across your organization.

## Deployment overview
<a name="deployment-overview"></a>

To deploy this solution, follow these steps:

 [Step 1: Choose your deployment scenario](step-1.-choose-your-deployment-scenario.md) 

Choose the deployment scenario that meets your needs: AWS Organizations, hybrid, or AWS accounts that are not part of an AWS Organization.

 [Step 2a: Launch the prerequisite stack (optional)](step-2a.-launch-the-prerequisite-stack-optional.md) 

Launch the prerequisite template in an Organizations management account to invoke a Lambda function that:
+ Checks that the Organizations **All Features** is activated.
+ Adds a member account as the designated administrator for CloudFormation StackSets.

  --Or--

 [Step 2b: Fulfill the prerequisites manually (optional)](step-2b.-achieve-prerequisites-manually-optional.md) 
+ Fulfill the prerequisites needed for monitoring quotas across Organizations manually.

 [Step 3a. Launch the hub stack for AWS Organizations](step-3a.-launch-the-hub-stack-for-aws-organizations.md) 

--Or--

 [Step 3b: Launch the hub stack for single account deployment](step-3b.-launch-the-hub-stack-for-single-account-deployment.md) 
+ Launch the AWS CloudFormation template into an AWS account that is [registered as a delegated administrator for StackSets](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacksets-orgs-delegated-admin.html) in your organization.
+ Enter values for the required parameters: **Deployment Configuration.** 
+ Review the other template parameters and adjust if necessary.

 [Step 4a: Update the Systems Manager Parameter Store (Regions List)](step-4a.-update-systems-manager-parameter-store-regions-list.md) 
+ Update Parameter Store with the `RegionToDeploy`.

 [Step 4b: Update the Systems Manager Parameter Store (OUs)](step-4b.-update-systems-manager-parameter-store-ous.md) 
+ Update Parameter Store with the `OUs`.
+ Review StackSets instances.

 [Step 5: Launch the spoke notifications stacks (optional)](step-5.-launch-the-spoke-sns-stacks-when-not-using-aws-organizations-or-hybrid-environments.md) 
+ Launch the components necessary to add decentralized notification into each account.

 [Step 6: Launch the spoke stacks (optional)](step-6.-launch-the-spoke-stacks-optional.md) 
+ Launch the components necessary to monitor quotas in secondary accounts. Review the other template parameters and adjust if necessary.

 [Step 7: Configure notifications (optional)](step-7.-configure-notifications-optional.md) 
+ Configure notification filtering.

 [Step 8. Configure Slack notifications (optional)](step-8.-configure-slack-notifications-optional.md) 
+ Configure Slack for notifications.
+ Add the Slack webhook URL to the Systems Manager Parameter Store.

**Important**  
This solution includes data collection. We use this data to better understand how customers use this solution and related services and products. AWS owns the data gathered through this survey. Data collection is subject to the [AWS Privacy Notice](https://aws.amazon.com/privacy/).

# AWS CloudFormation templates
<a name="aws-cloudformation-templates"></a>

This solution includes the following CloudFormation templates, which you can download before deployment:

 [https://s3.amazonaws.com/solutions-reference/quota-monitor-for-aws/latest/quota-monitor-hub.template](https://s3.amazonaws.com/solutions-reference/quota-monitor-for-aws/latest/quota-monitor-hub.template) **quota-monitor-hub.template** - Use this template to launch the Quota Monitor for AWS solution and all associated components in the monitoring account.

 [https://s3.amazonaws.com/solutions-reference/quota-monitor-for-aws/latest/quota-monitor-sq-spoke.template](https://s3.amazonaws.com/solutions-reference/quota-monitor-for-aws/latest/quota-monitor-sq-spoke.template) **quota-monitor-sq-spoke.template** - Use this template to launch the Quota Monitor for AWS solution and all associated components in secondary accounts to support Service Quotas.

 [https://solutions-reference.s3.amazonaws.com/quota-monitor-for-aws/latest/quota-monitor-sns-spoke.template](https://solutions-reference.s3.amazonaws.com/quota-monitor-for-aws/latest/quota-monitor-sns-spoke.template) **quota-monitor-sns-spoke.template** - Use this template to launch notification resources in secondary accounts. This stack is optional and should be launched in only one Region within each secondary account.

 [https://solutions-reference.s3.amazonaws.com/quota-monitor-for-aws/latest/quota-monitor-ta-spoke.template](https://solutions-reference.s3.amazonaws.com/quota-monitor-for-aws/latest/quota-monitor-ta-spoke.template) **quota-monitor-ta-spoke.template** - Use this template to launch the Quota Monitor for AWS solution and all associated components in secondary accounts to support Trusted Advisor.

 [https://solutions-reference.s3.amazonaws.com/quota-monitor-for-aws/latest/quota-monitor-prerequisite.template](https://solutions-reference.s3.amazonaws.com/quota-monitor-for-aws/latest/quota-monitor-prerequisite.template) **quota-monitor-prerequisite.template** - Use this supplemental template to fulfill the prerequisites needed for monitoring quotas across AWS Organizations. This template should be launched in the organization management account.

 [https://solutions-reference.s3.amazonaws.com/quota-monitor-for-aws/latest/quota-monitor-hub-no-ou.template](https://solutions-reference.s3.amazonaws.com/quota-monitor-for-aws/latest/quota-monitor-hub-no-ou.template) **quota-monitor-hub-no-ou.template** - Use this supplemental template to launch the Quota Monitor for AWS and all associated components in the monitoring account, when you are not using AWS Organizations.

Refer to [Choose your deployment scenario](step-1.-choose-your-deployment-scenario.md) later in this guide to determine which templates you need to deploy to meet your needs. Refer to the [README.md](https://github.com/aws-solutions/quota-monitor-for-aws/blob/main/README.md) file in the GitHub repository for guidance to customize the template.

# Step 1. Choose your deployment scenario
<a name="step-1.-choose-your-deployment-scenario"></a>

You can deploy Quota Monitor for AWS in three deployment scenarios:
+  **Scenario 1** - Environments where all AWS accounts are part of one or more Organizations.
+  **Scenario 2** - Hybrid environments with Organizations and independent AWS accounts.
+  **Scenario 3** - Environments that do not use Organizations and use single accounts instead.

To leverage all the benefits of this solution for automated monitoring and automated deployment, we recommend using Organizations.

The following sections describe how to deploy Quota Monitor for AWS in each of these deployment scenarios.

## Deploying in AWS Organizations environments and hybrid environments (scenarios 1 and 2)
<a name="deploying-in-aws-organizations-environments-and-hybrid-environments-scenarios-1-and-2"></a>

Choose this scenario if you are using Organizations and the AWS account that you are using for monitoring quotas is registered as a delegated administrator for StackSets in the organization.

You can choose from the two deployment modes provided as template input parameters:
+  **Organizations (default mode)** - If you want to monitor quota utilization across your Organizations or across different OUs under your organization, choose this mode.
+  **Hybrid** - If you want to monitor quota utilization across your Organizations, OUs, and accounts outside your Organizations, choose this mode.

The following figure depicts an example of deploying the solution in your monitoring account.

 **Image depicts the workflow for deploying a monitoring account** 

![\[deployment workflow\]](http://docs.aws.amazon.com/solutions/latest/quota-monitor-for-aws/images/deployment-workflow.png)


After you choose the deployment mode, the resources needed for that mode are provisioned. The deployment workflow is invoked when you update the deployed Systems Manager Parameter Store.
+ The `helper` Lambda function updates the permissions on the centralized EventBridge bus, so all monitored accounts can send their quota utilization events to the monitoring account.
+ CloudFormation StackSets automates spoke template deployments in the secondary accounts under targeted OUs.
+ For additional accounts not under the purview of Organizations, you can manually deploy spoke templates.

## Deploying when not using AWS Organizations (scenarios 2 and 3)
<a name="deploying-when-not-using-aws-organizations-scenarios-2-and-3"></a>

While we recommend using Organizations so that you can leverage the benefits of automated monitoring and automated deployment, you might have use cases where you are not using Organizations.

When you are not using Organizations and your monitoring account is an independent standalone account rather than an organization member account, use the supplemental `quota-monitor-hub-no-ou.template`.

**Note**  
You are responsible for the cost of the AWS services used while running this solution. Review the [Cost](cost.md) section for more details. For full details, refer to the pricing webpage for each AWS service you will be using in this solution.

The following flowchart depicts which templates you need to deploy, depending on your deployment scenario.

![\[Image depicts a decision diagram for selecting the templates for your deployment scenario\]](http://docs.aws.amazon.com/solutions/latest/quota-monitor-for-aws/images/choose-deployment-scenario.png)


The following table summarizes the decision criteria for choosing templates, regions, and accounts for monitoring your quotas.


| Question | Using AWS Organizations | Using single accounts | 
| --- | --- | --- | 
|  Where do you deploy a prerequisite template?  |  Deploy in a management account  |  N/A  | 
|  Which AWS Region should you use for the prerequisite template?  |  Any AWS Region  |  N/A  | 
|  Which hub template should you use?  |   `quota-monitor-hub.template`   |   `quota-monitor-hub-no-ou.template`   | 
|  Which hub account should you use?  |  Any account  |  Any account  | 
|  Where do you deploy the spoke templates?  |  StackSets for Organizations and OU deployment scenarios; StackSets and manual deployment for hybrid deployment scenarios  |  Manual deployment  | 
|  Which spoke account should you use?  |  Any  |  Any  | 
|  Which AWS Region should you use for the Trusted Advisor spoke template?  |   `us-east-1` or `us-gov-west-1` Region  |   `us-east-1` or `us-gov-west-1` Region  | 
|  Which AWS Region should you use for the Service Quota spoke template?  |  Any  |  Any  | 

# Step 2a. Launch the prerequisite stack (optional)
<a name="step-2a.-launch-the-prerequisite-stack-optional"></a>

**Note**  
Use the prerequisite stack only for Organizations deployments.

The solution provides a supplemental prerequisite template. When you deploy this automated CloudFormation template in an Organizations management account, a Lambda function checks for the following prerequisites:

1. Checks that the **AWS Organizations** **All Features** is activated.

1. Adds a member account as the designated administrator for CloudFormation StackSets.
**Note**  
The solution deploys service-managed StackSets. You must allow trusted access with AWS Organizations in the organization management account before you can use service-managed permissions on the AWS CloudFormation console (refer to [Enable trusted access with AWS Organizations](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacksets-orgs-enable-trusted-access.html?icmpid=docs_cfn_console) in the *AWS CloudFormation User Guide*) or AWS Organizations console (refer to [Enabling trusted access with AWS CloudFormation Stacksets](https://docs.aws.amazon.com/organizations/latest/userguide/services-that-can-integrate-cloudformation.html#integrate-enable-ta-cloudformation) in the *AWS Organizations User Guide*).

The Lambda function installs the prerequisites. If there are errors during prerequisite installation, a stack rollback occurs with an error message.

Use the following procedures to deploy the `quota-monitor-prerequisite.template` CloudFormation template.

1. Sign in to the AWS Management Console and select the button to launch the `quota-monitor-prerequisite.template` CloudFormation template.

    [https://console.aws.amazon.com/cloudformation/home?region=us-east-1#/stacks/new?templateURL=https:%2F%2Fs3.amazonaws.com%2Fsolutions-reference%2Fquota-monitor-for-aws%2Flatest%2Fquota-monitor-prerequisite.template&redirectId=ImplementationGuide](https://console.aws.amazon.com/cloudformation/home?region=us-east-1#/stacks/new?templateURL=https:%2F%2Fs3.amazonaws.com%2Fsolutions-reference%2Fquota-monitor-for-aws%2Flatest%2Fquota-monitor-prerequisite.template&redirectId=ImplementationGuide) 
**Note**  
You must launch the template in the US East (N. Virginia) or AWS GovCloud (US-West) Region of the [organization](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html) for the management account.

1. On the **Create stack** page, verify that the correct template URL is in the **Amazon S3 URL** text box and choose **Next**.

1. On the **Specify stack details** page, assign a name to your solution stack.

1. Under **Parameters**, review the parameters for this solution template and modify them as necessary. This solution uses the following default values.


| Parameter | Default | Description | 
| --- | --- | --- | 
|   **Quota Monitor Monitoring Account**   |   *<Requires input>*   |  Account ID for the primary account. This account will also be configured as the StackSets administrator account.  | 

1. Choose **Next**.

1. On the **Configure stack options** page, choose **Next**.

1. On the **Review** page, review and confirm the settings. Select the box acknowledging that the template will create IAM resources.

1. Choose **Create stack** to deploy the stack.

You can view the status of the stack in the AWS CloudFormation Console in the **Status** column. You should receive a `CREATE_COMPLETE` status in less than two minutes.

# Step 2b. Fulfill prerequisites manually (optional)
<a name="step-2b.-achieve-prerequisites-manually-optional"></a>

**Note**  
Use this procedure only for Organizations deployments.

Use the following procedure to manually fulfill prerequisites for the solution in your Organizations.

1. Activate **AWS Organizations Full Feature**.

1. Designate a member account as the [StackSets administrator](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacksets-orgs-delegated-admin.html). This account will be your hub account.

**Note**  
The solution deploys service-managed StackSets. You must allow trusted access with AWS Organizations in the organization management account before you can use service-managed permissions on the AWS CloudFormation console (refer to [Enable trusted access with AWS Organizations](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacksets-orgs-enable-trusted-access.html?icmpid=docs_cfn_console) in the *AWS CloudFormation User Guide*) or AWS Organizations console (refer to [Enabling trusted access with AWS CloudFormation Stacksets](https://docs.aws.amazon.com/organizations/latest/userguide/services-that-can-integrate-cloudformation.html#integrate-enable-ta-cloudformation) in the *AWS Organizations User Guide*).

# Step 3a. Launch the hub stack for AWS Organizations
<a name="step-3a.-launch-the-hub-stack-for-aws-organizations"></a>

This CloudFormation template deploys the Quota Monitor for AWS into your primary account.

**Note**  
This template must be launched in a member account of your Organizations that is registered as delegated administrator for StackSets.  
You are responsible for the cost of the AWS services used while running this solution. Review the [Cost](cost.md) section for more details. For full details, refer to the pricing webpage for each AWS service you will be using in this solution.

1. Sign in to the AWS Management Console and select the button to launch the `quota-monitor-hub.template` CloudFormation template.

    [https://console.aws.amazon.com/cloudformation/home?region=us-east-1#/stacks/new?templateURL=https:%2F%2Fs3.amazonaws.com%2Fsolutions-reference%2Fquota-monitor-for-aws%2Flatest%2Fquota-monitor-hub.template&redirectId=ImplementationGuide](https://console.aws.amazon.com/cloudformation/home?region=us-east-1#/stacks/new?templateURL=https:%2F%2Fs3.amazonaws.com%2Fsolutions-reference%2Fquota-monitor-for-aws%2Flatest%2Fquota-monitor-hub.template&redirectId=ImplementationGuide) 

1. The template launches in the US East (N. Virginia) Region by default. To launch the solution in a different AWS Region, use the Region selector in the console navigation bar.
**Note**  
You can launch this template in any AWS Region.

1. On the **Create stack** page, verify that the correct template URL shows in the **Amazon S3 URL** text box and choose **Next**.

1. On the **Specify stack details** page, assign a name to your solution stack.

1. Under **Parameters**, review the parameters for the template and modify them as necessary. This solution uses the following default values.    
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/solutions/latest/quota-monitor-for-aws/step-3a.-launch-the-hub-stack-for-aws-organizations.html)

1. Choose **Next**.

1. On the **Configure stack options** page, choose **Next**.

1. On the **Review** page, review and confirm the settings. Select the box acknowledging that the template will create IAM resources.

1. Choose **Create stack** to deploy the stack.

   You can view the status of the stack in the AWS CloudFormation Console in the **Status** column. You should see a status of `CREATE_COMPLETE` in approximately five minutes.

1. In the subscription notification email, select the **SubscribeURL** link to turn on Amazon SNS email notifications.

## Customizing SageMaker and Amazon Connect services monitoring

Because monitoring SageMaker and Amazon Connect services can incur high costs, this solution allows you to enable or disable monitoring for these services at the hub template level. This setting applies to all spoke accounts in your deployment.

To change these settings:

1. Update the hub stack in CloudFormation.

1. Modify the **SageMaker Monitoring** and **Connect Monitoring** parameters as needed.

1. Apply the stack update.

**Note**  
Changing these parameters during a stack update affects all spoke accounts. If you leave them unchanged, the existing monitoring customizations in the spoke accounts remain intact.  
For spoke account-specific customization, you can modify the monitoring status in their Service DynamoDB table after deployment. The table includes entries for each service, such as SageMaker and Amazon Connect, with a **Monitored** field that can be set to `true` or `false`.

**Important**  
Steps 4a and 4b are critical for the solution to function correctly. Without updating these, the solution won’t know which accounts, OUs, or Regions to monitor.

# Step 3b. Launch the hub stack for single account deployment
<a name="step-3b.-launch-the-hub-stack-for-single-account-deployment"></a>

1. Sign in to the AWS Management Console and select the button to launch the `quota-monitor-hub-no-ou.template` CloudFormation template.

    [https://console.aws.amazon.com/cloudformation/home?region=us-east-1#/stacks/new?templateURL=https:%2F%2Fs3.amazonaws.com%2Fsolutions-reference%2Fquota-monitor-for-aws%2Flatest%2Fquota-monitor-hub-no-ou.template&redirectId=ImplementationGuide](https://console.aws.amazon.com/cloudformation/home?region=us-east-1#/stacks/new?templateURL=https:%2F%2Fs3.amazonaws.com%2Fsolutions-reference%2Fquota-monitor-for-aws%2Flatest%2Fquota-monitor-hub-no-ou.template&redirectId=ImplementationGuide) 

1. The template launches in the US East (N. Virginia) Region by default. To launch the solution in a different AWS Region, use the Region selector in the console navigation bar.
**Note**  
You can launch this template in any AWS Region.

1. On the **Create stack** page, verify that the correct template URL shows in the **Amazon S3 URL** text box, and choose **Next**.

1. On the **Specify stack details** page, assign a name to your solution stack.

1. Under **Parameters**, review the parameter for the template and modify it as necessary. This solution uses the following default values.


| Parameter | Default | Description | 
| --- | --- | --- | 
|   **Email Notification**   |   *<Optional input>*   |  Provide an email address to receive alert notifications.  | 
|   **Slack Notification**   |   `No`   |  Choose `Yes` if you want to receive Slack notifications for quota utilization alerts.  | 
|   **Report OK Notifications**   |   `No`   |  Whether to save the `OK` notifications in the summary table on the hub account.  | 

1. Choose **Next**.

1. On the **Configure stack options** page, choose **Next**.

1. On the **Review** page, review and confirm the settings. Select the box acknowledging that the template will create IAM resources.

1. Choose **Create stack** to deploy the stack.

   You can view the status of the stack in the AWS CloudFormation Console in the **Status** column. You should see a status of `CREATE_COMPLETE` in approximately five minutes.

1. After the stack deploys, update the `/QuotaMonitor/Accounts` Systems Manager Parameter Store with the list of targeted accounts. Once the parameter is updated:
   + The `helper` Lambda function updates the permissions on the centralized EventBridge bus so that all monitored accounts can send their quota utilization events to the primary account.
   + You can deploy `quota-monitor-ta-spoke` and `quota-monitor-sq-spoke` templates in the monitored accounts manually. Refer to [Step 6: Launch the spoke stacks](step-6.-launch-the-spoke-stacks-optional.md).

# Step 4a. Update Systems Manager Parameter Store (Regions List)
<a name="step-4a.-update-systems-manager-parameter-store-regions-list"></a>

Use the following procedure to update the Systems Manager Parameter Store with the list of AWS Regions where you want to deploy the spoke templates.

1. Open the [AWS Systems Manager console](https://console.aws.amazon.com/systems-manager/).

1. In the navigation pane, choose **Parameter Store**.

    **Parameter Store**   
![\[parameterstore\]](http://docs.aws.amazon.com/solutions/latest/quota-monitor-for-aws/images/parameterstore.png)

--Or--

If the Systems Manager home page opens first, choose the menu icon (![\[Horizontal black and white striped pattern forming a simple geometric design.\]](http://docs.aws.amazon.com/solutions/latest/quota-monitor-for-aws/images/image4.png) ) to open the navigation pane, then choose **Parameter Store**.

 **My Parameters** 

![\[myparameters\]](http://docs.aws.amazon.com/solutions/latest/quota-monitor-for-aws/images/myparameters.png)


1. On the **My parameters** tab, select the box next to the parameter to update.

1. Choose **Edit**. Update the **Value**. The value should be comma-separated with no spaces. For example, `/QuotaMonitor/RegionsToDeploy: us-east-1,us-east-2`. The default value is `ALL`.

1. Choose **Save changes**.

# Step 4b. Update Systems Manager Parameter Store (OUs)
<a name="step-4b.-update-systems-manager-parameter-store-ous"></a>

Follow these steps to update the Systems Manager Parameter Store for the AWS accounts (**Account-Ids**) and OUs (**OU-ids**) you want to monitor.

1. Open the [AWS Systems Manager console](https://console.aws.amazon.com/systems-manager/).

1. In the navigation pane, choose **Parameter Store**.

    **Parameter Store**   
![\[parameterstore\]](http://docs.aws.amazon.com/solutions/latest/quota-monitor-for-aws/images/parameterstore.png)

--Or--

If the Systems Manager home page opens first, choose the menu icon (![\[Horizontal black and white striped pattern forming a simple geometric design.\]](http://docs.aws.amazon.com/solutions/latest/quota-monitor-for-aws/images/image4.png)) to open the navigation pane, then choose **Parameter Store**.

 **My Parameters** 

![\[myparameters\]](http://docs.aws.amazon.com/solutions/latest/quota-monitor-for-aws/images/myparameters.png)


1. On the **My parameters** tab, select the box next to the parameter to update.

1. Choose **Edit**. Update the **Value**. The value should be comma-separated with no spaces. For example, `/QuotaMonitor/OUs: ou-a1bc-d2efghij,ou-k1lm-n2opqrst`.

1. Choose **Save changes**.

1. Once you update the parameter, StackSets should start deploying solution templates in the targeted OUs or accounts. [Review StackSets operation and instances.](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacksets-concepts.html#stacksets-concepts-ops) 
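A preflight check for the values entered in Steps 4a and 4b, written as an added example (it is not code from the solution). It validates the comma-separated, no-spaces format and reports the Region gaps that the prerequisite note on opt-in Regions warns about. The helper names, the sample account IDs and Region sets are constructed, and treating `ALL` as "every Region enabled in the hub account" is an assumption based on that note.

```python
import re

# Item formats checked before a value is saved to Parameter Store.
REGION_RE = re.compile(r"^[a-z]{2}(-[a-z]+){1,2}-\d$")     # us-east-1, us-gov-west-1
OU_RE = re.compile(r"^ou-[a-z0-9]{4,32}-[a-z0-9]{8,32}$")  # ou-a1bc-d2efghij


def parse_csv(value, item_re, what):
    """Return the items of a comma-separated value, or raise ValueError."""
    if any(ch.isspace() for ch in value):
        raise ValueError(f"{what}: value must not contain spaces")
    items = value.split(",")
    bad = [item for item in items if not item_re.match(item)]
    if bad:
        raise ValueError(f"{what}: malformed item(s) {bad}")
    if len(set(items)) != len(items):
        raise ValueError(f"{what}: duplicate items")
    return items


def resolve_regions(value, hub_enabled):
    """Expand /QuotaMonitor/RegionsToDeploy into a concrete Region list.

    Assumption: the default value ALL means every Region enabled in the hub.
    """
    if value == "ALL":
        return sorted(hub_enabled)
    return parse_csv(value, REGION_RE, "RegionsToDeploy")


def regions_missing_in_spokes(targets, spoke_enabled):
    """Map each spoke account to the target Regions it has not enabled."""
    gaps = {}
    for account, enabled in spoke_enabled.items():
        missing = sorted(set(targets) - set(enabled))
        if missing:
            gaps[account] = missing
    return gaps


def preflight(regions_value, ous_value, hub_enabled, spoke_enabled):
    """Validate both parameter values and list Regions that would fail."""
    targets = resolve_regions(regions_value, hub_enabled)
    ous = parse_csv(ous_value, OU_RE, "OUs")
    gaps = regions_missing_in_spokes(targets, spoke_enabled)
    return {"regions": targets, "ous": ous, "gaps": gaps}


# Constructed sample data: enabled Regions per account, as you would collect
# them from each account's Region settings before deploying.
HUB_ENABLED = {"us-east-1", "us-east-2", "af-south-1"}
SPOKE_ENABLED = {
    "111111111111": {"us-east-1", "us-east-2"},
    "222222222222": {"us-east-1", "us-east-2", "af-south-1"},
}

if __name__ == "__main__":
    report = preflight("ALL", "ou-a1bc-d2efghij,ou-k1lm-n2opqrst",
                       HUB_ENABLED, SPOKE_ENABLED)
    for account, missing in report["gaps"].items():
        print(f"{account}: not enabled -> {','.join(missing)}")
```

An empty `gaps` result means every target Region is enabled in every listed spoke account; otherwise either enable the missing Regions or replace `ALL` with an explicit list.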

# Step 5. Launch the spoke SNS stacks when not using AWS Organizations or hybrid environments
<a name="step-5.-launch-the-spoke-sns-stacks-when-not-using-aws-organizations-or-hybrid-environments"></a>

Follow these steps to launch the components necessary for adding decentralized notifications to secondary accounts. Launch this stack in a single Region in every account where you want a separate SNS topic. Ensure that you launch this stack before the **sq spoke stacks** in [Step 6](step-6.-launch-the-spoke-stacks-optional.md).

**Note**  
You are responsible for the cost of the AWS services used while running this solution. Review the [Cost](cost.md) section for more details. For full details, refer to the pricing webpage for each AWS service you will be using in this solution.

1. Sign in to the AWS Management Console and select the button to launch the `quota-monitor-sns-spoke.template` CloudFormation template.

    [https://console.aws.amazon.com/cloudformation/home?region=us-east-1#/stacks/new?templateURL=https:%2F%2Fs3.amazonaws.com%2Fsolutions-reference%2Fquota-monitor-for-aws/latest/quota-monitor-sns-spoke.template&redirectId=ImplementationGuide](https://console.aws.amazon.com/cloudformation/home?region=us-east-1#/stacks/new?templateURL=https:%2F%2Fs3.amazonaws.com%2Fsolutions-reference%2Fquota-monitor-for-aws/latest/quota-monitor-sns-spoke.template&redirectId=ImplementationGuide) 

1. The template launches in the US East (N. Virginia) Region by default. To launch the solution in a different AWS Region, use the Region selector in the console navigation bar.

1. On the **Create stack** page, verify that the correct template URL appears in the **Amazon S3 URL** text box, then choose **Next**.

1. On the **Specify stack details** page, assign a name to your solution stack.

1. Choose **Next**.

1. On the **Configure stack options** page, choose **Next**.

1. On the **Review** page, review and confirm the settings. Select the box acknowledging that the template will create IAM resources.

1. Choose **Create stack** to deploy the stack.

You can view the status of the stack in the AWS CloudFormation Console under the **Status** column. The status should show as `CREATE_COMPLETE` in approximately five minutes.

# Step 6. Launch the spoke stacks when not using AWS Organizations or hybrid environments
<a name="step-6.-launch-the-spoke-stacks-optional"></a>

Use the following procedure to launch the components necessary to monitor quotas in secondary accounts. You must launch the spoke stack in every account you want to monitor (including the account where the hub stack is deployed). You can deploy the Service Quotas spoke stack in all Regions, but only deploy the Trusted Advisor spoke stack in the Regions where the service’s data plane resides, specifically, US East 1 (N. Virginia) and AWS GovCloud (US-West).

Enter the secondary account IDs in the `/QuotaMonitor/Accounts` Systems Manager Parameter Store provisioned by the primary template before you launch this template in secondary accounts. If you are using Organizations or a hybrid deployment mode, spoke template deployments are managed by CloudFormation StackSets.

**Note**  
You are responsible for the cost of the AWS services used while running this solution. Review the [Cost](cost.md) section for more details. For full details, refer to the pricing webpage for each AWS service you will be using in this solution.

1. Sign in to the AWS Management Console and select the button to launch the `quota-monitor-sq-spoke.template` CloudFormation template.

    [https://console.aws.amazon.com/cloudformation/home?region=us-east-1#/stacks/new?templateURL=https:%2F%2Fs3.amazonaws.com%2Fsolutions-reference%2Fquota-monitor-for-aws%2Flatest%2Fquota-monitor-sq-spoke.template&redirectId=ImplementationGuide](https://console.aws.amazon.com/cloudformation/home?region=us-east-1#/stacks/new?templateURL=https:%2F%2Fs3.amazonaws.com%2Fsolutions-reference%2Fquota-monitor-for-aws%2Flatest%2Fquota-monitor-sq-spoke.template&redirectId=ImplementationGuide) 

1. The template is launched in the US East (N. Virginia) Region by default. To launch the solution in a different AWS Region, use the Region selector in the console navigation bar.
**Note**  
You must launch `quota-monitor-ta-spoke.template` in the US East (N. Virginia) or AWS GovCloud (US-West) Region. You can launch the `quota-monitor-sq-spoke.template` in any AWS Region where you need quota monitoring.

1. On the **Create stack** page, verify that the correct template URL shows in the **Amazon S3 URL** text box, and choose **Next**.

1. On the **Specify stack details** page, assign a name to your solution stack.

1. Under **Parameters**, review the following parameter for the template and modify it as necessary.    
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/solutions/latest/quota-monitor-for-aws/step-6.-launch-the-spoke-stacks-optional.html)

1. Choose **Next**.

1. On the **Configure stack options** page, choose **Next**.

1. On the **Review** page, review and confirm the settings. Select the box acknowledging that the template will create IAM resources.

1. Choose **Create stack** to deploy the stack.

   You can view the status of the stack in the AWS CloudFormation Console in the **Status** column. The status should show as `CREATE_COMPLETE` in approximately five minutes.

# Step 7. Configure notifications (optional)
<a name="step-7.-configure-notifications-optional"></a>

Follow these steps to configure and mute specific notifications for the Quota Monitor solution.

1. Open the [AWS Systems Manager console](https://console.aws.amazon.com/systems-manager/).

1. In the navigation pane, choose **Parameter Store**.

   --Or--

   If the AWS Systems Manager home page opens first, choose the menu icon to open the navigation pane, and then choose **Parameter Store**.

1. On the **My parameters** tab, select the check box next to the parameter to update.

1. Choose **Edit**. Update the **Value**. The value should be comma-separated with no spaces. The schema is `ServiceCode[:QuotaCode|QuotaName|Resource]`. Quotas matching that pattern are muted, so no notification is sent to the Amazon SNS topic or the Slack webhook. The following is an example:

   ```
   /QuotaMonitor/NotificationConfiguration: ec2:L-1216C47A,ec2:Running On-Demand Standard (A, C, D, H, I, M, R, T, Z) instances,dynamodb,logs:*,geo:L-05EFD12D
   ```

   In this example, the following items occur:
   + The quotas `L-1216C47A` and `Running On-Demand Standard (A, C, D, H, I, M, R, T, Z) instances` from Amazon EC2 are muted.
   + All quotas from DynamoDB are muted.
   + All quotas from the service `logs` are muted.
   + The quota `L-05EFD12D` from the service geo is muted.

1. Choose **Save changes**.
**Note**  
You can get the values for the service code, quota code, quota name, or resource from the notification email or Slack message.
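The mute schema from the steps above, as an added example that is not part of the solution's code: it parses a `/QuotaMonitor/NotificationConfiguration` value, lists the entries that silence a whole service, and checks whether a given quota would be muted. The function names are hypothetical, and the separator rule (a comma not followed by a space) and exact, case-sensitive matching are assumptions.

```typescript
// Added example (not the solution's code). Assumption: entries are separated by
// a comma that is NOT followed by a space, so ", " inside a quota name is kept.
type MuteEntry = { service: string; target: string | null }; // null = whole service
type QuotaRef = { serviceCode: string; quotaCode?: string; quotaName?: string; resource?: string };

function parseMuteConfig(value: string): MuteEntry[] {
  return value
    .split(/,(?!\s)/)
    .map((raw: string) => raw.trim())
    .filter((raw: string) => raw.length > 0)
    .map((raw: string): MuteEntry => {
      const idx = raw.indexOf(":");
      if (idx === -1) return { service: raw, target: null }; // e.g. "dynamodb"
      const target = raw.slice(idx + 1);
      return { service: raw.slice(0, idx), target: target === "*" ? null : target };
    });
}

// True when an entry covers this quota (exact, case-sensitive match assumed).
function isMuted(entries: MuteEntry[], q: QuotaRef): boolean {
  return entries.some(
    (e: MuteEntry) =>
      e.service === q.serviceCode &&
      (e.target === null ||
        e.target === q.quotaCode ||
        e.target === q.quotaName ||
        e.target === q.resource)
  );
}

// Services whose alerts are silenced entirely; review these before saving.
function wholeServiceMutes(entries: MuteEntry[]): string[] {
  return entries.filter((e: MuteEntry) => e.target === null).map((e: MuteEntry) => e.service);
}

// Sample value taken from the example in this guide (parameter name omitted).
const SAMPLE: string =
  "ec2:L-1216C47A,ec2:Running On-Demand Standard (A, C, D, H, I, M, R, T, Z) instances,dynamodb,logs:*,geo:L-05EFD12D";
const entries: MuteEntry[] = parseMuteConfig(SAMPLE);
console.log(entries.length, wholeServiceMutes(entries));
console.log(isMuted(entries, { serviceCode: "ec2", quotaCode: "L-00000000" })); // placeholder code
```

Whole-service entries such as `dynamodb` and `logs:*` suppress every alert for that service, so they are the ones to justify when the parameter is reviewed.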

## Muting Specific Notifications
<a name="muting-specific-notifications"></a>

If you receive notifications for quotas that are not useful or have very low limits, you can mute these notifications to avoid unnecessary alerts. As an example, this guide will walk you through the process of muting notifications for the `StartAutomationExecution` API in SSM, which has a limit of 1, using the Quota Monitor solution.

 **Identify the Quota to Mute:** The quota in question is Transactions per second (TPS) for the `StartAutomationExecution` API with the limit code `L-99469188`.

 **Update the Notification Configuration:** Follow the steps above to edit the **/QuotaMonitor/NotificationConfiguration** parameter and add `SSM:L-99469188` to the list.

### Identifying Quotas with Limit 1
<a name="identifying-quotas-with-limit-1"></a>

Service quotas in AWS set a limit of 1 for certain resources to provide highly available and reliable service to all customers. These limits are designed to protect customers from unintentional spend and excessive provisioning. There are two ways to identify which quotas have a limit of 1:

 **1. Check the ServiceQuotas Table:** Open the `SQQuotaTable` DynamoDB table and sort the quotas by the `Value` column.

 **2. Run a Script:** Run this script from our [GitHub](https://github.com/aws-solutions/quota-monitor-for-aws/blob/main/scripts/listQuotasWithLimitOne.ts) repo to get the list of quotas that have a limit of 1.

# Step 8. Configure Slack notifications (optional)
<a name="step-8.-configure-slack-notifications-optional"></a>

1. Navigate to your workspace’s Slack app.

   If required, sign in to Slack.

1. Choose **Create New App**.

1. Choose **From Scratch**.

1. Give the app a name and assign it to your workspace.

1. In the **Add features and functionality** section, select **Incoming Webhooks**.

1. Allow the feature and choose **Add New Webhook to Workspace**.

1. In the **Post to Channel** dropdown menu, select a channel.

1. Copy the WebHook URL.

1. In the AWS Systems Manager console, under **Shared Resources** in the left pane, select **Parameter Store**.

1. Select the `/QuotaMonitor/SlackHook` parameter, then choose **Edit**.

1. Update the value with your WebHook URL and choose **Save changes**.

# Global China Region (GCR) deployment
<a name="global-china-region-gcr-deployment"></a>

You can deploy the Quota Monitor for AWS solution in AWS China Regions (Beijing and Ningxia) with certain regional limitations and considerations.

Limitations in China Regions:
+ EventBridge does not support cross-region event routing.
+ The Trusted Advisor (TA) stack is not supported in China Regions.

## Deployment strategy for China Regions
<a name="deployment-strategy-for-china-regions"></a>

To accommodate these limitations, follow this deployment strategy for the hybrid/OU model:

1. Hub deployment:
   + Deploy the hub stack separately in `cn-north-1` (Beijing) and `cn-northwest-1` (Ningxia) if you want to monitor services in both Regions.
   + Use the `quota-monitor-hub.template` CloudFormation template for the hub deployment.

1. Spoke deployment:
   + Deploy spoke stacks in the same Region as their corresponding hub.
   + Use the `quota-monitor-spoke.template` CloudFormation template for spoke deployment.

**Important**  
All deployments are Region-specific and do not support cross-region monitoring.
The hub and associated spoke stacks must be deployed in the same Region.
To monitor supported services in both China Regions, deploy the solution twice - once in each Region.

 **Deployment models** 

1. Account model:
   + Use the `quota-monitor-hub-no-ou.template` CloudFormation template for single account deployments.
   + Use this model when deploying Quota Monitor for individual accounts.
   + Deploy spoke stacks manually in the same Region as the hub using the GCR-specific spoke template.
   + Follow the steps in the [Deploy the solution](deploy-the-solution.md) section for more information.

1. Hybrid/OU model:
   + Use this model when deploying across an AWS Organization or a mix of Organization and individual accounts.
   + In the CloudFormation template, specify the Region where you’re deploying the hub in the Region parameter.
   + If you leave the default value `ALL` for the Regions parameter, the solution will attempt to deploy StackSets in both China Regions. The deployment will succeed in the current hub Region but fail in the other Region. The solution will still function correctly, monitoring services in the current hub Region for all spoke stacks.

**Note**  
All monitored accounts must be in the same China Region as the hub.

For detailed steps on deploying hub and spoke stacks, refer to the [Deploy the solution](deploy-the-solution.md) section. Follow those steps for each China Region where you want to deploy, using the GCR-specific templates provided above.

**Note**  
Some features available in global Regions might not be supported in China Regions. Always refer to the AWS documentation for the most up-to-date information on service availability in China Regions.