

# Plan your deployment
<a name="plan-your-deployment"></a>

This section provides an overview of the cost, security, service quotas, and other key factors to consider prior to deploying the solution in your AWS account.

 **Topics** 
+  [Cost](cost.md) 
+  [Security](security-1.md) 
+  [Service quotas](quotas.md) 

<a name="supported-aws-regions"></a> **Supported AWS regions** 

DeepRacer on AWS is available in the following AWS Regions.


| Region Name | Region Code | 
| --- | --- | 
|  US East (N. Virginia)  |  us-east-1  | 
|  US East (Ohio)  |  us-east-2  | 
|  US West (Oregon)  |  us-west-2  | 
|  Africa (Cape Town)  |  af-south-1  | 
|  Asia Pacific (Hong Kong)  |  ap-east-1  | 
|  Asia Pacific (Mumbai)  |  ap-south-1  | 
|  Asia Pacific (Seoul)  |  ap-northeast-2  | 
|  Asia Pacific (Singapore)  |  ap-southeast-1  | 
|  Asia Pacific (Sydney)  |  ap-southeast-2  | 
|  Asia Pacific (Tokyo)  |  ap-northeast-1  | 
|  Canada (Central)  |  ca-central-1  | 
|  Europe (Frankfurt)  |  eu-central-1  | 
|  Europe (Ireland)  |  eu-west-1  | 
|  Europe (London)  |  eu-west-2  | 
|  Europe (Paris)  |  eu-west-3  | 
|  Europe (Spain)  |  eu-south-2  | 
|  Middle East (Bahrain)  |  me-south-1  | 
|  South America (São Paulo)  |  sa-east-1  | 

For the most current availability of AWS services by Region, see the [AWS Regional Services List](https://aws.amazon.com/about-aws/global-infrastructure/regional-product-services/).

**Important**  
 **CloudFront Access Logging Limitation**   
CloudFront access logging is automatically disabled in the following regions due to lack of support for standard logging (legacy):  
+ Africa (Cape Town) - `af-south-1` 
+ Asia Pacific (Hong Kong) - `ap-east-1` 
+ Europe (Spain) - `eu-south-2` 
+ Middle East (Bahrain) - `me-south-1` 

If you deploy the solution in one of these regions, the CloudFront distribution will function normally but will not generate access logs. If access logging is required for your use case, you can manually configure CloudFront Standard Logging V2 after deployment. For more information, refer to the [CloudFront Standard Logging V2 documentation](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/standard-logging.html).

# Cost
<a name="cost"></a>

You are responsible for the cost of AWS services that are used while operating this solution. As of this revision, the monthly cost of operating this solution for a small group of 25 users with limited model training and evaluation demand is about \$7.78 per user (or \$194.37 total).

**Note**  
The cost of operating DeepRacer on AWS depends on how you choose to use the solution. The following examples provide cost breakdown for single instance and multiple instances deployment configurations in the US East (N. Virginia) Region. AWS services listed in the example tables below are billed on a monthly basis.

The cost of operating the solution is dependent on the number of users registered to the system, the number of models they train, the number of evaluations they run, and the number of race submissions they perform. The cost of the solution is also dependent on the amount of time each model is trained for and the underlying instance type that is used for these jobs. The solution is configured to use an instance of type `ml.c5.4xlarge` by default. However, you may choose to change this based on your desired performance profile by updating the appropriate field in the solution’s CloudFormation template or CDK project and deploying that configuration.

Operating cost is figured and expressed on a monthly basis. The estimates provided in this section are only accurate for use cases in which all training jobs, evaluations, and submissions occur within the same month. This is an important consideration to account for when planning usage over the course of a quarter, semester, or other longer timeframe.

We recommend creating a [budget](https://docs.aws.amazon.com/cost-management/latest/userguide/budgets-create.html) through [AWS Cost Explorer](https://aws.amazon.com/aws-cost-management/aws-cost-explorer/) to help manage costs. Prices are subject to change. For full details, refer to the pricing webpage for each AWS service used in this solution.

## Compute usage formula
<a name="compute-usage-formula"></a>

The training job compute usage for the examples in this section is figured using the following formula:
+ Training hours per month = (25 users) \* (3 models/user) \* (1.5 hrs/training) = 112.5 hours
+ Evaluation hours per month = [(25 users) \* (3 models/user) \* (3 evaluations/model)] \* (20 mins/evaluation) = 75 hours
+ Submission hours per month = [(25 users) \* (3 submissions/user)] \* (20 mins/submission) = 25 hours
+ Total hours = (training hours) + (evaluation hours) + (submission hours) = 212.5 hours

Total SageMaker cost = [(212.5 hours) \* (\$0.816/instance hour)] + (\$1.40 storage cost) = \$174.80

## Example 1 (25 users)
<a name="example-1-25-users"></a>

You are planning a deployment of DeepRacer on AWS that will serve 25 users, with each user creating and training 3 models. Each user will then evaluate each of their models 3 times, before submitting them to a race. With a training time of 90 minutes, the cost will be \$194.37, or \$7.78 per user.

 **Cost summary** 


| AWS service | Dimensions | Cost per month (USD) | 
| --- | --- | --- | 
|  Amazon SageMaker  |  [(212.5 hours) \* (\$0.816/instance hour)] + (\$1.40 storage cost)  |  \$174.80  | 
|  AWS WAF  |  1 Web ACL  |  \$5.00  | 
|  Amazon S3  |  (0.33 GB average model size) \* (75 models) \* (\$0.023/GB)  |  \$0.57  | 
|  Other services  |  AWS Lambda, Amazon DynamoDB, Amazon CloudWatch, AWS CodeBuild, Amazon ECR  |  \$14.00  | 
|   **Monthly total**   |   **\$7.78/user**   |   **\$194.37**   | 

## Example 2 (100 users)
<a name="example-2-100-users"></a>

You are planning a deployment of DeepRacer on AWS that will serve 100 users, with each user creating and training 3 models. Each user will then evaluate each of their models 3 times, before submitting them to a race. With a training time of 90 minutes, the cost will be \$716.28, or \$7.17 per user.

 **Cost summary** 


| AWS service | Dimensions | Cost per month (USD) | 
| --- | --- | --- | 
|  Amazon SageMaker  |  [(850 hours) \* (\$0.816/instance hour)] + (\$1.40 storage cost)  |  \$695.00  | 
|  AWS WAF  |  1 Web ACL  |  \$5.00  | 
|  Amazon S3  |  (0.33 GB average model size) \* (300 models) \* (\$0.023/GB)  |  \$2.28  | 
|  Other services  |  AWS Lambda, Amazon DynamoDB, Amazon CloudWatch, AWS CodeBuild, Amazon ECR  |  \$14.00  | 
|   **Monthly total**   |   **\$7.17/user**   |   **\$716.28**   | 

## Example 3 (250 users)
<a name="example-3-250-users"></a>

You are planning a deployment of DeepRacer on AWS that will serve 250 users, with each user creating and training 3 models. Each user will then evaluate each of their models 3 times, before submitting them to a race. With a training time of 90 minutes, the cost will be \$1,760.09, or \$7.04 per user.

 **Cost summary** 


| AWS service | Dimensions | Cost per month (USD) | 
| --- | --- | --- | 
|  Amazon SageMaker  |  [(2,125 hours) \* (\$0.816/instance hour)] + (\$1.40 storage cost)  |  \$1,735.40  | 
|  AWS WAF  |  1 Web ACL  |  \$5.00  | 
|  Amazon S3  |  (0.33 GB average model size) \* (750 models) \* (\$0.023/GB)  |  \$5.69  | 
|  Other services  |  AWS Lambda, Amazon DynamoDB, Amazon CloudWatch, AWS CodeBuild, Amazon ECR  |  \$14.00  | 
|   **Monthly total**   |   **\$7.04/user**   |   **\$1,760.09**   | 

# Security
<a name="security-1"></a>

When you build systems on AWS infrastructure, security responsibilities are shared between you and AWS. This [shared responsibility model](https://aws.amazon.com/compliance/shared-responsibility-model/) reduces your operational burden because AWS operates, manages, and controls the components including the host operating system, the virtualization layer, and the physical security of the facilities in which the services operate. For more information about security on AWS, visit [AWS Cloud Security](https://aws.amazon.com/security/).

## Security best practices
<a name="security-best-practices"></a>

DeepRacer on AWS is designed with security best practices in mind. However, the security of a solution differs based on your specific use case. The following are additional recommendations to enhance the security posture of DeepRacer on AWS.

### Use a dedicated account for deployment
<a name="use-a-dedicated-account-for-deployment"></a>

We strongly recommend using a dedicated account that’s separate from any production workloads for deploying and hosting DeepRacer on AWS. This separation helps prevent mixing different levels of data sensitivity, and reduces the potential blast radius in the event of a security incident.

### Activate Ubuntu Pro to apply ESM patches
<a name="activate-ubuntu-pro-to-apply-esm-patches"></a>

See [Mitigate OS vulnerabilities with Ubuntu Pro](#mitigate-vulns-with-ubuntu-pro).

## Infrastructure security
<a name="infrastructure-security"></a>

### Console UI
<a name="console-ui"></a>

This solution deploys a web console [hosted](https://docs.aws.amazon.com/AmazonS3/latest/dev/WebsiteHosting.html) in an Amazon S3 bucket. To enhance security and reduce latency, the solution configures an Amazon CloudFront distribution with an origin access control (OAC). This OAC provides controlled public access to the solution’s website bucket contents, ensuring that users can only access the web console through CloudFront and not directly from S3. For more information, see [Restricting access to an Amazon S3 origin](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html) in the *Amazon CloudFront Developer Guide*.

The CloudFront distribution is configured to only accept HTTPS requests. If it receives an HTTP request, it redirects the request to HTTPS to promote encryption in transit.

CloudFront activates additional security mitigations to append HTTP security headers to each viewer response. For additional details, please see [Adding or removing HTTP headers in CloudFront responses](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/adding-response-headers.html).

This solution uses the default CloudFront certificate, which has a minimum supported security protocol of TLS v1.0. To enforce the use of TLS v1.2 or TLS v1.3, you must use a custom SSL certificate instead of the default CloudFront certificate. For more information, refer to [How do I configure my CloudFront distribution to use an SSL/TLS certificate](https://aws.amazon.com/premiumsupport/knowledge-center/install-ssl-cloudfront/).

### Authentication and authorization
<a name="authentication-and-authorization"></a>

This solution uses Amazon Cognito and several other services for managing authentication and authorization. Authentication is handled by an Amazon Cognito user pool, which is configured with three user pool groups, one for each user type (i.e. admins, race facilitators, and racers). The AWS Amplify Auth plugin is used for authenticating users from the console and managing sessions.

Each user pool group has a dedicated IAM role mapped to it using rule-based role mapping in the identity pool. These roles define what resources a user in a given user pool group can or cannot access.

Authorization is handled via the issuance of temporary credentials from an Amazon Cognito identity pool, based on the role associated with their user pool group. These credentials are assumed by the user upon successful authentication into the console, and are used for signing requests to the back-end. When a request is received by the API, an IAM authorizer is used to authorize the request before proxying it to the appropriate Lambda function for servicing.

### Identity and access management
<a name="identity-and-access-management"></a>

AWS Identity and Access Management (IAM) roles are used to grant specific permissions to various resources that comprise DeepRacer on AWS. The following IAM roles are created:

1. Lambda execution roles: Allows AWS Lambda functions to access other AWS services such as Amazon S3, Amazon DynamoDB, and Amazon CloudWatch Logs.

1. SageMaker execution role: Allows SageMaker AI training jobs to access necessary resources like ECR images and S3 buckets.

1. Step Functions execution roles: Permits Step Functions to invoke Lambda functions and manage SageMaker jobs.

1. API Gateway execution roles: Enables Amazon API Gateway to invoke AWS Lambda functions in response to requests.

1. User roles: Allows for granular access control to be applied by user type.

These roles follow the principle of least privilege, granting only the permissions necessary for each component to perform its functions.

### Log retention and monitoring
<a name="log-retention-and-monitoring"></a>

By default, DeepRacer on AWS retains all security-relevant logs for 10 years, which aligns with AWS security best practices. Security-relevant logs include logs emitted by AWS Lambda functions that support API services as well as authentication and authorization services. All other logs are retained for 2 years. You can customize the log retention period for one or more logs through the CloudWatch Logs console.

All logs are encrypted at-rest using AWS KMS customer-managed keys.

### Amazon API Gateway
<a name="amazon-api-gateway"></a>

This solution deploys an Amazon API Gateway REST API and uses the default API endpoint and SSL certificate. The default API endpoint supports the TLSv1 security policy. It is recommended to use the TLS\_1\_2 security policy to enforce TLSv1.2+ with your own custom domain name and custom SSL certificate.

For more information:
+  [Choose a security policy for your custom domain in API Gateway](https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-custom-domain-tls-version.html) 
+  [Custom domain name for public REST APIs in API Gateway](https://docs.aws.amazon.com/apigateway/latest/developerguide/how-to-custom-domains.html) 

### AWS CloudTrail
<a name="aws-cloudtrail"></a>

AWS CloudTrail is not automatically enabled by DeepRacer on AWS. AWS recommends enabling CloudTrail to monitor API calls and administrative actions in your account.

### Amazon DynamoDB
<a name="amazon-dynamodb"></a>

All user data stored in Amazon DynamoDB is encrypted at-rest using customer managed keys (CMK) stored in AWS KMS.

### AWS Key Management Service
<a name="aws-key-management-system"></a>

This solution creates one KMS Customer Managed Key (CMK) for the purpose of log encryption.

### AWS Lambda functions
<a name="aws-lambda-functions"></a>

By default, all AWS Lambda functions that are configured by this solution use the most recent, stable version of the language runtime. No sensitive data or secrets are logged. Service interactions are carried out with the least required privilege. Roles that define these privileges are not shared between functions.

### Amazon SageMaker
<a name="amazon-sagemaker"></a>

This solution uses the AWS SDK to create Amazon SageMaker training jobs. These training jobs are responsible for servicing requests from users to train models, evaluate models, and simulate models in a competition.

### Amazon S3
<a name="amazon-s3"></a>

This solution deploys S3 buckets with default S3 bucket security configurations. For encryption of objects at rest, consider using customer managed keys instead of the default key. Customer managed keys are recommended for customers who want full control over the lifecycle and usage of their keys.

It’s a best practice to use modern encryption protocols for data in transit. To enforce the use of TLS version 1.2 or later for connections to S3, update the bucket policy.
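One way to apply the TLS recommendation above, as an added example that is not part of the solution's own templates: two Deny statements, one for plain HTTP and one using the `s3:TlsVersion` condition key, merged into the bucket's existing policy. The function names, Sids and output file name are hypothetical; `put-bucket-policy` replaces the whole policy, so the statements are merged with whatever is already there (for the website bucket, the CloudFront OAC grant) instead of being applied alone.

```shell
#!/usr/bin/env bash
# Added example: bucket-policy statements that reject non-TLS and
# pre-TLS-1.2 requests. merge_tls_statements needs jq.

# Print the two Deny statements (a JSON array) for bucket $1.
tls_deny_statements() {
  cat <<EOF
[
  {
    "Sid": "DenyInsecureTransport",
    "Effect": "Deny",
    "Principal": "*",
    "Action": "s3:*",
    "Resource": ["arn:aws:s3:::$1", "arn:aws:s3:::$1/*"],
    "Condition": {"Bool": {"aws:SecureTransport": "false"}}
  },
  {
    "Sid": "DenyTlsBelow12",
    "Effect": "Deny",
    "Principal": "*",
    "Action": "s3:*",
    "Resource": ["arn:aws:s3:::$1", "arn:aws:s3:::$1/*"],
    "Condition": {"NumericLessThan": {"s3:TlsVersion": "1.2"}}
  }
]
EOF
}

# Read an existing policy document on stdin and print it with the Deny
# statements for bucket $1 added. Statements that already carry one of the
# two Sids are replaced, so the merge can be re-run without duplicating them.
merge_tls_statements() {
  jq --argjson add "$(tls_deny_statements "$1")" '
    .Statement |= (if type == "array" then .
                   elif . == null then []
                   else [.] end)
    | .Statement |= map(select(.Sid as $s | $add | any(.Sid == $s) | not))
    | .Statement += $add'
}

# Fetch the current policy of bucket $1 and write the merged document to
# tls-policy.json for review. Fails if the bucket has no policy yet; in that
# case start from '{"Version":"2012-10-17","Statement":[]}' instead.
# After review, apply with:
#   aws s3api put-bucket-policy --bucket "$1" --policy file://tls-policy.json
prepare_tls_policy() {
  current=$(aws s3api get-bucket-policy --bucket "$1" \
              --query Policy --output text) || return 1
  printf '%s' "$current" | merge_tls_statements "$1" > tls-policy.json
}
```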

It is recommended to enable S3 server access logging. [Amazon S3 server access logging](https://docs.aws.amazon.com/AmazonS3/latest/userguide/ServerLogs.html) provides detailed records for the requests made to the bucket. S3 access logs can be enabled and saved in another S3 bucket.

For more information:
+  [Using server-side encryption with customer-provided keys (SSE-C)](https://docs.aws.amazon.com/AmazonS3/latest/userguide/ServerSideEncryptionCustomerKeys.html) 
+  [How do I enforce TLS 1.2 or later for my S3 buckets?](https://repost.aws/knowledge-center/s3-enforce-modern-tls) 
+  [Security best practices for Amazon S3](https://docs.aws.amazon.com/AmazonS3/latest/userguide/security-best-practices.html) 

### AWS Web application firewall (WAF)
<a name="aws-web-application-firewall-waf"></a>

The solution deploys AWS WAF to protect against common web exploits and bot traffic. It includes rules to mitigate against common vulnerabilities and allows for custom rule creation.

## Data protection
<a name="data-protection"></a>

DeepRacer on AWS uses an Amazon DynamoDB table and Amazon S3 buckets for storing models, profiles, training and evaluation outputs, and other assets uploaded to or generated by the solution. The following data protection settings are configured by default to mitigate against loss of data, unauthorized access, and other issues:
+ For the **table**, point-in-time recovery is enabled with a backup recovery period of 35 days, allowing for the table to be rolled back seamlessly in the event of a data issue. In addition, the table is configured to be retained in the event of a stack deletion or update-replace event. Data is also encrypted at rest using an AWS managed key.
+ For the model storage and upload **buckets**, bucket encryption, logging, and versioning are enabled by default. Access logging is also configured and all public access is blocked.

## Vulnerability analysis and management
<a name="vuln-analysis"></a>

DeepRacer on AWS and its dependencies are continuously monitored by AWS for security vulnerabilities. Customers may choose to use Amazon Inspector or another automated vulnerability management product for monitoring their deployments.

### Mitigate OS vulnerabilities with Ubuntu Pro
<a name="mitigate-vulns-with-ubuntu-pro"></a>

DeepRacer on AWS uses a container image that is based on Ubuntu 24.04, and it is possible for Common Vulnerabilities and Exposures (CVEs) to appear. Customers may, at their sole option, obtain an [Ubuntu Pro 24.04](https://ubuntu.com/pro) license, which may provide additional security assurance, and follow the instructions below to modify the solution to use Ubuntu Pro 24.04 as the operating system for applicable containers.

Choosing to obtain and use Ubuntu Pro 24.04 is solely at the customer’s option and is not required to use any features of DeepRacer on AWS. Obtaining the Ubuntu Pro 24.04 license may only provide access to patched versions of core Ubuntu packages and may not provide access to patched versions of third-party or open-source dependencies. Use of Ubuntu Pro 24.04 may reduce the number of CVEs reported against core packages by providing access to patched versions and does not guarantee a reduction of CVEs at any given time.

Customers are solely responsible for securing and complying with any Ubuntu Pro 24.04 licenses and AWS is not responsible for any licensing or support of Ubuntu Pro 24.04. For instructions on implementing Ubuntu Pro 24.04, please see below.

#### Activating Ubuntu Pro
<a name="activating-ubuntu-pro"></a>

To take advantage of ESM patches offered by Ubuntu Pro, please follow the procedure outlined below which will activate Ubuntu Pro on the SageMaker image that has been deployed for you by DeepRacer on AWS.

 **Prerequisites** 
+ A laptop or cloud workstation that has access to the AWS account where DeepRacer on AWS is deployed
+ Installed copies of Docker and the AWS CLI
+ A valid Ubuntu Pro token

 **Procedure** 

1. Log in to access the ECR repositories in your AWS account:

   ```
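   # Set REGION, ACCOUNT_ID, REPOSITORY_NAME, IMAGE_VERSION and
   # UBUNTU_PRO_TOKEN for your deployment before running these steps.
   aws ecr get-login-password --region $REGION | \
     docker login --username AWS --password-stdin $ACCOUNT_ID.dkr.ecr.$REGION.amazonaws.com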
   ```

1. Pull the image from the remote repository to your local machine:

   ```
   docker pull $ACCOUNT_ID.dkr.ecr.$REGION.amazonaws.com/$REPOSITORY_NAME:$IMAGE_VERSION
   ```

1. Create a temporary Dockerfile with Ubuntu Pro activation commands:

   ```
   # The unquoted heredoc expands the shell variables, so the token value
   # is written into Dockerfile.ubuntu-pro.
   cat << EOF > Dockerfile.ubuntu-pro
   FROM $ACCOUNT_ID.dkr.ecr.$REGION.amazonaws.com/$REPOSITORY_NAME:$IMAGE_VERSION
   
   # Install ubuntu-advantage-tools and attach token
   RUN apt-get update && \
       apt-get install -y ubuntu-advantage-tools && \
       ua attach $UBUNTU_PRO_TOKEN && \
       apt-get update && \
       apt full-upgrade -y && \
       apt-get clean && \
       rm -rf /var/lib/apt/lists/*
   EOF
   ```

1. Build a new image with Ubuntu Pro activated:

   ```
   docker build -t $ACCOUNT_ID.dkr.ecr.$REGION.amazonaws.com/$REPOSITORY_NAME:$IMAGE_VERSION -f Dockerfile.ubuntu-pro .
   ```

1. Push the new image back to your ECR repository:

   ```
   docker push $ACCOUNT_ID.dkr.ecr.$REGION.amazonaws.com/$REPOSITORY_NAME:$IMAGE_VERSION
   ```
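The heredoc in step 3 writes the expanded token into `Dockerfile.ubuntu-pro`, and the resulting `RUN` line, token included, is recorded in the image's build history. The following added example (not part of the original AWS procedure) builds the same image while passing the token through a BuildKit secret mount; the function names, the secret id `ubuntu_pro_token` and the `BASE_IMAGE` build argument are assumptions of this sketch.

```shell
#!/usr/bin/env bash
# Added example: build the Ubuntu Pro image without writing the token into
# the Dockerfile. Requires Docker with BuildKit.

# Write a Dockerfile that holds no secret material. The quoted delimiter
# ('EOF') stops the shell from expanding anything inside the heredoc.
write_pro_dockerfile() {
  cat <<'EOF' > "${1:-Dockerfile.ubuntu-pro}"
ARG BASE_IMAGE
FROM ${BASE_IMAGE}

# The secret file is mounted for this RUN step only, and the recorded
# RUN line contains no token value.
RUN --mount=type=secret,id=ubuntu_pro_token \
    apt-get update && \
    apt-get install -y ubuntu-advantage-tools && \
    ua attach "$(cat /run/secrets/ubuntu_pro_token)" && \
    apt-get update && \
    apt full-upgrade -y && \
    apt-get clean && \
    rm -rf /var/lib/apt/lists/*
EOF
}

# Return 0 if the literal token value $2 appears in file $1.
# Useful as a pre-build or pre-commit check on any Dockerfile.
dockerfile_embeds_token() {
  grep -qF -- "$2" "$1"
}

# Build and tag the image. $1 is the full image reference used in the
# procedure above, for example:
#   $ACCOUNT_ID.dkr.ecr.$REGION.amazonaws.com/$REPOSITORY_NAME:$IMAGE_VERSION
# The token is read from the UBUNTU_PRO_TOKEN environment variable.
build_pro_image() {
  : "${UBUNTU_PRO_TOKEN:?export UBUNTU_PRO_TOKEN first}"
  write_pro_dockerfile Dockerfile.ubuntu-pro
  if dockerfile_embeds_token Dockerfile.ubuntu-pro "$UBUNTU_PRO_TOKEN"; then
    echo "token found in Dockerfile.ubuntu-pro, refusing to build" >&2
    return 1
  fi
  DOCKER_BUILDKIT=1 docker build \
    --secret id=ubuntu_pro_token,env=UBUNTU_PRO_TOKEN \
    --build-arg BASE_IMAGE="$1" \
    -t "$1" -f Dockerfile.ubuntu-pro .
}
```

Run `build_pro_image` in place of steps 3 and 4, then push the image as in step 5.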

## Uploaded artifacts
<a name="uploaded-artifacts"></a>

DeepRacer on AWS allows users to upload models downloaded from other instances to promote portability and allow submission of externally-trained models to races. All artifacts that are uploaded to DeepRacer on AWS are thoroughly scanned and validated using functions that are isolated from the rest of your AWS account using a VPC with least privilege permissions. Only after an artifact package passes these validations is it allowed to be stored in the system.

# Service quotas
<a name="quotas"></a>

Service quotas, also referred to as limits, are the maximum number of service resources or operations for your AWS account.

## Request a service quota increase based on anticipated usage
<a name="request-a-service-increase"></a>

DeepRacer on AWS uses a combination of Amazon SageMaker AI training jobs and AWS Lambda functions for servicing compute-related tasks, including but not limited to creating, training, and evaluating models. AWS Lambda functions are also used for servicing general requests, such as creating a new account, making changes to account settings, and running/participating in races.

Considering your anticipated usage in advance and right-sizing your service quotas can improve user experience by reducing the amount of time it takes for training and evaluation jobs to be run. If your deployment is expected to serve consistently high demand (i.e. large number of users) or is subject to burst traffic (i.e. used for events, classes, workshops etc.), training and evaluation jobs will be constrained by the service quota that is in place, and those jobs will remain in the queue until capacity is available to run them.

**Note**  
If you are operating or plan to operate multiple deployments of DeepRacer on AWS in the same account or same region (within the same account), it is important to consider the total anticipated usage across all deployments when evaluating the amount to increase the service quota by.

**Note**  
For some services, smaller increases are automatically approved, while larger requests are submitted to AWS Support. AWS Support can approve, deny, or partially approve your requests. Larger increase requests take more time to process.

### Amazon SageMaker AI training jobs
<a name="amazon-sagemaker-ai-training-jobs"></a>

Amazon SageMaker AI training jobs are responsible for running training and evaluation jobs, and also support community races. At the time of writing, the default applied account-level quota value is 8. This means that DeepRacer on AWS can dispatch up to 8 training jobs, evaluation jobs, or race submissions (i.e. evaluating one model in a given race) at a time. If demand exceeds this limit at any point, jobs will remain queued until an actively-running job is completed and capacity becomes available. The queue for jobs in DeepRacer on AWS is managed in FIFO (first-in-first-out) order, and the amount of time that a job spends in the queue depends on the number of jobs that can be processed currently (i.e. the service quota), and the number of jobs that have entered the queue ahead of it.

As a result, it is recommended to consider in advance the number of jobs that may need to be run concurrently at any given point in time in order to deliver preferable throughput. If you decide that you would like to request a service quota increase, you may do so by:

1. Accessing the **AWS Management Console** 

1. Searching for and selecting **Service Quotas** from the search bar at the top

1. Selecting **Amazon SageMaker** from the list of services

1. Searching for and selecting **ml.c5.4xlarge for training job usage** in the Service quotas table, and clicking **Request increase at account level** 

1. Enter the number of jobs that you would like to be able to service concurrently into the **Increase quota value** box, and, if applicable, review it against the value provided for **Utilization**. If you are working with a new deployment, this value will most likely appear as 0.

1. When you are ready to submit the request, click **Request**.

### AWS Lambda functions
<a name="aws-lambda-functions-2"></a>

AWS Lambda functions are the primary compute resource used for servicing requests in DeepRacer on AWS, including dispatching and monitoring training and evaluation jobs. As with the Amazon SageMaker AI training jobs described in the previous section, AWS Lambda functions have an applied account-level quota, which is 1,000 concurrent executions. This represents the maximum number of events that functions can process simultaneously in the current region. In the event that this limit is reached, requests will be queued and serviced once capacity becomes available.

If you anticipate needing to be able to service more than 1,000 requests concurrently, requesting a service quota increase for the number of requests that you would like to be able to handle at any given point is recommended. This will allow requests to be serviced as soon as they are received, or with minimal wait time in the queue. If you decide that you would like to request a service quota increase, you may do so by:

1. Accessing the **AWS Management Console** 

1. Searching for and selecting **Service Quotas** from the search bar at the top

1. Selecting **AWS Lambda** from the list of services

1. Searching for and selecting **Concurrent executions** in the Service quotas table, and clicking **Request increase at account level** 

1. Enter the number of requests that you would like to be able to service concurrently into the **Increase quota value** box, and, if applicable, review it against the value provided for **Utilization**. If you are working with a new deployment, this value will most likely appear as 0.

1. When you are ready to submit the request, click **Request**.

### Amazon Virtual Private Cloud (VPC)
<a name="amazon-virtual-private-cloud-vpc"></a>

DeepRacer on AWS configures one Amazon Virtual Private Cloud (VPC) per deployment to provide network isolation for functions that handle imported models and other user-supplied artifacts. At the time of writing, the default account-level quota is 5 VPCs per region. If you plan to host more than 5 deployments of DeepRacer on AWS in a single region, requesting a service quota increase for at least the number of deployments you expect to host is recommended. If you decide that you would like to request a service quota increase, you may do so by:

1. Accessing the **AWS Management Console** 

1. Searching for and selecting **Service Quotas** from the search bar at the top

1. Selecting **Amazon Virtual Private Cloud (VPC)** from the list of services

1. Searching for and selecting **VPCs per Region** in the Service quotas table, and clicking **Request increase at account level** 

1. Enter the number of VPCs that you would like to be able to deploy into the **Increase quota value** box, and, if applicable, review it against the value provided for **Utilization**. If you are working with a new deployment, this value will most likely appear as 0.

1. When you are ready to submit the request, click **Request**.

## Quotas for AWS services in this solution
<a name="quotas-for-aws-services-in-this-solution"></a>

Make sure you have sufficient quota for each of the [services implemented in this solution](architecture-overview.md#aws-services-in-this-solution). For more information, see [AWS service quotas](https://docs.aws.amazon.com/general/latest/gr/aws-service-limits.html).

Use the following links to go to the page for that service. To view the service quotas for all AWS services in the documentation without switching pages, view the information in the [Service endpoints and quotas](https://docs.aws.amazon.com/general/latest/gr/aws-general.pdf) page in the PDF instead.


| AWS Service | Documentation Link | 
| --- | --- | 
|  AWS Lambda  |   [AWS Lambda service quotas](https://docs.aws.amazon.com/general/latest/gr/lambda-service.html)   | 
|  Amazon S3  |   [Amazon S3 service quotas](https://docs.aws.amazon.com/general/latest/gr/s3.html)   | 
|  Amazon SageMaker  |   [Amazon SageMaker service quotas](https://docs.aws.amazon.com/general/latest/gr/sagemaker.html)   | 
|  Amazon DynamoDB  |   [Amazon DynamoDB service quotas](https://docs.aws.amazon.com/general/latest/gr/ddb.html)   | 
|  Amazon API Gateway  |   [Amazon API Gateway service quotas](https://docs.aws.amazon.com/general/latest/gr/apigateway.html)   | 
|  Amazon CloudFront  |   [Amazon CloudFront service quotas](https://docs.aws.amazon.com/general/latest/gr/cloudfront.html)   | 
|  Amazon Cognito  |   [Amazon Cognito service quotas](https://docs.aws.amazon.com/general/latest/gr/cognito_identity.html)   | 
|  AWS Step Functions  |   [AWS Step Functions service quotas](https://docs.aws.amazon.com/general/latest/gr/step-functions.html)   | 
|  Amazon SQS  |   [Amazon SQS service quotas](https://docs.aws.amazon.com/general/latest/gr/sqs-service.html)   | 
|  Amazon Kinesis Video Streams  |   [Amazon Kinesis Video Streams service quotas](https://docs.aws.amazon.com/general/latest/gr/kinesisvideo.html)   | 