

# Plan your deployment
<a name="plan-your-deployment"></a>

This section covers cost, security, quotas, AWS Regions, and other considerations for planning your deployment.

## Supported AWS Regions
<a name="supported-aws-regions"></a>

You can deploy the primary hub template (`quota-monitor-hub.template`), the Service Quotas spoke template (`quota-monitor-sq-spoke.template`), and supplemental prerequisite AWS CloudFormation templates in any AWS Region. You can deploy the Trusted Advisor template (`quota-monitor-ta-spoke.template`) only in the US East (N. Virginia) Region or the AWS GovCloud (US-West) Region.

# Cost
<a name="cost"></a>

The following tables provide a sample cost breakdown for deploying this solution with the default parameters in the US East (N. Virginia) Region for one month. There are additional minimal costs for a hub stack and a spoke stack.

**Note**  
The monthly cost was estimated for a quota size of 2,000, as of this revision. If more quotas are supported by Service Quotas for additional resource types, the quota size would increase and monthly estimated cost could be higher. The costs provided are estimates based on a 6-hour monitoring frequency.  
The scalable costs (Amazon SQS and DynamoDB) increase with the number of accounts and Regions.

**Monthly cost by number of accounts**

| Deployment size | Number of accounts | Number of AWS Regions | Cost per month [USD] | 
| --- | --- | --- | --- | 
| **Small** | 10 | 8 | \$11.01 + 0.00355 × 10 × 8 + 0.01 × 10 + 5.24 × 10 × 8 = **\$430.39** | 
| **Medium** | 100 | 10 | \$11.01 + 0.00355 × 100 × 10 + 0.01 × 100 + 5.24 × 100 × 10 = **\$5,253.55** | 
| **Large** | 1000 | 15 | \$11.01 + 0.00355 × 1000 × 15 + 0.01 × 1000 + 5.24 × 1000 × 15 = **\$78,641.25** | 

**Note**  
We calculated cost per month with the following formula: [monthly fixed cost for a hub stack] + [monthly scalable cost for a hub stack] × [number of accounts] × [number of regions] + [monthly cost for a Trusted Advisor spoke stack] × [number of accounts] + [monthly cost for a Service Quotas spoke stack] × [number of accounts] × [number of regions]

**Monthly fixed cost for a hub stack**

| AWS service | Cost per month [USD] | 
| --- | --- | 
| **Amazon SNS topic** | <\$0.01 | 
| **AWS Lambda** | \$10.00 | 
| **AWS KMS** | \$1.00 | 
| **Total cost:** | **\$11.01** | 

**Monthly scalable cost for a hub stack**

| AWS service | Cost per month [USD] | 
| --- | --- | 
| **Amazon SQS queue** | \$0.00178 | 
| **Amazon DynamoDB** | \$0.00177 | 
| **Total cost:** | **\$0.00355** | 

**Monthly cost for a Trusted Advisor spoke stack**

| AWS service | Cost per month [USD] | 
| --- | --- | 
| **Amazon EventBridge** | Free ¹ | 
| **AWS Lambda** | \$0.01 ² | 
| **Total cost:** | **\$0.01** | 

¹ AWS default service events are free. For more information, refer to [Amazon EventBridge Pricing](https://aws.amazon.com/eventbridge/pricing/).

² The stack uses Support APIs, which are not available under the free developer plan. For more information, refer to [Compare Support Plans](https://aws.amazon.com/premiumsupport/plans).

**Monthly cost for a Service Quotas spoke stack**

| AWS service | Cost per month [USD] | 
| --- | --- | 
| **Amazon EventBridge** | \$0.01 | 
| **Amazon CloudWatch (`GetMetricData` API)** | \$5.12 | 
| **AWS Lambda** | \$0.02 | 
| **Amazon DynamoDB** | \$0.09 | 
| **Total cost:** | **\$5.24** | 

Prices are subject to change. For full details, refer to the pricing webpage for each AWS service used in this solution.

**Note**  
When you delete a stack, the DynamoDB table in the hub account is not deleted. DynamoDB continues to incur costs until you delete the table.

# Security
<a name="security"></a>

When you build systems on AWS infrastructure, security responsibilities are shared between you and AWS. This [shared responsibility model](https://aws.amazon.com/compliance/shared-responsibility-model/) reduces your operational burden because AWS operates, manages, and controls the components including the host operating system, the virtualization layer, and the physical security of the facilities in which the services operate. For more information about security on AWS, visit [AWS Cloud Security](https://aws.amazon.com/security/).

## IAM roles
<a name="iam-roles"></a>

AWS Identity and Access Management (IAM) roles allow you to assign granular access policies and permissions to services and users on the AWS Cloud. This solution creates IAM roles that grant the solution’s Lambda functions access to create Regional resources.

# Quotas
<a name="quotas"></a>

The solution uses Trusted Advisor and Service Quotas to check quotas against resource utilization.
+  **Trusted Advisor** - This solution supports 50 quota checks offered by Trusted Advisor. For more information, refer to [Quota checks with Trusted Advisor](https://docs.aws.amazon.com/awssupport/latest/user/service-limits.html).
+  **Service Quotas** - This solution supports all quotas that allow resource usage monitoring using Amazon CloudWatch. When more quotas from different services start supporting resource usage monitoring, the solution automatically updates to support these new quotas. For details, refer to [Service Quotas and Amazon CloudWatch alarms](https://docs.aws.amazon.com/servicequotas/latest/userguide/configure-cloudwatch.html).

# Slack integration
<a name="slack-integration"></a>

This solution includes an optional configuration to send notifications to your existing Slack channel. To use this feature, you must have an existing Slack channel and store its Slack webhook URL in the Systems Manager Parameter Store parameter `/QuotaMonitor/SlackHook`.

The following figure depicts an example of using Slack notifications with the solution.

 **Image depicts an example Quota Monitor Notification in Slack** 

![slack integration](http://docs.aws.amazon.com/solutions/latest/quota-monitor-for-aws/images/slack-integration.png)


# Amazon SQS dead-letter queue
<a name="amazon-sqs-dead-letter-queue"></a>

The Quota Monitor for AWS solution deploys an Amazon SQS [dead-letter queue](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-dead-letter-queues.html). The `Summarizer` Lambda function, and the other Lambda functions in the spoke accounts, attempt to process each message three times. If a function cannot process a message after three attempts, the message is sent to the dead-letter queue, where you can inspect it for debugging.

# About Node.js versions
<a name="about-node.js-versions"></a>

Quota Monitor for AWS version 5.3.0 and earlier versions use the Node.js 8.10 runtime, which reached end-of-life on December 31, 2019. Lambda now blocks both the create operation and the update operation for functions on that runtime. For more information, refer to [Runtime Support Policy](https://docs.aws.amazon.com/lambda/latest/dg/runtime-support-policy.html) in the *AWS Lambda Developer Guide*. To continue using this solution with the latest features and improvements, update the stack as described in [Update the solution](update-the-solution.md).

# Deployment scenarios
<a name="deployment-scenarios"></a>

The solution supports different deployment scenarios for:
+ Customers who use AWS Organizations
+ Customers who don’t use AWS Organizations
+ Customers who just use individual AWS accounts
+ Customers who use both AWS Organizations and individual AWS accounts.

For more information, refer to [Choose your deployment scenario](step-1.-choose-your-deployment-scenario.md).

If you are deploying this solution in an environment with AWS Organizations, refer to [Best practices for AWS Organizations](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_best-practices.html).

# Spoke templates
<a name="spoke-templates"></a>

The spoke templates packaged with the solution are standalone templates, and you can deploy them independently. To determine which templates to deploy, ask the following questions:
+ Do you have a hub or monitoring account?
+ Do you need the entire solution deployment with all of its features?

If you answered `No` to any of the questions above, then you can deploy just the spoke templates in the account to be monitored:
+  `quota-monitor-ta-spoke.template` to support quota checks offered by Trusted Advisor
+  `quota-monitor-sq-spoke.template` to support quota checks offered by Service Quotas

Additionally, the spoke templates offer extensions (such as sending notifications to different destinations). The spoke templates provision EventBridge rules for capturing OK, WARN, or ERROR quota events. You can configure these rules to send the events to destinations according to your requirements. For more details, refer to [Amazon EventBridge targets](https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-targets.html).
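The routing described above depends on how an EventBridge rule's event pattern selects OK, WARN, or ERROR events before they reach a target. The following Python is an added example, not code from the Quota Monitor for AWS solution: it implements the subset of EventBridge pattern semantics that status-based routing relies on (a list of values is an OR, nested objects are an AND across fields, plus the `prefix` and `exists` operators) and runs a WARN/ERROR-only rule over constructed sample events. The event source name `aws-solutions.quota-monitor`, the detail-type, and the `detail.status` field are assumptions made for the example; the solution's real event schema is not shown on this page.

```python
"""Route OK / WARN / ERROR quota events the way an EventBridge rule does.

Stand-alone illustration, not code from Quota Monitor for AWS. It implements
the subset of EventBridge event-pattern semantics needed for status-based
routing: exact match (a list of values is an OR), nested objects (AND across
fields) and the "prefix" and "exists" operators. The event shape used below
(source, detail-type, detail.status) is assumed for this example.
"""
from typing import Any, Dict, List

Event = Dict[str, Any]


def _value_matches(rule: Any, value: Any) -> bool:
    """Match one allowed value (literal or operator object) against a present field."""
    if isinstance(rule, dict):
        if "prefix" in rule:
            return isinstance(value, str) and value.startswith(rule["prefix"])
        if "exists" in rule:
            return bool(rule["exists"])  # field is present, so only exists:true matches
        raise ValueError(f"unsupported pattern operator: {rule}")
    return rule == value


def matches(pattern: Dict[str, Any], event: Event) -> bool:
    """True when every field in pattern is satisfied by event.

    A dict value recurses into a nested object; a list value is satisfied
    when at least one of its entries matches the event field.
    """
    for key, rule in pattern.items():
        if isinstance(rule, dict):
            nested = event.get(key)
            if not isinstance(nested, dict) or not matches(rule, nested):
                return False
            continue
        if key not in event:
            # an absent field satisfies only an explicit {"exists": false}
            if not any(isinstance(r, dict) and r.get("exists") is False for r in rule):
                return False
            continue
        if not any(_value_matches(r, event[key]) for r in rule):
            return False
    return True


# Rule for a notification target: forward only WARN and ERROR events.
# "aws-solutions.quota-monitor" is an assumed source name for this example.
ALERT_RULE: Dict[str, Any] = {
    "source": ["aws-solutions.quota-monitor"],
    "detail": {"status": ["WARN", "ERROR"]},
}

# Constructed sample events; account IDs and quota names are placeholders.
SAMPLE_EVENTS: List[Event] = [
    {"source": "aws-solutions.quota-monitor", "detail-type": "Quota Monitor Event",
     "detail": {"status": "OK", "account": "111111111111", "region": "us-east-1",
                "service": "ec2", "quota": "Running On-Demand Standard instances"}},
    {"source": "aws-solutions.quota-monitor", "detail-type": "Quota Monitor Event",
     "detail": {"status": "WARN", "account": "111111111111", "region": "us-east-1",
                "service": "vpc", "quota": "VPCs per Region"}},
    {"source": "aws-solutions.quota-monitor", "detail-type": "Quota Monitor Event",
     "detail": {"status": "ERROR", "account": "222222222222", "region": "eu-west-1",
                "service": "lambda", "quota": "Concurrent executions"}},
    # Unrelated event from another source: must never reach the alert target,
    # even though it happens to carry a detail.status of ERROR.
    {"source": "aws.ec2", "detail-type": "EC2 Instance State-change Notification",
     "detail": {"state": "running", "status": "ERROR"}},
]


def route(rule: Dict[str, Any], events: List[Event]) -> List[Event]:
    """Return the events the rule would deliver to its target."""
    return [e for e in events if matches(rule, e)]


def alert_summary(rule: Dict[str, Any] = ALERT_RULE,
                  events: List[Event] = SAMPLE_EVENTS) -> List[str]:
    """One line per delivered event, convenient for a notification body."""
    return [f"{e['detail']['status']} {e['detail']['account']} {e['detail']['region']} "
            f"{e['detail']['service']}: {e['detail']['quota']}"
            for e in route(rule, events)]


if __name__ == "__main__":
    for line in alert_summary():
        print(line)
```

Pinning `source` in the rule is the part that matters: a pattern that only tests `detail.status` would also forward the unrelated `aws.ec2` event above, so a rule for a notification target should always constrain the source (and usually the detail-type) in addition to the status values it cares about.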