AWS has different types of limits per AWS account. These include limits on resource size, API rate limiting, and number of resources in an AWS account or per region. While AWS provides services to assist with managing limits and visibility of limits including Service Quotas and Trusted Advisor, not all limits in AWS are covered by Service Quotas and Trusted Advisor.
We developed aws-size, an open source CLI tool to help AWS users identify and track these hard-to-manage resource limits.
Github Repository: https://github.com/FogSecurity/aws-size
We started with coverage for the following 11 resources and their limits across IAM, S3, EC2, and Organizations:
If you have feedback or requests, we can be reached at info@fogsecurity.io, or you can open an issue or pull request in our GitHub repository.
In late 2019, AWS released Service Quotas, a centralized service for viewing and managing service limits (quotas). Since at least 2017, AWS Trusted Advisor has had a service limits dashboard that lets customers view and monitor service limits so they can act before a limit is reached.
While Trusted Advisor and Service Quotas help with managing and viewing certain service limits, there are still inconsistencies that make managing other limits complex.
Limits for Individual Resources Are Difficult to Manage
Some of these limits are not covered by AWS Service Quotas or AWS Trusted Advisor. For example, the Service Control Policy document size is covered by Service Quotas (Quota Code: L-C48BCE79), but the corresponding document size limit for Resource Control Policies is not in Service Quotas today, even though RCPs are a similar resource with the same 5,120 character limit.
Trusted Advisor's service limit checks primarily cover the number of resources per account.
Examples include RDS instances per region per account, VPCs per region per account, and IAM roles per account. Trusted Advisor does not cover limits that apply to an individual resource, so visibility into how much of such a limit a given resource is using is hard to come by.
Error Messages and size limits are inconsistent across resources
Size limits are measured inconsistently across resources:
Below are screenshots of the error messages shown in the AWS Management Console for different services when their limits are exceeded.
The S3 bucket policy limit is calculated in bytes, measured against the normalized policy document. We did not see any documentation describing how AWS normalizes the policy document.
The EC2 user data limit is calculated in bytes.
The IAM managed policy size limit is counted in characters, excluding whitespace.
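As an added example (not code from aws-size or this post), the script below measures one constructed policy document under each of the counting rules described above, so the same document yields a different "size" per limit. The IAM and S3 limit values and the minified-JSON approximation of S3's undocumented normalization are assumptions, noted in the comments.

```python
import json
import re

# 5,120 (SCP/RCP) is the value quoted in the post; the IAM (6,144 chars,
# whitespace excluded) and S3 bucket policy (20 KB) values are from AWS
# docs and should be checked against the current documentation.
LIMITS = {
    "iam_managed_policy": 6144,  # characters, whitespace not counted
    "scp_rcp": 5120,             # characters
    "s3_bucket_policy": 20480,   # bytes of the normalized document
}

def iam_chars(doc: str) -> int:
    """IAM counts characters but ignores whitespace."""
    return len(re.sub(r"\s", "", doc))

def scp_chars(doc: str) -> int:
    """Assumption: Organizations counts every character as written."""
    return len(doc)

def s3_normalized_bytes(doc: str) -> int:
    """AWS does not publish its normalization rule; this approximates it
    as minified JSON (assumption) and measures the UTF-8 byte length."""
    compact = json.dumps(json.loads(doc), separators=(",", ":"))
    return len(compact.encode("utf-8"))

def usage_report(doc: str) -> dict:
    """used/limit/percent for one document under each counting rule."""
    measures = {"iam_managed_policy": iam_chars, "scp_rcp": scp_chars,
                "s3_bucket_policy": s3_normalized_bytes}
    return {name: {"used": m(doc), "limit": LIMITS[name],
                   "pct": round(100 * m(doc) / LIMITS[name], 1)}
            for name, m in measures.items()}

def over_threshold(report: dict, pct: float) -> list:
    """Limit names whose usage is at or above pct percent of the limit."""
    return [n for n, r in report.items() if r["pct"] >= pct]

# Constructed sample policy, not taken from any real account.
SAMPLE_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-bucket/*"
    }
  ]
}"""
```

Running `usage_report(SAMPLE_POLICY)` shows the same document counted as 124 characters for IAM, 170 characters for SCP/RCP and 124 normalized bytes for S3, which is why a single "size" number is not enough when checking headroom.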
Fog Security GitHub: aws-size
Previous Research on Visibility of AWS Service Limits
AWS Trusted Advisor: Service Limit Visibility