You can monitor AWS service quotas and set up alarms when usage approaches limits using several methods:
For supported services, you can use Amazon CloudWatch to set up alarms that notify you when you're approaching quota limits. Here's how to set this up:
- Open the CloudWatch console
- Find the relevant service quota metric
- Add a math expression to display usage as a percentage of the quota
- Set up an alarm with the following configuration:
  - Set threshold type to "Static"
  - Configure the condition as "Greater than" (e.g., 80% of quota)
  - Select or create an Amazon SNS topic for notifications
  - Provide a name and description for the alarm
This will create an alarm that triggers when your usage exceeds the specified percentage of the quota (like 70% or 90% for security group rules).
Additionally, you can use other methods to monitor quotas:
- AWS Service Quotas console provides visibility into current quotas
- AWS Trusted Advisor can monitor service limits at various thresholds
- You can build dashboards of your current service quota usage across accounts and regions
- Tools like Quota Monitor for AWS provide automated monitoring of service quotas
For comprehensive monitoring, consider implementing automated systems that not only alert you but also have defined processes for responding to alerts, including submitting quota increase requests when necessary.
Sources:
- REL01-BP04 Monitor and manage quotas - AWS Well-Architected Framework (2022-03-31)
- Visualizing your service quotas and setting alarms - Amazon CloudWatch
- REL01-BP04 Monitor and manage quotas - Reliability Pillar
- REL01-BP05 Automate quota management - AWS Well-Architected Framework
Hello
You can try using CloudWatch to monitor first:
Visualizing your service quotas and setting alarms
AWS also provides a custom solution for deployment
This is a good framework for all the quotas that support CloudWatch; however, security groups and NACLs don't have integration with CloudWatch, so the solution will not work.
It might be a good idea for you to use EventBridge's EC2 security group change API call event to trigger AWS Lambda to check the corresponding Security Group quota usage.
How do I use EventBridge and Amazon SNS to monitor changes to my EC2 Linux instance security groups?
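One way to implement the Lambda check that answer describes, added here as an example and not code from AWS or from the answer's author. It assumes EventBridge delivers the CloudTrail record for an AuthorizeSecurityGroupIngress/Egress call with the group id in `detail.requestParameters.groupId`, that the Service Quotas code for the "rules per security group" quota is supplied via the `QUOTA_CODE` environment variable (placeholder below; confirm it in the Service Quotas console), and that an SNS topic ARN is supplied via `TOPIC_ARN`.

```python
"""Lambda handler: after a security-group rule change, compare the group's
rule count with the per-direction quota and flag it above a threshold.
Pure logic (event parsing, evaluation) is kept apart from AWS calls so it
can be exercised offline."""
import json
import os

THRESHOLD_PCT = float(os.environ.get("THRESHOLD_PCT", "80"))  # alert at 80% of quota
QUOTA_CODE = os.environ.get("QUOTA_CODE", "L-PLACEHOLDER")    # assumed: verify in console

# Constructed sample of the EventBridge event shape assumed above.
SAMPLE_EVENT = {"detail": {"eventName": "AuthorizeSecurityGroupIngress",
                           "requestParameters": {"groupId": "sg-0123456789abcdef0"}}}


def group_ids_from_event(event):
    """Extract the affected security group id from the event (assumed field layout)."""
    params = event.get("detail", {}).get("requestParameters") or {}
    return [params["groupId"]] if params.get("groupId") else []


def evaluate(rules, quota, threshold_pct=THRESHOLD_PCT):
    """Count inbound and outbound rules separately: the quota applies per direction."""
    result = {}
    for direction, is_egress in (("inbound", False), ("outbound", True)):
        count = sum(1 for r in rules if bool(r.get("IsEgress")) == is_egress)
        pct = 100.0 * count / quota if quota else 0.0
        result[direction] = {"count": count, "quota": quota,
                             "percent": round(pct, 1), "alert": pct >= threshold_pct}
    return result


def fetch_rules(ec2, group_id):
    """All rules of one group via DescribeSecurityGroupRules, following NextToken."""
    kwargs = {"Filters": [{"Name": "group-id", "Values": [group_id]}]}
    rules = []
    while True:
        page = ec2.describe_security_group_rules(**kwargs)
        rules.extend(page.get("SecurityGroupRules", []))
        if not page.get("NextToken"):
            return rules
        kwargs["NextToken"] = page["NextToken"]


def handler(event, context=None):
    import boto3  # lazy import: only the Lambda runtime needs it
    quota = boto3.client("service-quotas").get_service_quota(
        ServiceCode="vpc", QuotaCode=QUOTA_CODE)["Quota"]["Value"]
    ec2 = boto3.client("ec2")
    findings = {gid: evaluate(fetch_rules(ec2, gid), quota)
                for gid in group_ids_from_event(event)}
    topic = os.environ.get("TOPIC_ARN")
    if topic and any(d["alert"] for f in findings.values() for d in f.values()):
        boto3.client("sns").publish(TopicArn=topic, Message=json.dumps(findings),
                                    Subject="Security group rule quota warning")
    return findings
```

The EventBridge rule that invokes it should match the EC2 `AuthorizeSecurityGroupIngress` and `AuthorizeSecurityGroupEgress` API calls; CloudTrail must be enabled for those events to reach EventBridge.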
This is very limited, and monitoring supports only a few services.