Enable Alerts for Supported Service Quotas

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)

Configure Amazon CloudWatch alarms to notify you automatically whenever a specified AWS service quota reaches a percentage of the maximum supported quota or reaches the maximum level. Setting a CloudWatch alarm for an Amazon Service Quotas quota can help you know if you need to request a quota increase. Amazon Service Quotas enables you to easily raise and track quota increase requests and integrates with AWS Organizations to save you time and effort in setting up quotas for new accounts in a consistent manner.

Reliability, Operational excellence

Monitoring the status of your AWS service quotas helps you manage your cloud infrastructure and avoid resource starvation when your application needs to scale up quickly, for example when you need to provision multiple resources, such as EC2 instances, in a short period of time.


Audit

To determine if there are Amazon CloudWatch alarms configured for supported service quotas within your AWS cloud account, perform the following operations:

Note: Verifying the CloudWatch monitoring configuration for the Service Quotas service is not currently supported by the AWS Command Line Interface (AWS CLI).

Using the AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to the Amazon Service Quotas console at https://console.aws.amazon.com/servicequotas/.

03 In the navigation panel, under Dashboard, choose AWS services to access the list of AWS services supported by Amazon Service Quotas.

04 Click on the name (link) of the AWS service that you want to examine. You can also use the Search box to find the AWS cloud service that you want to examine.

05 On the Service quotas page, click on the name of the adjustable service quota that you want to access, available for the selected AWS service. An adjustable service quota is marked with Yes in the Adjustable column. You can't request a quota increase for a service if the particular quota isn't adjustable.

06 Check for any Amazon CloudWatch alarms created for the selected service quota, listed in the Amazon CloudWatch alarms section. If there are no alarms listed in the Amazon CloudWatch alarms section, the selected service quota is not configured to send notification alerts when the specified quota reaches either the maximum or a percentage of the maximum level.

07 Repeat steps no. 5 and 6 for each adjustable service quota created for the selected AWS service.

08 Repeat steps no. 4 – 7 for each AWS service supported by Amazon Service Quotas.

09 Change the AWS cloud region from the console navigation bar and repeat the audit process for other AWS regions.
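The check from steps 05 and 06, run offline over exported records, as an added example (not Conformity or AWS code). It assumes quota and alarm records shaped like the Service Quotas ListServiceQuotas and CloudWatch DescribeAlarms API responses; the quota codes, resource names and SNS ARN are constructed placeholders. It also flags an alarm that has no enabled action, since such an alarm never notifies anyone.

```python
def metric_key(namespace, name, dims):
    """Hashable identity of a CloudWatch metric."""
    return (namespace, name, frozenset(dims.items()))

def alarm_metric_keys(alarm):
    """Yield the key of every metric an alarm record reads."""
    metrics = [q["MetricStat"]["Metric"] for q in alarm.get("Metrics", [])
               if "MetricStat" in q]      # expression entries carry no metric
    if "MetricName" in alarm:             # single-metric alarm layout
        metrics.append(alarm)
    for m in metrics:
        dims = {d["Name"]: d["Value"] for d in m.get("Dimensions", [])}
        yield metric_key(m["Namespace"], m["MetricName"], dims)

def audit_quotas(quotas, alarms):
    """Return {QuotaCode: finding} for each adjustable quota.
    Assumed shapes: ListServiceQuotas 'Quotas', DescribeAlarms 'MetricAlarms'."""
    findings = {}
    for q in quotas:
        if not q.get("Adjustable"):
            continue                      # the audit covers adjustable quotas only
        usage = q.get("UsageMetric")
        if not usage:                     # quota publishes no usage metric
            findings[q["QuotaCode"]] = "NO_USAGE_METRIC"
            continue
        key = metric_key(usage["MetricNamespace"], usage["MetricName"],
                         usage.get("MetricDimensions", {}))
        hits = [a for a in alarms if key in alarm_metric_keys(a)]
        if not hits:
            findings[q["QuotaCode"]] = "NO_ALARM"
        elif any(a.get("ActionsEnabled") and a.get("AlarmActions") for a in hits):
            findings[q["QuotaCode"]] = "OK"
        else:
            findings[q["QuotaCode"]] = "ALARM_WITHOUT_NOTIFICATION"
    return findings

# Constructed sample records (placeholder codes and resources, not real data).
def sample_usage(res):
    return {"MetricNamespace": "AWS/Usage", "MetricName": "ResourceCount",
            "MetricDimensions": {"Service": "EC2", "Type": "Resource", "Resource": res}}

def sample_alarm(res, actions):
    dims = [{"Name": k, "Value": v} for k, v in sample_usage(res)["MetricDimensions"].items()]
    metric = {"Namespace": "AWS/Usage", "MetricName": "ResourceCount", "Dimensions": dims}
    return {"AlarmName": "quota-" + res, "ActionsEnabled": True, "AlarmActions": actions,
            "Metrics": [{"Id": "m1", "MetricStat": {"Metric": metric}},
                        {"Id": "pct", "Expression": "(m1/SERVICE_QUOTA(m1))*100"}]}

QUOTAS = [{"QuotaCode": "EXAMPLE-" + c, "Adjustable": c != "D", "UsageMetric": sample_usage("res-" + c)}
          for c in "ABCD"] + [{"QuotaCode": "EXAMPLE-E", "Adjustable": True}]
ALARMS = [sample_alarm("res-A", ["arn:aws:sns:us-east-1:111122223333:quota-alerts"]),
          sample_alarm("res-B", [])]
```

Calling `audit_quotas(QUOTAS, ALARMS)` returns one finding per adjustable quota; anything other than `OK` is a quota to take through the remediation steps.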

Remediation / Resolution

Amazon CloudWatch helps you monitor quota usage over time and send alerts when your service quotas are approaching a limit. To configure Amazon CloudWatch alarms for your AWS service quotas, perform the following operations:

Note: Enabling and configuring Amazon CloudWatch alarms for service quotas using AWS Command Line Interface (AWS CLI) is not currently supported.

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to the Amazon Service Quotas console at https://console.aws.amazon.com/servicequotas/.

03 In the navigation panel, under Dashboard, choose AWS services to access the list of AWS services supported by Amazon Service Quotas.

04 Click on the name (link) of the AWS service that you want to access.

05 On the Service quotas page, click on the name of the supported service quota that you want to reconfigure (see Audit section to identify the right quota).

06 In the Amazon CloudWatch alarms section, choose Create to initiate the setup process.

07 On the setup panel, provide a unique name for the new alarm in the Alarm name box, and choose the appropriate threshold (percentage of the applied quota value) from the Alarm threshold dropdown list. The alarm will notify you based on the selected threshold. Choose Create to create an Amazon CloudWatch alarm for the selected AWS service quota.

08 To configure notifications, click on the name of the newly created CloudWatch alarm, and perform the following actions:

  1. Click on the Actions dropdown menu and choose Edit.
  2. On the Specify metric and conditions page, leave the configuration settings unchanged, then choose Next.
  3. On the Configure actions page, under Notification, choose Add notification to configure notifications for the selected alarm:
    • For the Alarm state trigger, select In alarm.
    • For Select an SNS topic, choose whether to create a new Amazon SNS topic to manage notifications, or use an existing one.
    • Add the email endpoint(s) that will receive the alert notification when the selected service quota is approaching a limit.
    • Choose Add notification to create the alarm notification.
  4. Choose Update alarm to apply the configuration changes. Once your AWS service quota reaches the specified threshold, a notification alert is sent to the email address(es) configured at the previous step.

09 Repeat steps no. 5 – 8 for each service quota that you want to monitor with Amazon CloudWatch, available for the selected AWS service.

10 Repeat steps no. 4 – 9 for each AWS service supported by Amazon Service Quotas.

11 Change the AWS cloud region from the console navigation bar and repeat the remediation process for other AWS regions.

Publication date Feb 6, 2021