Home > Software design >  Which AWS account is responsible for cross-account SDK API limits?
Which AWS account is responsible for cross-account SDK API limits?

Time:03-27

Say I have an API call. It originates in a lambda that is in account 1234. It updates AWS resources in account 9876. Which account is hit for the SDK API limit? How is that determined?

I'm trying to see how scalable a management approach would be. I want to have a management account work against resources elsewhere. However, if the management account maxes out on API limits then I need to figure something else out. In thinking about AWS's existing multi-account systems, particularly Control Tower, it will stand up CloudFormation templates in other accounts. I'm not sure if that's a clue or just one of their products utilizing another one that naturally solves a kind of problem.

My use case doesn't let me simply utilize CloudFormation StackSets. The main reason for that is I need to manage 3rd party accounts and asking for delegated admin permissions is too permissive, and they only get 5 anyway.

CodePudding user response:

Whenever you use API calls to perform actions on resources, the limits in the account that the resources live in are used. In almost all cases (one exception: S3 in requester pays mode) that's also the account that will have to pay for any resource usage, so it makes sense to have the limits that protect the account there.

  • Related