What AWS services does Vigilare monitor?

Vigilare monitors 7+ AWS services: Billing (cost anomalies and usage spikes), IAM (policy drift, root account usage, missing MFA), GuardDuty (threat findings), SES (sending reputation), CloudTrail (suspicious API patterns), Service Quotas (limit utilisation), and Account Health (AWS notifications). Coverage is continuously expanded.

How does Vigilare access my AWS account?

Vigilare uses a read-only cross-account IAM role that you provision using our open-source Terraform module. The role grants only the minimum permissions required for monitoring — no write access, no credential storage, and no data leaves your account except what is needed to display findings in your dashboard.

How quickly will I be alerted?

Depending on your plan, Vigilare scans every 1, 5, or 15 minutes. Alerts are delivered in real time via email, Slack, or PagerDuty the moment a threshold is crossed. The typical end-to-end latency from event to alert is under 90 seconds.

Can I monitor multiple AWS accounts?

Yes. The Solo plan covers 1 account, Team supports up to 10, Agency up to 50, and Enterprise is unlimited. All accounts appear in a single dashboard with per-account risk scores and consolidated alert feeds.

Is my AWS data secure?

All data is encrypted at rest with AES-256 and in transit with TLS 1.2+. Vigilare's control plane runs on AWS infrastructure in dedicated, isolated tenants. We never store raw AWS credentials. The platform is SOC 2 Type II compliant and we provide reports on request for Enterprise customers.

Is there a free trial?

Yes — all paid plans include a 14-day free trial. No credit card is required to get started. You can connect your first AWS account and see findings within 5 minutes of signing up.

What happens if I exceed my account limit?

We'll notify you as you approach your account limit and give you the option to upgrade. We won't stop monitoring your existing accounts without notice.

Can I cancel at any time?

Yes. There are no long-term contracts. You can cancel your subscription at any time from the billing settings page. Your access continues until the end of the current billing period.

AWS Service Quotas Monitoring: Preventing Limit-Induced Outages

Service quota limits are one of the most underestimated failure modes in AWS. Unlike infrastructure failures — which generate obvious errors and alerts — quota exhaustion often manifests as subtle degradation: API calls start returning throttling errors, new resources fail to provision with cryptic error messages, and the application appears to be malfunctioning when it's actually been walled off by an invisible ceiling.

The insidious part is the timing. Quotas are rarely a problem during development and testing. They become a problem at 3x your expected production traffic, or when a marketing campaign drives a usage spike, or when a batch job runs in a region that has lower default quotas than your primary region. By then, the quota increase process — which AWS typically processes in 24-72 hours — is too slow to prevent an outage.

The answer is proactive quota monitoring with headroom-based alerting: know what your current quota utilization is across critical services, get alerted at 70% utilization, and request increases long before you need them.

Understanding the Service Quotas Service

AWS Service Quotas is a central console and API for viewing and requesting changes to service limits across all AWS services. Before Service Quotas existed, limit information was scattered across individual service consoles and the only way to check utilization was to either know the limit from memory or file a support case asking what your limits were.

The Service Quotas console shows your current limit for each quota, whether it's adjustable, and what the default value is. For quotas that support CloudWatch monitoring, the console shows a link to the corresponding CloudWatch metric. Not all quotas have CloudWatch metrics — some can only be checked by querying the service directly — but coverage has expanded significantly in recent years.

The most important quotas to monitor fall into a few categories: compute (EC2 vCPUs, Lambda concurrency), API request rates (SES sending rates, DynamoDB read/write capacity), network (Elastic IPs, VPC limits), and storage (EBS volume counts, S3 bucket counts).

Setting Up CloudWatch Quota Alarms

For quotas with CloudWatch metric support, create utilization percentage alarms at 70% and 85% thresholds. The 70% alarm is your "request an increase now" signal — you have headroom but should proactively request more. The 85% alarm is your "this is urgent" signal — a moderate traffic spike could push you over the limit.

The Service Quotas CloudWatch metrics are in the AWS/Usage namespace. The metric dimension Type=Resource filters to resource count quotas (like number of running instances), while Type=API covers API request rate quotas. The specific metric name is ResourceCount for most services.

To express utilization as a percentage, use a CloudWatch metric math expression that divides the current usage metric by the quota limit. Service Quotas makes quota values available as CloudWatch metrics in the AWS/ServiceQuotas namespace for supported services, which enables math expressions that calculate utilization percentage dynamically rather than hardcoding the limit value.

Key Quotas to Monitor Per Service

EC2: Running On-Demand Standard (A, C, D, H, I, M, R, T, Z) instance vCPUs is the most important EC2 quota. It's a count of vCPUs, not instance count — a single c5.24xlarge consumes 96 vCPUs against this limit. Monitor this metric per region, not just in your primary region. Auto scaling groups that span regions will hit quotas in secondary regions first if you haven't proactively increased limits there.

Lambda: Concurrent executions is the critical Lambda quota. The default account limit is 1,000 concurrent executions per region. A Lambda-heavy application hitting the concurrency limit causes throttling with a 429 error and silent function invocation failures for event-driven architectures. Use reserved concurrency to allocate quota to critical functions and prevent non-critical functions from consuming the entire account limit.

SES: Sending rate (emails per second) and daily sending quota are the primary SES quotas. Monitor both against your peak sending patterns, not average. A scheduled batch email job that sends to 100,000 addresses within a few hours can easily exceed a default sending rate limit even if the daily quota has headroom.

DynamoDB: Table count and account-level read/write capacity are rarely hit but worth monitoring for accounts with many microservices each creating their own tables. The default limit of 10,000 tables per region sounds generous until a microservices proliferation over several years accumulates hundreds of tables per service environment.

Automated Quota Increase Requests

Service Quotas supports programmatic increase requests via the API. For quotas with a pattern of predictable growth, automate the increase request: when a CloudWatch alarm fires at 70% utilization, a Lambda function triggered by the alarm submits a quota increase request with a target value of 200% of current. This reduces the mean time from "approaching limit" to "increase requested" from days (waiting for an engineer to notice the alarm and file the request) to minutes.

Not all quota increases are automatically approved — some require AWS evaluation and may take 1-3 business days. Build this latency into your capacity planning. A quota increase request submitted at 70% utilization with a 2-day processing time is fine if your growth rate is measured in weeks. It's a problem if you have rapid growth where 70% becomes 100% in two days.

Cross-Account and Multi-Region Considerations

Quotas are per-account, per-region. A quota increase granted in us-east-1 doesn't apply to us-west-2. For multi-region architectures, audit quota utilization and increase requests for each region independently. AWS Organizations doesn't currently support organization-wide quota management — each member account's quotas are managed independently.

For organizations with multiple AWS accounts, each account has its own independent quota baseline. New accounts created in an organization start with the same default quotas as any new account — they don't inherit the increased quotas of existing accounts. Budget time for quota increase requests when spinning up new accounts for production workloads.

FAQ

How quickly does AWS process quota increase requests?

Auto-approved quota increases take effect within minutes. Quotas that require AWS review typically process in 1-3 business days for reasonable increases. Large increases (10x or more above default) may require additional justification and can take longer. For urgent situations, contacting AWS Support directly and explaining the business impact typically accelerates processing.

Do quota increases cost anything?

Quota increases themselves are free — you only pay for the resources you actually use. Increasing your EC2 vCPU limit from 1,000 to 5,000 doesn't change your bill; it just removes the ceiling on how many vCPUs you can run. You pay the standard EC2 hourly rate for instances you actually launch.

Can I see quota utilization across all accounts in my AWS Organization?

Not natively through Service Quotas. Each account's quota utilization is visible in that account's Service Quotas console or through the Service Quotas API. For organization-wide visibility, you'd need to aggregate this data through a central monitoring account — either by assuming a role in each account and querying the API, or by pushing metrics from each account to a central CloudWatch account using cross-account metrics sharing.

Protect your AWS accounts before it's too late

Vigilare monitors your AWS accounts for suspension risks — billing anomalies, IAM issues, GuardDuty findings, and more — and alerts you before AWS takes action.

See Vigilare pricing Talk to us about securing your AWS Browse documentation →

Written by Vigilare Engineering

Platform Team