
IAMLimitExceeded - IAM Limit Exceeded

Hitting an **IAMLimitExceeded** error means you've exceeded the maximum number of IAM entities allowed in your AWS account: IAM enforces limits on users (5000), groups (300), roles (5000), and customer managed policies (1500) per account. It is a client-side (4xx) error returned when AWS checks a request against these entity limits. It is most common when too many IAM users exist, but it also appears when too many groups, roles, or policies have been created, or another account-level IAM limit is reached.

Common Causes

  • Identity: IAM account limits reached. Service Control Policy (SCP) enforces IAM limits.
  • Network: VPC endpoint IAM entity restrictions. Account-level IAM limits.
  • Limits: Too many IAM users (limit: 5000 per account). Too many IAM groups (limit: 300 per account). Too many IAM roles (limit: 5000 per account). Too many IAM policies (limit: 1500 customer managed per account). Account-level IAM limit reached.

Solutions

  1. Step 1: Diagnose - Check current IAM entity counts: aws iam list-users --query 'length(Users)' --output text. Check groups: aws iam list-groups --query 'length(Groups)' --output text. Check roles: aws iam list-roles --query 'length(Roles)' --output text. Check policies: aws iam list-policies --scope Local --query 'length(Policies)' --output text.
  2. Step 2: Diagnose - Find unused IAM users: List users with no access keys (with --output text the user names come back tab-separated on one line, so split them before reading): aws iam list-users --query 'Users[].UserName' --output text | tr '\t' '\n' | while read -r user; do echo "$user: $(aws iam list-access-keys --user-name "$user" --query 'length(AccessKeyMetadata)' --output text)"; done. Identify users to delete.
  3. Step 3: Diagnose - Check IAM limits: Default limits: Users (5000), Groups (300), Roles (5000), Policies (1500). Compare current counts with limits.
  4. Step 4: Fix - Delete unused IAM entities: Delete user: aws iam delete-user --user-name USER_NAME. Or consolidate users into groups: aws iam add-user-to-group --user-name USER_NAME --group-name GROUP_NAME.
  5. Step 5: Fix - Request limit increase or optimize: Contact AWS Support for limit increase. Or use roles instead of users where possible. Review and optimize IAM structure.
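The diagnosis above compares counts against hard-coded limits and treats "no access keys" as the sign of an unused user. As an added example that is not part of the original page, the Python below instead reads the account's actual quotas from `iam.get_account_summary()` (its `SummaryMap` carries both the counts and the matching `*Quota` values) and finds stale users from the IAM credential report, treating a user as unused only when the password and both access keys have all been idle longer than a threshold (or the user was created that long ago and never used). `SAMPLE_SUMMARY`, `SAMPLE_REPORT` and the function names are constructed for offline use; the live fetch under `__main__` assumes boto3 and read permissions on IAM.

```python
import csv
import io
import time
from datetime import datetime, timedelta, timezone

# Constructed subset of iam.get_account_summary()["SummaryMap"]; the *Quota keys hold the account's real quotas.
SAMPLE_SUMMARY = {"Users": 4750, "UsersQuota": 5000, "Groups": 120, "GroupsQuota": 300,
                  "Roles": 980, "RolesQuota": 1000, "Policies": 300, "PoliciesQuota": 1500}

# Constructed IAM credential report rows (the real report has more columns).
SAMPLE_REPORT = """user,user_creation_time,password_last_used,access_key_1_last_used_date,access_key_2_last_used_date
<root_account>,2020-01-01T00:00:00+00:00,not_supported,N/A,N/A
alice,2022-01-01T00:00:00+00:00,2024-05-02T09:00:00+00:00,N/A,N/A
bob,2022-01-01T00:00:00+00:00,no_information,2023-11-01T08:00:00+00:00,N/A
carol,2024-01-01T00:00:00+00:00,no_information,N/A,N/A
"""

def quota_utilization(summary, warn_at=0.8):
    """Return {entity: (count, quota, fraction)} for entity types at or above warn_at of their quota."""
    hot = {}
    for entity in ("Users", "Groups", "Roles", "Policies"):
        count, quota = summary[entity], summary[entity + "Quota"]
        if count / quota >= warn_at:
            hot[entity] = (count, quota, round(count / quota, 3))
    return hot

def _timestamp(value):
    """Credential report cells are ISO timestamps or one of these placeholder strings."""
    return None if value in ("N/A", "no_information", "not_supported") else datetime.fromisoformat(value)

def stale_users(report_csv, now, days=90):
    """Users whose password and keys were all last used (or, if never used, created) more than `days` ago."""
    cutoff, stale = now - timedelta(days=days), []
    for row in csv.DictReader(io.StringIO(report_csv)):
        if row["user"] == "<root_account>":
            continue  # root is not an IAM user and cannot be deleted
        used = [t for c in ("password_last_used", "access_key_1_last_used_date",
                             "access_key_2_last_used_date") if (t := _timestamp(row[c]))]
        last_activity = max(used) if used else _timestamp(row["user_creation_time"])
        if last_activity < cutoff:
            stale.append(row["user"])
    return stale

if __name__ == "__main__":  # live run: needs boto3 and iam:GetAccountSummary / iam:*CredentialReport
    import boto3
    iam = boto3.client("iam")
    print(quota_utilization(iam.get_account_summary()["SummaryMap"]))
    while iam.generate_credential_report()["State"] != "COMPLETE":
        time.sleep(2)  # report generation is asynchronous
    print(stale_users(iam.get_credential_report()["Content"].decode(), datetime.now(timezone.utc)))
```

Users flagged by stale_users are candidates for review, not automatic deletion; confirm with the owning team before removing them.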

Code Examples

Check Current IAM Entity Counts and Limits

#!/bin/bash
# Count IAM entities with the CLI (the CLI paginates the list-* calls automatically)
echo "=== Current IAM Entity Counts ==="
USER_COUNT=$(aws iam list-users --query 'length(Users)' --output text)
GROUP_COUNT=$(aws iam list-groups --query 'length(Groups)' --output text)
ROLE_COUNT=$(aws iam list-roles --query 'length(Roles)' --output text)
POLICY_COUNT=$(aws iam list-policies --scope Local --query 'length(Policies)' --output text)

echo "Users: ${USER_COUNT} / 5000"
echo "Groups: ${GROUP_COUNT} / 300"
echo "Roles: ${ROLE_COUNT} / 5000"
echo "Policies: ${POLICY_COUNT} / 1500"

# printf interprets \n; plain echo in bash prints it literally
printf '\n=== IAM Account Limits ===\n'
echo "Users: 5000 per account"
echo "Groups: 300 per account"
echo "Roles: 5000 per account"
echo "Policies: 1500 customer managed per account"

# Check if any limit is reached (quoted so an empty value does not break the test)
if [ "${USER_COUNT}" -ge 5000 ] || [ "${GROUP_COUNT}" -ge 300 ] || [ "${ROLE_COUNT}" -ge 5000 ] || [ "${POLICY_COUNT}" -ge 1500 ]; then
  printf '\n✗ IAM limit reached (IAMLimitExceeded)\n'
else
  printf '\n✓ All counts within limits\n'
fi

Find Unused IAM Users

#!/bin/bash
echo "=== Finding Unused IAM Users ==="
echo "Users with no access keys:"

# --output text prints the names tab-separated on one line, so split them onto
# separate lines before reading; avoid the name USER, which the shell already sets
aws iam list-users --query 'Users[].UserName' --output text | tr '\t' '\n' | while read -r USER_NAME; do
  KEY_COUNT=$(aws iam list-access-keys \
    --user-name "${USER_NAME}" \
    --query 'length(AccessKeyMetadata)' \
    --output text 2>/dev/null || echo "0")

  if [ "${KEY_COUNT}" = "0" ]; then
    echo "  ✗ ${USER_NAME} - No access keys"

    # Check if user has console login (get-login-profile fails when there is none)
    if ! aws iam get-login-profile --user-name "${USER_NAME}" >/dev/null 2>&1; then
      echo "    No console login - candidate for deletion"
    fi
  fi
done

printf '\n=== Delete Unused User ===\n'
echo "aws iam delete-user --user-name unused-user"

Consolidate Users into Groups

#!/bin/bash
echo "=== Consolidating Users into Groups ==="
echo "This reduces the need for individual user policies"

USER_NAME="my-user"
GROUP_NAME="my-group"

# Check if group exists
if aws iam get-group --group-name "${GROUP_NAME}" >/dev/null 2>&1; then
  echo "Group ${GROUP_NAME} exists"
else
  echo "Creating group: ${GROUP_NAME}"
  aws iam create-group --group-name "${GROUP_NAME}"
fi

# Add user to group, branching on the command's exit status directly
printf '\n=== Adding User to Group ===\n'
if aws iam add-user-to-group \
     --user-name "${USER_NAME}" \
     --group-name "${GROUP_NAME}"; then
  echo "✓ User ${USER_NAME} added to group ${GROUP_NAME}"
  printf '\nBenefits:\n'
  echo "1. Reduces individual user management"
  echo "2. Policies attached to group apply to all members"
  echo "3. Helps avoid IAMLimitExceeded"
else
  echo "✗ Failed to add user to group"
fi

Provider Information

This error code is specific to AWS services. For more information, refer to the official AWS documentation.