I was running a mass account provisioning script to create 50 accounts for a new division, and on the 11th account, everything ground to a halt: “You have exceeded the allowed number of AWS accounts.” I was shocked—the default quota is 10 accounts, and new organizations hit rate limits of 5 accounts per 24 hours. In this post, I’ll walk through exactly why account creation fails and how to overcome quota and rate limits.
The Problem
Your AWS Organizations account creation is failing with quota-related errors:
- aws organizations create-account fails with: “You have exceeded the allowed number of AWS accounts”
- AWS Control Tower Account Factory complains about reaching quota limits
- Account creation starts but hangs mid-process
- Email address validation fails: “This email is already in use”
- Attempts to create multiple accounts in parallel are rejected
Why Does This Happen?
- Default soft quota is 10 accounts: New organizations have a default soft limit of 10 accounts. Requesting more requires a support case and AWS approval.
- Rate limit on account creation: AWS Organizations limits the rate of account creation: typically 5 accounts per 24 hours for new organizations, increasing over time as organizations mature.
- Email address globally unique: Every AWS account needs a unique email address. If you reuse an email that’s been associated with any AWS account globally (even deleted accounts), creation fails.
- Concurrent account creation attempts: If you submit multiple account creation requests in rapid succession, AWS may reject some due to rate limits or system constraints.
- Organization in grace period: After creating a burst of accounts, organizations are placed in a grace period. No new accounts can be created until the period expires.
The Fix
Step 1: Check Current Account Count and Quota
First, see how many accounts you have and what your current quota is:
# Count accounts in the organization
aws organizations list-accounts \
--query 'length(Accounts)'
# Check the service quota for account creation
aws service-quotas get-service-quota \
--service-code organizations \
--quota-code L-29A0C5DF \
--query 'Quota.{QuotaName:QuotaName,Value:Value,UsageMetric:UsageMetric}'
# If that fails, list all quotas for Organizations
aws service-quotas list-service-quotas \
--service-code organizations \
--query 'Quotas[?contains(QuotaName, `account`)]'
Step 2: Request a Service Quota Increase
To increase the account limit, submit a quota increase request:
# Request increase to 100 accounts (example)
aws service-quotas request-service-quota-increase \
--service-code organizations \
--quota-code L-29A0C5DF \
--desired-value 100
# Monitor the request status
aws service-quotas list-requested-service-quota-change-history \
--service-code organizations \
--query 'RequestedQuotaChangeHistoryDetails[0].{RequestId:Id,Status:Status,DesiredValue:DesiredValue}'
AWS typically approves quota increases within 1–2 business days. You’ll receive an email confirmation.
Step 3: Implement Account Creation Queuing for Rate Limits
Since you can only create 5 accounts per 24 hours (initially), implement a queue with retry logic:
#!/bin/bash
# account-creation-queue.sh
# Simple account creation queue respecting rate limits.
# Emails that are not submitted on this run stay in the queue file for the next run.
QUEUE_FILE="account_creation_queue.txt"
REMAINING_FILE="$(mktemp)"
MAX_ACCOUNTS_PER_DAY=5
CREATED_TODAY=0
# Read queue from file (one email per line)
while IFS= read -r email; do
  [ -z "$email" ] && continue   # skip blank lines
  # Check rate limit: leave the rest in the queue for tomorrow's run
  if [ "$CREATED_TODAY" -ge "$MAX_ACCOUNTS_PER_DAY" ]; then
    echo "Rate limit reached. Deferring: $email"
    echo "$email" >> "$REMAINING_FILE"
    continue
  fi
  # Create account (asynchronous: the call returns a request id, not a finished account)
  echo "Creating account for: $email"
  if request_id=$(aws organizations create-account \
      --email "$email" \
      --account-name "Account-$email" \
      --query 'CreateAccountStatus.Id' \
      --output text < /dev/null); then
    ((CREATED_TODAY++))
    # Log the request id so its status can be checked later (Step 4)
    echo "Requested: $email ($request_id) at $(date)" >> account_creation.log
  else
    echo "Request rejected for: $email, keeping it in the queue" >&2
    echo "$email" >> "$REMAINING_FILE"
  fi
  # Delay between accounts (optional, helps with propagation)
  sleep 5
done < "$QUEUE_FILE"
# Replace the queue with whatever was not submitted
mv "$REMAINING_FILE" "$QUEUE_FILE"
echo "Completed $CREATED_TODAY account creations today; $(wc -l < "$QUEUE_FILE") left in queue"
Run this script daily, and it will respect the rate limit.
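As an added example (not the post's script), the same queue in Python with boto3. It derives today's budget from list_create_account_status instead of a local counter, so re-running it in the same day cannot overshoot the limit. The `client` argument is assumed to be `boto3.client("organizations")`; the 24-hour window and the conservative choice of counting every request regardless of state are assumptions.

```python
"""Rate-limit-aware queue (added example; assumes client = boto3.client("organizations"))."""
from datetime import datetime, timedelta, timezone

MAX_ACCOUNTS_PER_DAY = 5  # the post's initial rate limit


def requests_in_window(client, now, window=timedelta(hours=24)):
    """Count create-account requests submitted within the window.

    Every request is counted regardless of state (assumption: the conservative
    choice, so FAILED requests are treated as having consumed budget too).
    Follows NextToken so older pages are not missed.
    """
    count, token = 0, None
    while True:
        page = client.list_create_account_status(**({"NextToken": token} if token else {}))
        for status in page.get("CreateAccountStatuses", []):
            if now - status["RequestedTimestamp"] < window:
                count += 1
        token = page.get("NextToken")
        if not token:
            return count


def submit_queue(client, emails, now, max_per_day=MAX_ACCOUNTS_PER_DAY):
    """Submit as many queued emails as today's remaining budget allows.

    Returns (request ids submitted, emails deferred to a later run).
    """
    budget = max_per_day - requests_in_window(client, now)
    submitted, deferred = [], []
    for email in emails:
        if len(submitted) >= budget:
            deferred.append(email)
            continue
        resp = client.create_account(Email=email, AccountName="Account-" + email)
        submitted.append(resp["CreateAccountStatus"]["Id"])
    return submitted, deferred


if __name__ == "__main__":
    import sys
    import boto3  # only needed when run for real

    queue = [line.strip() for line in open(sys.argv[1]) if line.strip()]
    ids, left = submit_queue(boto3.client("organizations"), queue, datetime.now(timezone.utc))
    print("submitted:", ids)
    print("deferred:", left)
```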
Step 4: Monitor Account Creation Status
Check the status of accounts being created:
# List in-progress account creations
aws organizations list-create-account-status \
--states IN_PROGRESS \
--query 'CreateAccountStatuses[*].{RequestId:Id,AccountName:AccountName,Status:State,AccountId:AccountId}'
# Get details of a specific creation request
aws organizations describe-create-account-status \
--create-account-request-id car-0123456789abcdef0 \
--query 'CreateAccountStatus.{Status:State,AccountName:AccountName,AccountId:AccountId,Message:FailureReason}'
# List failed creations
aws organizations list-create-account-status \
--states FAILED \
--query 'CreateAccountStatuses[*].{AccountName:AccountName,FailureReason:FailureReason}'
If a creation fails, retry with a different email or account name.
Step 5: Handle Email Address Conflicts
If account creation fails because the email is already in use:
# Generate a unique email alias (if using Gmail or similar)
# Example: yourname+awsaccount1@example.com
EMAIL="yourname+awsaccount$(date +%s)@example.com"
# Retry account creation with the new email
aws organizations create-account \
--email "$EMAIL" \
--account-name "Account-$EMAIL"
Alternatively, use email forwarding services or create new email addresses for each account.
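An added Python companion (not part of the post) covering Steps 4 and 5: it polls a create-account request until it leaves IN_PROGRESS, maps the API's FailureReason values to an action, and builds the next plus-address alias when the reason is EMAIL_ALREADY_EXISTS. It assumes `client` is `boto3.client("organizations")`; the grouping of reasons into actions is my assumption, the reason values themselves are the API's.

```python
"""Poll a create-account request and decide what to do next (added example)."""
import time

# FailureReason values from the Organizations CreateAccountStatus API, grouped by
# the action they call for (the grouping is an assumption; the values are real).
RETRY_WITH_NEW_EMAIL = {"EMAIL_ALREADY_EXISTS", "INVALID_EMAIL"}
WAIT_FOR_QUOTA = {"ACCOUNT_LIMIT_EXCEEDED", "CONCURRENT_ACCOUNT_MODIFICATION"}


def classify(status):
    """Map one CreateAccountStatus object to: wait, done, retry_new_email, wait_for_quota, escalate."""
    state = status["State"]
    if state == "IN_PROGRESS":
        return "wait"
    if state == "SUCCEEDED":
        return "done"
    reason = status.get("FailureReason", "")
    if reason in RETRY_WITH_NEW_EMAIL:
        return "retry_new_email"
    if reason in WAIT_FOR_QUOTA:
        return "wait_for_quota"
    return "escalate"  # INTERNAL_FAILURE and anything else: needs a human or a support case


def wait_for_request(client, request_id, poll_seconds=15, max_polls=40, sleep=time.sleep):
    """Poll describe_create_account_status until the request finishes or max_polls is hit.

    Returns (action, last status). `sleep` is injectable so the loop can be tested offline.
    """
    status = None
    for _ in range(max_polls):
        status = client.describe_create_account_status(
            CreateAccountRequestId=request_id)["CreateAccountStatus"]
        action = classify(status)
        if action != "wait":
            return action, status
        sleep(poll_seconds)
    return "timeout", status


def alias_email(email, n):
    """Plus-address alias in the post's yourname+awsaccount1@example.com style.

    Any earlier +alias is stripped first so retries do not stack suffixes.
    """
    local, domain = email.split("@", 1)
    return "%s+awsaccount%d@%s" % (local.split("+", 1)[0], n, domain)
```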
Step 6: Use Control Tower for Large-Scale Provisioning
If creating many accounts, AWS Control Tower’s Account Factory is better optimized:
- Ensure Control Tower is initialized in your organization
- Use the Account Factory API to create accounts:
# Look up the product's current provisioning artifact (version) id first:
#   aws servicecatalog describe-product --name "AWS Control Tower Account Factory" \
#     --query 'ProvisioningArtifacts[*].[Id,Name]'
# The artifact id, OU name and SSO user values below are placeholders.
aws servicecatalog provision-product \
--product-name "AWS Control Tower Account Factory" \
--provisioning-artifact-id "pa-0123456789abcdef0" \
--provisioned-product-name "NewAccount-prod" \
--provisioning-parameters \
  Key=AccountEmail,Value=user@example.com \
  Key=AccountName,Value=prod-account \
  Key=ManagedOrganizationalUnit,Value=Workloads \
  Key=SSOUserEmail,Value=user@example.com \
  Key=SSOUserFirstName,Value=Jane \
  Key=SSOUserLastName,Value=Doe
Control Tower handles email uniqueness and rate limiting better than the raw Organizations API.
How to Run This
- Check current account count: aws organizations list-accounts | jq '.Accounts | length'
- Check quota: aws service-quotas get-service-quota --service-code organizations --quota-code L-29A0C5DF
- If hitting the limit, request an increase: aws service-quotas request-service-quota-increase --service-code organizations --quota-code L-29A0C5DF --desired-value 100
- Implement the queuing script to respect rate limits
- Monitor creation status: aws organizations list-create-account-status
- For unique emails, use aliases or forwarding addresses
- Consider AWS Control Tower for large-scale provisioning
Is This Safe?
Yes, completely safe. These commands check quotas, submit quota requests, and create accounts. No existing accounts are modified or deleted.
Key Takeaway
AWS Organizations has default soft quotas (10 accounts) and rate limits (5 accounts per 24 hours). Always request quota increases early, implement queuing logic to respect rate limits, and use unique email addresses for each account. For large-scale account provisioning, AWS Control Tower Account Factory is more robust than the direct Organizations API.