Quotas and limits

Free analysis query limit

Policy Analyzer limits the number of queries that you can make if you don't have an organization-level activation of the Premium or Enterprise tier of Security Command Center.

Quota Value
Analysis queries per organization per day1 20

1 This quota only applies for organizations that don't have an organization-level activation of the Premium or Enterprise tier of Security Command Center. This limit is shared among all Policy Analyzer tools.

For more details, see Billing questions in the Policy Intelligence documentation.

Project quota

Cloud Asset Inventory enforces the rate of incoming requests based on the consumer project. The default quotas are as follows:

Quota Value
AnalyzeIamPolicy 100 per minute per consumer project
1000 per day per consumer project
AnalyzeIamPolicyLongrunning 100 per minute per consumer project
1000 per day per consumer project
BatchGetAssetsHistory 100 per minute per consumer project
BatchGetEffectiveIamPolicies 100 per minute per consumer project
ExportAssets 60 per minute per consumer project
6000 per day per consumer project
ListAssets 100 per minute per consumer project
Real-time feed APIs 600 per minute per consumer project
Saved Query APIs 600 per minute per consumer project
SearchAllIamPolicies 400 per minute per consumer project
SearchAllResources 400 per minute per consumer project

You can use the APIs and services quotas dashboard to view current quotas and usage for your project.

Resource organization quota

In addition to the per-project quota, Cloud Asset Inventory also enforces rate limits on incoming requests based on resource organization. The limits are as follows:

Quota Value
BatchGetAssetsHistory 180 per minute per organization
195,000 per day per organization
ExportAssets 75 per minute per organization
13,000 per day per organization
ListAssets 800 per minute per organization
650,000 per day per organization
QueryAssets 20 per minute per organization for requests with a query statement
200 per minute per organization for requests with a job reference
Real-time feed APIs 30 per minute per organization
SearchAllIamPolicies 3,000 per minute per organization
SearchAllResources 1,500 per minute per organization

Policy Analyzer expansion limits

The Policy Analyzer limits group expansion in the group memberships and resource expansion in the resource hierarchy to the following values.

Limit Value
AnalyzeIamPolicy group expansion 1000 per group
AnalyzeIamPolicy resource expansion 1000 per resource
AnalyzeIamPolicyLongrunning resource expansion 100000 per resource

Downstream services

In addition to limits enforced by Cloud Asset Inventory, the number of incoming requests is also capped by the rate and quota of the downstream services that Cloud Asset Inventory depends on.

BigQuery

  • Table operations: BigQuery has a quota limit for table operations, which defines the maximum number of ExportAssets API requests to the same BigQuery table that can be performed daily. ExportAssets issues 2 table operations per table per request.

  • Query jobs: BigQuery has a concurrent rate limit for query job, which defines the maximum number of concurrent ExportAssets API requests that can be issued per project.

Pub/Sub

Request a quota increase

If you have access to the Security Command Center Premium or Enterprise tier at the organization level, you can contact your account representative to request a Cloud Asset Inventory quota increase. Activating Security Command Center Premium or Enterprise at the project level only might not be qualified to get additional quota.

Access to the Security Command Center Premium or Enterprise tier also automatically grants an unlimited number of analysis queries per organization per day.