This document contains current content limits and request quotas for the Security Command Center API. This page will be updated to reflect any changes to these restrictions and usage limits.
Content limits
The Security Command Center API enforces the following usage limits:
Content Limit | Value |
---|---|
Findings uploads | 500 MB per day |
Request quotas
The current API usage quotas for the Security Command Center API are as follows (and are subject to change):
Request Quota | Value |
---|---|
Reads per minute | 1,000 |
Writes per minute | 1,000 |
These limits apply to each Google Cloud console project and are shared across all applications and IP addresses using that project.
Attack path simulation limits
The attack path simulation feature of Security Command Center is subject to the following limits:
- You can define up to 100 resource value configurations in an organization.
- A high-value resource set can contain no more than 1,000 instances of high-value resources. For more information, see Limit on resources in a high-value resource set.
Notifications
Calls that use the Security Command Center API for notifications are subject to the following quotas:
API Call Type | Limit |
---|---|
Read Calls (get, list) | 1000 API calls per minute per organization. |
Write Calls (create, update, delete) | 1000 API calls per minute per organization. |
The following additional limits apply to Security Command Center API notifications:
Usage | Limit |
---|---|
Number of NotificationConfig files | 500 per organization. |
Security posture service limitations
The security posture service includes the following limits:
- A maximum of 100 postures in an organization.
- A maximum of 400 policies in a posture.
- A maximum of 1000 posture deployments in an organization.
Infrastructure as code validation limitations
The infrastructure as code (IaC) validation feature has the following limitations:
- A maximum input file size of 2 MB or 1,000 assets.
- A maximum output file size of 2 MB.
- A maximum of 5 requests per minute per organization.
- A maximum of 1,000 requests per day per organization.
Export configurations to BigQuery
The following limit applies to export configurations to BigQuery:
Usage limit | Value |
---|---|
Number of export configurations to BigQuery | 500 per organization. |
Custom module quotas
Both the number of custom detection modules you can create and the number of API calls custom modules can make are subject to the quotas described in the following sections.
Quotas for the creation of custom modules
The following table shows the quotas for the creation of custom modules.
Custom module type | Quota |
---|---|
Security Health Analytics custom modules | 100 custom modules per organization. |
API call quotas for custom modules
API calls to custom module methods are also subject to quota limits. The following table shows the default quota limits for custom module API calls.
API Call Type | Limit |
---|---|
CustomModules Read Requests (Get, List) | 1,000 API calls per minute, per organization |
CustomModules Write Requests (Create, Update, Delete) | 60 API calls per minute, per organization |
CustomModules Test Requests | 12 API calls per minute, per organization |
For more information about custom modules, see the following:
Quota increases
If you want to transfer more than 5 GB per day or more than 1,000 reads or writes per minute, we would like to understand more about your needs and we might be able to build custom solutions. Submit a Security Command Center API Quota Request for your project in the Google Cloud console.