Integrate IPAM with accounts in an Amazon Organization - Amazon Virtual Private Cloud
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Integrate IPAM with accounts in an Amazon Organization

Optionally, you can follow the steps in this section to integrate IPAM with Amazon Organizations and delegate a member account as the IPAM account.

The IPAM account is responsible for creating an IPAM and using it to manage and monitor IP address usage.

Integrating IPAM with Amazon Organizations and delegating an IPAM admin has the following benefits:

  • Share your IPAM pools with your organization: When you delegate an IPAM account, IPAM enables other Amazon Organizations member accounts in the organization to allocate CIDRs from IPAM pools that are shared using Amazon Resource Access Manager (RAM). For more information on setting up an organization, see What is Amazon Organizations? in the Amazon Organizations User Guide.

  • Monitor IP address usage in your organization: When you delegate an IPAM account, you give IPAM permission to monitor IP usage across all of your accounts. As a result, IPAM automatically imports CIDRs that are used by existing VPCs across other Amazon Organizations member accounts into IPAM.

If you do not delegate an Amazon Organizations member account as an IPAM account, IPAM will monitor resources only in the Amazon account that you use to create the IPAM.

Important
  • You must enable integration with Amazon Organizations by using IPAM in the Amazon management console or the enable-ipam-organization-admin-account Amazon CLI command. This ensures that the AWSServiceRoleForIPAM service-linked role is created. If you enable trusted access with Amazon Organizations by using the Amazon Organizations console or the register-delegated-administrator Amazon CLI command, the AWSServiceRoleForIPAM service-linked role isn't created, and you can't manage or monitor resources within your organization.

Note

When integrating with Amazon Organizations:

  • IPAM charges you for each active IP address that it monitors in your organization's member accounts. For more information about pricing, see IPAM pricing.

  • You must have an account in Amazon Organizations and a management account set up with one or more member accounts. For more information about account types, see Terminology and concepts in the Amazon Organizations User Guide. For more information on setting up an organization, see Getting started with Amazon Organizations.

  • The IPAM account must be an Amazon Organizations member account. You cannot use the Amazon Organizations management account as the IPAM account.

  • The IPAM account must use an IAM role that has an IAM policy attached to it that permits the iam:CreateServiceLinkedRole action. When you create the IPAM, you automatically create the AWSServiceRoleForIPAM service-linked role.

  • The user associated with the Amazon Organizations management account must use an IAM role that has the following IAM policy actions attached:

    • ec2:EnableIpamOrganizationAdminAccount

    • organizations:EnableAwsServiceAccess

    • organizations:RegisterDelegatedAdministrator

    • iam:CreateServiceLinkedRole

    For more information on creating IAM roles, see Creating a role to delegate permissions to an IAM user in the IAM User Guide.

  • To list the current Amazon Organizations delegated administrators, the user associated with the Amazon Organizations management account can use an IAM role that also permits the organizations:ListDelegatedAdministrators action.

Amazon Management Console

To select an IPAM account

  1. Using the Amazon Organizations management account, open the IPAM console at https://console.amazonaws.cn/ipam/.

  2. In the Amazon Management Console, choose the Amazon Region in which you want to work with IPAM.

  3. In the navigation pane, choose Organization settings.

  4. The Delegate option is only available if you've logged in to the console as the Amazon Organizations management account. Choose Delegate.

  5. Enter the Amazon account ID for an IPAM account. The IPAM administrator must be an Amazon Organizations member account.

  6. Choose Save changes.

Command line

The commands in this section link to the Amazon CLI Reference documentation. The documentation provides detailed descriptions of the options that you can use when you run the commands.

When you delegate an Organizations member account as an IPAM account, IPAM automatically creates a service-linked IAM role in all member accounts in your organization. IPAM monitors the IP address usage in these accounts by assuming the service-linked IAM role in each member account, discovering the resources and their CIDRs, and integrating them with IPAM. The resources within all member accounts will be discoverable by IPAM regardless of their Organizational Unit. If there are member accounts that have created a VPC, for example, you’ll see the VPC and its CIDR in the Resources section of the IPAM console.
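The delegation described above, as an added example that is not part of the Amazon documentation: a POSIX shell script that delegates the IPAM account through the IPAM API (the path that creates AWSServiceRoleForIPAM, as the Important note requires) and then confirms the delegation with organizations:ListDelegatedAdministrators. It assumes the AWS CLI v2 is installed, credentials for the Organizations management account are active, and the environment variables IPAM_ACCOUNT_ID and AWS_REGION (both assumed names) are set by the caller.

```shell
#!/bin/sh
# Added example, not from the AWS documentation: delegate an IPAM account from the
# Organizations management account using the IPAM API (the path that creates the
# AWSServiceRoleForIPAM service-linked role), then confirm the delegation.
# Assumes AWS CLI v2 and credentials for the management account; the region and
# account ID are supplied by the caller.
set -eu

# Organizations account IDs are exactly 12 digits; fail fast on anything else.
validate_account_id() {
  case "$1" in
    [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) return 0 ;;
    *) return 1 ;;
  esac
}

# Given the JSON printed by "aws organizations list-delegated-administrators
# --service-principal ipam.amazonaws.com", report whether ACCOUNT is listed.
# Uses grep only, so it works where jq is not installed.
is_delegated_for_ipam() {
  json="$1"; account="$2"
  printf '%s\n' "$json" | grep -q "\"Id\": *\"$account\""
}

delegate_ipam_account() {
  account="$1"; region="$2"
  validate_account_id "$account" || { echo "invalid account ID: $account" >&2; return 2; }

  # Must be the EC2/IPAM call, not "organizations register-delegated-administrator":
  # only this path creates AWSServiceRoleForIPAM, without which IPAM cannot
  # monitor the member accounts.
  aws ec2 enable-ipam-organization-admin-account \
    --region "$region" \
    --delegated-admin-account-id "$account" >/dev/null

  listing=$(aws organizations list-delegated-administrators \
    --service-principal ipam.amazonaws.com --output json)
  if is_delegated_for_ipam "$listing" "$account"; then
    echo "IPAM account $account is a delegated administrator for ipam.amazonaws.com"
  else
    echo "delegation not visible in Organizations; check the management-account permissions" >&2
    return 1
  fi
}

# Talk to AWS only when explicitly asked, so the file can be sourced for its functions.
if [ "${IPAM_DELEGATE_RUN:-0}" = "1" ]; then
  delegate_ipam_account "${IPAM_ACCOUNT_ID:?set IPAM_ACCOUNT_ID}" "${AWS_REGION:?set AWS_REGION}"
fi
```

Run it with IPAM_DELEGATE_RUN=1 from the management account; a non-zero exit means either the account ID was malformed or the delegation did not register for the IPAM service principal.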

Important

The Amazon Organizations management account that delegated the IPAM admin has no further part in the setup. To continue using IPAM, the IPAM admin account must log in to Amazon VPC IPAM and create an IPAM.