Amazon managed policies for IPAM - Amazon Virtual Private Cloud
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Amazon managed policies for IPAM

If you are using IPAM with a single Amazon account and you create an IPAM, the AWSIPAMServiceRolePolicy managed policy is automatically created in your IAM account and attached to the AWSServiceRoleForIPAM service-linked role.

If you enable IPAM integration with Amazon Organizations, the AWSIPAMServiceRolePolicy managed policy is automatically created in your IAM account and in each of your Amazon Organizations member accounts, and the managed policy is attached to the AWSServiceRoleForIPAM service-linked role.

This managed policy enables IPAM to do the following:

  • Monitor CIDRs associated with networking resources across all members of your Amazon Organization.

  • Store metrics related to IPAM in Amazon CloudWatch, such as the IP address space available in your IPAM pools and the number of resource CIDRs that comply with allocation rules.

The following example shows the details of the managed policy that's created.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "IPAMDiscoveryDescribeActions",
                "Effect": "Allow",
                "Action": [
                    "ec2:DescribeAccountAttributes",
                    "ec2:DescribeAddresses",
                    "ec2:DescribeByoipCidrs",
                    "ec2:DescribeIpv6Pools",
                    "ec2:DescribeNetworkInterfaces",
                    "ec2:DescribePublicIpv4Pools",
                    "ec2:DescribeSecurityGroups",
                    "ec2:DescribeSecurityGroupRules",
                    "ec2:DescribeSubnets",
                    "ec2:DescribeVpcs",
                    "ec2:DescribeVpnConnections",
                    "ec2:GetIpamDiscoveredAccounts",
                    "ec2:GetIpamDiscoveredPublicAddresses",
                    "ec2:GetIpamDiscoveredResourceCidrs",
                    "globalaccelerator:ListAccelerators",
                    "globalaccelerator:ListByoipCidrs",
                    "organizations:DescribeAccount",
                    "organizations:DescribeOrganization",
                    "organizations:ListAccounts",
                    "organizations:ListDelegatedAdministrators"
                ],
                "Resource": "*"
            },
            {
                "Sid": "CloudWatchMetricsPublishActions",
                "Effect": "Allow",
                "Action": "cloudwatch:PutMetricData",
                "Resource": "*",
                "Condition": {
                    "StringEquals": {
                        "cloudwatch:namespace": "AWS/IPAM"
                    }
                }
            }
        ]
    }

The first statement in the preceding example enables IPAM to monitor the CIDRs used by your single Amazon account or by the members of your Amazon Organization.

The second statement in the preceding example allows the cloudwatch:PutMetricData action, and its cloudwatch:namespace condition key limits IPAM to storing IPAM metrics in your AWS/IPAM Amazon CloudWatch namespace. These metrics are used by the Amazon Management Console to display data about the allocations in your IPAM pools and scopes. For more information, see Monitor CIDR usage with the IPAM dashboard.

Updates to the Amazon managed policy

View details about updates to Amazon managed policies for IPAM since this service began tracking these changes.

Change: AWSIPAMServiceRolePolicy
Description: Action added to the AWSIPAMServiceRolePolicy managed policy (ec2:GetIpamDiscoveredPublicAddresses) to enable IPAM to get public IP addresses during resource discovery.
Date: November 13, 2023

Change: AWSIPAMServiceRolePolicy
Description: Actions added to the AWSIPAMServiceRolePolicy managed policy (ec2:DescribeAccountAttributes, ec2:DescribeNetworkInterfaces, ec2:DescribeSecurityGroups, ec2:DescribeSecurityGroupRules, ec2:DescribeVpnConnections, globalaccelerator:ListAccelerators, and globalaccelerator:ListByoipCidrs) to enable IPAM to get public IP addresses during resource discovery.
Date: November 1, 2023

Change: AWSIPAMServiceRolePolicy
Description: Two actions added to the AWSIPAMServiceRolePolicy managed policy (ec2:GetIpamDiscoveredAccounts and ec2:GetIpamDiscoveredResourceCidrs) to enable IPAM to get the Amazon accounts and resource CIDRs being monitored during resource discovery.
Date: January 25, 2023

Change: IPAM started tracking changes
Description: IPAM started tracking changes for its Amazon managed policies.
Date: December 2, 2021
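As an added example (not part of the AWS documentation and not code AWS ships), the following Python script performs two offline checks on the policy shown above. The first is a least-privilege lint: every allowed action must be read-only discovery (Describe, Get or List), except cloudwatch:PutMetricData, which must be held to the AWS/IPAM namespace by the cloudwatch:namespace condition key, as the preceding explanation states. The second is a version diff: it reports which actions were added relative to an earlier version of the policy, reconstructed here by removing the actions the change log lists for November 1 and November 13, 2023. The function names, the regular expression that classifies read-only actions, and the reconstructed earlier version are assumptions of this example; the policy document itself is the one printed on this page, and no AWS API is called.

```python
"""Offline checks on the AWSIPAMServiceRolePolicy document shown on this page.

Added example: a least-privilege lint of the policy's statements and an
action diff between two policy versions. No AWS calls are made.
"""
import re

# The AWSIPAMServiceRolePolicy document as printed on this page.
AWS_IPAM_SERVICE_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "IPAMDiscoveryDescribeActions",
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeAccountAttributes", "ec2:DescribeAddresses",
                "ec2:DescribeByoipCidrs", "ec2:DescribeIpv6Pools",
                "ec2:DescribeNetworkInterfaces", "ec2:DescribePublicIpv4Pools",
                "ec2:DescribeSecurityGroups", "ec2:DescribeSecurityGroupRules",
                "ec2:DescribeSubnets", "ec2:DescribeVpcs",
                "ec2:DescribeVpnConnections", "ec2:GetIpamDiscoveredAccounts",
                "ec2:GetIpamDiscoveredPublicAddresses",
                "ec2:GetIpamDiscoveredResourceCidrs",
                "globalaccelerator:ListAccelerators",
                "globalaccelerator:ListByoipCidrs",
                "organizations:DescribeAccount",
                "organizations:DescribeOrganization",
                "organizations:ListAccounts",
                "organizations:ListDelegatedAdministrators",
            ],
            "Resource": "*",
        },
        {
            "Sid": "CloudWatchMetricsPublishActions",
            "Effect": "Allow",
            "Action": "cloudwatch:PutMetricData",
            "Resource": "*",
            "Condition": {"StringEquals": {"cloudwatch:namespace": "AWS/IPAM"}},
        },
    ],
}

# Actions the change log on this page lists as added on November 1 and
# November 13, 2023. Removing them from the current document reconstructs
# (as an assumption of this example) the policy version before those updates.
ADDED_NOV_2023 = [
    "ec2:DescribeAccountAttributes", "ec2:DescribeNetworkInterfaces",
    "ec2:DescribeSecurityGroups", "ec2:DescribeSecurityGroupRules",
    "ec2:DescribeVpnConnections", "globalaccelerator:ListAccelerators",
    "globalaccelerator:ListByoipCidrs", "ec2:GetIpamDiscoveredPublicAddresses",
]

# Read-only IAM action shapes: service:Describe*, service:Get*, service:List*.
# A bare "*" or any mutating verb deliberately fails this match.
READ_ONLY_ACTION = re.compile(r"^[a-z0-9-]+:(Describe|Get|List)[A-Za-z0-9]*$")


def as_list(value):
    """IAM accepts a string or a list in Action; normalise to a list."""
    return value if isinstance(value, list) else [value]


def lint_policy(policy):
    """Return findings for any Allow statement that grants more than the page
    says this policy needs: read-only discovery, plus PutMetricData scoped to
    the AWS/IPAM namespace through the cloudwatch:namespace condition key."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        namespace = (stmt.get("Condition", {}).get("StringEquals", {})
                     .get("cloudwatch:namespace"))
        for action in as_list(stmt.get("Action", [])):
            if READ_ONLY_ACTION.match(action):
                continue
            if action == "cloudwatch:PutMetricData":
                if namespace != "AWS/IPAM":
                    findings.append(f"{sid}: PutMetricData not limited to AWS/IPAM")
                continue
            findings.append(f"{sid}: unexpected non-read-only action {action!r}")
    return findings


def allowed_actions(policy):
    """Set of every action granted by an Allow statement."""
    return {a for s in policy["Statement"] if s.get("Effect") == "Allow"
            for a in as_list(s.get("Action", []))}


def diff_actions(old_policy, new_policy):
    """Actions added and removed between two versions of the same policy."""
    old, new = allowed_actions(old_policy), allowed_actions(new_policy)
    return {"added": sorted(new - old), "removed": sorted(old - new)}


def without_actions(policy, actions):
    """Copy of policy with the given actions stripped from every statement."""
    return {**policy, "Statement": [
        {**s, "Action": [a for a in as_list(s.get("Action", [])) if a not in actions]}
        for s in policy["Statement"]]}


if __name__ == "__main__":
    print("lint findings:", lint_policy(AWS_IPAM_SERVICE_ROLE_POLICY) or "none")
    earlier = without_actions(AWS_IPAM_SERVICE_ROLE_POLICY, set(ADDED_NOV_2023))
    print("actions added since earlier version:",
          diff_actions(earlier, AWS_IPAM_SERVICE_ROLE_POLICY)["added"])
```

To run the same checks against what is actually deployed, feed lint_policy and diff_actions the documents returned by `aws iam get-policy-version` for two version IDs of the managed policy; the diff then shows exactly which actions a managed-policy update introduced, which is the signal a change-control process wants before it lands in every member account of the organization.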