Enforce IPAM use for VPC creation with SCPs - Amazon Virtual Private Cloud

Enforce IPAM use for VPC creation with SCPs

Note

This section is only applicable to you if you've enabled IPAM to integrate with Amazon Organizations. For more information, see Integrate IPAM with accounts in an Amazon Organization.

This section describes how to create a service control policy in Amazon Organizations that requires members in your organization to use IPAM when they create a VPC. Service control policies (SCPs) are a type of organization policy that enable you to manage permissions in your organization. For more information, see Service control policies in the Amazon Organizations User Guide.

Enforce IPAM when creating VPCs

Follow the steps in this section to require members in your organization to use IPAM when creating VPCs.

To create an SCP and restrict VPC creation to IPAM
  1. Follow the steps in Creating an SCP in the Amazon Organizations User Guide and enter the following text in the JSON editor:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Deny",
          "Action": ["ec2:CreateVpc", "ec2:AssociateVpcCidrBlock"],
          "Resource": "arn:aws:ec2:*:*:vpc/*",
          "Condition": {
            "Null": { "ec2:Ipv4IpamPoolId": "true" }
          }
        }
      ]
    }
  2. Attach the policy to one or more organizational units in your organization. For more information, see Attaching and detaching service control policies in the Amazon Organizations User Guide.

Enforce an IPAM pool when creating VPCs

Follow the steps in this section to require members in your organization to use a specific IPAM pool when creating VPCs.

To create an SCP and restrict VPC creation to an IPAM pool
  1. Follow the steps in Creating an SCP in the Amazon Organizations User Guide and enter the following text in the JSON editor:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Deny",
          "Action": ["ec2:CreateVpc", "ec2:AssociateVpcCidrBlock"],
          "Resource": "arn:aws:ec2:*:*:vpc/*",
          "Condition": {
            "StringNotEquals": { "ec2:Ipv4IpamPoolId": "ipam-pool-0123456789abcdefg" }
          }
        }
      ]
    }
  2. Change the ipam-pool-0123456789abcdefg example value to the IPv4 pool ID you would like to restrict users to.

  3. Attach the policy to one or more organizational units in your organization. For more information, see Attaching and detaching service control policies in the Amazon Organizations User Guide.

Enforce IPAM for all but a given list of OUs

Follow the steps in this section to enforce IPAM for all but a given list of Organizational Units (OUs). The policy described in this section requires every OU in the organization, except the OUs you list in aws:PrincipalOrgPaths, to use IPAM to create and expand VPCs. The listed OUs can either use IPAM when creating VPCs or specify an IP address range manually.

To create an SCP and enforce IPAM for all but a given list of OUs
  1. Follow the steps in Creating an SCP in the Amazon Organizations User Guide and enter the following text in the JSON editor:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Deny",
          "Action": ["ec2:CreateVpc", "ec2:AssociateVpcCidrBlock"],
          "Resource": "arn:aws:ec2:*:*:vpc/*",
          "Condition": {
            "Null": { "ec2:Ipv4IpamPoolId": "true" },
            "ForAllValues:StringNotLike": {
              "aws:PrincipalOrgPaths": [
                "o-a1b2c3d4e5/r-ab12/ou-ab12-11111111/ou-ab12-22222222/",
                "o-a1b2c3d4e5/r-ab12/ou-ab13-22222222/ou-ab13-33333333/"
              ]
            }
          }
        }
      ]
    }
  2. Remove the example values (like o-a1b2c3d4e5/r-ab12/ou-ab12-11111111/ou-ab12-22222222/) and add the Amazon Organizations entity paths of the OUs that you want to have the option (but not the obligation) to use IPAM. For more information about entity paths, see Understand the Amazon Organizations entity path and aws:PrincipalOrgPaths in the Amazon Identity and Access Management User Guide.

  3. Attach the policy to your organization root. For more information, see Attaching and detaching service control policies in the Amazon Organizations User Guide.
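An added example, not part of the Amazon documentation: a small Python evaluator for the Condition blocks of the three SCPs above, so you can check before attaching them which requests (with or without an IPAM pool ID, from a listed or unlisted OU path) would be denied. It carries only the Condition blocks (action and resource matching is assumed to have succeeded), models the IAM condition operators the page uses (Null, StringNotEquals, ForAllValues:StringNotLike with * and ? wildcards), and every request context is constructed for illustration.

```python
import re

def string_like(pattern, value):
    """IAM StringLike matching: '*' matches any run of characters, '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None

def condition_matches(condition, ctx):
    """True when every operator in a Condition block holds. ctx maps a condition key
    to the list of values the request carried; a missing key means it was absent."""
    for op, tests in condition.items():
        quantifier, base = op.split(":", 1) if op.startswith("For") else (None, op)
        for key, expected in tests.items():
            expected = expected if isinstance(expected, list) else [expected]
            values = ctx.get(key, [])
            if base == "Null":  # "true" means: match when the key is absent
                ok = (not values) == (expected[0] == "true")
            else:
                negate, like = base.startswith("StringNot"), base.endswith("Like")
                hits = [(any(string_like(p, v) for p in expected) if like else v in expected)
                        != negate for v in values]
                if quantifier == "ForAllValues":
                    ok = all(hits)  # vacuously true when the key is absent
                elif quantifier == "ForAnyValue":
                    ok = any(hits)
                else:
                    # Single-valued key: a negated operator holds when the key is absent,
                    # which is what makes the pool-specific SCP deny pool-less VPCs.
                    ok = any(hits) if values else negate
            if not ok:
                return False
    return True

def scp_denies(policy, ctx):
    """True if any Deny statement's Condition applies (action/resource assumed matched)."""
    return any(s["Effect"] == "Deny" and condition_matches(s.get("Condition", {}), ctx)
               for s in policy["Statement"])

# Constructed policies carrying only the Condition blocks of the three SCPs above.
ENFORCE_IPAM = {"Statement": [{"Effect": "Deny", "Condition": {
    "Null": {"ec2:Ipv4IpamPoolId": "true"}}}]}
ENFORCE_POOL = {"Statement": [{"Effect": "Deny", "Condition": {
    "StringNotEquals": {"ec2:Ipv4IpamPoolId": "ipam-pool-0123456789abcdefg"}}}]}
EXEMPT_OU = "o-a1b2c3d4e5/r-ab12/ou-ab12-11111111/ou-ab12-22222222/"
EXEMPT_OUS = {"Statement": [{"Effect": "Deny", "Condition": {
    "Null": {"ec2:Ipv4IpamPoolId": "true"},
    "ForAllValues:StringNotLike": {"aws:PrincipalOrgPaths": [EXEMPT_OU]}}}]}
```

Because the OU paths in the third policy carry no wildcard, a principal in a nested OU beneath a listed OU does not match and is still denied; append * to a path pattern if nested OUs should be exempt as well.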