Integrate IPAM with AWS Organizations - Amazon Virtual Private Cloud

Integrate IPAM with AWS Organizations

Optionally, you can follow the steps in this section to integrate IPAM with AWS Organizations and delegate a member account as the IPAM account.

The IPAM account is responsible for creating an IPAM and using it to manage and monitor IP address usage.

Integrating IPAM with AWS Organizations and delegating an IPAM admin has the following benefits:

  • Share your IPAM pools with your organization: When you delegate an IPAM account, IPAM enables other AWS Organizations member accounts in the organization to allocate CIDRs from IPAM pools that are shared using AWS Resource Access Manager (RAM). For more information on setting up an organization, see What is AWS Organizations? in the AWS Organizations User Guide.

  • Monitor IP address usage in your organization: When you delegate an IPAM account, you give IPAM permission to monitor IP usage across all of your accounts. As a result, IPAM automatically imports CIDRs that are used by existing VPCs across other AWS Organizations member accounts into IPAM.

If you do not delegate an AWS Organizations member account as an IPAM account, IPAM will monitor resources only in the AWS account that you use to create the IPAM.

Important
  • You must enable integration with AWS Organizations by using IPAM in the AWS management console or the enable-ipam-organization-admin-account AWS CLI command. This ensures that the AWSServiceRoleForIPAM service-linked role is created. If you enable trusted access with AWS Organizations by using the AWS Organizations console or the register-delegated-administrator AWS CLI command, the AWSServiceRoleForIPAM service-linked role isn't created, and you can't manage or monitor resources within your organization.

Note

When integrating with AWS Organizations:

  • You cannot use IPAM to manage IP addresses across multiple AWS Organizations.

  • IPAM charges you for each active IP address that it monitors in your organization's member accounts. For more information about pricing, see IPAM pricing.

  • You must have an account in AWS Organizations and a management account set up with one or more member accounts. For more information about account types, see Terminology and concepts in the AWS Organizations User Guide. For more information on setting up an organization, see Getting started with AWS Organizations.

  • The IPAM account must be an AWS Organizations member account. You cannot use the AWS Organizations management account as the IPAM account.

  • The IAM user account associated with the AWS Organizations management account must have the following IAM policy actions attached:

    • ec2:EnableIpamOrganizationAdminAccount

    • organizations:EnableAwsServiceAccess

    • organizations:RegisterDelegatedAdministrator

    • iam:CreateServiceLinkedRole
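The following Python check is an added example, not code from the AWS documentation: it turns the conditions in the Important and Note sections above (no management account as IPAM account, trusted access enabled, the AWSServiceRoleForIPAM role present) into findings computed over API responses. The response shapes mirror the named AWS Organizations CLI commands and the `ipam.amazonaws.com` service principal is assumed; all sample values are constructed.

```python
# Added example, not AWS code. Input dicts mirror the shapes of the AWS CLI/API
# responses named in the docstring; the sample values below are constructed.
IPAM_PRINCIPAL = "ipam.amazonaws.com"   # assumed service principal IPAM registers with Organizations
IPAM_SLR = "AWSServiceRoleForIPAM"      # service-linked role created only by the IPAM path

def check_ipam_delegation(organization, delegated_admins, service_access, role_names):
    """Return a list of findings; an empty list means the delegation satisfies this page.

    organization     -> `aws organizations describe-organization`
    delegated_admins -> `aws organizations list-delegated-administrators
                         --service-principal ipam.amazonaws.com`
    service_access   -> `aws organizations list-aws-service-access-for-organization`
    role_names       -> set of IAM role names present in the account being checked
    """
    findings = []
    mgmt_id = organization["Organization"]["MasterAccountId"]
    admins = delegated_admins.get("DelegatedAdministrators", [])
    enabled = {p["ServicePrincipal"] for p in service_access.get("EnabledServicePrincipals", [])}

    if not admins:
        # Without a delegated IPAM account, IPAM only sees the account that created it.
        return ["no delegated IPAM account: IPAM monitors only its own account"]
    for admin in admins:
        if admin["Id"] == mgmt_id:
            findings.append(f"{admin['Id']} is the management account; it cannot be the IPAM account")
        if admin.get("Status") != "ACTIVE":
            findings.append(f"delegated account {admin['Id']} has status {admin.get('Status')}")
    if IPAM_PRINCIPAL not in enabled:
        findings.append(f"trusted access for {IPAM_PRINCIPAL} is not enabled")
    if IPAM_SLR not in role_names:
        # Typical when delegation was done through Organizations instead of through IPAM.
        findings.append(f"{IPAM_SLR} not found; enable integration through IPAM so the role is created")
    return findings

# Constructed sample responses: a healthy delegation and a broken one.
ORG = {"Organization": {"Id": "o-example", "MasterAccountId": "111111111111"}}
GOOD_ADMINS = {"DelegatedAdministrators": [{"Id": "222222222222", "Status": "ACTIVE"}]}
BAD_ADMINS = {"DelegatedAdministrators": [{"Id": "111111111111", "Status": "ACTIVE"}]}
ACCESS_ON = {"EnabledServicePrincipals": [{"ServicePrincipal": IPAM_PRINCIPAL}]}

if __name__ == "__main__":
    for label, admins, roles in [("good", GOOD_ADMINS, {IPAM_SLR}), ("bad", BAD_ADMINS, set())]:
        print(label, check_ipam_delegation(ORG, admins, ACCESS_ON, roles) or "ok")
```

In a real account, feed the function the JSON returned by the listed commands (run from the management account) and the output of `aws iam list-roles` from the IPAM account.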

AWS Management Console

To select an IPAM account

  1. Open the IPAM console at https://console.aws.amazon.com/ipam/.

  2. In the AWS Management Console, choose the AWS Region in which you want to work with IPAM.

  3. In the navigation pane, choose Settings.

  4. Enter the AWS account ID for an IPAM account. The IPAM administrator must be an AWS Organizations member account.

  5. Choose Delegate.

Command line

The commands in this section link to the AWS CLI Reference documentation. The documentation provides detailed descriptions of the options that you can use when you run the commands.

When you delegate an Organizations member account as an IPAM account, IPAM automatically creates a service-linked IAM role in all member accounts in your organization. IPAM monitors the IP address usage in these accounts by assuming the service-linked IAM role in each member account, discovering the resources and their CIDRs, and integrating them with IPAM. The resources within all member accounts will be discoverable by IPAM regardless of their Organizational Unit. If there are member accounts that have created a VPC, for example, you’ll see the VPC and its CIDR in the Resources section of the IPAM console.

Important

The role of the AWS Organizations management account that delegated the IPAM admin is now complete. To continue using IPAM, the IPAM admin account must log into Amazon VPC IPAM and create an IPAM.