AWS managed policies for IPAM - Amazon Virtual Private Cloud

AWS managed policies for IPAM

If you are using IPAM with a single AWS account and you create an IPAM, the AWSIPAMServiceRolePolicy managed policy is automatically created in your IAM account and attached to the AWSServiceRoleForIPAM service-linked role.

If you enable IPAM integration with AWS Organizations, the AWSIPAMServiceRolePolicy managed policy is automatically created in your IAM account and in each of your AWS Organizations member accounts, and the managed policy is attached to the AWSServiceRoleForIPAM service-linked role.

This managed policy enables IPAM to do the following:

  • Monitor CIDRs associated with EC2 networking resources across all members of your AWS Organization.

  • Store metrics related to IPAM in Amazon CloudWatch, such as the IP address space available in your IPAM pools and the number of resource CIDRs that comply with allocation rules.

The following example shows the details of the managed policy that's created.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ec2:DescribeAddresses", "ec2:DescribeByoipCidrs", "ec2:DescribeIpv6Pools", "ec2:DescribePublicIpv4Pools", "ec2:DescribeSubnets", "ec2:DescribeVpcs", "ec2:GetIpamDiscoveredAccounts", "ec2:GetIpamDiscoveredResourceCidrs", "organizations:DescribeAccount", "organizations:DescribeOrganization", "organizations:ListAccounts", "organizations:ListDelegatedAdministrators" ], "Resource": "*" }, { "Effect": "Allow", "Action": "cloudwatch:PutMetricData", "Resource": "*", "Condition": { "StringEquals": { "cloudwatch:namespace": "AWS/IPAM" } } } ] }

The first statement in the preceding example enables IPAM to monitor the CIDRs used by your single AWS account or by the members of your AWS Organization.

The second statement in the preceding example uses the cloudwatch:PutMetricData condition key to allow IPAM to store IPAM metrics in your AWS/IPAM Amazon CloudWatch namespace. These metrics are used by the AWS Management Console to display data about the allocations in your IPAM pools and scopes. For more information, see Monitor CIDR usage with the IPAM dashboard.

Updates to the AWS managed policy

View details about updates to AWS managed policies for IPAM since this service began tracking these changes.

Change Description Date

AWSIPAMServiceRolePolicy

Two actions (ec2:GetIpamDiscoveredAccounts and ec2:GetIpamDiscoveredResourceCidrs) were added to the AWSIPAMServiceRolePolicy managed policy to enable IPAM to get the AWS accounts and resource CIDRs being monitored during resource discovery.

January 25, 2023
IPAM started tracking changes

IPAM started tracking changes for its AWS managed policies.

December 2, 2021