Enforce IPAM use for VPC creation with SCPs - Amazon Virtual Private Cloud

Enforce IPAM use for VPC creation with SCPs

Note

This section is only applicable to you if you've enabled IPAM to integrate with AWS Organizations. For more information, see Integrate IPAM with accounts in an AWS Organization.

This section describes how to create a service control policy in AWS Organizations that requires members in your organization to use IPAM when they create a VPC. Service control policies (SCPs) are a type of organization policy that enable you to manage permissions in your organization. For more information, see Service control policies in the AWS Organizations User Guide.

Enforce IPAM when creating VPCs

Follow the steps in this section to require members in your organization to use IPAM when creating VPCs. The policy denies ec2:CreateVpc and ec2:AssociateVpcCidrBlock whenever the request carries no IPv4 IPAM pool ID, so a CIDR typed in by hand is rejected while an allocation from any IPAM pool is allowed. Note that the condition tests only the ec2:Ipv4IpamPoolId key: it places no constraint on IPv6 pools, and a request that supplies only an IPv6 range (no IPv4 pool ID at all) also matches the Deny. Test that case before attaching the policy if you allocate IPv6 CIDRs separately.

To create an SCP and restrict VPC creation to IPAM
  1. Follow the steps in Creating an SCP in the AWS Organizations User Guide and enter the following text in the JSON editor:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Deny",
                "Action": [
                    "ec2:CreateVpc",
                    "ec2:AssociateVpcCidrBlock"
                ],
                "Resource": "arn:aws:ec2:*:*:vpc/*",
                "Condition": {
                    "Null": {
                        "ec2:Ipv4IpamPoolId": "true"
                    }
                }
            }
        ]
    }
  2. Attach the policy to one or more organizational units in your organization. For more information, see Attaching and detaching service control policies in the AWS Organizations User Guide.

Enforce an IPAM pool when creating VPCs

Follow the steps in this section to require members in your organization to use a specific IPAM pool when creating VPCs. Because StringNotEquals is a negated operator, the statement also matches when ec2:Ipv4IpamPoolId is absent from the request, so a single statement denies both allocations from any other pool and VPCs created without IPAM.

To create an SCP and restrict VPC creation to an IPAM pool
  1. Follow the steps in Creating an SCP in the AWS Organizations User Guide and enter the following text in the JSON editor:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Deny",
                "Action": [
                    "ec2:CreateVpc",
                    "ec2:AssociateVpcCidrBlock"
                ],
                "Resource": "arn:aws:ec2:*:*:vpc/*",
                "Condition": {
                    "StringNotEquals": {
                        "ec2:Ipv4IpamPoolId": "ipam-pool-0123456789abcdefg"
                    }
                }
            }
        ]
    }
  2. Change the ipam-pool-0123456789abcdefg example value to the IPv4 pool ID you would like to restrict users to.

  3. Attach the policy to one or more organizational units in your organization. For more information, see Attaching and detaching service control policies in the AWS Organizations User Guide.

Enforce IPAM for all but a given list of OUs

Follow the steps in this section to enforce IPAM for all but a given list of Organizational Units (OUs). The policy described in this section requires every account in the organization, except those in the OUs that you list in aws:PrincipalOrgPaths, to use IPAM to create and expand VPCs. Accounts in the listed OUs can either use IPAM when creating VPCs or specify an IP address range manually.

To create an SCP and enforce IPAM for all but a given list of OUs
  1. Follow the steps in Creating an SCP in the AWS Organizations User Guide and enter the following text in the JSON editor:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Deny",
                "Action": [
                    "ec2:CreateVpc",
                    "ec2:AssociateVpcCidrBlock"
                ],
                "Resource": "arn:aws:ec2:*:*:vpc/*",
                "Condition": {
                    "Null": {
                        "ec2:Ipv4IpamPoolId": "true"
                    },
                    "ForAllValues:StringNotLike": {
                        "aws:PrincipalOrgPaths": [
                            "o-a1b2c3d4e5/r-ab12/ou-ab12-11111111/ou-ab12-22222222/",
                            "o-a1b2c3d4e5/r-ab12/ou-ab13-22222222/ou-ab13-33333333/"
                        ]
                    }
                }
            }
        ]
    }
  2. Remove the example values (like o-a1b2c3d4e5/r-ab12/ou-ab12-11111111/ou-ab12-22222222/) and add the AWS Organizations entity paths of the OUs that you want to have the option (but not the requirement) to use IPAM. A path written exactly as above matches only principals whose account sits directly in that OU; to exempt the OU's child OUs as well, end the path with a wildcard (for example o-a1b2c3d4e5/r-ab12/ou-ab12-11111111/ou-ab12-22222222/*). For more information about entity paths, see Understand the AWS Organizations entity path and aws:PrincipalOrgPaths in the AWS Identity and Access Management User Guide.

  3. Attach the policy to your organization root. For more information, see Attaching and detaching service control policies in the AWS Organizations User Guide.
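The three policies above are easy to misread at the edges (a missing condition key, an IPv6-only request, an account in a child OU). The following script is an added example, not AWS code or anything from this page: it implements just the condition operators these SCPs use (Null, StringNotEquals, ForAllValues:StringNotLike) with IAM's documented semantics, and evaluates each policy against constructed request contexts. The pool and OU identifiers are the page's placeholders or made-up values, and the except_ous_policy helper and the wildcard variant it builds are this example's own.

```python
"""Evaluate the page's three SCPs against sample request contexts (added example).

Operator semantics implemented: Null is true when the key is absent; a negated
operator such as StringNotEquals is true when the key is absent; ForAllValues:
StringNotLike is true when every request value matches none of the patterns.
Resource matching is skipped because all three policies use
arn:aws:ec2:*:*:vpc/*, which every CreateVpc/AssociateVpcCidrBlock call matches.
"""
import re

VPC_ACTIONS = ["ec2:CreateVpc", "ec2:AssociateVpcCidrBlock"]
POOL = "ipam-pool-0123456789abcdefg"                                   # page placeholder
OU_A = "o-a1b2c3d4e5/r-ab12/ou-ab12-11111111/ou-ab12-22222222/"        # page placeholder
OU_B = "o-a1b2c3d4e5/r-ab12/ou-ab13-22222222/ou-ab13-33333333/"        # page placeholder


def _deny(condition):
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Deny", "Action": VPC_ACTIONS,
        "Resource": "arn:aws:ec2:*:*:vpc/*", "Condition": condition}]}


# The page's policies, built with the helper above.
ENFORCE_IPAM = _deny({"Null": {"ec2:Ipv4IpamPoolId": "true"}})
ENFORCE_POOL = _deny({"StringNotEquals": {"ec2:Ipv4IpamPoolId": POOL}})


def except_ous_policy(paths):
    """Hypothetical helper: the 'all but these OUs' policy for a list of entity paths."""
    return _deny({"Null": {"ec2:Ipv4IpamPoolId": "true"},
                  "ForAllValues:StringNotLike": {"aws:PrincipalOrgPaths": list(paths)}})


ENFORCE_EXCEPT_OUS = except_ous_policy([OU_A, OU_B])


def _as_list(value):
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def _like(value, pattern):
    # IAM StringLike wildcards are only * and ?; everything else is literal.
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None


def _condition_true(operator, key, expected, ctx):
    actual, expected = _as_list(ctx.get(key)), _as_list(expected)
    if operator == "Null":
        return (not actual) == (expected[0].lower() == "true")
    if operator == "StringNotEquals":
        return all(a not in expected for a in actual)      # vacuously true if key absent
    if operator == "ForAllValues:StringNotLike":
        return all(not any(_like(a, p) for p in expected) for a in actual)
    raise NotImplementedError(operator)


def denied(policy, action, ctx):
    """True if any Deny statement in the policy matches this action and request context."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny" or action not in _as_list(stmt["Action"]):
            continue
        if all(_condition_true(op, key, exp, ctx)
               for op, block in stmt.get("Condition", {}).items()
               for key, exp in block.items()):
            return True
    return False


# Constructed request contexts. A child OU of OU_A has a longer entity path.
CREATE, ASSOC = "ec2:CreateVpc", "ec2:AssociateVpcCidrBlock"
IN_OU_A = {"aws:PrincipalOrgPaths": [OU_A]}
IN_CHILD_OF_A = {"aws:PrincipalOrgPaths": [OU_A + "ou-ab12-33333333/"]}
ELSEWHERE = {"aws:PrincipalOrgPaths": ["o-a1b2c3d4e5/r-ab12/ou-ab12-44444444/"]}


def report():
    """Return (policy, request, denied?) rows for the cases worth checking before rollout."""
    return [
        ("enforce-ipam", "CreateVpc, no pool", denied(ENFORCE_IPAM, CREATE, {})),
        ("enforce-ipam", "CreateVpc, IPv4 pool", denied(ENFORCE_IPAM, CREATE, {"ec2:Ipv4IpamPoolId": POOL})),
        # Only the IPv4 key is tested, so an IPv6-only association is denied as well.
        ("enforce-ipam", "Associate, IPv6 pool only",
         denied(ENFORCE_IPAM, ASSOC, {"ec2:Ipv6IpamPoolId": "ipam-pool-0aaaaaaaaaaaaaaaa"})),
        ("enforce-pool", "CreateVpc, right pool", denied(ENFORCE_POOL, CREATE, {"ec2:Ipv4IpamPoolId": POOL})),
        ("enforce-pool", "CreateVpc, other pool",
         denied(ENFORCE_POOL, CREATE, {"ec2:Ipv4IpamPoolId": "ipam-pool-0bbbbbbbbbbbbbbbb"})),
        ("enforce-pool", "CreateVpc, no pool", denied(ENFORCE_POOL, CREATE, {})),
        ("except-ous", "listed OU, no pool", denied(ENFORCE_EXCEPT_OUS, CREATE, IN_OU_A)),
        # Paths without a trailing * match only the OU itself, not its children.
        ("except-ous", "child of listed OU, no pool", denied(ENFORCE_EXCEPT_OUS, CREATE, IN_CHILD_OF_A)),
        ("except-ous", "other OU, no pool", denied(ENFORCE_EXCEPT_OUS, CREATE, ELSEWHERE)),
        ("except-ous", "other OU, IPv4 pool", denied(ENFORCE_EXCEPT_OUS, CREATE, {**ELSEWHERE, "ec2:Ipv4IpamPoolId": POOL})),
        ("except-ou-trees", "child of listed OU, no pool",
         denied(except_ous_policy([OU_A + "*", OU_B + "*"]), CREATE, IN_CHILD_OF_A)),
    ]


if __name__ == "__main__":
    for policy, request, result in report():
        print(f"{policy:16} {request:30} {'DENY' if result else 'allow'}")
```

Run it before attaching a policy at the root: the rows show that the first policy also blocks IPv6-only associations, that the pool-specific policy needs no separate "no pool" statement, and that exempting an OU without a trailing wildcard leaves its child OUs under enforcement.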