

# Identity and access management in IPAM
<a name="iam-ipam"></a>

AWS uses security credentials to identify you and to grant you access to your AWS resources. You can use features of AWS Identity and Access Management (IAM) to allow other users, services, and applications to use your AWS resources fully or in a limited way, without sharing your security credentials.

This section describes the AWS service-linked roles that are created specifically for IPAM and the managed policies attached to the IPAM service-linked roles. For more information about AWS IAM roles and policies, see [Roles terms and concepts](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html#id_roles_terms-and-concepts) in the *IAM User Guide*.

For more information about identity and access management for VPC, see [Identity and access management for Amazon VPC](https://docs.aws.amazon.com/vpc/latest/userguide/security-iam.html) in the *Amazon VPC User Guide*.

**Topics**
+ [Service-linked roles for IPAM](iam-ipam-slr.md)
+ [AWS managed policies for IPAM](iam-ipam-managed-pol.md)
+ [Example policy](iam-ipam-policy-examples.md)

# Service-linked roles for IPAM
<a name="iam-ipam-slr"></a>

IPAM uses AWS Identity and Access Management (IAM) service-linked roles. A service-linked role is a unique type of IAM role. Service-linked roles are predefined by IPAM and include all the permissions that the service requires to call other AWS services on your behalf.

A service-linked role makes setting up IPAM easier because you don’t have to manually add the necessary permissions. IPAM defines the permissions of its service-linked roles, and unless defined otherwise, only IPAM can assume its roles. The defined permissions include the trust policy and the permissions policy, and that permissions policy cannot be attached to any other IAM entity.

## Service-linked role permissions
<a name="service-linked-role-permissions"></a>

IPAM uses the **AWSServiceRoleForIPAM** service-linked role to call the actions in the attached **AWSIPAMServiceRolePolicy** managed policy. For more information on the allowed actions in that policy, see [AWS managed policies for IPAM](iam-ipam-managed-pol.md).

Also attached to the service-linked role is an [IAM trust policy](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html#id_roles_terms-and-concepts) that allows the `ipam.amazonaws.com` service to assume the service-linked role.

## Create the service-linked role
<a name="create-service-linked-role"></a>

IPAM monitors the IP address usage in one or more accounts by assuming the service-linked role in an account, discovering the resources and their CIDRs, and integrating the resources with IPAM.

The service-linked role is created in one of two ways:
+ **When you integrate with AWS Organizations**

  If you [Integrate IPAM with accounts in an AWS Organization](enable-integ-ipam.md) using the IPAM console or using the `enable-ipam-organization-admin-account` AWS CLI command, the **AWSServiceRoleForIPAM** service-linked role is automatically created in each of your AWS Organizations member accounts. As a result, the resources within all member accounts are discoverable by IPAM.
  **Important**  
  For IPAM to create the service-linked role on your behalf:
  + The AWS Organizations management account that enables IPAM integration with AWS Organizations must have an IAM policy attached to it that permits the following actions:
    + `ec2:EnableIpamOrganizationAdminAccount`
    + `organizations:EnableAwsServiceAccess`
    + `organizations:RegisterDelegatedAdministrator`
    + `iam:CreateServiceLinkedRole`
  + The IPAM account must have an IAM policy attached to it that permits the `iam:CreateServiceLinkedRole` action.
+ **When you create an IPAM using a single AWS account**

  If you [Use IPAM with a single account](enable-single-user-ipam.md), the **AWSServiceRoleForIPAM** service-linked role is automatically created when you create an IPAM as that account.
  **Important**  
  If you use IPAM with a single AWS account, before you create an IPAM, you must ensure that the AWS account you are using has an IAM policy attached to it that permits the `iam:CreateServiceLinkedRole` action. When you create the IPAM, you automatically create the **AWSServiceRoleForIPAM** service-linked role. For more information on managing IAM policies, see [Editing a service-linked role description](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_update-service-linked-role.html#edit-service-linked-role-iam-console) in the *IAM User Guide*.
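The following Python script is an added example, not part of this guide or of IPAM: before you enable the integration, it checks whether an IAM policy document actually grants the actions listed above. The `missing_actions` function and the two sample policies are constructed for this example. The check evaluates `Action`, `NotAction` and explicit `Deny` statements only; it does not evaluate `Resource` or `Condition`, so a clean result is necessary but not sufficient.

```python
import fnmatch
import json

# Actions this page requires of the AWS Organizations management account that
# enables IPAM integration, and of the IPAM (delegated administrator) account.
MANAGEMENT_ACCOUNT_REQUIRED = {
    "ec2:EnableIpamOrganizationAdminAccount",
    "organizations:EnableAwsServiceAccess",
    "organizations:RegisterDelegatedAdministrator",
    "iam:CreateServiceLinkedRole",
}
IPAM_ACCOUNT_REQUIRED = {"iam:CreateServiceLinkedRole"}


def _as_list(value):
    """Statement, Action and NotAction may be a single value or a list in IAM JSON."""
    return [value] if isinstance(value, (str, dict)) else list(value or [])


def _matches(statement, action):
    """True if the statement's Action (or NotAction) element covers `action`.

    IAM compares action names case-insensitively and supports '*' and '?'
    wildcards, which fnmatch reproduces; a NotAction statement covers every
    action that its patterns do not name.
    """
    target = action.lower()
    if "NotAction" in statement:
        patterns = [p.lower() for p in _as_list(statement["NotAction"])]
        return not any(fnmatch.fnmatchcase(target, p) for p in patterns)
    patterns = [p.lower() for p in _as_list(statement.get("Action"))]
    return any(fnmatch.fnmatchcase(target, p) for p in patterns)


def missing_actions(policy, required):
    """Return, sorted, the actions in `required` that `policy` does not allow.

    An action is allowed only if at least one Allow statement covers it and no
    Deny statement does (an explicit deny always wins in IAM). Resource and
    Condition elements are deliberately not evaluated, so a passing result is
    necessary but not sufficient: the policy could still restrict the action
    to an unrelated resource.
    """
    statements = _as_list(policy.get("Statement"))
    allows = [s for s in statements if s.get("Effect") == "Allow"]
    denies = [s for s in statements if s.get("Effect") == "Deny"]
    missing = [
        action
        for action in required
        if not any(_matches(s, action) for s in allows)
        or any(_matches(s, action) for s in denies)
    ]
    return sorted(missing)


# Constructed sample: a management-account policy that grants the Organizations
# actions through a wildcard but omits the service-linked-role permission.
SAMPLE_MANAGEMENT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["ec2:EnableIpamOrganizationAdminAccount", "organizations:*"],
            "Resource": "*",
        }
    ],
}

# Constructed sample: an IPAM-account policy where a broad Allow is cancelled
# by an explicit Deny on the one action IPAM needs.
SAMPLE_IPAM_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "iam:*", "Resource": "*"},
        {"Effect": "Deny", "Action": "iam:CreateServiceLinkedRole", "Resource": "*"},
    ],
}


if __name__ == "__main__":
    for name, policy, required in [
        ("management account", SAMPLE_MANAGEMENT_POLICY, MANAGEMENT_ACCOUNT_REQUIRED),
        ("IPAM account", SAMPLE_IPAM_POLICY, IPAM_ACCOUNT_REQUIRED),
    ]:
        print(name, "missing:", json.dumps(missing_actions(policy, required)))
```

Both samples report `iam:CreateServiceLinkedRole` as missing, for different reasons: the first never grants it, the second grants it through `iam:*` and then denies it explicitly. Feed the function the policy JSON you retrieve for the principal that will run `enable-ipam-organization-admin-account` (or create the IPAM) and treat any non-empty result as a blocker.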

## Edit the service-linked role
<a name="edit-service-linked-role"></a>

You can't edit the **AWSServiceRoleForIPAM** service-linked role.

## Delete the service-linked role
<a name="delete-service-linked-role"></a>

If you no longer need to use IPAM, we recommend that you delete the **AWSServiceRoleForIPAM** service-linked role.

**Note**  
You can delete the service-linked role only after you delete all IPAM resources in your AWS account. This ensures that you can't inadvertently remove the monitoring capability of IPAM.

Follow these steps to delete the service-linked role using the AWS CLI:

1. Delete your IPAM resources using [deprovision-ipam-pool-cidr](https://docs.aws.amazon.com/cli/latest/reference/ec2/deprovision-ipam-pool-cidr.html) and [delete-ipam](https://docs.aws.amazon.com/cli/latest/reference/ec2/delete-ipam.html). For more information, see [Deprovision CIDRs from a pool](depro-pool-cidr-ipam.md) and [Delete an IPAM](delete-ipam.md).

1. Disable the IPAM account with [disable-ipam-organization-admin-account](https://docs.aws.amazon.com/cli/latest/reference/ec2/disable-ipam-organization-admin-account.html).

1. Disable the IPAM service with [disable-aws-service-access](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/servicecatalog/disable-aws-organizations-access.html) using the `--service-principal ipam.amazonaws.com` option.

1. Delete the service-linked role: [delete-service-linked-role](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/delete-service-linked-role.html). When you delete the service-linked role, the IPAM managed policy is also deleted. For more information, see [Deleting a service-linked role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_manage_delete.html#id_roles_manage_delete_slr) in the *IAM User Guide*.

# AWS managed policies for IPAM
<a name="iam-ipam-managed-pol"></a>

If you are using IPAM with a single AWS account and you create an IPAM, the **AWSIPAMServiceRolePolicy** managed policy is automatically created in your IAM account and attached to the **AWSServiceRoleForIPAM** [service-linked role](iam-ipam-slr.md).

If you enable IPAM integration with AWS Organizations, the **AWSIPAMServiceRolePolicy** managed policy is automatically created in your IAM account and in each of your AWS Organizations member accounts, and the managed policy is attached to the **AWSServiceRoleForIPAM** service-linked role.

This managed policy enables IPAM to do the following:
+ Monitor CIDRs associated with networking resources across all members of your AWS Organization. 
+ Store metrics related to IPAM in Amazon CloudWatch, such as the IP address space available in your IPAM pools and the number of resource CIDRs that comply with allocation rules.
+ Modify and read managed prefix lists.

The following example shows the details of the managed policy that's created.

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "IPAMDiscoveryDescribeActions",
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeAccountAttributes",
                "ec2:DescribeAddresses",
                "ec2:DescribeByoipCidrs",
                "ec2:DescribeIpv6Pools",
                "ec2:DescribeManagedPrefixLists",
                "ec2:DescribeNetworkInterfaces",
                "ec2:DescribePublicIpv4Pools",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeSecurityGroupRules",
                "ec2:DescribeSubnets",
                "ec2:DescribeVpcs",
                "ec2:DescribeVpnConnections",
                "ec2:GetIpamDiscoveredAccounts",
                "ec2:GetIpamDiscoveredPublicAddresses",
                "ec2:GetIpamDiscoveredResourceCidrs",
                "ec2:GetManagedPrefixListEntries",
                "ec2:ModifyManagedPrefixList",
                "globalaccelerator:ListAccelerators",
                "globalaccelerator:ListByoipCidrs",
                "organizations:DescribeAccount",
                "organizations:DescribeOrganization",
                "organizations:ListAccounts",
                "organizations:ListDelegatedAdministrators",
                "organizations:ListChildren",
                "organizations:ListParents",
                "organizations:DescribeOrganizationalUnit"
            ],
            "Resource": "*"
        },
        {
            "Sid": "CloudWatchMetricsPublishActions",
            "Effect": "Allow",
            "Action": "cloudwatch:PutMetricData",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "cloudwatch:namespace": "AWS/IPAM"
                }
            }
        }
    ]
}
```


The first statement in the preceding example enables IPAM to monitor the CIDRs used by your single AWS account or by the members of your AWS Organization.

The second statement in the preceding example allows `cloudwatch:PutMetricData` only when the `cloudwatch:namespace` condition key equals `AWS/IPAM`, so IPAM can store its metrics in your `AWS/IPAM` [Amazon CloudWatch namespace](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/cloudwatch_concepts.html) and in no other namespace. These metrics are used by the AWS Management Console to display data about the allocations in your IPAM pools and scopes. For more information, see [Monitor CIDR usage with the IPAM dashboard](monitor-cidr-usage-ipam.md).
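As an added example that is not from this guide, the following Python script reads a policy document like the one above and reports which allowed actions can change state and whether `cloudwatch:PutMetricData` is bounded by the `cloudwatch:namespace` condition key. An abridged copy of the managed policy is constructed inline as sample input; the `audit_policy` function and the read-only verb list are assumptions of this example, not an AWS API.

```python
import json

# Abridged copy of the AWSIPAMServiceRolePolicy shown above, constructed as
# sample input for this example (the real policy lists more Describe actions).
IPAM_SERVICE_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "IPAMDiscoveryDescribeActions",
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeVpcs",
                "ec2:DescribeSubnets",
                "ec2:GetIpamDiscoveredResourceCidrs",
                "ec2:GetManagedPrefixListEntries",
                "ec2:ModifyManagedPrefixList",
                "organizations:ListAccounts",
            ],
            "Resource": "*",
        },
        {
            "Sid": "CloudWatchMetricsPublishActions",
            "Effect": "Allow",
            "Action": "cloudwatch:PutMetricData",
            "Resource": "*",
            "Condition": {"StringEquals": {"cloudwatch:namespace": "AWS/IPAM"}},
        },
    ],
}

# Verb prefixes that, in the EC2, Organizations and Global Accelerator APIs
# used here, only read state.
READ_ONLY_VERBS = ("Describe", "Get", "List")


def _as_list(value):
    """Statement, Action and Resource may be a single value or a list in IAM JSON."""
    return [value] if isinstance(value, (str, dict)) else list(value or [])


def is_read_only(action):
    """Classify an action by its API verb; Describe/Get/List do not change state.
    A wildcard such as 'ec2:*' is conservatively treated as mutating."""
    return action.split(":", 1)[1].startswith(READ_ONLY_VERBS)


def audit_policy(policy):
    """Summarize what an Allow policy can change and how its writes are constrained.

    Returns a dict with:
      mutating               - allowed actions whose verb is not Describe/Get/List
      unconditioned_mutating - mutating actions granted on Resource "*" with no Condition
      metric_namespaces      - namespaces that cloudwatch:PutMetricData is limited to;
                               None if any statement grants it without the
                               cloudwatch:namespace key, [] if it is never granted
    """
    mutating, unconditioned, namespaces = set(), set(), set()
    metric_unbounded = False
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        writes = {a for a in actions if not is_read_only(a)}
        mutating |= writes
        condition = stmt.get("Condition", {})
        if "*" in _as_list(stmt.get("Resource")) and not condition:
            unconditioned |= writes
        if "cloudwatch:PutMetricData" in actions:
            ns = condition.get("StringEquals", {}).get("cloudwatch:namespace")
            if ns is None:
                metric_unbounded = True
            else:
                namespaces |= set(_as_list(ns))
    return {
        "mutating": sorted(mutating),
        "unconditioned_mutating": sorted(unconditioned),
        "metric_namespaces": None if metric_unbounded else sorted(namespaces),
    }


if __name__ == "__main__":
    print(json.dumps(audit_policy(IPAM_SERVICE_ROLE_POLICY), indent=2))
```

Run against the full managed policy above, the only write actions are `ec2:ModifyManagedPrefixList` (granted on every prefix list, with no condition) and `cloudwatch:PutMetricData`, which is confined to the `AWS/IPAM` namespace. Those two facts are what a periodic check should keep asserting as the policy is updated; a new entry in the change log below that adds a non-read verb is the cue to re-run it.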

## Updates to the AWS managed policy
<a name="iam-ipam-managed-pol-updates"></a>

View details about updates to AWS managed policies for IPAM since this service began tracking these changes.


| Change | Description | Date | 
| --- | --- | --- | 
|  AWSIPAMServiceRolePolicy  |  Actions added to the AWSIPAMServiceRolePolicy managed policy (`ec2:ModifyManagedPrefixList`, `ec2:DescribeManagedPrefixLists`, and `ec2:GetManagedPrefixListEntries`) to enable IPAM to modify and read managed prefix lists.  |  October 31, 2025  | 
|  AWSIPAMServiceRolePolicy  |  Actions added to the AWSIPAMServiceRolePolicy managed policy (`organizations:ListChildren`,`organizations:ListParents`, and `organizations:DescribeOrganizationalUnit`) to enable IPAM to get the details of Organizational Units (OUs) in AWS Organizations so that customers can use IPAM at the OU level.   | November 21, 2024 | 
|  AWSIPAMServiceRolePolicy  |  Action added to the AWSIPAMServiceRolePolicy managed policy (`ec2:GetIpamDiscoveredPublicAddresses`) to enable IPAM to get public IP addresses during resource discovery.  | November 13, 2023 | 
|  AWSIPAMServiceRolePolicy  | Actions added to the AWSIPAMServiceRolePolicy managed policy (`ec2:DescribeAccountAttributes`, `ec2:DescribeNetworkInterfaces`, `ec2:DescribeSecurityGroups`, `ec2:DescribeSecurityGroupRules`, `ec2:DescribeVpnConnections`, `globalaccelerator:ListAccelerators`, and `globalaccelerator:ListByoipCidrs`) to enable IPAM to get public IP addresses during resource discovery. | November 1, 2023 | 
|  AWSIPAMServiceRolePolicy  |  Two actions added to the AWSIPAMServiceRolePolicy managed policy (`ec2:GetIpamDiscoveredAccounts` and `ec2:GetIpamDiscoveredResourceCidrs`) to enable IPAM to get the AWS accounts and resource CIDRs being monitored during resource discovery.  | January 25, 2023 | 
| IPAM started tracking changes |  IPAM started tracking changes for its AWS managed policies.  | December 2, 2021 | 

# Example policy
<a name="iam-ipam-policy-examples"></a>

The example policy in this section contains all the relevant AWS Identity and Access Management (IAM) actions for full IPAM usage. Depending on how you are using IPAM, you may not need to include all of the IAM actions. For a full experience using the IPAM console, you may need to include additional IAM actions for services such as AWS Organizations, AWS Resource Access Manager (AWS RAM), and Amazon CloudWatch.

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:AssociateIpamByoasn",
                "ec2:DeprovisionIpamByoasn",
                "ec2:DescribeIpamByoasn",
                "ec2:DisassociateIpamByoasn",
                "ec2:ProvisionIpamByoasn",
                "ec2:CreateIpam",
                "ec2:DescribeIpams",
                "ec2:ModifyIpam",
                "ec2:DeleteIpam",
                "ec2:CreateIpamScope",
                "ec2:DescribeIpamScopes",
                "ec2:ModifyIpamScope",
                "ec2:DeleteIpamScope",
                "ec2:CreateIpamPool",
                "ec2:DescribeIpamPools",
                "ec2:ModifyIpamPool",
                "ec2:DeleteIpamPool",
                "ec2:ProvisionIpamPoolCidr",
                "ec2:GetIpamPoolCidrs",
                "ec2:DeprovisionIpamPoolCidr",
                "ec2:AllocateIpamPoolCidr",
                "ec2:GetIpamPoolAllocations",
                "ec2:ReleaseIpamPoolAllocation",
                "ec2:CreateIpamResourceDiscovery",
                "ec2:DescribeIpamResourceDiscoveries",
                "ec2:ModifyIpamResourceDiscovery",
                "ec2:DeleteIpamResourceDiscovery",
                "ec2:AssociateIpamResourceDiscovery",
                "ec2:DescribeIpamResourceDiscoveryAssociations",
                "ec2:DisassociateIpamResourceDiscovery",
                "ec2:GetIpamResourceCidrs",
                "ec2:ModifyIpamResourceCidr",
                "ec2:GetIpamAddressHistory",
                "ec2:GetIpamDiscoveredResourceCidrs",
                "ec2:GetIpamDiscoveredAccounts",
                "ec2:GetIpamDiscoveredPublicAddresses"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "iam:CreateServiceLinkedRole",
            "Resource": "arn:aws:iam::*:role/aws-service-role/ipam.amazonaws.com/AWSServiceRoleForIPAM",
            "Condition": {
                "StringLike": {
                    "iam:AWSServiceName": "ipam.amazonaws.com"
                }
            }
        }
    ]
}
```

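The following Python script is an added example and is not part of this guide. It takes an abridged copy of the example policy above (constructed here as sample input) and derives narrower policies for two hypothetical role profiles: a read-only viewer, and an allocator that may hand out and release pool CIDRs but not create, modify or delete IPAM objects. The `PROFILES` table, `scope_policy` and `allowed_actions` are assumptions of this example; the verb-prefix rule works because the IPAM API names in the policy lead with their verb.

```python
import copy
import json

# Abridged copy of the example policy above, constructed as sample input
# (the full version lists every IPAM action).
FULL_IPAM_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:CreateIpam",
                "ec2:DescribeIpams",
                "ec2:ModifyIpam",
                "ec2:DeleteIpam",
                "ec2:CreateIpamPool",
                "ec2:DescribeIpamPools",
                "ec2:DeleteIpamPool",
                "ec2:AllocateIpamPoolCidr",
                "ec2:GetIpamPoolAllocations",
                "ec2:ReleaseIpamPoolAllocation",
                "ec2:GetIpamAddressHistory",
                "ec2:GetIpamDiscoveredResourceCidrs",
            ],
            "Resource": "*",
        },
        {
            "Effect": "Allow",
            "Action": "iam:CreateServiceLinkedRole",
            "Resource": "arn:aws:iam::*:role/aws-service-role/ipam.amazonaws.com/AWSServiceRoleForIPAM",
            "Condition": {"StringLike": {"iam:AWSServiceName": "ipam.amazonaws.com"}},
        },
    ],
}

# Hypothetical role profiles for this example: each maps a profile name to the
# API verbs it may use. Neither includes Create, so the iam:CreateServiceLinkedRole
# statement, needed only by the principal that first creates the IPAM, falls away.
PROFILES = {
    "viewer": ("Describe", "Get"),
    "allocator": ("Describe", "Get", "Allocate", "Release"),
}


def _verb(action):
    """'ec2:AllocateIpamPoolCidr' -> 'AllocateIpamPoolCidr' (the name leads with the verb)."""
    return action.split(":", 1)[1]


def scope_policy(policy, profile):
    """Return a copy of `policy` containing only actions whose verb the profile allows.

    Statements are copied with their Resource and Condition intact; a statement
    left with no actions is dropped rather than emitted with an empty Action.
    The input policy is not modified.
    """
    verbs = PROFILES[profile]
    scoped = {"Version": policy["Version"], "Statement": []}
    for stmt in policy["Statement"]:
        actions = [stmt["Action"]] if isinstance(stmt["Action"], str) else stmt["Action"]
        kept = [a for a in actions if _verb(a).startswith(verbs)]
        if kept:
            new_stmt = copy.deepcopy(stmt)
            new_stmt["Action"] = kept
            scoped["Statement"].append(new_stmt)
    return scoped


def allowed_actions(policy):
    """Flat, sorted list of every action a policy's Allow statements name."""
    actions = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") == "Allow":
            a = stmt["Action"]
            actions.update([a] if isinstance(a, str) else a)
    return sorted(actions)


if __name__ == "__main__":
    for profile in PROFILES:
        print(f"== {profile} ==")
        print(json.dumps(scope_policy(FULL_IPAM_POLICY, profile), indent=2))
```

The viewer profile keeps only the `Describe*` and `Get*` actions from the first statement; the allocator profile adds `ec2:AllocateIpamPoolCidr` and `ec2:ReleaseIpamPoolAllocation`. In both cases `Resource` stays `"*"` as in the page's policy, so the next narrowing step, if your account layout allows it, is to replace that with the ARNs of the pools the role should touch.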