

# Configure integration options for your IPAM
<a name="choose-single-user-or-orgs-ipam"></a>

This section describes your options for how you can integrate IPAM with AWS Organizations, other AWS accounts, or use it with a single AWS account.

Before you begin using IPAM, you must choose one of the options in this section to enable IPAM to monitor CIDRs associated with EC2 networking resources and store metrics:
+ To integrate IPAM with AWS Organizations so that the Amazon VPC IPAM service can manage and monitor the networking resources created by all member accounts in the organization, see [Integrate IPAM with accounts in an AWS Organization](enable-integ-ipam.md).
+ After you integrate with AWS Organizations, to also integrate IPAM with accounts outside of your organization, see [Integrate IPAM with accounts outside of your organization](enable-integ-ipam-outside-org.md).
+ To use IPAM with a single AWS account, so that the Amazon VPC IPAM service manages and monitors only the networking resources created in that account, see [Use IPAM with a single account](enable-single-user-ipam.md).

If you do not choose one of these options, you can still create IPAM resources, such as pools, but you won't see metrics in your dashboard and you will not be able to monitor the status of resources.

**Topics**
+ [Integrate IPAM with accounts in an AWS Organization](enable-integ-ipam.md)
+ [Integrate IPAM with accounts outside of your organization](enable-integ-ipam-outside-org.md)
+ [Use IPAM with a single account](enable-single-user-ipam.md)

# Integrate IPAM with accounts in an AWS Organization
<a name="enable-integ-ipam"></a>

Optionally, you can follow the steps in this section to integrate IPAM with AWS Organizations and delegate a member account as the IPAM account.

The IPAM account is responsible for creating an IPAM and using it to manage and monitor IP address usage.

Integrating IPAM with AWS Organizations and delegating an IPAM admin has the following benefits:
+ **Share your IPAM pools with your organization**: When you delegate an IPAM account, IPAM enables other AWS Organizations member accounts in the organization to allocate CIDRs from IPAM pools that are shared using AWS Resource Access Manager (RAM). For more information on setting up an organization, see [What is AWS Organizations?](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_introduction.html) in the *AWS Organizations User Guide*.
+ **Monitor IP address usage in your organization**: When you delegate an IPAM account, you give IPAM permission to monitor IP usage across all of your accounts. As a result, IPAM automatically imports CIDRs that are used by existing VPCs across other AWS Organizations member accounts into IPAM.

If you do not delegate an AWS Organizations member account as an IPAM account, IPAM will monitor resources only in the AWS account that you use to create the IPAM.

**Note**  
When integrating with AWS Organizations:  
You must enable integration with AWS Organizations by using IPAM in the AWS Management Console or the [enable-ipam-organization-admin-account](https://docs.aws.amazon.com/cli/latest/reference/ec2/enable-ipam-organization-admin-account.html) AWS CLI command. This ensures that the `AWSServiceRoleForIPAM` service-linked role is created. If you instead enable trusted access by using the AWS Organizations console or the [register-delegated-administrator](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/organizations/register-delegated-administrator.html) AWS CLI command, the `AWSServiceRoleForIPAM` service-linked role isn't created, and you can't manage or monitor resources within your organization.  
**The IPAM account must be an AWS Organizations member account.** You cannot use the AWS Organizations management account as the IPAM account. To check whether your IPAM is already integrated with AWS Organizations, use the steps below and view the details of the integration in *Organization settings*.  
IPAM charges you for each active IP address that it monitors in your organization's member accounts. For more information about pricing, see [IPAM pricing](https://aws.amazon.com/vpc/pricing/).  
You must have an organization in AWS Organizations with a management account and one or more member accounts. For more information about account types, see [Terminology and concepts](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html) in the *AWS Organizations User Guide*. For more information on setting up an organization, see [Getting started with AWS Organizations](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started.html).  
The IPAM account must use an IAM role with a policy attached that permits the `iam:CreateServiceLinkedRole` action. When the IPAM account creates the IPAM, the `AWSServiceRoleForIPAM` service-linked role is created automatically.  
The principal in the AWS Organizations management account that performs the delegation must use an IAM role with a policy that allows the following actions:  
`ec2:EnableIpamOrganizationAdminAccount`  
`organizations:EnableAwsServiceAccess`  
`organizations:RegisterDelegatedAdministrator`  
`iam:CreateServiceLinkedRole`  
For more information on creating IAM roles, see [Creating a role to delegate permissions to an IAM user](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user.html) in the *IAM User Guide*.  
To list the organization's current delegated administrators (for example, to confirm the delegation), that role also needs the `organizations:ListDelegatedAdministrators` action.
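
The following identity-based policy is added here as an example; it is not taken from the AWS documentation. It grants a principal in the management account exactly the actions listed in the note above. The two `Condition` blocks are an assumption about how tightly you want to scope the role: they limit trusted-access enablement, delegated-administrator registration and service-linked-role creation to the IPAM service principal, `ipam.amazonaws.com`, so the same role cannot enable trusted access for other services or create other service-linked roles.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DelegateIpamAdmin",
      "Effect": "Allow",
      "Action": [
        "ec2:EnableIpamOrganizationAdminAccount",
        "organizations:ListDelegatedAdministrators"
      ],
      "Resource": "*"
    },
    {
      "Sid": "TrustedAccessForIpamOnly",
      "Effect": "Allow",
      "Action": [
        "organizations:EnableAwsServiceAccess",
        "organizations:RegisterDelegatedAdministrator"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "organizations:ServicePrincipal": "ipam.amazonaws.com"
        }
      }
    },
    {
      "Sid": "IpamServiceLinkedRoleOnly",
      "Effect": "Allow",
      "Action": "iam:CreateServiceLinkedRole",
      "Resource": "arn:aws:iam::*:role/aws-service-role/ipam.amazonaws.com/AWSServiceRoleForIPAM",
      "Condition": {
        "StringEquals": {
          "iam:AWSServiceName": "ipam.amazonaws.com"
        }
      }
    }
  ]
}
```

Attach this policy to the role that the management-account principal assumes for the delegation step only; the IPAM account itself needs a separate role with `iam:CreateServiceLinkedRole` (scoped the same way) so that creating the IPAM can create `AWSServiceRoleForIPAM`.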

------
#### [ AWS Management Console ]

**To select an IPAM account**

1. Using the AWS Organizations management account, open the IPAM console at [https://console.aws.amazon.com/ipam/](https://console.aws.amazon.com/ipam/).

1. In the AWS Management Console, choose the AWS Region in which you want to work with IPAM.

1. In the navigation pane, choose **Organization settings**.

1. The **Delegate** option is only available if you've logged in to the console as the AWS Organizations management account. Choose **Delegate**. 

1. Enter the AWS account ID for an IPAM account. The IPAM administrator must be an AWS Organizations member account.

1. Choose **Save changes**.

------
#### [ Command line ]

The commands in this section link to the *AWS CLI Command Reference*. The documentation provides detailed descriptions of the options that you can use when you run the commands.
+ To delegate an IPAM admin account using AWS CLI, use the following command: [enable-ipam-organization-admin-account](https://docs.aws.amazon.com/cli/latest/reference/ec2/enable-ipam-organization-admin-account.html)
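
The script below is an added example, not code from the AWS documentation, of the delegation step as it is typed into a shell from the AWS Organizations management account. It refuses to delegate anything that is not a 12-digit member-account ID (the management account itself is rejected, as the note above requires), uses the EC2 IPAM API rather than `register-delegated-administrator` so that the service-linked role is created, and then confirms the delegation through Organizations. The account ID in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example (not from the AWS documentation): run as a principal in the
# AWS Organizations management account to delegate a member account as the
# IPAM account and confirm the delegation.
set -eu

# The IPAM account must be a member account, never the management account.
# Return 0 if CANDIDATE is a 12-digit account ID that differs from MGMT.
is_valid_delegate() {
  candidate="$1"
  mgmt="$2"
  case "$candidate" in
    ''|*[!0-9]*) return 1 ;;   # empty or contains a non-digit
  esac
  [ "${#candidate}" -eq 12 ] || return 1
  [ "$candidate" != "$mgmt" ] || return 1
  return 0
}

delegate_ipam_account() {
  delegate="$1"
  # The caller's own account; this must be the management account.
  mgmt="$(aws sts get-caller-identity --query Account --output text)"
  if ! is_valid_delegate "$delegate" "$mgmt"; then
    echo "refusing to delegate '$delegate': not a member-account ID" >&2
    return 1
  fi
  # Use the EC2 (IPAM) API, not organizations register-delegated-administrator,
  # so that the AWSServiceRoleForIPAM service-linked role is created.
  aws ec2 enable-ipam-organization-admin-account \
    --delegated-admin-account-id "$delegate"
  # Confirm: Organizations now lists the account as delegated admin for IPAM.
  aws organizations list-delegated-administrators \
    --service-principal ipam.amazonaws.com \
    --query 'DelegatedAdministrators[].Id' --output text
}

# Usage (placeholder account ID): sh delegate-ipam.sh 111122223333
[ $# -eq 0 ] || delegate_ipam_account "$1"
```

The final `list-delegated-administrators` call needs the `organizations:ListDelegatedAdministrators` permission mentioned in the note; if the delegated account does not appear in its output, the delegation did not take effect and the IPAM account should not proceed to create an IPAM.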

------

When you delegate an Organizations member account as an IPAM account, IPAM automatically creates a service-linked IAM role in all member accounts in your organization. IPAM monitors the IP address usage in these accounts by assuming the service-linked IAM role in each member account, discovering the resources and their CIDRs, and integrating them with IPAM. The resources within all member accounts will be discoverable by IPAM regardless of their Organizational Unit. If there are member accounts that have created a VPC, for example, you’ll see the VPC and its CIDR in the Resources section of the IPAM console.

**Important**  
The AWS Organizations management account's part in the setup is now complete: it has delegated the IPAM account. To continue using IPAM, the IPAM account must sign in to Amazon VPC IPAM and create an IPAM. 

# Integrate IPAM with accounts outside of your organization
<a name="enable-integ-ipam-outside-org"></a>

This section describes how to integrate your IPAM with AWS accounts outside of your organization. To complete steps in this section, you must have already completed the steps in [Integrate IPAM with accounts in an AWS Organization](enable-integ-ipam.md) and delegated an IPAM account.

Integrating IPAM with AWS accounts outside of your organization enables you to do the following:
+ Manage IP addresses outside of your organization from a single IPAM account.
+ Share IPAM pools with third-party services hosted by other AWS accounts in other AWS Organizations.

After you integrate IPAM with AWS accounts outside of your organization, you can share an IPAM pool directly with the desired accounts of other organizations.

**Topics**
+ [Considerations and limitations](enable-integ-ipam-outside-org-considerations.md)
+ [Process overview](enable-integ-ipam-outside-org-process.md)

# Considerations and limitations
<a name="enable-integ-ipam-outside-org-considerations"></a>

This section contains considerations and limitations for integrating IPAM with accounts outside of your organization:
+ When you share a resource discovery with another account, the only data that is exchanged is IP address and account status monitoring data. You can view this data before sharing using the [get-ipam-discovered-resource-cidrs](https://docs.aws.amazon.com/cli/latest/reference/ec2/get-ipam-discovered-resource-cidrs.html) and [get-ipam-discovered-accounts](https://docs.aws.amazon.com/cli/latest/reference/ec2/get-ipam-discovered-accounts.html) CLI commands or the [GetIpamDiscoveredResourceCidrs](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_GetIpamDiscoveredResourceCidrs.html) and [GetIpamDiscoveredAccounts](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_GetIpamDiscoveredAccounts.html) APIs. For resource discoveries that monitor resources across an organization, no organization data (such as the names of Organizational Units in your organization) is shared.
+ When you create a resource discovery, it monitors all resources visible to the owner account. If the owner account belongs to a third-party service that creates resources for multiple customers, all of those customers' resources are discovered. If the third-party service account then shares the resource discovery with one end-user account, that end user gains visibility into the resources of the service's other customers. For that reason, a third-party service should exercise caution when creating and sharing resource discoveries, or use a separate AWS account for each customer. 

# Process overview
<a name="enable-integ-ipam-outside-org-process"></a>

This section explains how to integrate your IPAM with AWS accounts outside of your organization. It refers to topics that are covered in other sections of this guide. Keep this page visible, and open the topics linked below in a new window so that you can return to this page for guidance.

When you integrate IPAM with AWS accounts outside of your organization, four AWS accounts are involved in the process:
+ **Primary Org Owner** - The AWS Organizations management account for organization 1.
+ **Primary Org IPAM Account** - The IPAM delegated administrator account for organization 1.
+ **Secondary Org Owner** - The AWS Organizations management account for organization 2.
+ **Secondary Org Admin Account** - The IPAM delegated administrator account for organization 2.

**Steps**

1. Primary Org Owner delegates a member of their organization as the Primary Org IPAM Account (see [Integrate IPAM with accounts in an AWS Organization](enable-integ-ipam.md)).

1. Primary Org IPAM Account creates an IPAM (see [Create an IPAM](create-ipam.md)).

1. Secondary Org Owner delegates a member of their organization as the Secondary Org Admin Account (see [Integrate IPAM with accounts in an AWS Organization](enable-integ-ipam.md)).

1. Secondary Org Admin Account creates a resource discovery and shares it with the Primary Org IPAM Account using AWS RAM (see [Create a resource discovery](res-disc-work-with-create.md) and [Share a resource discovery with another AWS account](res-disc-work-with-share.md)). The resource discovery must be created in the same home Region as the Primary Org IPAM. 

1. Primary Org IPAM Account accepts the resource share invitation using AWS RAM (see [Accepting and rejecting resource share invitations](https://docs.aws.amazon.com/ram/latest/userguide/working-with-shared-invitations.html) in the *AWS RAM User Guide*).

1. Primary Org IPAM Account associates the resource discovery with their IPAM (see [Associate a resource discovery with an IPAM](res-disc-work-with-associate.md)).

1. Primary Org IPAM Account can now monitor and/or manage IPAM resources created by the accounts in Secondary Org.

1. (Optional) Primary Org IPAM Account shares IPAM pools with member accounts in Secondary Org (see [Share an IPAM pool using AWS RAM](share-pool-ipam.md)).

1. (Optional) If Primary Org IPAM Account wants to stop discovering resources in Secondary Org, it can disassociate the resource discovery from the IPAM (see [Disassociate a resource discovery](res-disc-work-with-disassociate.md)).

1. (Optional) If the Secondary Org Admin Account wants to stop participating in the Primary Org’s IPAM, they can unshare the shared resource discovery (see [Update a resource share in AWS RAM](https://docs.aws.amazon.com/ram/latest/userguide/working-with-sharing-update.html) in the *AWS RAM User Guide*) or delete the resource discovery (see [Delete a resource discovery](res-disc-work-with-delete.md)).
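
The script below is an added example, not code from the AWS documentation, that carries steps 4 through 6 above through the AWS CLI and also applies the caveat from *Considerations and limitations*: before the Secondary Org Admin Account shares its resource discovery, it lists the account IDs that own the discovered CIDRs and refuses to share if any of them is outside an allowlist, because every account the discovery can see becomes visible to the recipient. The `secondary` half runs in the Secondary Org Admin Account, the `primary` half in the Primary Org IPAM Account. The Region, account IDs, IPAM ID and share name are placeholders; `unexpected_owners` is a helper written for this example.

```shell
#!/bin/sh
# Added example (not from the AWS documentation) for the cross-organization
# resource discovery workflow. Placeholders below: override via environment.
set -eu

PRIMARY_HOME_REGION="${PRIMARY_HOME_REGION:-us-east-1}"
PRIMARY_IPAM_ACCOUNT="${PRIMARY_IPAM_ACCOUNT:-111122223333}"
PRIMARY_IPAM_ID="${PRIMARY_IPAM_ID:-ipam-0123456789abcdef0}"

# Pre-share check: reads discovered owner account IDs on stdin and prints
# those NOT in the allowlist passed as arguments. Any output means the share
# would expose resources of accounts you did not intend to expose.
unexpected_owners() {
  allowed=" $* "
  sort -u | while IFS= read -r id; do
    case "$allowed" in
      *" $id "*) ;;
      *) printf '%s\n' "$id" ;;
    esac
  done
}

# --- Secondary Org Admin Account: create, review, share --------------------
# Arguments: the account IDs whose resources the recipient may see.
secondary_create_and_share() {
  # Must be created in the Primary Org IPAM's home Region.
  rd_arn="$(aws ec2 create-ipam-resource-discovery \
    --region "$PRIMARY_HOME_REGION" \
    --description "shared with primary org IPAM" \
    --operating-regions "RegionName=$PRIMARY_HOME_REGION" \
    --query 'IpamResourceDiscovery.IpamResourceDiscoveryArn' --output text)"
  rd_id="${rd_arn##*/}"

  # Only discovered CIDRs and account status cross the boundary, but that
  # covers every account this discovery can see. Review before sharing.
  leaked="$(aws ec2 get-ipam-discovered-resource-cidrs \
      --region "$PRIMARY_HOME_REGION" \
      --ipam-resource-discovery-id "$rd_id" \
      --resource-region "$PRIMARY_HOME_REGION" \
      --query 'IpamDiscoveredResourceCidrs[].ResourceOwnerId' --output text \
    | tr '\t' '\n' | unexpected_owners "$@")"
  if [ -n "$leaked" ]; then
    echo "not sharing $rd_id: discovery exposes accounts outside the allowlist:" >&2
    echo "$leaked" >&2
    return 1
  fi

  # The recipient is in another organization, so allow external principals.
  aws ram create-resource-share \
    --region "$PRIMARY_HOME_REGION" \
    --name "ipam-resource-discovery-for-primary-org" \
    --resource-arns "$rd_arn" \
    --principals "$PRIMARY_IPAM_ACCOUNT" \
    --allow-external-principals
  echo "$rd_id"
}

# --- Primary Org IPAM Account: accept the share, associate the discovery ---
primary_accept_and_associate() {
  rd_id="$1"
  for inv in $(aws ram get-resource-share-invitations \
      --region "$PRIMARY_HOME_REGION" \
      --query 'resourceShareInvitations[?status==`PENDING`].resourceShareInvitationArn' \
      --output text); do
    aws ram accept-resource-share-invitation \
      --region "$PRIMARY_HOME_REGION" \
      --resource-share-invitation-arn "$inv"
  done
  aws ec2 associate-ipam-resource-discovery \
    --region "$PRIMARY_HOME_REGION" \
    --ipam-id "$PRIMARY_IPAM_ID" \
    --ipam-resource-discovery-id "$rd_id"
}

# Usage (run each half from the matching account; IDs are placeholders):
#   sh cross-org-ipam.sh secondary 444455556666 777788889999
#   sh cross-org-ipam.sh primary ipam-res-disco-0123456789abcdef0
case "${1:-}" in
  secondary) shift; secondary_create_and_share "$@" ;;
  primary)   primary_accept_and_associate "$2" ;;
esac
```

Discovery runs asynchronously, so the `get-ipam-discovered-resource-cidrs` output is only meaningful once the discovery has completed at least one pass; rerun the `secondary` half after the first results appear rather than immediately after creation. The check is fail-closed: with no allowlisted account IDs on the command line, every discovered owner is reported and nothing is shared. Steps 9 and 10 (disassociating or unsharing) are the reverse operations, `disassociate-ipam-resource-discovery` on the primary side and updating or deleting the RAM share on the secondary side.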

# Use IPAM with a single account
<a name="enable-single-user-ipam"></a>

If you choose not to [Integrate IPAM with accounts in an AWS Organization](enable-integ-ipam.md), you can use IPAM with a single AWS account.

When you create an IPAM in the next section, a service-linked role is automatically created for the Amazon VPC IPAM service in AWS Identity and Access Management (IAM). 

Service-linked roles are a type of IAM role that allows AWS services to access other AWS services on your behalf. They simplify the permission management process by automatically creating and managing the necessary permissions for specific AWS services to perform their required actions, streamlining the setup and administration of these services.

IPAM uses the service-linked role to monitor and store metrics for CIDRs associated with EC2 networking resources. For more information on the service-linked role and how IPAM uses it, see [Service-linked roles for IPAM](iam-ipam-slr.md).

**Important**  
If you use IPAM with a single AWS account, the account you use to create the IPAM must use an IAM role with a policy attached that permits the `iam:CreateServiceLinkedRole` action. When you create the IPAM, the `AWSServiceRoleForIPAM` service-linked role is created automatically. For more information on managing IAM policies, see [Editing IAM policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_manage-edit.html) in the *IAM User Guide*. 

Once the single AWS account has permission to create the IPAM service-linked role, go to [Create an IPAM](create-ipam.md).