Create custom policies that grant both view and full access permissions to the pages within the Billing and Cost Management console. For general information about IAM permission policies, see Managed Policies and Inline Policies.

To create IAM policies that grant permissions to billing data

  1. Sign in to the AWS Management Console as a user with administrator credentials. To adhere to IAM best practices, don’t sign in with your root account credentials. For more information, see Create individual IAM users.
  2. Open the IAM console at https://console.aws.amazon.com/iam/.
  3. In the navigation pane, choose Policies, and then choose Create Policy.
  4. Next to Policy Generator, choose Select.
  5. On the Edit Permissions page, for Effect choose Allow.
  6. For AWS Service, choose AWS Billing.
  7. Follow these steps to create two policies:

    Full access

    1. For Actions, choose All Actions (*).
    2. Choose Add Statement, and then choose Next Step.
    3. On the Review Policy page, next to Policy Name, type BillingFullAccess, and then choose Create Policy to save it.

    View-only access

    1. Repeat steps 3 through 6.
    2. For Actions, choose only those permissions that begin with View.
    3. Choose Add Statement, and then choose Next Step.
    4. On the Review Policy page, for Policy Name, type BillingViewAccess. Then choose Create Policy to save it.

    To review descriptions for each of the permissions available in IAM policies that grant users access to the Billing and Cost Management console, see Billing Permissions Descriptions.

Step 3: Attach Billing Policies to Your Groups

Now that you have custom billing policies available, you can attach them to their corresponding groups that you created earlier. Although you can attach a policy directly to a user or role, we recommend (in accordance with IAM best practices) that you use groups instead. For more information, see Use groups to assign permissions to IAM users.

To attach billing policies to your groups

  1. In the navigation pane, choose Policies to display the full list of policies available to your AWS account. To attach each policy to its appropriate group, follow these steps:

    Full access

    1. In the search box, type BillingFullAccess, and then select the check box next to the policy name.
    2. Choose Policy actions, and then choose Attach.
    3. In the search box, type FullAccess, select the check box next to the name of the group, and then choose Attach policy.

    View-only access

    1. In the search box, type BillingViewAccess, and then select the check box next to the policy name.
    2. Choose Policy actions, and then choose Attach.
    3. For Filter, choose Groups. In the search box, type ViewAccess, select the check box next to the name of the group, and then choose Attach policy.
  2. Sign out of the console, and then proceed to Step 4: Test Access to the Billing Console.

Step 4: Test Access to the Billing Console

You can test user access in a couple of ways. For this tutorial, we recommend that you test access by signing in as each of the test users so you can observe the results and see what your users might experience. Another (optional) way to test user access permissions is to use the IAM policy simulator. Use the following steps if you want to see another way to view the effective result of these actions.

Select either of the following procedures based on your preferred testing method. In the first one, you sign in using both test accounts to see the difference between access rights.

To test billing access by signing in with both test user accounts

  1. Go to the sign-in URL for your AWS test account. For example, if your AWS account name is CompanyXYZ, your sign-in URL would look like https://companyxyz.signin.aws.amazon.com/console. If you did not assign an alias like CompanyXYZ, then use your account ID number as in this example: https://123456789012.signin.aws.amazon.com/console.
  2. Sign in with each account using the steps provided below so you can compare the different user experiences.

    Full access

    1. Sign in to your AWS account as the user FinanceManager.
    2. On the navigation bar, choose FinanceManager@<account alias or ID number>, and then choose Billing & Cost Management.
    3. Browse through the pages and choose the various buttons to ensure you have full modify permissions.

    View-only access

    1. Sign in to your AWS account as the user FinanceUser.
    2. On the navigation bar, choose FinanceUser@<account alias or ID number>, and then choose Billing & Cost Management.
    3. Browse through the pages. Notice that you can display costs, reports, and billing data with no problems. However, if you choose an option to modify a value, you receive an Access Denied message. For example, on the Preferences page, choose any of the check boxes on the page, and then choose Save preferences. The console message informs you that you need ModifyBilling permissions to make changes to that page.

The following optional procedure demonstrates how you could alternatively use the IAM policy simulator to test your delegated user’s effective permissions to billing pages.

To test billing access by viewing effective permissions in the IAM policy simulator

  1. Open the IAM policy simulator at https://policysim.aws.amazon.com/. (If you are not already signed in to AWS, you are prompted to sign in.)
  2. Under Users, Groups, and Roles, select one of the users that is a member of the group you recently attached the policy to.
  3. Under Policy Simulator, choose Select service, and then choose Billing.
  4. Next to Select actions, choose Select All.
  5. Choose Run Simulation and compare the user’s listed permissions with all possible billing-related permission options to make sure that the correct rights have been applied.
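
The following added example (not part of the original tutorial and not AWS code) writes out the two policy documents that the Policy Generator steps produce and evaluates them locally the way the simulator comparison does, so you can confirm that BillingViewAccess grants no Modify permissions before you attach it. The `aws-portal` action names are an assumption based on the legacy AWS Billing service prefix, and the evaluator covers only Effect and Action matching.

```python
import fnmatch
import json

# Assumption: legacy "aws-portal" action names; confirm against the
# Billing Permissions Descriptions for your account before relying on them.
BILLING_ACTIONS = [
    "aws-portal:ViewBilling", "aws-portal:ViewAccount",
    "aws-portal:ViewPaymentMethods", "aws-portal:ViewUsage",
    "aws-portal:ModifyBilling", "aws-portal:ModifyAccount",
    "aws-portal:ModifyPaymentMethods",
]

def make_policy(actions):
    """Single Allow statement, the shape the Policy Generator steps produce."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": actions, "Resource": "*"}]}

# BillingFullAccess: All Actions (*). BillingViewAccess: only View* actions.
BILLING_FULL_ACCESS = make_policy("aws-portal:*")
BILLING_VIEW_ACCESS = make_policy(
    [a for a in BILLING_ACTIONS if a.split(":", 1)[1].startswith("View")])

def simulate(policy, action):
    """Evaluate one action: 'allowed', 'explicitDeny' or 'implicitDeny'.

    Condition, NotAction and Resource matching are not evaluated here.
    """
    statements = policy["Statement"]
    if isinstance(statements, dict):
        statements = [statements]
    decision = "implicitDeny"
    for stmt in statements:
        patterns = stmt.get("Action", [])
        patterns = [patterns] if isinstance(patterns, str) else patterns
        # IAM action names are case-insensitive.
        if not any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns):
            continue
        if stmt["Effect"] == "Deny":
            return "explicitDeny"  # an explicit deny always wins
        decision = "allowed"
    return decision

def modify_actions_allowed(policy):
    """Least-privilege check: the Modify* actions a policy grants."""
    return [a for a in BILLING_ACTIONS
            if "Modify" in a and simulate(policy, a) == "allowed"]

if __name__ == "__main__":
    for name, pol in [("BillingFullAccess", BILLING_FULL_ACCESS),
                      ("BillingViewAccess", BILLING_VIEW_ACCESS)]:
        print(name, json.dumps(pol, indent=2))
        for action in BILLING_ACTIONS:
            print(f"  {action:35} {simulate(pol, action)}")
```

An empty result from `modify_actions_allowed(BILLING_VIEW_ACCESS)` corresponds to the Access Denied behavior FinanceUser sees on the Preferences page.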

Summary

You’ve now successfully completed all of the steps necessary to delegate user access to the Billing and Cost Management console. As a result, you’ve seen firsthand what your users’ billing console experience will be like and can now proceed to implement this logic in your production environment at your convenience.