Example 1: Allow IAM users to view your billing information
To allow an IAM user to view your billing information without giving the IAM user access to sensitive account information, such as your password and account activity reports, use a policy similar to the following example policy. This policy allows IAM users to view the following Billing and Cost Management console pages, without giving them access to the Account Settings or Reports console pages:
- Dashboard
- Cost Explorer
- Bills
- Payment History
- Consolidated Billing
- Preferences
- Credits
- Advance Payment
```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "aws-portal:ViewBilling",
            "Resource": "*"
        }
    ]
}
```
Example 2: Allow IAM users to access the Reports console page
To allow an IAM user to access the Reports console page and to view the usage reports that contain account activity information, use a policy similar to this example policy.
```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "aws-portal:ViewUsage",
                "aws-portal:ViewBilling"
            ],
            "Resource": "*"
        }
    ]
}
```
Example 3: Deny IAM users access to the Billing and Cost Management console
To explicitly deny an IAM user access to all Billing and Cost Management console pages, use a policy similar to this example policy.
```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": "aws-portal:*",
            "Resource": "*"
        }
    ]
}
```
Example 4: Allow full access to AWS services but deny IAM users access to the Billing and Cost Management console
To enable full access to all AWS services but deny the IAM user access to everything on the Billing and Cost Management console, use the following policy. In this case, you should also deny user access to AWS Identity and Access Management (IAM) so that the users can’t access the policies that control access to billing information and tools.
```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "*",
            "Resource": "*"
        },
        {
            "Effect": "Deny",
            "Action": [
                "aws-portal:*",
                "iam:*"
            ],
            "Resource": "*"
        }
    ]
}
```
Example 5: Allow IAM users to view the Billing and Cost Management console, except Account Settings
To protect your account password, contact information, and security questions, you can deny user access to Account Settings while still enabling read-only access to the rest of the functionality in the Billing and Cost Management console. Applying this policy to an IAM user allows the user to view all the Billing and Cost Management console pages, including the Payment Methods and Reports console pages, but denies the user access to Account Settings.
```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "aws-portal:View*",
            "Resource": "*"
        },
        {
            "Effect": "Deny",
            "Action": "aws-portal:*Account",
            "Resource": "*"
        }
    ]
}
```
Example 6: Allow IAM users to modify billing information
To allow IAM users to modify account billing information in the Billing and Cost Management console, you must also allow IAM users to view your billing information. The following policy example allows an IAM user to modify the Consolidated Billing, Preferences, and Credits console pages. It also allows an IAM user to view the following Billing and Cost Management console pages:
- Dashboard
- Cost Explorer
- Bills
- Payment History
- Advance Payment
```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "aws-portal:*Billing",
            "Resource": "*"
        }
    ]
}
```
Example 7: Allow IAM users to create budgets
To apply this policy, the user must have IAM permissions to view your Billing and Cost Management console.
If you are in an organization, only the master account can create and manage budgets. Individual member accounts can’t create and manage budgets. You can grant member accounts read-only access to your budgets using an IAM policy. For more information, see Controlling Access.
To allow IAM users to create budgets in the Billing and Cost Management console, you must also allow IAM users to view your billing information, create CloudWatch alarms, and create Amazon SNS notifications. The following policy example allows an IAM user to modify the Budget console page:
```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1435216493000",
            "Effect": "Allow",
            "Action": [
                "aws-portal:ViewBilling",
                "aws-portal:ModifyBilling",
                "budgets:ViewBudget",
                "budgets:ModifyBudget"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "Stmt1435216514000",
            "Effect": "Allow",
            "Action": [
                "cloudwatch:*"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "Stmt1435216552000",
            "Effect": "Allow",
            "Action": [
                "sns:*"
            ],
            "Resource": [
                "arn:aws:sns:us-east-1"
            ]
        }
    ]
}
```
Example 8: Deny access to Account Settings, but allow full access to all other billing and usage information
To protect your account password, contact information, and security questions, you can deny IAM user access to Account Settings while still enabling full access to the rest of the functionality in the Billing and Cost Management console, as shown in the following example.
```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "aws-portal:*Billing",
                "aws-portal:*Usage",
                "aws-portal:*PaymentMethods"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Deny",
            "Action": "aws-portal:*Account",
            "Resource": "*"
        }
    ]
}
```
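How the Allow and Deny statements in Examples 4, 5 and 8 resolve for each action, as an added example that is not part of the original documentation. It is a simplified evaluator that models only `Effect` and `Action` wildcards (no `Resource`, `Condition` or `Principal`); the helper names and the action names beyond those shown on this page are assumptions of the example.

```python
import fnmatch

# aws-portal actions used as test subjects. The page names ViewBilling,
# ModifyBilling and ViewUsage; the Account and PaymentMethods names are
# supplied by this example to exercise the page's wildcard patterns.
PORTAL_ACTIONS = [
    "aws-portal:ViewBilling", "aws-portal:ModifyBilling", "aws-portal:ViewUsage",
    "aws-portal:ViewPaymentMethods", "aws-portal:ModifyPaymentMethods",
    "aws-portal:ViewAccount", "aws-portal:ModifyAccount",
]

def stmt(effect, *actions):
    """Build one policy statement (hypothetical helper, Resource fixed to *)."""
    return {"Effect": effect, "Action": list(actions), "Resource": "*"}

# Statements copied from Examples 4, 5 and 8 on this page.
EXAMPLE_4 = {"Statement": [stmt("Allow", "*"),
                           stmt("Deny", "aws-portal:*", "iam:*")]}
EXAMPLE_5 = {"Statement": [stmt("Allow", "aws-portal:View*"),
                           stmt("Deny", "aws-portal:*Account")]}
EXAMPLE_8 = {"Statement": [stmt("Allow", "aws-portal:*Billing", "aws-portal:*Usage",
                                "aws-portal:*PaymentMethods"),
                           stmt("Deny", "aws-portal:*Account")]}

def matches(pattern, action):
    # Action names are compared case-insensitively; * matches any run of characters.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())

def decide(policy, action):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for a single action."""
    allowed = False
    for s in policy["Statement"]:
        if any(matches(p, action) for p in s["Action"]):
            if s["Effect"] == "Deny":
                return "Deny"  # an explicit deny overrides any allow
            allowed = True
    return "Allow" if allowed else "ImplicitDeny"

def allowed_actions(policy):
    """List the aws-portal actions a policy ends up granting."""
    return sorted(a for a in PORTAL_ACTIONS if decide(policy, a) == "Allow")

if __name__ == "__main__":
    for name, pol in [("Example 5", EXAMPLE_5), ("Example 8", EXAMPLE_8)]:
        print(name)
        for a in PORTAL_ACTIONS:
            print(f"  {a:34} {decide(pol, a)}")
```
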
Example 9: Deposit reports into an Amazon S3 bucket
The following policy allows Billing and Cost Management to save your detailed AWS bills to an Amazon S3 bucket, as long as you own both the AWS account and the Amazon S3 bucket. Note that this policy must be applied to the Amazon S3 bucket, instead of to an IAM user. That is, it’s a resource-based policy, not a user-based policy. You should deny IAM user access to the bucket for IAM users who don’t need access to your bills.
Replace bucketname with the name of your bucket.
For more information, see Using Bucket Policies and User Policies.
```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "386209384616"
            },
            "Action": [
                "s3:GetBucketAcl",
                "s3:GetBucketPolicy"
            ],
            "Resource": "arn:aws:s3:::bucketname"
        },
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "386209384616"
            },
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::bucketname/*"
        }
    ]
}
```
Example 10: Create, view, or delete an AWS Cost and Usage report
This policy allows an IAM user to create, view, or delete an AWS Cost and Usage report using the API.
```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "cur:PutReportDefinition",
                "cur:DescribeReportDefinitions",
                "cur:DeleteReportDefinition"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}
```
Example 11: Find products and prices
To allow an IAM user to use the AWS Price List Service API, use the following policy to grant them access.
```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "pricing:DescribeServices",
                "pricing:GetAttributeValues",
                "pricing:GetProducts"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}
```
Example 12: View costs and usage
To allow IAM users to use the AWS Cost Explorer API, use the following policy to grant them access.
```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ce:*"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}
```