Prerequisites
Create a test AWS account to use with this tutorial. In this account create two test users and two test groups as summarized in the following table. Be sure to assign a password to each user so that you can sign in later in Step 4.
Create user accounts | Create and configure group accounts | |
---|---|---|
User Name | Group Name | Add user as a member |
FinanceManager | FullAccess | FinanceManager |
FinanceUser | ViewAccess | FinanceUser |
Step 1: Enable Access to Billing Data on Your AWS Test Account
Sign into your test account and turn on billing access. For information about how to follow this process in a production environment, see Activate Access to the AWS Website in the AWS Billing and Cost Management User Guide.
To enable access to billing data on your AWS test account
- Use your AWS account email address and password to sign in to the AWS Management Console as the AWS account root user.
- On the navigation bar, choose your account name, and then choose My Account.
- Next to IAM User and Role Access to Billing Information, choose Edit, and then select the check box to activate IAM user and federated user access to the Billing and Cost Management pages.
- Sign out of the console, and then proceed to Step 2: Create IAM Policies That Grant Permissions to Billing Data.
Step 2: Create IAM Policies That Grant Permissions to Billing Data
Next, create custom policies that grant both view and full access permissions to the pages within the Billing and Cost Management console. For general information about IAM permission policies, see Managed Policies and Inline Policies.
To create IAM policies that grant permissions to billing data
- Sign in to the AWS Management Console as a user with administrator credentials. To adhere to IAM best practices, don’t sign in with your root user credentials. For more information, see Create individual IAM users.
- Open the IAM console at https://console.aws.amazon.com/iam/.
- In the navigation pane, choose Policies, and then choose Create policy.
- On the Visual editor tab, choose Choose a service to get started. Then choose Billing.
- Follow these steps to create two policies:
Full access
- Choose Select actions and then select the check box next to All Actions (*). You do not need to select a resource or condition for this policy.
- Choose Review policy.
- On the Review page, next to Name, type
BillingFullAccess
, and then choose Create policy to save it.
Read-only access
- Repeat steps 3 and 4.
- Choose Select actions and then select the check box next to Read. You do not need to select a resource or condition for this policy.
- Choose Review policy.
- On the Review page, for Name, type
BillingViewAccess
. Then choose Create policy to save it.
To review descriptions for each of the permissions available in IAM policies that grant users access to the Billing and Cost Management console, see Billing Permissions Descriptions.
Step 3: Attach Billing Policies to Your Groups
Now that you have custom billing policies available, you can attach them to their corresponding groups that you created earlier. Although you can attach a policy directly to a user or role, we recommend (in accordance with IAM best practices) that you use groups instead. For more information, see Use groups to assign permissions to IAM users.
To attach billing policies to your groups
- In the navigation pane, choose Policies to display the full list of policies available to your AWS account. To attach each policy to its appropriate group, follow these steps:
Full access
- In the search box, type
BillingFullAccess
, and then select the check box next to the policy name. - Choose Policy actions, and then choose Attach.
- In the search box, type
FinanceManager
, select the check box next to the name of the group, and then choose Attach policy.
Read-only access
- In the search box, type
BillingViewAccess
, and then select the check box next to the policy name. - Choose Policy actions, and then choose Attach.
- For Filter, choose Groups. In the search box, type
FinanceUser
, select the check box next to the name of the group, and then choose Attach policy.
- In the search box, type
- Sign out of the console, and then proceed to Step 4: Test Access to the Billing Console.
Step 4: Test Access to the Billing Console
You can test user access in a couple of ways. For this tutorial, we recommend that you test access by signing in as each of the test users so you can see what your users might experience. Another (optional) way to test user access permissions is to use the IAM policy simulator. Use the following steps if you want to see another way to view the effective result of these actions.
Select either of the following procedures based on your preferred testing method. In the first one, you sign in using both test accounts to see the difference between access rights.
To test billing access by signing in with both test user accounts
- Use your AWS account ID or account alias, your IAM user name, and your password to sign in to the IAM console.
Note
For your convenience, the AWS sign-in page uses a browser cookie to remember your IAM user name and account information. If you previously signed in as a different user, choose Sign in to a different account near the bottom of the page to return to the main sign-in page. From there, you can type your AWS account ID or account alias to be redirected to the IAM user sign-in page for your account.
- Sign-in with each account using the steps provided below so you can compare the different user experiences.
Full access
- Sign in to your AWS account as the user FinanceManager.
- On the navigation bar, choose FinanceManager@
<account alias or ID number>
, and then choose Billing & Cost Management. - Browse through the pages and choose the various buttons to ensure that you have full modify permissions.
Read-only access
- Sign in to your AWS account as the user FinanceUser.
- On the navigation bar, choose FinanceUser@
<account alias or ID number>
, and then choose Billing & Cost Management. - Browse through the pages. Notice that you can display costs, reports, and billing data with no problems. However, if you choose an option to modify a value, you receive an Access Denied message. For example, on the Preferences page, choose any of the check boxes on the page, and then choose Save preferences. The console message informs you that you need ModifyBilling permissions to make changes to that page.
The following optional procedure demonstrates how you could alternatively use the IAM policy simulator to test your delegated user’s effective permissions to billing pages.
To test billing access by viewing effective permissions in the IAM policy simulator
- Open the IAM policy simulator at https://policysim.aws.amazon.com/. (If you are not already signed in to AWS, you are prompted to sign in).
- Under Users, Groups, and Roles, select one of the users that is a member of the group you recently attached the policy to.
- Under Policy Simulator, choose Select service, and then choose Billing.
- Next to Select actions, choose Select All.
- Choose Run Simulation and compare the user’s listed permissions with all possible billing-related permission options to make sure that the correct rights have been applied.