Using identity-based policies (IAM policies) for AWS Account Management

Important

The following AWS Identity and Access Management (IAM) actions will reach the end of standard support in July 2023: aws-portal:ModifyAccount and aws-portal:ViewAccount. See Using fine-grained AWS Billing actions to replace these actions with fine-grained actions so that you have access to the AWS Billing, AWS Cost Management, and AWS accounts consoles.

If you created your AWS account or AWS Organizations Management account before March 6, 2023, the fine-grained actions will be effective starting July 2023. We recommend that you add the fine-grained actions, but do not remove your existing permissions with aws-portal or purchase-orders prefixes.

If you created your AWS account or AWS Organizations Management account on or after March 6, 2023, the fine-grained actions are effective immediately.

For a full discussion of AWS accounts and IAM users, see What Is IAM? in the IAM User Guide.

For instructions on how you can update customer managed policies, see Editing customer managed policies (console) in the IAM User Guide.

AWS Account Management actions policies

This table summarizes the permissions that allow or deny IAM users access to your account settings. For examples of policies that use these permissions, see AWS Account Management policy examples.

| Permission name | Description |
| --- | --- |
| aws-portal:ViewAccount | Allow or deny IAM users permission to view Account Settings. |
| aws-portal:ModifyAccount | Allow or deny IAM users permission to modify Account Settings. |

To allow IAM users to modify account settings, you must allow both ModifyAccount and ViewAccount.

For an example of a policy that explicitly denies an IAM user access to the account settings console page, see Deny access to account settings, but allow full access to all other billing and usage information.
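The rule stated above (modifying account settings requires both ModifyAccount and ViewAccount) and the effect of an explicit deny can be checked against a policy document before it is attached. The following is an added example, not part of the AWS documentation: a simplified evaluator for a single policy document that ignores Resource and Condition elements; the function names and the sample policies are assumptions made for illustration.

```python
import re

VIEW = "aws-portal:ViewAccount"
MODIFY = "aws-portal:ModifyAccount"

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(patterns, action):
    # IAM action matching is case-insensitive; "*" and "?" are wildcards.
    for pattern in _as_list(patterns):
        regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
        if re.fullmatch(regex, action, re.IGNORECASE):
            return True
    return False

def decision(policy, action):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one action in one policy."""
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        if "NotAction" in stmt:
            hit = not _matches(stmt["NotAction"], action)
        else:
            hit = _matches(stmt.get("Action", []), action)
        if hit and stmt["Effect"] == "Deny":
            return "Deny"  # an explicit deny overrides any allow
        allowed = allowed or hit
    return "Allow" if allowed else "ImplicitDeny"

def account_settings_access(policy):
    """Apply the rule above: modifying needs both ViewAccount and ModifyAccount."""
    view = decision(policy, VIEW) == "Allow"
    modify_allowed = decision(policy, MODIFY) == "Allow"
    findings = []
    if modify_allowed and not view:
        findings.append("ModifyAccount is allowed without ViewAccount")
    return {"can_view": view, "can_modify": view and modify_allowed, "findings": findings}

# Constructed sample policies (not taken from the AWS documentation).
def _policy(*statements):
    return {"Version": "2012-10-17", "Statement": list(statements)}

MODIFY_ONLY = _policy({"Effect": "Allow", "Action": MODIFY, "Resource": "*"})
VIEW_AND_MODIFY = _policy({"Effect": "Allow", "Action": [VIEW, MODIFY], "Resource": "*"})
DENY_ACCOUNT = _policy(
    {"Effect": "Allow", "Action": "aws-portal:*", "Resource": "*"},
    {"Effect": "Deny", "Action": "aws-portal:*Account", "Resource": "*"},
)
```

A real authorization decision also depends on Resource, Condition, and every other policy that applies to the principal, so treat the result as a review aid for one document.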