Overview of managing access permissions
Granting access to your billing information and tools
By default, IAM users don't have access to the AWS Billing and Cost Management console
When you create an AWS account, you begin with one sign-in identity that has complete access to all AWS services and resources in the account. This identity is called the AWS account root user and is accessed by signing in with the email address and password that you used to create the account. We strongly recommend that you don't use the root user for your everyday tasks. Safeguard your root user credentials and use them to perform the tasks that only the root user can perform. For the complete list of tasks that require you to sign in as the root user, see Tasks that require root user credentials in the IAM User Guide.
As an administrator, you can create roles under your AWS account that your users can assume. After you create roles, you can attach your IAM policy to them, based on the access needed. For example, you can grant some users limited access to some of your billing information and tools, and grant others complete access to all of the information and tools.
To grant IAM entities access to the Billing and Cost Management console, complete the following:
-
Activate IAM Access as the AWS account root user. You only need to complete this action once for your account.
-
Create your IAM identities, such as a user, group, or role.
-
Use an AWS managed policy or create a customer managed policy that grants permission to specific actions on the Billing and Cost Management console. For more information, see Using identity-based policies for Billing.
For more information, see the IAM tutorial: Grant access to the Billing console in the IAM User Guide.
Note
Permissions for Cost Explorer apply to all accounts and member accounts, regardless of the IAM policies. For more information, see Controlling access to AWS Cost Explorer.
Activating access to the Billing and Cost Management console
IAM users and roles in an AWS account can't access the Billing and Cost Management console by default. This is true even if they have IAM policies that grant access to certain Billing features. To grant access, the AWS account root user can use the Activate IAM Access setting.
If you use AWS Organizations, activate this setting in each management or member account where you want to allow IAM user and role access to the Billing and Cost Management console. For more information, see Activating IAM access to the AWS Billing and Cost Management console.
On the Billing console, the Activate IAM Access setting controls access to the following pages:
-
Home
-
Budgets
-
Budgets Reports
-
AWS Cost and Usage Reports
-
Cost categories
-
Cost allocation tags
-
Bills
-
Payments
-
Credits
-
Purchase Order
-
Billing preferences
-
Payment methods
-
Tax settings
Cost Explorer
Reports
Rightsizing recommendations
Savings Plans recommendations
Savings Plans utilization report
Savings Plans coverage report
Reservations overview
Reservations recommendations
Reservations utilization report
Reservations coverage report
Preferences
For a list of pages the Activate IAM Access setting controls for the Billing console, see Activating access to the Billing console in the Billing User Guide.
Important
Activating IAM access alone doesn't grant roles the necessary permissions for these Billing and Cost Management console pages. In addition to activating IAM access, you must also attach the required IAM policies to those roles. For more information, see Using identity-based policies for Billing.
The Activate IAM Access setting doesn't control access to the following pages and resources:
The console pages for AWS Cost Anomaly Detection, Savings Plans overview, Savings Plans inventory, Purchase Savings Plans, and Savings Plans cart
The Cost Management view in the AWS Console Mobile Application
The Billing and Cost Management SDK APIs (AWS Cost Explorer, AWS Budgets, and AWS Cost and Usage Reports APIs)
AWS Systems Manager Application Manager
The cost analysis capability in Amazon Q (preview)
