Billing and Cost Management policy examples - AWS Billing and Cost Management

Billing and Cost Management policy examples

This topic contains example policies that you can attach to your IAM user or group to control access to your account's billing information and tools. The following basic rules apply to IAM policies for Billing and Cost Management:

  • Version is always 2012-10-17.

  • Effect is always Allow or Deny.

  • Action is the name of the action or a wildcard (*).

    The action prefix is budgets for AWS Budgets, cur for AWS Cost and Usage Reports, aws-portal for AWS Billing, or ce for Cost Explorer.

  • Resource is always * for AWS Billing.

    For actions that are performed on a budget resource, specify the budget Amazon Resource Name (ARN).

  • It's possible to have multiple statements in one policy.

Note

These policies require that you activate IAM user access to the Billing and Cost Management console on the Account Settings console page. For more information, see Activating access to the Billing and Cost Management console.

Allow IAM users to view your billing information

To allow an IAM user to view your billing information without giving the IAM user access to sensitive account information, use a policy similar to the following example policy. Such a policy prevents users from accessing your password and account activity reports. This policy allows IAM users to view the following Billing and Cost Management console pages, without giving them access to the Account Settings or Reports console pages:

  • Dashboard

  • Cost Explorer

  • Bills

  • Orders and invoices

  • Consolidated Billing

  • Preferences

  • Credits

  • Advance Payment

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "aws-portal:ViewBilling", "Resource": "*" } ] }

Allow IAM users to access the reports console page

To allow an IAM user to access the Reports console page and to view the usage reports that contain account activity information, use a policy similar to this example policy.

For definitions of each action, see Billing and Cost Management actions policies.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "aws-portal:ViewUsage", "aws-portal:ViewBilling", "cur:DescribeReportDefinitions", "cur:PutReportDefinition", "cur:DeleteReportDefinition", "cur:ModifyReportDefinition" ], "Resource": "*" } ] }

Deny IAM users access to the Billing and Cost Management console

To explicitly deny an IAM user access to the all Billing and Cost Management console pages, use a policy similar to this example policy.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Deny", "Action": "aws-portal:*", "Resource": "*" } ] }

Allow full access to AWS services but deny IAM users access to the Billing and Cost Management console

To deny IAM users access to everything on the Billing and Cost Management console, use the following policy. Deny user access to AWS Identity and Access Management (IAM) to prevent access to the policies that control access to billing information and tools.

Important

This policy doesn't allow any actions. Use this policy in combination with other policies that allow specific actions.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Deny", "Action": [ "aws-portal:*", "iam:*" ], "Resource": "*" } ] }

Allow IAM users to view the Billing and Cost Management console except for account settings

This policy allows read-only access to all of the Billing and Cost Management console. This includes the Payments Method and Reports console pages. However, this policy denies access to the Account Settings page. This means it protects the account password, contact information, and security questions.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "aws-portal:View*", "Resource": "*" }, { "Effect": "Deny", "Action": "aws-portal:*Account", "Resource": "*" } ] }

Allow IAM users to modify billing information

To allow IAM users to modify account billing information in the Billing and Cost Management console, allow IAM users to view your billing information. The following policy example allows an IAM user to modify the Consolidated Billing, Preferences, and Credits console pages. It also allows an IAM user to view the following Billing and Cost Management console pages:

  • Dashboard

  • Cost Explorer

  • Bills

  • Orders and invoices

  • Advance Payment

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "aws-portal:*Billing", "Resource": "*" } ] }

Allow IAM users to create budgets

To allow IAM users to create budgets in the Billing and Cost Management console, llow IAM users to view your billing information, create CloudWatch alarms, and create Amazon SNS notifications. The following policy example allows an IAM user to modify the Budget console page.

{ "Version": "2012-10-17", "Statement": [ { "Sid": "Stmt1435216493000", "Effect": "Allow", "Action": [ "aws-portal:ViewBilling", "aws-portal:ModifyBilling", "budgets:ViewBudget", "budgets:ModifyBudget" ], "Resource": [ "*" ] }, { "Sid": "Stmt1435216514000", "Effect": "Allow", "Action": [ "cloudwatch:*" ], "Resource": [ "*" ] }, { "Sid": "Stmt1435216552000", "Effect": "Allow", "Action": [ "sns:*" ], "Resource": [ "arn:aws:sns:us-east-1" ] } ] }

Deny access to account settings, but allow full access to all other billing and usage information

To protect your account password, contact information, and security questions, deny IAM user access to Account Settings while still enabling full access to the rest of the functionality in the Billing and Cost Management console. The following is an example policy.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "aws-portal:*Billing", "aws-portal:*Usage", "aws-portal:*PaymentMethods" ], "Resource": "*" }, { "Effect": "Deny", "Action": "aws-portal:*Account", "Resource": "*" } ] }

Deposit reports into an Amazon S3 bucket

The following policy allows Billing and Cost Management to save your detailed AWS bills to an Amazon S3 bucket if you own both the AWS account and the Amazon S3 bucket. This policy must be applied to the Amazon S3 bucket, rather than an IAM user. This is because it's a resource-based policy, not a user-based policy. We recommend that you deny IAM user access to the bucket for IAM users who don't need access to your bills.

Replace bucketname with the name of your bucket.

For more information, see Using Bucket Policies and User Policies in the Amazon Simple Storage Service Developer Guide.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "billingreports.amazonaws.com" }, "Action": [ "s3:GetBucketAcl", "s3:GetBucketPolicy" ], "Resource": "arn:aws:s3:::bucketname" }, { "Effect": "Allow", "Principal": { "Service": "billingreports.amazonaws.com" }, "Action": "s3:PutObject", "Resource": "arn:aws:s3:::bucketname/*" } ] }

Find products and prices

To allow an IAM user to use the AWS Price List Service API, use the following policy to grant them access.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "pricing:DescribeServices", "pricing:GetAttributeValues", "pricing:GetProducts" ], "Resource": [ "*" ] } ] }

View costs and usage

To allow IAM users to use the AWS Cost Explorer API, use the following policy to grant them access.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ce:*" ], "Resource": [ "*" ] } ] }

Enable and disable AWS Regions

For an example IAM policy that allows users to enable and disable Regions, see AWS: Allows Enabling and Disabling AWS Regions in the IAM User Guide.

View and manage cost categories

To allow IAM users to use, view, and manage cost categories, use the following policy to grant them access.

{ "Version": "2012-10-17", "Statement": [ { "Sid": "VisualEditor0", "Effect": "Allow", "Action": [ "aws-portal:ViewBilling", "ce:DescribeCostCategoryDefinition", "ce:UpdateCostCategoryDefinition", "ce:CreateCostCategoryDefinition", "ce:DeleteCostCategoryDefinition", "ce:ListCostCategoryDefinitions", "pricing:DescribeServices" ], "Resource": "*" } ] }

Create, view, edit, or delete AWS Cost and Usage Reports

This policy allows an IAM user to create, view, edit, or delete sample-report using the API.

{ "Version": "2012-10-17", "Statement": [ { "Sid": "ManageSampleReport", "Effect": "Allow", "Action": [ "cur:PutReportDefinition", "cur:DeleteReportDefinition", "cur:ModifyReportDefinition" ], "Resource": "arn:aws:cur:*:123456789012:definition/sample-report" }, { "Sid": "DescribeReportDefs", "Effect": "Allow", "Action": "cur:DescribeReportDefinitions", "Resource": "*" } ] }

View and manage purchase orders

This policy allows an IAM user to view and manage purchase orders, using the following policy to grant access.

{ "Version": "2012-10-17", "Statement": [ { "Sid": "VisualEditor0", "Effect": "Allow", "Action": [ "aws-portal:ViewBilling", "purchase-orders:ViewPurchaseOrders", "purchase-orders:ModifyPurchaseOrders" ], "Resource": "*" } ] }

View and update the Cost Explorer preferences page

This policy allows an IAM user to view and update using the Cost Explorer preferences page.

{ "Version": "2012-10-17", "Statement": [ { "Sid": "VisualEditor0", "Effect": "Allow", "Action": [ "aws-portal:ViewBilling", "ce:UpdatePreferences" ], "Resource": "*" } ] }

The following policy allows IAM users to view Cost Explorer, but deny permission to view or edit the Preferences page.

{ "Version": "2012-10-17", "Statement": [ { "Sid": "VisualEditor0", "Effect": "Allow", "Action": [ "aws-portal:ViewBilling" ], "Resource": "*" }, { "Sid": "VisualEditor1", "Effect": "Deny", "Action": [ "ce:GetPreferences", "ce:UpdatePreferences" ], "Resource": "*" } ] }

The following policy allows IAM users to view Cost Explorer, but deny permission to edit the Preferences page.

{ "Version": "2012-10-17", "Statement": [ { "Sid": "VisualEditor0", "Effect": "Allow", "Action": [ "aws-portal:ViewBilling" ], "Resource": "*" }, { "Sid": "VisualEditor1", "Effect": "Deny", "Action": [ "ce:UpdatePreferences" ], "Resource": "*" } ] }

View, create, update, and delete using the Cost Explorer reports page

This policy allows an IAM user to view, create, update, and delete using the Cost Explorer reports page.

{ "Version": "2012-10-17", "Statement": [ { "Sid": "VisualEditor0", "Effect": "Allow", "Action": [ "aws-portal:ViewBilling", "ce:CreateReport", "ce:UpdateReport", "ce:DeleteReport" ], "Resource": "*" } ] }

The following policy allows IAM users to view Cost Explorer, but deny permission to view or edit the Reports page.

{ "Version": "2012-10-17", "Statement": [ { "Sid": "VisualEditor0", "Effect": "Allow", "Action": [ "aws-portal:ViewBilling" ], "Resource": "*" }, { "Sid": "VisualEditor1", "Effect": "Deny", "Action": [ "ce:DescribeReport", "ce:CreateReport", "ce:UpdateReport", "ce:DeleteReport" ], "Resource": "*" } ] }

The following policy allows IAM users to view Cost Explorer, but deny permission to edit the Reports page.

{ "Version": "2012-10-17", "Statement": [ { "Sid": "VisualEditor0", "Effect": "Allow", "Action": [ "aws-portal:ViewBilling" ], "Resource": "*" }, { "Sid": "VisualEditor1", "Effect": "Deny", "Action": "ce:CreateReport", "ce:UpdateReport", "ce:DeleteReport" ], "Resource": "*" } ] }

View, create, update, and delete reservation and Savings Plans alerts

This policy allows an IAM user to view, create, update, and delete reservation expiration alerts and Savings Plans alerts. To edit reservation expiration alerts or Savings Plans alerts, a user needs all three granular actions: ce:CreateNotificationSubscription, ce:UpdateNotificationSubscription, and ce:DeleteNotificationSubscription.

{ "Version": "2012-10-17", "Statement": [ { "Sid": "VisualEditor0", "Effect": "Allow", "Action": [ "aws-portal:ViewBilling", "ce:CreateNotificationSubscription", "ce:UpdateNotificationSubscription", "ce:DeleteNotificationSubscription" ], "Resource": "*" } ] }

The following policy allows IAM users to view Cost Explorer, but denies permission to view or edit the Reservation Expiration Alerts and Savings Plans alert pages.

{ "Version": "2012-10-17", "Statement": [ { "Sid": "VisualEditor0", "Effect": "Allow", "Action": [ "aws-portal:ViewBilling" ], "Resource": "*" }, { "Sid": "VisualEditor1", "Effect": "Deny", "Action": [ "ce:DescribeNotificationSubscription", "ce:CreateNotificationSubscription", "ce:UpdateNotificationSubscription", "ce:DeleteNotificationSubscription" ], "Resource": "*" } ] }

The following policy allows IAM users to view Cost Explorer, but denies permission to edit the Reservation Expiration Alerts and Savings Plans alert pages.

{ "Version": "2012-10-17", "Statement": [ { "Sid": "VisualEditor0", "Effect": "Allow", "Action": [ "aws-portal:ViewBilling" ], "Resource": "*" }, { "Sid": "VisualEditor1", "Effect": "Deny", "Action": [ "ce:CreateNotificationSubscription", "ce:UpdateNotificationSubscription", "ce:DeleteNotificationSubscription" ], "Resource": "*" } ] }

Allow read-only access to AWS Cost Anomaly Detection

To allow IAM users read-only access to AWS Cost Anomaly Detection, use the following policy to grant them access. ce:ProvideAnomalyFeedback is optional as a part of the read-only access.

{ "Version": "2012-10-17", "Statement": [ { "Action": [ "ce:Get*" ], "Effect": "Allow", "Resource": "*" } ] }

Allow AWS Budgets to apply IAM policies and SCPs

This policy allows AWS Budgets to apply IAM policies and service control policies (SCPs) on behalf of the user.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "iam:AttachGroupPolicy", "iam:AttachRolePolicy", "iam:AttachUserPolicy", "iam:DetachGroupPolicy", "iam:DetachRolePolicy", "iam:DetachUserPolicy", "organizations:AttachPolicy", "organizations:DetachPolicy" ], "Resource": "*" } ] }

Allow AWS Budgets to apply IAM policies and SCPs and target EC2 and RDS instances

This policy allows AWS Budgets to apply IAM policies and service control policies (SCPs), and to target Amazon EC2 and Amazon RDS instances on behalf of the user.

Trust policy

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "budgets.amazonaws.com" }, "Action": "sts:AssumeRole" } ] }

Permissions policy

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ec2:DescribeInstanceStatus", "ec2:StartInstances", "ec2:StopInstances", "iam:AttachGroupPolicy", "iam:AttachRolePolicy", "iam:AttachUserPolicy", "iam:DetachGroupPolicy", "iam:DetachRolePolicy", "iam:DetachUserPolicy", "organizations:AttachPolicy", "organizations:DetachPolicy", "rds:DescribeDBInstances", "rds:StartDBInstance", "rds:StopDBInstance", "ssm:StartAutomationExecution" ], "Resource": "*" } ] }