AWS Billing and Cost Management
User Guide (Version 2.0)

Billing and Cost Management Permissions Reference

This reference summarizes the default actions that are permitted in Billing and Cost Management for each type of billing user and the billing permissions that you can apply to your IAM users. The reference also provides examples of policies that you can use to allow or deny an IAM user access to your billing information and tools.

For a full discussion of AWS accounts and IAM users, see What Is IAM? in the IAM User Guide.

User Types and Billing Permissions

This table summarizes the default actions that are permitted in Billing and Cost Management for each type of billing user.

User Type Description Billing Permissions
Account owner

The person or entity in whose name your account is set up.

  • Has full control of all Billing and Cost Management resources.

  • Receives a monthly invoice of AWS charges.

IAM user

A person or application defined as a user in an account by an account owner or administrative user. Accounts can contain multiple IAM users.

  • Has permissions explicitly granted to the user or a group that includes the user.

  • Can be granted permission to view Billing and Cost Management console pages. For more information, see Controlling Access.

  • Can't close accounts.

Organization master account owner

The person or entity associated with an AWS Organizations master account. The master account pays for AWS usage that is incurred by a member account in an organization.

  • Has full control of all Billing and Cost Management resources for the master account only.

  • Receives a monthly invoice of AWS charges for the master account and member accounts.

  • Views the activity of member accounts in the billing reports for the master account.

Organization member account owner

The person or entity associated with an AWS Organizations member account. The master account pays for AWS usage that is incurred by a member account in an organization.

  • Doesn't have permission to review any usage reports or account activity except for its own. Doesn't have access to usage reports or account activity for other member accounts in the organization or for the master account.

  • Doesn't have permission to view billing reports.

  • Has permission to update account information only for its own account. Can't access other member accounts or the master account.

Note

For more information about organization master and member accounts, see the AWS Organizations User Guide.

Billing Actions

This table summarizes the permissions that allow or deny IAM users access to your billing information and tools. For examples of policies that use these permissions, see Billing and Cost Management Policy Examples.

Important

Starting August 19, 2019, the permissions cur:DescribeReportDefinitions, cur:PutReportDefinition, and cur:DeleteReportDefinition apply to all reports created using both the AWS Cost and Usage Report API and the Billing and Cost Management console. If you create reports using the Billing and Cost Management console, we recommend that you update the permissions for IAM users. If you don't update the permissions, users lose the ability to view, edit, and remove reports on the console reports page.

Permission Name Description

aws-portal:ViewBilling

Allow or deny IAM users permission to view the Billing and Cost Management console pages.

aws-portal:ModifyBilling

Allow or deny IAM users permission to modify the following Billing and Cost Management console pages:

To allow IAM users to modify these console pages, you must allow both ModifyBilling and ViewBilling. For an example policy, see Example 6: Allow IAM users to modify billing information.

aws-portal:ViewAccount

Allow or deny IAM users permission to view the following Billing and Cost Management console pages:

aws-portal:ModifyAccount

Allow or deny IAM users permission to modify Account Settings.

To allow IAM users to modify account settings, you must allow both ModifyAccount and ViewAccount.

For an example of a policy that explicitly denies an IAM user access to the Account Settings console page, see Example 8: Deny access to Account Settings, but allow full access to all other billing and usage information.

budgets:ViewBudget

Allow or deny IAM users permission to view Budgets.

To allow IAM users to view budgets, you must also allow ViewBilling.

budgets:ModifyBudget

Allow or deny IAM users permission to modify Budgets.

To allow IAM users to view and modify budgets, you must also allow ViewBilling.

aws-portal:ViewPaymentMethods

Allow or deny IAM users permission to view Payment Methods.

aws-portal:ModifyPaymentMethods

Allow or deny IAM users permission to modify Payment Methods.

To allow users to modify payment methods, you must allow both ModifyPaymentMethods and ViewPaymentMethods.

cur:DescribeReportDefinitions

Allow or deny IAM users permission to view an AWS Cost and Usage Report using the API.

Starting August 19, 2019, this permission applies to both the API and the Billing and Cost Management console.

For an example policy, see Example 10: Create, view, edit, or delete an AWS Cost and Usage report.

cur:PutReportDefinition

Allow or deny IAM users permission to create an AWS Cost and Usage Report.

Starting August 19, 2019, this permission applies to both the API and the Billing and Cost Management console.

For an example policy, see Example 10: Create, view, edit, or delete an AWS Cost and Usage report.

cur:DeleteReportDefinition

Allow or deny IAM users permission to delete an AWS Cost and Usage Report using the API.

Starting August 19, 2019, this permission applies to both the API and the Billing and Cost Management console.

For an example policy, see Example 10: Create, view, edit, or delete an AWS Cost and Usage report.

cur:ModifyReportDefinition

Allow or deny IAM users permission to modify an AWS Cost and Usage Report using the API.

This permission applies to both the API and the Billing and Cost Management console.

For an example policy, see Example 10: Create, view, edit, or delete an AWS Cost and Usage report.

aws-portal:ViewUsage

Allow or deny IAM users permission to view AWS usage reports.

To allow IAM users to view usage reports, you must allow both ViewUsage and ViewBilling.

For an example policy, see Example 2: Allow IAM users to access the Reports console page.

pricing:DescribeServices

Allow or deny IAM users permission to view AWS service products and pricing via the AWS Price List Service API.

To allow IAM users to use AWS Price List Service API, you must allow DescribeServices, GetAttributeValues, and GetProducts.

For an example policy, see Example 11: Find products and prices.

pricing:GetAttributeValues

Allow or deny IAM users permission to view AWS service products and pricing via the AWS Price List Service API.

To allow IAM users to use AWS Price List Service API, you must allow DescribeServices, GetAttributeValues, and GetProducts.

For an example policy, see Example 11: Find products and prices.

pricing:GetProducts

Allow or deny IAM users permission to view AWS service products and pricing via the AWS Price List Service API.

To allow IAM users to use AWS Price List Service API, you must allow DescribeServices, GetAttributeValues, and GetProducts.

For an example policy, see Example 11: Find products and prices.

Billing Region Actions

The following table summarizes the permissions that allow or deny IAM users the ability to enable or disable AWS Regions or to display a list of Regions and their current status. For examples of policies that use these permissions, see Managing an AWS Account.

Permission Name Description
account:EnableRegion Allow or deny users permission to enable a Region.
account:DisableRegion Allow or deny users permission to disable a Region.
account:ListRegions Allow users to list all Regions and the current enabled or disabled status.

Billing and Cost Management Policy Examples

This topic contains example policies that you can attach to your IAM user or group to control access to your account's billing information and tools. The following basic rules apply to IAM policies for Billing and Cost Management:

  • Version is always 2012-10-17.

  • Effect is always Allow or Deny.

  • Action is the name of the action or a wildcard (*).

    For consoles, the action prefix in China is awsbillingconsole. Everywhere else, it's aws-portal.

    The action prefix is budgets for AWS Budgets, cur for AWS Cost and Usage reports, aws-portal for AWS Billing, or ce for Cost Explorer.

  • Resource is always * for AWS Billing.

    For actions performed on a budget resource, specify the budget Amazon Resource Name (ARN).

  • It's possible to have multiple statements in one policy.

Note

These policies require that you activate IAM user access to the Billing and Cost Management console on the Account Settings console page. For more information, see Activating Access to the Billing and Cost Management Console.

Example 1: Allow IAM users to view your billing information

To allow an IAM user to view your billing information without giving the IAM user access to sensitive account information, such as your password and account activity reports, use a policy similar to the following example policy. This policy allows IAM users to view the following Billing and Cost Management console pages, without giving them access to the Account Settings or Reports console pages:

  • Dashboard

  • Cost Explorer

  • Bills

  • Orders and invoices

  • Consolidated Billing

  • Preferences

  • Credits

  • Advance Payment

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "aws-portal:ViewBilling",
            "Resource": "*"
        }
    ]
}

Example 2: Allow IAM users to access the Reports console page

To allow an IAM user to access the Reports console page and to view the usage reports that contain account activity information, use a policy similar to this example policy.

For definitions of each action, see Billing Actions.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "aws-portal:ViewUsage",
                "aws-portal:ViewBilling",
                "cur:DescribeReportDefinitions",
                "cur:PutReportDefinition",
                "cur:DeleteReportDefinition",
                "cur:ModifyReportDefinition"
            ],
            "Resource": "*"
        }
    ]
}

Example 3: Deny IAM users access to the Billing and Cost Management console

To explicitly deny an IAM user access to all Billing and Cost Management console pages, use a policy similar to this example policy.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": "aws-portal:*",
            "Resource": "*"
        }
    ]
}

Example 4: Allow full access to AWS services but deny IAM users access to the Billing and Cost Management console

To deny IAM users access to everything on the Billing and Cost Management console, use the following policy. In this case, you should also deny user access to AWS Identity and Access Management (IAM) so that the users can't access the policies that control access to billing information and tools.

Important

This policy doesn't allow any actions. Use this policy in combination with other policies that allow specific actions.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": [
                "aws-portal:*",
                "iam:*"
            ],
            "Resource": "*"
        }
    ]
}

Example 5: Allow IAM users to view the Billing and Cost Management console except for Account Settings

This policy allows read-only access to all of the Billing and Cost Management console, including the Payment Methods and Reports console pages, but denies access to the Account Settings page, thus protecting the account password, contact information, and security questions.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "aws-portal:View*",
            "Resource": "*"
        },
        {
            "Effect": "Deny",
            "Action": "aws-portal:*Account",
            "Resource": "*"
        }
    ]
}

Example 6: Allow IAM users to modify billing information

To allow IAM users to modify account billing information in the Billing and Cost Management console, you must also allow IAM users to view your billing information. The following policy example allows an IAM user to modify the Consolidated Billing, Preferences, and Credits console pages. It also allows an IAM user to view the following Billing and Cost Management console pages:

  • Dashboard

  • Cost Explorer

  • Bills

  • Orders and invoices

  • Advance Payment

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "aws-portal:*Billing",
            "Resource": "*"
        }
    ]
}

Example 7: Allow IAM users to create budgets

To allow IAM users to create budgets in the Billing and Cost Management console, you must also allow IAM users to view your billing information, create CloudWatch alarms, and create Amazon SNS notifications. The following policy example allows an IAM user to modify the Budget console page.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1435216493000",
            "Effect": "Allow",
            "Action": [
                "aws-portal:ViewBilling",
                "aws-portal:ModifyBilling",
                "budgets:ViewBudget",
                "budgets:ModifyBudget"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "Stmt1435216514000",
            "Effect": "Allow",
            "Action": [
                "cloudwatch:*"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "Stmt1435216552000",
            "Effect": "Allow",
            "Action": [
                "sns:*"
            ],
            "Resource": [
                "arn:aws:sns:us-east-1"
            ]
        }
    ]
}

Example 8: Deny access to Account Settings, but allow full access to all other billing and usage information

To protect your account password, contact information, and security questions, you can deny IAM user access to Account Settings while still enabling full access to the rest of the functionality in the Billing and Cost Management console, as shown in the following example.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "aws-portal:*Billing",
                "aws-portal:*Usage",
                "aws-portal:*PaymentMethods"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Deny",
            "Action": "aws-portal:*Account",
            "Resource": "*"
        }
    ]
}
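
The companion-permission rules in the Billing Actions table (for example, ModifyBilling also needs ViewBilling) interact with the wildcard and explicit Deny patterns used in Examples 5 and 8. The following Python check is an added example, not AWS code: it expands a policy's Action patterns against the actions named in those rules, drops anything matched by a Deny, and reports companions that are still missing. The function names are hypothetical, and Resource, Condition and NotAction are ignored as a simplification.

```python
import fnmatch

# Companion rules from the Billing Actions table: each key also needs its values.
REQUIRES = {
    "aws-portal:ModifyBilling": ["aws-portal:ViewBilling"],
    "aws-portal:ModifyAccount": ["aws-portal:ViewAccount"],
    "aws-portal:ModifyPaymentMethods": ["aws-portal:ViewPaymentMethods"],
    "aws-portal:ViewUsage": ["aws-portal:ViewBilling"],
    "budgets:ViewBudget": ["aws-portal:ViewBilling"],
    "budgets:ModifyBudget": ["aws-portal:ViewBilling"],
}
PRICING = ["pricing:DescribeServices", "pricing:GetAttributeValues", "pricing:GetProducts"]
REQUIRES.update({a: [b for b in PRICING if b != a] for a in PRICING})
KNOWN = sorted(set(REQUIRES) | {d for deps in REQUIRES.values() for d in deps})


def _patterns(statement):
    action = statement.get("Action", [])
    return [action] if isinstance(action, str) else list(action)


def _matches(action, patterns):
    # IAM action names are case-insensitive; * and ? are the wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def effective_actions(policy):
    """Billing actions left allowed after explicit Deny (Resource/Condition ignored)."""
    stmts = policy["Statement"]
    stmts = [stmts] if isinstance(stmts, dict) else stmts
    allow = [p for s in stmts if s.get("Effect") == "Allow" for p in _patterns(s)]
    deny = [p for s in stmts if s.get("Effect") == "Deny" for p in _patterns(s)]
    return {a for a in KNOWN if _matches(a, allow) and not _matches(a, deny)}


def missing_companions(policy):
    """Map each allowed action to the companion permissions it still lacks."""
    allowed = effective_actions(policy)
    gaps = {a: [d for d in REQUIRES.get(a, []) if d not in allowed] for a in allowed}
    return {a: d for a, d in sorted(gaps.items()) if d}


# Example 5 from this page: read-only access with Account Settings denied.
EXAMPLE_5 = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "aws-portal:View*", "Resource": "*"},
    {"Effect": "Deny", "Action": "aws-portal:*Account", "Resource": "*"}]}
# Constructed policy: budget permissions granted without ViewBilling.
BUDGET_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "budgets:*", "Resource": "*"}]}
```

Calling missing_companions(BUDGET_ONLY) flags both budget actions as lacking aws-portal:ViewBilling, while Example 5 passes with ViewAccount removed by the Deny statement.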

Example 9: Deposit reports into an Amazon S3 bucket

The following policy allows Billing and Cost Management to save your detailed AWS bills to an Amazon S3 bucket, as long as you own both the AWS account and the Amazon S3 bucket. Note that this policy must be applied to the Amazon S3 bucket, instead of to an IAM user. That is, it's a resource-based policy, not a user-based policy. You should deny IAM user access to the bucket for IAM users who don't need access to your bills.

Replace bucketname with the name of your bucket.

For more information, see Using Bucket Policies and User Policies.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "billingreports.amazonaws.com"
            },
            "Action": [
                "s3:GetBucketAcl",
                "s3:GetBucketPolicy"
            ],
            "Resource": "arn:aws:s3:::bucketname"
        },
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "billingreports.amazonaws.com"
            },
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::bucketname/*"
        }
    ]
}

Example 10: Create, view, edit, or delete an AWS Cost and Usage report

This policy allows an IAM user to create, view, edit, or delete sample-report using the API.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ManageSampleReport",
            "Effect": "Allow",
            "Action": [
                "cur:PutReportDefinition",
                "cur:DeleteReportDefinition",
                "cur:ModifyReportDefinition"
            ],
            "Resource": "arn:aws:cur:*:123456789012:definition/sample-report"
        },
        {
            "Sid": "DescribeReportDefs",
            "Effect": "Allow",
            "Action": "cur:DescribeReportDefinitions",
            "Resource": "*"
        }
    ]
}

Example 11: Find products and prices

To allow an IAM user to use the AWS Price List Service API, use the following policy to grant them access.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "pricing:DescribeServices",
                "pricing:GetAttributeValues",
                "pricing:GetProducts"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

Example 12: View costs and usage

To allow IAM users to use the AWS Cost Explorer API, use the following policy to grant them access.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ce:*"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

Example 13: Enable and Disable Regions

For an example IAM policy that allows users to enable and disable Regions, see AWS: Allows Enabling and Disabling AWS Regions in the IAM User Guide.