
Using identity-based policies (IAM policies) for AWS Billing

Note

The following AWS Identity and Access Management (IAM) actions reached the end of standard support in July 2023:

  • aws-portal namespace

  • purchase-orders:ViewPurchaseOrders

  • purchase-orders:ModifyPurchaseOrders

If you haven't migrated the old IAM actions to the new fine-grained actions, you have until December 2023 to do so.

If you're using AWS Organizations, you can use the bulk policy migrator scripts to update policies from your payer account. You can also use the old-to-granular action mapping reference to verify the IAM actions that need to be added.

For more information, see the Changes to AWS Billing, AWS Cost Management, and Account Consoles Permission blog post.

If your AWS account, or the AWS Organizations organization you are part of, was created on or after March 6, 2023, 11:00 AM (PDT), the fine-grained actions are already in effect for you.

This topic provides examples of several identity-based policies. These policies demonstrate how an account administrator attaches permissions policies to IAM identities (users, groups, and roles) to grant permissions so that they can perform actions on Billing resources.

For more information about your AWS account, IAM identities, and customer managed policies, see the following topics in the IAM User Guide:

Important

In addition to IAM policies, you must grant IAM access to the Billing and Cost Management console on the Account Settings console page.

For more information, see the following topics:

AWS Billing actions

This table summarizes the permissions that allow or deny IAM users access to your billing information and tools. For examples of policies that use these permissions, see AWS Billing policy examples.

For a list of actions policies for the AWS Cost Management console, see AWS Cost Management actions policies in the AWS Cost Management User Guide.

Permission name Description

aws-portal:ViewBilling

Allow or deny IAM users permission to view the Billing and Cost Management console pages.

aws-portal:ModifyBilling

Allow or deny IAM users permission to modify the following Billing and Cost Management console pages:

To allow IAM users to modify these console pages, you must allow both ModifyBilling and ViewBilling. For an example policy, see Allow IAM users to modify billing information.

aws-portal:ViewAccount

Allow or deny IAM users permission to view Account Settings.

aws-portal:ModifyAccount

Allow or deny IAM users permission to modify Account Settings.

To allow IAM users to modify account settings, you must allow both ModifyAccount and ViewAccount.

For an example of a policy that explicitly denies an IAM user access to the Account Settings console page, see Deny access to account settings, but allow full access to all other billing and usage information.

aws-portal:ViewPaymentMethods

Allow or deny IAM users permission to view Payment Methods.

aws-portal:ModifyPaymentMethods

Allow or deny IAM users permission to modify Payment Methods.

To allow users to modify payment methods, you must allow both ModifyPaymentMethods and ViewPaymentMethods.

billing:ListBillingViews

Allow or deny users permission to get billing information for pro forma billing groups. These groups are created with AWS Billing Conductor and are viewed on the Bills page or through AWS Cost and Usage Reports.

For more information about viewing your billing group details, see Viewing your billing group details in the AWS Billing Conductor User Guide.

sustainability:GetCarbonFootprintSummary

Allow or deny IAM users permission to view the AWS customer carbon footprint tool and data. This is accessible from the AWS Cost and Usage Reports page of the Billing and Cost Management console.

For an example of a policy, see Allow IAM users to view your billing information and carbon footprint report.

cur:DescribeReportDefinitions

Allow or deny IAM users permission to view AWS Cost and Usage Reports.

AWS Cost and Usage Reports permissions apply to all reports that are created using the AWS Cost and Usage Reports Service API and the Billing and Cost Management console. If you create reports using the Billing and Cost Management console, we recommend that you update the permissions for IAM users. Not updating the permissions will result in users losing access to viewing, editing, and removing reports on the console reports page.

For an example of a policy, see Allow IAM users to access the reports console page.

cur:PutReportDefinition

Allow or deny IAM users permission to create AWS Cost and Usage Reports.

AWS Cost and Usage Reports permissions apply to all reports that are created using the AWS Cost and Usage Reports Service API and the Billing and Cost Management console. If you create reports using the Billing and Cost Management console, we recommend that you update the permissions for IAM users. Not updating the permissions will result in users losing access to viewing, editing, and removing reports on the console reports page.

For an example of a policy, see Allow IAM users to access the reports console page.

cur:DeleteReportDefinition

Allow or deny IAM users permission to delete AWS Cost and Usage Reports.

AWS Cost and Usage Reports permissions apply to all reports that are created using the AWS Cost and Usage Reports Service API and the Billing and Cost Management console. If you create reports using the Billing and Cost Management console, we recommend that you update the permissions for IAM users. Not updating the permissions will result in users losing access to viewing, editing, and removing reports on the console reports page.

For an example of a policy, see Create, view, edit, or delete AWS Cost and Usage Reports.

cur:ModifyReportDefinition

Allow or deny IAM users permission to modify AWS Cost and Usage Reports.

AWS Cost and Usage Reports permissions apply to all reports that are created using the AWS Cost and Usage Reports Service API and the Billing and Cost Management console. If you create reports using the Billing and Cost Management console, we recommend that you update the permissions for IAM users. Not updating the permissions will result in users losing access to viewing, editing, and removing reports on the console reports page.

For an example of a policy, see Create, view, edit, or delete AWS Cost and Usage Reports.

ce:CreateCostCategoryDefinition

Allow or deny IAM users permissions to create cost categories.

For an example policy, see View and manage cost categories.

ce:DeleteCostCategoryDefinition

Allow or deny IAM users permissions to delete cost categories.

For an example policy, see View and manage cost categories.

ce:DescribeCostCategoryDefinition

Allow or deny IAM users permissions to view cost categories.

For an example policy, see View and manage cost categories.

ce:ListCostCategoryDefinitions

Allow or deny IAM users permissions to list cost categories.

For an example policy, see View and manage cost categories.

ce:UpdateCostCategoryDefinition

Allow or deny IAM users permissions to update cost categories.

For an example policy, see View and manage cost categories.

aws-portal:ViewUsage

Allow or deny IAM users permission to view AWS Usage Reports.

To allow IAM users to view usage reports, you must allow both ViewUsage and ViewBilling.

For an example policy, see Allow IAM users to access the reports console page.

pricing:DescribeServices

Allow or deny IAM users permission to view AWS service products and pricing via the AWS Price List Service API.

To allow IAM users to use AWS Price List Service API, you must allow DescribeServices, GetAttributeValues, and GetProducts.

For an example policy, see Find products and prices.

pricing:GetAttributeValues

Allow or deny IAM users permission to view AWS service products and pricing via the AWS Price List Service API.

To allow IAM users to use AWS Price List Service API, you must allow DescribeServices, GetAttributeValues, and GetProducts.

For an example policy, see Find products and prices.

pricing:GetProducts

Allow or deny IAM users permission to view AWS service products and pricing via the AWS Price List Service API.

To allow IAM users to use AWS Price List Service API, you must allow DescribeServices, GetAttributeValues, and GetProducts.

For an example policy, see Find products and prices.

purchase-orders:ViewPurchaseOrders

Allow or deny IAM users permission to view Purchase Orders.

For an example policy, see View and manage purchase orders.

purchase-orders:ModifyPurchaseOrders

Allow or deny IAM users permission to modify Purchase Orders.

For an example policy, see View and manage purchase orders.

tax:GetExemptions

Allows IAM users read-only access to view exemptions and exemption types in the tax console.

For an example policy, see Allow IAM users to view US tax exemptions and create AWS Support cases.

tax:UpdateExemptions

Allows IAM users to upload an exemption to the US tax exemptions console.

For an example policy, see Allow IAM users to view US tax exemptions and create AWS Support cases.

support:CreateCase

Allows IAM users to file support cases, which is required to upload an exemption from the tax exemptions console.

For an example policy, see Allow IAM users to view US tax exemptions and create AWS Support cases.

support:AddAttachmentsToSet

Allows IAM users to attach documents to support cases that are required to upload exemption certificates to the tax exemption console.

For an example policy, see Allow IAM users to view US tax exemptions and create AWS Support cases.

customer-verification:GetCustomerVerificationEligibility

(For customers with an India billing or contact address only)

Allow or deny IAM users permission to retrieve customer verification eligibility.

customer-verification:GetCustomerVerificationDetails

(For customers with an India billing or contact address only)

Allow or deny IAM users permission to retrieve customer verification data.

customer-verification:CreateCustomerVerificationDetails

(For customers with an India billing or contact address only)

Allow or deny IAM users permission to create customer verification data.

customer-verification:UpdateCustomerVerificationDetails

(For customers with an India billing or contact address only)

Allow or deny IAM users permission to update customer verification data.
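The note at the top of this topic and the actions table above state two kinds of constraint that are easy to get wrong when writing policies by hand: legacy actions (the aws-portal namespace and purchase-orders:ViewPurchaseOrders/ModifyPurchaseOrders) that reached the end of standard support, and actions that only work when granted together (each aws-portal Modify action with its View partner, ViewUsage with ViewBilling, and the three pricing actions). The following Python script is an added example, not AWS code or part of this page; it lints a policy document against exactly those stated constraints, matching IAM wildcards such as "aws-portal:*Billing". The sample policies are constructed, and the script only inspects the Action patterns of Allow statements (it does not evaluate Deny, conditions, resources, or SCPs, so it is a pre-commit check rather than an authorization simulator).

```python
"""Lint AWS Billing IAM policy documents for the constraints stated on this page.

Added example, not AWS code.  Checks performed:
  * Allow patterns that match legacy actions past end of standard support;
  * aws-portal Modify*/ViewUsage actions granted without their required partner;
  * pricing:* actions granted without the other two of the trio.
Only the Action patterns of Allow statements are inspected (assumption: this is
a static pre-commit check, not a full IAM authorization simulation).
"""
import fnmatch
import json
import sys

# Legacy actions listed in this page's note (end of standard support, July 2023).
LEGACY_PATTERNS = (
    "aws-portal:*",
    "purchase-orders:ViewPurchaseOrders",
    "purchase-orders:ModifyPurchaseOrders",
)

# "To allow X, you must also allow Y" pairs taken from the actions table.
CO_REQUIREMENTS = {
    "aws-portal:ModifyBilling": ("aws-portal:ViewBilling",),
    "aws-portal:ModifyAccount": ("aws-portal:ViewAccount",),
    "aws-portal:ModifyPaymentMethods": ("aws-portal:ViewPaymentMethods",),
    "aws-portal:ViewUsage": ("aws-portal:ViewBilling",),
    "pricing:DescribeServices": ("pricing:GetAttributeValues", "pricing:GetProducts"),
    "pricing:GetAttributeValues": ("pricing:DescribeServices", "pricing:GetProducts"),
    "pricing:GetProducts": ("pricing:DescribeServices", "pricing:GetAttributeValues"),
}


def _as_list(value):
    """IAM allows a single string or a list for Statement and Action."""
    return value if isinstance(value, list) else [value]


def allowed_patterns(policy):
    """Action patterns from every Allow statement (Deny statements are ignored)."""
    patterns = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") == "Allow" and "Action" in stmt:
            patterns.extend(_as_list(stmt["Action"]))
    return patterns


def _matches(name, pattern):
    """IAM action matching: case-insensitive, with * and ? wildcards."""
    return fnmatch.fnmatchcase(name.lower(), pattern.lower())


def grants(policy, action):
    """True if some Allow pattern in the policy covers `action`."""
    return any(_matches(action, p) for p in allowed_patterns(policy))


def lint(policy):
    """Return a list of findings; an empty list means the policy passes these checks."""
    findings = []
    for p in allowed_patterns(policy):
        if any(_matches(p, legacy) for legacy in LEGACY_PATTERNS):
            findings.append(f"legacy action pattern {p!r}: migrate to the fine-grained actions")
    for action, partners in CO_REQUIREMENTS.items():
        if grants(policy, action):
            for partner in partners:
                if not grants(policy, partner):
                    findings.append(f"{action} is allowed but required partner {partner} is not")
    return findings


# Constructed sample: a Modify action without its View partner, one legacy action,
# and only one of the three pricing actions.  The Deny statement is ignored by lint().
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["aws-portal:ModifyBilling",
                    "purchase-orders:ViewPurchaseOrders",
                    "pricing:GetProducts"],
         "Resource": "*"},
        {"Effect": "Deny", "Action": "aws-portal:ModifyAccount", "Resource": "*"},
    ],
}

# Constructed sample that satisfies the pricing trio requirement.
PRICING_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Action": ["pricing:DescribeServices",
                              "pricing:GetAttributeValues",
                              "pricing:GetProducts"],
                   "Resource": "*"}],
}

if __name__ == "__main__":
    # Usage: python lint_billing_policy.py [policy.json]; defaults to the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            doc = json.load(fh)
    else:
        doc = SAMPLE_POLICY
    for finding in lint(doc) or ["no findings"]:
        print(finding)
```

Run without arguments it reports five findings for the constructed sample (two legacy patterns, the missing ViewBilling partner, and the two missing pricing partners) and none for the pricing-only policy.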

AWS managed policies

Managed policies are standalone identity-based policies that you can attach to multiple users, groups, and roles in your AWS account. You can use AWS managed policies to control access in Billing.

An AWS managed policy is a standalone policy that's created and administered by AWS. AWS managed policies are designed to provide permissions for many common use cases. AWS managed policies make it easier for you to assign appropriate permissions to users, groups, and roles than if you had to write the policies yourself.

You can't change the permissions defined in AWS managed policies. AWS occasionally updates the permissions that are defined in an AWS managed policy. When this occurs, the update affects all principal entities (users, groups, and roles) that the policy is attached to.

Billing provides several AWS managed policies for common use cases.

AWSPurchaseOrdersServiceRolePolicy

This managed policy grants full access to the Billing console and to the purchase orders console. The policy allows the user to view, create, update, and delete the account's purchase orders.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "account:GetAccountInformation",
                "account:GetContactInformation",
                "aws-portal:*Billing",
                "consolidatedbilling:GetAccountBillingRole",
                "invoicing:GetInvoicePDF",
                "payments:GetPaymentInstrument",
                "payments:ListPaymentPreferences",
                "purchase-orders:AddPurchaseOrder",
                "purchase-orders:DeletePurchaseOrder",
                "purchase-orders:GetPurchaseOrder",
                "purchase-orders:ListPurchaseOrderInvoices",
                "purchase-orders:ListPurchaseOrders",
                "purchase-orders:ListTagsForResource",
                "purchase-orders:ModifyPurchaseOrders",
                "purchase-orders:TagResource",
                "purchase-orders:UntagResource",
                "purchase-orders:UpdatePurchaseOrder",
                "purchase-orders:UpdatePurchaseOrderStatus",
                "purchase-orders:ViewPurchaseOrders",
                "tax:ListTaxRegistrations"
            ],
            "Resource": "*"
        }
    ]
}

AWSBillingReadOnlyAccess

This managed policy grants users access to view the AWS Billing console.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "account:GetAccountInformation",
                "aws-portal:ViewBilling",
                "billing:GetBillingData",
                "billing:GetBillingDetails",
                "billing:GetBillingNotifications",
                "billing:GetBillingPreferences",
                "billing:GetContractInformation",
                "billing:GetCredits",
                "billing:GetIAMAccessPreference",
                "billing:GetSellerOfRecord",
                "billing:ListBillingViews",
                "ce:ListCostAllocationTags",
                "consolidatedbilling:GetAccountBillingRole",
                "consolidatedbilling:ListLinkedAccounts",
                "cur:GetClassicReport",
                "cur:GetClassicReportPreferences",
                "cur:GetUsageReport",
                "freetier:GetFreeTierAlertPreference",
                "freetier:GetFreeTierUsage",
                "invoicing:GetInvoiceEmailDeliveryPreferences",
                "invoicing:GetInvoicePDF",
                "invoicing:ListInvoiceSummaries",
                "payments:GetPaymentInstrument",
                "payments:GetPaymentStatus",
                "payments:ListPaymentPreferences",
                "purchase-orders:GetPurchaseOrder",
                "purchase-orders:ListPurchaseOrderInvoices",
                "purchase-orders:ListPurchaseOrders",
                "purchase-orders:ListTagsForResource",
                "purchase-orders:ViewPurchaseOrders",
                "tax:GetTaxInheritance",
                "tax:GetTaxRegistrationDocument",
                "tax:ListTaxRegistrations"
            ],
            "Resource": "*"
        }
    ]
}

Billing

This managed policy grants users permission to view and edit the Billing console and the AWS Cost Management consoles. This includes viewing account usage and modifying budgets and payment methods.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "account:GetAccountInformation",
                "aws-portal:*Billing",
                "aws-portal:*PaymentMethods",
                "aws-portal:*Usage",
                "billing:GetBillingData",
                "billing:GetBillingDetails",
                "billing:GetBillingNotifications",
                "billing:GetBillingPreferences",
                "billing:GetContractInformation",
                "billing:GetCredits",
                "billing:GetIAMAccessPreference",
                "billing:GetSellerOfRecord",
                "billing:ListBillingViews",
                "billing:PutContractInformation",
                "billing:RedeemCredits",
                "billing:UpdateBillingPreferences",
                "billing:UpdateIAMAccessPreference",
                "budgets:ModifyBudget",
                "budgets:ViewBudget",
                "ce:CreateNotificationSubscription",
                "ce:CreateReport",
                "ce:DeleteNotificationSubscription",
                "ce:DeleteReport",
                "ce:ListCostAllocationTags",
                "ce:UpdateCostAllocationTagsStatus",
                "ce:UpdateNotificationSubscription",
                "ce:UpdatePreferences",
                "ce:UpdateReport",
                "consolidatedbilling:GetAccountBillingRole",
                "consolidatedbilling:ListLinkedAccounts",
                "cur:DeleteReportDefinition",
                "cur:DescribeReportDefinitions",
                "cur:GetClassicReport",
                "cur:GetClassicReportPreferences",
                "cur:GetUsageReport",
                "cur:ModifyReportDefinition",
                "cur:PutClassicReportPreferences",
                "cur:PutReportDefinition",
                "cur:ValidateReportDestination",
                "freetier:GetFreeTierAlertPreference",
                "freetier:GetFreeTierUsage",
                "freetier:PutFreeTierAlertPreference",
                "invoicing:GetInvoiceEmailDeliveryPreferences",
                "invoicing:GetInvoicePDF",
                "invoicing:ListInvoiceSummaries",
                "invoicing:PutInvoiceEmailDeliveryPreferences",
                "payments:CreatePaymentInstrument",
                "payments:DeletePaymentInstrument",
                "payments:GetPaymentInstrument",
                "payments:GetPaymentStatus",
                "payments:ListPaymentPreferences",
                "payments:MakePayment",
                "payments:UpdatePaymentPreferences",
                "purchase-orders:AddPurchaseOrder",
                "purchase-orders:DeletePurchaseOrder",
                "purchase-orders:GetPurchaseOrder",
                "purchase-orders:ListPurchaseOrderInvoices",
                "purchase-orders:ListPurchaseOrders",
                "purchase-orders:ListTagsForResource",
                "purchase-orders:ModifyPurchaseOrders",
                "purchase-orders:TagResource",
                "purchase-orders:UntagResource",
                "purchase-orders:UpdatePurchaseOrder",
                "purchase-orders:UpdatePurchaseOrderStatus",
                "purchase-orders:ViewPurchaseOrders",
                "tax:BatchPutTaxRegistration",
                "tax:DeleteTaxRegistration",
                "tax:GetExemptions",
                "tax:GetTaxInheritance",
                "tax:GetTaxInterview",
                "tax:GetTaxRegistration",
                "tax:GetTaxRegistrationDocument",
                "tax:ListTaxRegistrations",
                "tax:PutTaxInheritance",
                "tax:PutTaxInterview",
                "tax:PutTaxRegistration",
                "tax:UpdateExemptions"
            ],
            "Resource": "*"
        }
    ]
}

AWSAccountActivityAccess

This managed policy grants users permission to view the Account activity page.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "account:GetRegionOptStatus",
                "account:GetAccountInformation",
                "account:GetAlternateContact",
                "account:GetChallengeQuestions",
                "account:GetContactInformation",
                "account:ListRegions",
                "aws-portal:ViewBilling",
                "billing:GetIAMAccessPreference",
                "billing:GetSellerOfRecord",
                "payments:ListPaymentPreferences"
            ],
            "Resource": "*"
        }
    ]
}
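Because AWS can change a managed policy in place and the change reaches every user, group, and role the policy is attached to, a reviewer of the update history that follows wants to know not just which actions were added but whether any of them can change state. The following Python, added here as an example and not AWS code or part of this page, diffs two versions of a policy document and separates added actions into read-only and state-changing ones by their verb. Both sample documents are constructed; the "after" version mirrors the July 26, 2023 addition of ce:ListCostAllocationTags to AWSBillingReadOnlyAccess recorded in the update table, and the third document is a hypothetical version used only to show a state-changing addition being flagged.

```python
"""Diff two versions of an AWS managed policy and classify the added actions.

Added example, not AWS code.  Actions whose verb is Get/List/View/Describe are
treated as read-only; anything else, including wildcard verbs such as "*Billing",
is reported as a state-changing addition that deserves a closer look.
"""

READ_ONLY_VERBS = ("Get", "List", "View", "Describe")


def _as_list(value):
    """IAM allows a single string or a list for Statement and Action."""
    return value if isinstance(value, list) else [value]


def actions_of(policy):
    """Set of Action entries from the policy's Allow statements."""
    actions = set()
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") == "Allow" and "Action" in stmt:
            actions.update(_as_list(stmt["Action"]))
    return actions


def is_read_only(action):
    """Verb-prefix heuristic (assumption); a wildcard in the verb is never read-only."""
    _service, _sep, verb = action.partition(":")
    return "*" not in verb and verb.startswith(READ_ONLY_VERBS)


def diff_policies(before, after):
    """Report added/removed actions and which added ones can change state."""
    old, new = actions_of(before), actions_of(after)
    added = sorted(new - old)
    return {
        "added": added,
        "removed": sorted(old - new),
        "added_write": [a for a in added if not is_read_only(a)],
    }


# Constructed "before" document: a small read-only subset.
BEFORE = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Action": ["aws-portal:ViewBilling",
                              "billing:GetBillingData",
                              "tax:ListTaxRegistrations"],
                   "Resource": "*"}],
}

# Constructed "after" document mirroring the July 26, 2023 read-only addition.
AFTER = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Action": ["aws-portal:ViewBilling",
                              "billing:GetBillingData",
                              "tax:ListTaxRegistrations",
                              "ce:ListCostAllocationTags"],
                   "Resource": "*"}],
}

# Hypothetical document (not a real AWS change) that also adds a state-changing action.
HYPOTHETICAL_AFTER = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Action": ["aws-portal:ViewBilling",
                              "billing:GetBillingData",
                              "tax:ListTaxRegistrations",
                              "ce:ListCostAllocationTags",
                              "billing:RedeemCredits"],
                   "Resource": "*"}],
}

if __name__ == "__main__":
    for label, new in (("recorded change", AFTER), ("hypothetical change", HYPOTHETICAL_AFTER)):
        report = diff_policies(BEFORE, new)
        print(label, "added:", report["added"], "state-changing:", report["added_write"])
```

The verb heuristic is deliberately conservative: an action such as "aws-portal:*Billing" covers both ViewBilling and ModifyBilling, so it is reported as state-changing rather than silently treated as read access.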

Updates to AWS managed policies for AWS Billing

View details about updates to AWS managed policies for AWS Billing since this service began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the AWS Billing Document history page.

Change Description Date

Billing and AWSBillingReadOnlyAccess – Update to existing policies

We added the following cost allocation tag-related permissions to Billing:

  • ce:ListCostAllocationTags

  • ce:UpdateCostAllocationTagsStatus

We added the following cost allocation tag-related permission to AWSBillingReadOnlyAccess:

  • ce:ListCostAllocationTags

July 26, 2023

AWSPurchaseOrdersServiceRolePolicy, Billing, and AWSBillingReadOnlyAccess – Update to existing policies

We added the following purchase order tag-related permissions to Billing and AWSPurchaseOrdersServiceRolePolicy:

  • purchase-orders:ListTagsForResource

  • purchase-orders:TagResource

  • purchase-orders:UntagResource

We added the following tag-related permission to AWSBillingReadOnlyAccess:

  • purchase-orders:ListTagsForResource

July 17, 2023

AWSPurchaseOrdersServiceRolePolicy, Billing, and AWSBillingReadOnlyAccess – Update to existing policies

AWSAccountActivityAccess – New AWS managed policy documented for AWS Billing

Added updated action set across all policies.

March 06, 2023

AWSPurchaseOrdersServiceRolePolicy – Update to an existing policy

AWS Billing removed unnecessary permissions.

November 18, 2021

AWS Billing started tracking changes

AWS Billing started tracking changes for its AWS managed policies.

November 18, 2021