Using Identity-Based Policies (IAM Policies) for Billing and Cost Management

This topic provides examples of identity-based policies that demonstrate how an account administrator can attach permissions policies to IAM identities (users, groups, and roles) and thereby grant permissions to perform operations on Billing and Cost Management resources.

For a full discussion of AWS accounts and IAM users, see What Is IAM? in the IAM User Guide.

Billing Actions

This table summarizes the permissions that allow or deny IAM users access to your billing information and tools. For examples of policies that use these permissions, see Billing and Cost Management Policy Examples.

Permission Name	Description
`aws-portal:ViewBilling`	Allow or deny IAM users permission to view the Billing and Cost Management console pages.
`aws-portal:ModifyBilling`	Allow or deny IAM users permission to modify the following Billing and Cost Management console pages: Budgets Consolidated Billing Preferences Credits To allow IAM users to modify these console pages, you must allow both `ModifyBilling` and `ViewBilling`. For an example policy, see Example 6: Allow IAM users to modify billing information.
`aws-portal:ViewAccount`	Allow or deny IAM users permission to view the following Billing and Cost Management console pages: Billing Dashboard Account Settings
`aws-portal:ModifyAccount`	Allow or deny IAM users permission to modify Account Settings. To allow IAM users to modify account settings, you must allow both `ModifyAccount` and `ViewAccount`. For an example of a policy that explicitly denies an IAM user access to the Account Settings console page, see Example 8: Deny access to Account Settings, but allow full access to all other billing and usage information.
`budgets:ViewBudget`	Allow or deny IAM users permission to view Budgets. To allow IAM users to view budgets, you must also allow `ViewBilling`.
`budgets:ModifyBudget`	Allow or deny IAM users permission to modify Budgets. To allow IAM users to view and modify budgets, you must also allow `ViewBilling`.
`aws-portal:ViewPaymentMethods`	Allow or deny IAM users permission to view Payment Methods.
`aws-portal:ModifyPaymentMethods`	Allow or deny IAM users permission to modify Payment Methods. To allow users to modify payment methods, you must allow both `ModifyPaymentMethods` and `ViewPaymentMethods`.
`cur:DescribeReportDefinitions`	Allow or deny IAM users permission to view AWS Cost and Usage reports. AWS Cost and Usage reports permissions apply to all reports created using the Service API and the Billing and Cost Management console. If you create reports using the Billing and Cost Management console, we recommend that you update the permissions for IAM users. Not updating the permissions will result in users losing access to viewing, editing, and removing reports on the console reports page. For an example of a policy, see Example 2: Allow IAM users to access the Reports console page.
`cur:PutReportDefinition`	Allow or deny IAM users permission to create AWS Cost and Usage reports. AWS Cost and Usage reports permissions apply to all reports created using the Service API and the Billing and Cost Management console. If you create reports using the Billing and Cost Management console, we recommend that you update the permissions for IAM users. Not updating the permissions will result in users losing access to viewing, editing, and removing reports on the console reports page. For an example of a policy, see Example 2: Allow IAM users to access the Reports console page.
`cur:DeleteReportDefinition`	Allow or deny IAM users permission to delete AWS Cost and Usage reports. AWS Cost and Usage reports permissions apply to all reports created using the Service API and the Billing and Cost Management console. If you create reports using the Billing and Cost Management console, we recommend that you update the permissions for IAM users. Not updating the permissions will result in users losing access to viewing, editing, and removing reports on the console reports page. For an example of a policy, see Example 14: Create, view, edit, or delete AWS Cost and Usage Reports.
`cur:ModifyReportDefinition`	Allow or deny IAM users permission to modify AWS Cost and Usage reports. AWS Cost and Usage reports permissions apply to all reports created using the Service API and the Billing and Cost Management console. If you create reports using the Billing and Cost Management console, we recommend that you update the permissions for IAM users. Not updating the permissions will result in users losing access to viewing, editing, and removing reports on the console reports page. For an example of a policy, see Example 14: Create, view, edit, or delete AWS Cost and Usage Reports.
`ce:CreateCostCategoryDefinition`	Allow or deny IAM users permissions to create cost categories. For an example policy, see Example 13: View and manage Cost Categories.
`ce:DeleteCostCategoryDefinition`	Allow or deny IAM users permissions to delete cost categories. For an example policy, see Example 13: View and manage Cost Categories.
`ce:DescribeCostCategoryDefinition`	Allow or deny IAM users permissions to view cost categories. For an example policy, see Example 13: View and manage Cost Categories.
`ce:ListCostCategoryDefinitions`	Allow or deny IAM users permissions to list cost categories. For an example policy, see Example 13: View and manage Cost Categories.
`ce:UpdateCostCategoryDefinition`	Allow or deny IAM users permissions to update cost categories. For an example policy, see Example 13: View and manage Cost Categories.
`aws-portal:ViewUsage`	Allow or deny IAM users permission to view AWS usage Reports. To allow IAM users to view usage reports, you must allow both `ViewUsage` and `ViewBilling`. For an example policy, see Example 2: Allow IAM users to access the Reports console page.
`pricing:DescribeServices`	Allow or deny IAM users permission to view AWS service products and pricing via the AWS Price List Service API. To allow IAM users to use AWS Price List Service API, you must allow `DescribeServices`, `GetAttributeValues`, and `GetProducts`. For an example policy, see Example 10: Find products and prices.
`pricing:GetAttributeValues`	Allow or deny IAM users permission to view AWS service products and pricing via the AWS Price List Service API. To allow IAM users to use AWS Price List Service API, you must allow `DescribeServices`, `GetAttributeValues`, and `GetProducts`. For an example policy, see Example 10: Find products and prices.
`pricing:GetProducts`	Allow or deny IAM users permission to view AWS service products and pricing via the AWS Price List Service API. To allow IAM users to use AWS Price List Service API, you must allow `DescribeServices`, `GetAttributeValues`, and `GetProducts`. For an example policy, see Example 10: Find products and prices.

Warning Javascript is disabled or is unavailable in your browser.

To use the AWS Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Overview of Managing Access

Billing and Cost Management Policy Examples