Using identity-based policies (IAM policies) for Billing and Cost Management - AWS Billing and Cost Management

Using identity-based policies (IAM policies) for Billing and Cost Management

This topic provides examples of identity-based policies that demonstrate how an account administrator can attach permissions policies to IAM identities (users, groups, and roles) and thereby grant permissions to perform operations on Billing and Cost Management resources.

For a full discussion of AWS accounts and IAM users, see What Is IAM? in the IAM User Guide.

For information on how you can update customer managed policies, see Editing customer managed policies (console) in the IAM User Guide.

Billing and Cost Management actions policies

This table summarizes the permissions that allow or deny IAM users access to your billing information and tools. For examples of policies that use these permissions, see Billing and Cost Management policy examples.

Permission name Description

aws-portal:ViewBilling

Allow or deny IAM users permission to view the Billing and Cost Management console pages.

aws-portal:ModifyBilling

Allow or deny IAM users permission to modify the following Billing and Cost Management console pages:

To allow IAM users to modify these console pages, you must allow both ModifyBilling and ViewBilling. For an example policy, see Allow IAM users to modify billing information.

aws-portal:ViewAccount

Allow or deny IAM users permission to view the following Billing and Cost Management console pages:

aws-portal:ModifyAccount

Allow or deny IAM users permission to modify Account Settings.

To allow IAM users to modify account settings, you must allow both ModifyAccount and ViewAccount.

For an example of a policy that explicitly denies an IAM user access to the Account Settings console page, see Deny access to account settings, but allow full access to all other billing and usage information.

budgets:ViewBudget

Allow or deny IAM users permission to view Budgets.

To allow IAM users to view budgets, you must also allow ViewBilling.

budgets:ModifyBudget

Allow or deny IAM users permission to modify Budgets.

To allow IAM users to view and modify budgets, you must also allow ViewBilling.

aws-portal:ViewPaymentMethods

Allow or deny IAM users permission to view Payment Methods.

aws-portal:ModifyPaymentMethods

Allow or deny IAM users permission to modify Payment Methods.

To allow users to modify payment methods, you must allow both ModifyPaymentMethods and ViewPaymentMethods.

cur:DescribeReportDefinitions

Allow or deny IAM users permission to view AWS Cost and Usage Reports.

AWS Cost and Usage Reports permissions apply to all reports created using the AWS Cost and Usage Reports Service API and the Billing and Cost Management console. If you create reports using the Billing and Cost Management console, we recommend that you update the permissions for IAM users. Not updating the permissions will result in users losing access to viewing, editing, and removing reports on the console reports page.

For an example of a policy, see Allow IAM users to access the reports console page.

cur:PutReportDefinition

Allow or deny IAM users permission to create AWS Cost and Usage Reports.

AWS Cost and Usage Reports permissions apply to all reports created using the AWS Cost and Usage Reports Service API and the Billing and Cost Management console. If you create reports using the Billing and Cost Management console, we recommend that you update the permissions for IAM users. Not updating the permissions will result in users losing access to viewing, editing, and removing reports on the console reports page.

For an example of a policy, see Allow IAM users to access the reports console page.

cur:DeleteReportDefinition

Allow or deny IAM users permission to delete AWS Cost and Usage Reports.

AWS Cost and Usage Reports permissions apply to all reports created using the AWS Cost and Usage Reports Service API and the Billing and Cost Management console. If you create reports using the Billing and Cost Management console, we recommend that you update the permissions for IAM users. Not updating the permissions will result in users losing access to viewing, editing, and removing reports on the console reports page.

For an example of a policy, see Create, view, edit, or delete AWS Cost and Usage Reports.

cur:ModifyReportDefinition

Allow or deny IAM users permission to modify AWS Cost and Usage Reports.

AWS Cost and Usage Reports permissions apply to all reports created using the AWS Cost and Usage Reports Service API and the Billing and Cost Management console. If you create reports using the Billing and Cost Management console, we recommend that you update the permissions for IAM users. Not updating the permissions will result in users losing access to viewing, editing, and removing reports on the console reports page.

For an example of a policy, see Create, view, edit, or delete AWS Cost and Usage Reports.

ce:GetPreferences

Allow or deny IAM users permissions to view the Cost Explorer preferences page.

For an example policy, see View and update the Cost Explorer preferences page.

ce:UpdatePreferences

Allow or deny IAM users permissions to update the Cost Explorer preferences page.

For an example policy, see View and update the Cost Explorer preferences page.

ce:DescribeReport

Allow or deny IAM users permissions to view the Cost Explorer reports page.

For an example policy, see View, create, update, and delete using the Cost Explorer reports page.

ce:CreateReport

Allow or deny IAM users permissions to create reports using the Cost Explorer reports page.

For an example policy, see View, create, update, and delete using the Cost Explorer reports page.

ce:UpdateReport

Allow or deny IAM users permissions to update using the Cost Explorer reports page.

For an example policy, see View, create, update, and delete using the Cost Explorer reports page.

ce:DeleteReport

Allow or deny IAM users permissions to delete reports using the Cost Explorer reports page.

For an example policy, see View, create, update, and delete using the Cost Explorer reports page.

ce:DescribeNotificationSubscription

Allow or deny IAM users permissions to view Cost Explorer reservation expiration alerts in the reservation overview page.

For an example policy, see View, create, update, and delete reservation and Savings Plans alerts.

ce:CreateNotificationSubscription

Allow or deny IAM users permissions to create Cost Explorer reservation expiration alerts in the reservation overview page.

For an example policy, see View, create, update, and delete reservation and Savings Plans alerts.

ce:UpdateNotificationSubscription

Allow or deny IAM users permissions to update Cost Explorer reservation expiration alerts in the reservation overview page.

For an example policy, see View, create, update, and delete reservation and Savings Plans alerts.

ce:DeleteNotificationSubscription

Allow or deny IAM users permissions to delete Cost Explorer reservation expiration alerts in the reservation overview page.

For an example policy, see View, create, update, and delete reservation and Savings Plans alerts.

ce:CreateCostCategoryDefinition

Allow or deny IAM users permissions to create cost categories.

For an example policy, see View and manage cost categories.

ce:DeleteCostCategoryDefinition

Allow or deny IAM users permissions to delete cost categories.

For an example policy, see View and manage cost categories.

ce:DescribeCostCategoryDefinition

Allow or deny IAM users permissions to view cost categories.

For an example policy, see View and manage cost categories.

ce:ListCostCategoryDefinitions

Allow or deny IAM users permissions to list cost categories.

For an example policy, see View and manage cost categories.

ce:UpdateCostCategoryDefinition

Allow or deny IAM users permissions to update cost categories.

For an example policy, see View and manage cost categories.

ce:CreateAnomalyMonitor Allow or deny IAM users permissions to create a single AWS Cost Anomaly Detection monitor.
ce:GetAnomalyMonitors Allow or deny IAM users permissions to view all AWS Cost Anomaly Detection monitors.
ce:UpdateAnomalyMonitor Allow or deny IAM users permissions to update AWS Cost Anomaly Detection monitors.
ce:DeleteAnomalyMonitor Allow or deny IAM users permissions to delete AWS Cost Anomaly Detection monitors.
ce:CreateAnomalySubscription Allow or deny IAM users permissions to create a single subscription for AWS Cost Anomaly Detection.
ce:GetAnomalySubscriptions Allow or deny IAM users permissions to view all subscriptions for AWS Cost Anomaly Detection.
ce:UpdateAnomalySubscription Allow or deny IAM users permissions to update AWS Cost Anomaly Detection subscriptions.
ce:DeleteAnomalySubscription Allow or deny IAM users permissions to delete AWS Cost Anomaly Detection subscriptions.
ce:GetAnomalies Allow or deny IAM users permissions to view all anomalies in AWS Cost Anomaly Detection.
ce:ProvideAnomalyFeedback

Allow or deny IAM users permissions to provide feedback on a detected AWS Cost Anomaly Detection.

aws-portal:ViewUsage

Allow or deny IAM users permission to view AWS usage Reports.

To allow IAM users to view usage reports, you must allow both ViewUsage and ViewBilling.

For an example policy, see Allow IAM users to access the reports console page.

pricing:DescribeServices

Allow or deny IAM users permission to view AWS service products and pricing via the AWS Price List Service API.

To allow IAM users to use AWS Price List Service API, you must allow DescribeServices, GetAttributeValues, and GetProducts.

For an example policy, see Find products and prices.

pricing:GetAttributeValues

Allow or deny IAM users permission to view AWS service products and pricing via the AWS Price List Service API.

To allow IAM users to use AWS Price List Service API, you must allow DescribeServices, GetAttributeValues, and GetProducts.

For an example policy, see Find products and prices.

pricing:GetProducts

Allow or deny IAM users permission to view AWS service products and pricing via the AWS Price List Service API.

To allow IAM users to use AWS Price List Service API, you must allow DescribeServices, GetAttributeValues, and GetProducts.

For an example policy, see Find products and prices.

purchase-orders:ViewPurchaseOrders

Allow or deny IAM users permission to view Purchase Orders.

For an example policy, see View and manage purchase orders.

purchase-orders:ModifyPurchaseOrders

Allow or deny IAM users permission to modify Purchase Orders.

For an example policy, see View and manage purchase orders.

Managed policies

Managed policies are standalone identity-based policies that you can attach to multiple users, groups, and roles in your AWS account. You can use AWS managed policies to control access in Billing and Cost Management.

An AWS managed policy is a standalone policy that is created and administered by AWS. AWS managed policies are designed to provide permissions for many common use cases. AWS managed policies make it easier for you to assign appropriate permissions to users, groups, and roles than if you had to write the policies yourself.

You can't change the permissions defined in AWS managed policies. AWS occasionally updates the permissions defined in an AWS managed policy. When this occurs, the update affects all principal entities (users, groups, and roles) that the policy is attached to.

Billing and Cost Management provides several AWS managed policies for common use cases.

Allows full access to AWS Budgets including budgets actions

Managed policy name: AWSBudgetsActionsWithAWSResourceControlAccess

This managed policy is focused on the user, ensuring that you have the proper permissions to grant permission to AWS Budgets to run the defined actions. This policy provides full access to AWS Budgets, including budgets actions, to retrieve the status of your policies and run AWS resources using the AWS Management Console.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "budgets:*" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "aws-portal:ViewBilling" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "iam:PassRole" ], "Resource": "*", "Condition": { "StringEquals": { "iam:PassedToService": "budgets.amazonaws.com" } } }, { "Effect": "Allow", "Action": [ "aws-portal:ModifyBilling", "ec2:DescribeInstances", "iam:ListGroups", "iam:ListPolicies", "iam:ListRoles", "iam:ListUsers", "organizations:ListAccounts", "organizations:ListOrganizationalUnitsForParent", "organizations:ListPolicies", "organizations:ListRoots", "rds:DescribeDBInstances", "sns:ListTopics" ], "Resource": "*" } ] }

Allows AWS Budgets broad permission to control AWS resources

Managed policy name: AWSBudgetsActionsRolePolicyForResourceAdministrationWithSSM

This managed policy is focused on specific actions that AWS Budgets takes on your behalf when completing a specific action. This policy gives AWS Budgets broad permission to control AWS resources. For example, starts and stops Amazon EC2 or Amazon RDS instances by running AWS Systems Manager (SSM) scripts.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ec2:DescribeInstanceStatus", "ec2:StartInstances", "ec2:StopInstances", "rds:DescribeDBInstances", "rds:StartDBInstance", "rds:StopDBInstance" ], "Resource": "*", "Condition": { "ForAnyValue:StringEquals": { "aws:CalledVia": [ "ssm.amazonaws.com" ] } } }, { "Effect": "Allow", "Action": [ "ssm:StartAutomationExecution" ], "Resource": "*" } ] }