Overview of managing access permissions - AWS Billing and Cost Management

Overview of managing access permissions

AWS Billing and Cost Management integrates with the AWS Identity and Access Management (IAM) service so that you can control who in your organization has access to specific pages on the AWS Billing and Cost Management console. You can control access to invoices and detailed information about charges and account activity, budgets, payment methods, and credits.

For more information about how to activate access to the Billing Console, see Tutorial: Delegate Access to the Billing Console in the IAM User Guide.

Granting access to your billing information and tools

The AWS account owner can access billing information and tools by signing in to the AWS Management Console using the account password. We recommend that you don't use the account password for everyday access to the account, and especially that you don't share account credentials with others to give them access to your account.

Instead, you should create a special user identity called an IAM user for anyone who might need access to the account. This approach provides individual sign-in information for each user, and you can grant each user only the permissions they need to work with your account. For example, you can grant some users limited access to some of your billing information and tools, and grant others complete access to all of the information and tools. (We recommend that the account owner also access the account by using an IAM user identity.)

By default, IAM users do not have access to the AWS Billing and Cost Management console. You or your account administrator must grant users access. You can do this by activating IAM user access to the Billing and Cost Management console and attaching an IAM policy to your users. This can be either managed or custom. Then, you need to activate IAM user access for IAM policies to take effect. You only need to activate IAM user access once.

Note

IAM is a feature of your AWS account. If you are already signed up for a product that is integrated with IAM, you don't need to do anything else to sign up for IAM, nor will you be charged for using it.

Permissions for Cost Explorer apply to all accounts and linked accounts, regardless of IAM policies. For more information about Cost Explorer access, see Controlling access for Cost Explorer.

Activating access to the Billing and Cost Management console

To be able to grant your IAM user and role access to your account's Billing and Cost Management console, you must activate the functionality.

Important

When you activate IAM user access to the Billing and Cost Management console, you grant full access to all users who already have full access to the AWS APIs. You can restrict their access by applying an IAM policy that constrains their permissions. See Example 4: Allow full access to AWS services but deny IAM users access to the Billing and Cost Management console.

To activate IAM user and role access to the Billing and Cost Management console

  1. Sign in to the AWS Management Console with your root account credentials (the email address and password that you used to create your AWS account).

  2. On the navigation bar, choose your account name, and then choose My Account.

  3. Next to IAM User and Role Access to Billing Information, choose Edit.

  4. Select the Activate IAM Access check box to activate access to the Billing and Cost Management pages.

  5. Choose Update.

You can now use IAM policies to control which pages a user can access.

After you have activated IAM user access, you can attach IAM policies to grant or deny access to specific billing features. For more information about using policies to grant IAM users access to Billing and Cost Management features, see Using identity-based policies (IAM policies) for Billing and Cost Management.