Overview of managing access permissions - AWS Billing

Overview of managing access permissions

AWS Billing integrates with the AWS Identity and Access Management (IAM) service so that you can control who in your organization has access to specific pages on the AWS Billing console. You can control access to invoices and detailed information about charges and account activity, budgets, payment methods, and credits.

For instructions on how to activate access to the AWS Billing console, see Tutorial: Delegate Access to the Billing Console in the IAM User Guide.

Granting access to your billing information and tools

The AWS account owner can access billing information and tools by signing in to the AWS Management Console using the account password. We don't recommend that you use the account password for everyday access to the account or share your account credentials with others.

Instead, you should create a special user identity that's called an IAM user for anyone who might need access to the account. This approach provides individual sign-in information for each user, and you can grant each user only the permissions they need. More specifically, you can grant some users limited access to some of your billing information and tools, and grant others complete access to all of the information and tools. We also recommend that the account owner access the account by using an IAM user identity.

By default, IAM users don't have access to the AWS Billing console. You or your account administrator must grant users access. You can do this by activating IAM user access to the Billing console and attaching an IAM policy to your users. The policy can be either managed or custom. The IAM policies take effect only after IAM user access is activated. You only need to activate IAM user access once.

Note

IAM is a feature of your AWS account. If you're already signed up for a product that's integrated with IAM, you don't need to do anything else to sign up for IAM. Moreover, you're not charged for using IAM.

Permissions for Cost Explorer apply to all accounts and member accounts, regardless of the IAM policies. For more information about Cost Explorer access, see Controlling access for AWS Cost Explorer.

Activating access to the AWS Billing console

By default, IAM users and roles within an AWS account can't access the Billing console pages. This is true even if the IAM user or role has IAM policies that grant access to certain Billing features. The AWS account root user can allow IAM users and roles access to Billing console pages by using the Activate IAM Access setting.

On the Billing console, the Activate IAM Access setting controls IAM user and role access to the following pages:

  • Home

  • Cost Explorer

  • Budgets

  • Budgets Reports

  • AWS Cost and Usage Reports

  • Cost categories

  • Cost allocation tags

  • Bills

  • Payments

  • Credits

  • Purchase Order

  • Billing preferences

  • Payment methods

  • Tax settings

On the Cost Management console, the Activate IAM Access setting controls IAM user and role access to the following pages:

  • Home

  • Cost Explorer

  • Reports

  • Rightsizing recommendations

  • Savings Plans recommendations

  • Savings Plans utilization report

  • Savings Plans coverage report

  • Reservations overview

  • Reservations recommendations

  • Reservations utilization report

  • Reservations coverage report

  • Preferences

Important

Activating IAM access alone doesn't grant IAM users and roles the necessary permissions for these Billing console pages. In addition to activating IAM access, you must also attach the required IAM policies to those users or roles. For more information, see Using identity-based policies (IAM policies) for AWS Billing.

The Activate IAM Access setting doesn't control access to the following pages and resources:

  • The console pages for AWS Cost Anomaly Detection, Savings Plans overview, Savings Plans inventory, Purchase Savings Plans, Savings Plans cart, and customer verification

  • The Cost Management view in the AWS Console Mobile Application

  • The Billing SDK APIs (AWS Cost Explorer, AWS Budgets, and AWS Cost and Usage Reports APIs)

  • The cost and usage widget on the AWS Console and AWS Systems Manager Application Manager

  • The Account SDK APIs

To activate the Activate IAM Access setting, you must log in to your AWS account using the root user credentials, and then select the setting on the My Account page. Activate this setting in each account where you want to allow IAM user and role access to the Billing console pages. If you use AWS Organizations, activate this setting in each management or member account where you want to allow IAM user and role access to console pages.

Note

The Activate IAM Access setting isn't available to IAM users with administrator access. This setting is available only to the AWS account root user.

If the Activate IAM Access setting isn't activated, then IAM users and roles in the account can't access the Billing console pages. This is true even if they have administrator access or the required IAM policies.
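Because the Activate IAM Access setting doesn't control the Cost Explorer, Budgets, and Cost and Usage Reports APIs, IAM policies alone decide who can call them, even in an account where the console pages are blocked. The following added example (not part of the AWS documentation) audits policy documents for that reach; the sample policies are constructed, and the check is simplified as noted in the comments.

```python
import json

# IAM service prefixes of the APIs the page lists as NOT gated by
# Activate IAM Access: Cost Explorer, Budgets, Cost and Usage Reports.
UNGATED_PREFIXES = ("ce", "budgets", "cur")

def _as_list(value):
    """IAM lets Statement, Action and NotAction be one item or a list."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]

def _whole_service(patterns, prefix):
    """True if a pattern is '*' or '<prefix>:*' (covers the entire service)."""
    return any(p.lower() in ("*", prefix + ":*") for p in patterns)

def _touches(patterns, prefix):
    """True if a pattern is '*' or names any action in the given service."""
    return any(p == "*" or p.lower().startswith(prefix + ":") for p in patterns)

def ungated_api_reach(policy_documents):
    """Return the ungated service prefixes that the given policies allow.

    Simplified (assumption): ignores Resource and Condition, does not model
    Deny with NotAction, and treats only a whole-service Deny as removing
    access, because a partial Deny still leaves some actions callable.
    """
    allowed, denied = set(), set()
    for doc in policy_documents:
        for stmt in _as_list(json.loads(doc).get("Statement")):
            actions = _as_list(stmt.get("Action"))
            not_actions = _as_list(stmt.get("NotAction"))
            for prefix in UNGATED_PREFIXES:
                effect = stmt.get("Effect")
                if effect == "Deny" and _whole_service(actions, prefix):
                    denied.add(prefix)
                elif effect == "Allow" and (_touches(actions, prefix) or (
                        not_actions and not _whole_service(not_actions, prefix))):
                    allowed.add(prefix)
    return sorted(allowed - denied)

# Constructed sample policies (not taken from the page).
ADMIN = '{"Statement":[{"Effect":"Allow","Action":"*","Resource":"*"}]}'
ANALYST = ('{"Statement":{"Effect":"Allow","Resource":"*",'
           '"Action":["ce:GetCostAndUsage","budgets:ViewBudget"]}}')
DENY_CE = '{"Statement":[{"Effect":"Deny","Action":"ce:*","Resource":"*"}]}'

if __name__ == "__main__":
    for name, docs in {"admin": [ADMIN], "analyst": [ANALYST],
                       "admin-no-ce": [ADMIN, DENY_CE]}.items():
        print(name, ungated_api_reach(docs))
```

A principal that appears in this output can retrieve cost data programmatically whether or not the root user has activated IAM access for the console.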

To activate IAM user and role access to the AWS Billing console, see IAM tutorial: Delegate access to the AWS Billing console in the IAM User Guide.

After you activate IAM access, you must also attach the required IAM policies to the IAM users or roles. The IAM policies can grant or deny access to specific Billing features. For more information, see Using identity-based policies (IAM policies) for AWS Billing.