Overview of managing access permissions - AWS Billing
Grant access to billing information and toolsAbout IAM Access

Overview of managing access permissions

You can use AWS Identity and Access Management (IAM) to control who in your account or organization has access to specific pages on the AWS Billing and Cost Management console. For example, you can control access to invoices and detailed information about charges and account activity, budgets, payment methods, and credits. IAM is a feature of your AWS account. You don't need to do anything else to sign up for IAM. You're not charged for using IAM.

Granting access to your billing information and tools

When you create an AWS account, you begin with one sign-in identity that has complete access to all AWS services and resources in the account. This identity is called the AWS account root user and is accessed by signing in with the email address and password that you used to create the account. We strongly recommend that you don't use the root user for your everyday tasks. Safeguard your root user credentials and use them to perform the tasks that only the root user can perform. For the complete list of tasks that require you to sign in as the root user, see Tasks that require root user credentials in the IAM User Guide.

Instead, you should create a special user identity that's called an IAM user for anyone who might need access to the account. This approach provides individual sign-in information for each user, and you can grant each user only the permissions that they need.

You can grant some users limited access to your billing information and tools and then grant others complete access. We also recommend that the account owner use an IAM user identity to access the account.

Important

By default, IAM users don't have access to the AWS Billing and Cost Management console.

To grant IAM entities (such as users or groups) access to the Billing and Cost Management console, complete the following:

  • Activate IAM Access as the AWS account root user. You only need to complete this action once for your account.

  • Create your IAM identities, such as a user, group, or role.

  • Use an AWS managed policy or create a customer managed policy that grants permission to specific actions on the Billing and Cost Management console. For more information, see Using identity-based policies (IAM policies) for AWS Billing.

For a step-by-step guide, see the IAM tutorial: Grant access to the Billing console in the IAM User Guide.

Note

Permissions for Cost Explorer apply to all accounts and member accounts, regardless of the IAM policies. For more information, see Controlling access to AWS Cost Explorer.

About IAM Access to the AWS Billing and Cost Management console

By default, IAM users and roles in an AWS account can't access the Billing and Cost Management console. This is true even if they have IAM policies that grant access to certain Billing features. To grant access, the AWS account root user can use the Activate IAM Access setting.

Activate this setting in each account where you want to allow IAM user and role access to the Billing and Cost Management console. If you use AWS Organizations, activate this setting in each management or member account where you want to allow IAM user and role access to the Billing and Cost Management console.

For more information, see Activating IAM access to the AWS Billing and Cost Management console.

On the Billing and Cost Management console, the Activate IAM Access setting controls access to the following pages:

  • Home

  • Cost Explorer

  • Budgets

  • Budgets Reports

  • AWS Cost and Usage Reports

  • Cost categories

  • Cost allocation tags

  • Bills

  • Payments

  • Credits

  • Purchase Order

  • Billing preferences

  • Payment methods

  • Tax settings

On the Cost Management console, the Activate IAM Access setting controls access to the following pages:

  • Home

  • Cost Explorer

  • Reports

  • Rightsizing recommendations

  • Savings Plans recommendations

  • Savings Plans utilization report

  • Savings Plans coverage report

  • Reservations overview

  • Reservations recommendations

  • Reservations utilization report

  • Reservations coverage report

  • Preferences

Important

  • The Activate IAM Access setting alone doesn't grant IAM users and roles the necessary permissions for these pages. You must also attach the required IAM policies to those users or roles. For more information, see Using identity-based policies (IAM policies) for AWS Billing.

  • The Activate IAM Access setting isn't available to IAM users with administrator access. This setting is available only to the AWS account root user.

The Activate IAM Access setting doesn't control access to the following pages and resources:

  • Console pages for AWS Cost Anomaly Detection, Savings Plans overview, Savings Plans inventory, Purchase Savings Plans, Savings Plans cart, and customer verification

  • Cost Management view in the AWS Console Mobile Application

  • Billing SDK APIs (AWS Cost Explorer, AWS Budgets, and AWS Cost and Usage Reports APIs)

  • Cost and usage widget on the AWS Management Console and AWS Systems Manager Application Manager

  • Account SDK APIs