Migrating access control for AWS Billing
Note
The following AWS Identity and Access Management (IAM) actions have reached the end of standard support on July 2023:
-
aws-portalnamespace -
purchase-orders:ViewPurchaseOrders -
purchase-orders:ModifyPurchaseOrders
If you're using AWS Organizations, you can use the bulk policy migrator scripts to update polices from your payer account. You can also use the old to granular action mapping reference to verify the IAM actions that need to be added.
For more information, see the Changes to AWS Billing, AWS Cost Management, and Account Consoles Permission
If you have an AWS account, or are a part of an AWS Organizations created on or after March 6, 2023, 11:00 AM (PDT), the fine-grained actions are already in effect in your organization.
You can use fine-grained access controls to provide individuals in your organization access to AWS Billing and Cost Management services. For example, you can provide access to Cost Explorer without providing access to the Billing and Cost Management console.
To use the fine-grained access controls, you'll need to migrate your policies from under aws-portal to the new IAM actions.
The following IAM actions in your permission policies or service control policies (SCP) require updating with this migration:
aws-portal:ViewAccountaws-portal:ViewBillingaws-portal:ViewPaymentMethodsaws-portal:ViewUsageaws-portal:ModifyAccountaws-portal:ModifyBillingaws-portal:ModifyPaymentMethodspurchase-orders:ViewPurchaseOrderspurchase-orders:ModifyPurchaseOrders
To learn how to use the Affected policies tool to identify your impacted IAM policies, see How to use the affected policies tool.
Note
API access to AWS Cost Explorer, AWS Cost and Usage Reports, and AWS Budgets remains unaffected.
Activating access to the Billing and Cost Management console remain unchanged.
Topics
Managing access permissions
AWS Billing integrates with the AWS Identity and Access Management (IAM) service so that you can control
who in your organization can access specific pages on the Billing and Cost Management console
Use the following IAM permissions for granular control for the Billing and Cost Management console.
To provide fine-grained access, replace the aws-portal policy with
account, billing, payments,
freetier, invoicing, tax, and consolidatedbilling.
Additionally, replace purchase-orders:ViewPurchaseOrders and
purchase-orders:ModifyPurchaseOrders with the fine-grained actions
under purchase-orders, account, and
payments.
Using fine-grained AWS Billing actions
This table summarizes the permissions that allow or deny IAM users and roles access to your billing information. For examples of policies that use these permissions, see AWS Billing policy examples.
For a list of actions for the AWS Cost Management console, see AWS Cost Management actions policies in the AWS Cost Management User Guide.
| Feature name in the Billing and Cost Management console | IAM action | Description |
|---|---|---|
|
|
Grants permission to view the Home page. These are read-only permissions. NoteThese are permissions for the console only. No API access is available for these permissions. |
|
|
|
Grants permission to view the Bills page. These are read-only permissions. NoteThese are permissions for the console only. No API access is available for these permissions. |
|
|
Grants permission to download invoices from the Bills page. NoteThis is a permission for the console only. No API access is available for this permission. |
|
|
Grants permission to download CSV reports from the Bills page. NoteThis is a permission for the console only. No API access is available for this permission. |
|
|
Grants permission to view the NoteThis is a permission for the console only. No API access is available for this permission. |
|
|
|
Grants permission to view the Payments page. These are read-only permissions to the Payments due, Unapplied funds, Transaction, and Advance pay tabs. NoteThese are permissions for the console only. No API access is available for these permissions. |
|
|
Grants permission to download an invoice from the Transactions tab. NoteThis is a permission for the console only. No API access is available for this permission. |
|
|
Grants permission action required to use Advance Pay and set up payment details. |
|
|
Grants permission to generate a funding request document for Advance Pay, and make a payment. |
|
|
|
Grants permission to view the Credits page. |
|
|
|
Grants permission to redeem credits. |
|
|
|
Grants permission to view the Purchase orders page. |
|
|
Grants permission to view details of a purchase order. |
|
|
|
Grants permission to add a purchase order. |
|
|
Grants permission to delete a purchase order. |
|
|
|
Grants permission to update purchase orders and purchase order status. |
|
|
|
Grants permission to view a list of AWS CUR reports on the AWS Cost and Usage Reports page. Note
|
|
|
Grants permission to view the NoteThis is a permission for the console only. No API access is available for this permission. |
|
|
|
Grants permission actions required to create a new AWS CUR report. Note
|
|
|
|
Grants permission to edit AWS CUR definition. Note
|
|
|
|
Grants permission to delete AWS CUR reports. |
|
|
Grants permission to download usage reports. |
|
|
Grants permission to view sustainability data for your AWS account. |
|
|
|
Grants permission to view cost categories. Note
|
|
|
|
Grants permission to create cost categories. Note
|
|
|
Grants permission to modify cost categories. |
|
|
Grants permission to delete cost categories. | |
|
|
Grants permission to view cost allocation tags. |
|
|
|
Grants permission to activate or deactivate cost allocation tags. |
|
|
|
Grants permission to view the Budgets page. |
|
|
|
Grants permission to create, delete, and modify Budgets and Budgets actions. |
|
|
|
Grants permission to view free tier usage limits and month to date usage status. |
|
|
|
Grants permission actions required to view all sections on the Billing preferences page. NoteThese are permissions for the console only. No API access is available for these permissions. |
|
|
|
Grants permission to make the following changes in the Billing preferences page:
Note
|
|
|
|
Grants permission to view the Payment preferences page. NoteThese are permissions for the console only. No API access is available for these permissions. |
|
|
|
Grants permission to create or update payment methods. Note
|
|
|
Grants permission to update or delete tax registration numbers. |
|
|
Grants permission to update payment profiles. NoteThis is a permission for the console only. No API access is available for this permission. |
|
|
|
Grants permission to view tax settings. |
|
|
Grants permission action required to update tax settings. |
|
|
Grants permission to set tax inheritance. |
|
|
Grants permission to update tax exemption. |
|
|
Grants permission to view Account settings. Note
|
|
|
Grants permission to close AWS accounts. NoteThis is a permission for the console only. No API access is available for this permission. |
|
|
Grants permission to turn off an AWS Region on the Account page. |
|
|
Grants permission to turn on an AWS Region on the Account page. |
|
|
Grants permission to write alternate contacts for the account. |
|
|
Grants permission to set security challenge questions for the account. NoteThis permission is for the console only. No API access is available for this permission. |
|
|
Grants permission action required to set or write main contact information, including address, for the account. |
|
|
Grants permission to set the account contract information, if the account is used to service public-sector customers. Information that can be pulled includes end user organization names, contract number, and PO numbers. NoteThis permission is for the console only. No API access is available for this permission. |
|
|
Grants permission action required to turn on or turn off the Activate IAM Access setting on the Account page. |
|
|
Grants permission to set advance pay, currency preference, billing contact details and address, and payment terms and conditions. |
