Using identity-based policies (IAM policies) for AWS Cost Management

This topic provides examples of identity-based policies that demonstrate how an account administrator can attach permissions policies to IAM identities (users, groups, and roles) and thereby grant permissions to perform operations on Billing and Cost Management resources.

For a full discussion of AWS accounts and IAM users, see What Is IAM? in the IAM User Guide.

For information on how you can update customer managed policies, see Editing customer managed policies (console) in the IAM User Guide.

Billing and Cost Management actions policies

This table summarizes the permissions that allow or deny IAM users access to your billing information and tools. For examples of policies that use these permissions, see AWS Cost Management policy examples.

For a list of actions policies for the Billing console, see Billing actions policies in the Billing user guide.

Permission name Description

aws-portal:ViewBilling

Allow or deny IAM users permission to view the Billing and Cost Management console pages. For an example policy, see Allow IAM users to view your billing information in the Billing User Guide.

aws-portal:ViewUsage

Allow or deny IAM users permission to view AWS usage reports.

To allow IAM users to view usage reports, you must allow both ViewUsage and ViewBilling.

For an example policy, see Allow IAM users to access the reports console page in the Billing User Guide.

aws-portal:ModifyBilling

Allow or deny IAM users permission to modify the following Billing and Cost Management console pages:

To allow IAM users to modify these console pages, you must allow both ModifyBilling and ViewBilling. For an example policy, see Allow IAM users to modify billing information.

aws-portal:ViewAccount

Allow or deny IAM users permission to view the following Billing and Cost Management console pages:

aws-portal:ModifyAccount

Allow or deny IAM users permission to modify Account Settings.

To allow IAM users to modify account settings, you must allow both ModifyAccount and ViewAccount.

For an example of a policy that explicitly denies an IAM user access to the Account Settings console page, see Deny access to account settings, but allow full access to all other billing and usage information.

budgets:ViewBudget

Allow or deny IAM users permission to view Budgets.

To allow IAM users to view budgets, you must also allow ViewBilling.

budgets:ModifyBudget

Allow or deny IAM users permission to modify Budgets.

To allow IAM users to view and modify budgets, you must also allow ViewBilling.

ce:GetPreferences

Allow or deny IAM users permissions to view the Cost Explorer preferences page.

For an example policy, see View and update the Cost Explorer preferences page.

ce:UpdatePreferences

Allow or deny IAM users permissions to update the Cost Explorer preferences page.

For an example policy, see View and update the Cost Explorer preferences page.

ce:DescribeReport

Allow or deny IAM users permissions to view the Cost Explorer reports page.

For an example policy, see View, create, update, and delete using the Cost Explorer reports page.

ce:CreateReport

Allow or deny IAM users permissions to create reports using the Cost Explorer reports page.

For an example policy, see View, create, update, and delete using the Cost Explorer reports page.

ce:UpdateReport

Allow or deny IAM users permissions to update reports using the Cost Explorer reports page.

For an example policy, see View, create, update, and delete using the Cost Explorer reports page.

ce:DeleteReport

Allow or deny IAM users permissions to delete reports using the Cost Explorer reports page.

For an example policy, see View, create, update, and delete using the Cost Explorer reports page.

ce:DescribeNotificationSubscription

Allow or deny IAM users permissions to view Cost Explorer reservation expiration alerts in the reservation overview page.

For an example policy, see View, create, update, and delete reservation and Savings Plans alerts.

ce:CreateNotificationSubscription

Allow or deny IAM users permissions to create Cost Explorer reservation expiration alerts in the reservation overview page.

For an example policy, see View, create, update, and delete reservation and Savings Plans alerts.

ce:UpdateNotificationSubscription

Allow or deny IAM users permissions to update Cost Explorer reservation expiration alerts in the reservation overview page.

For an example policy, see View, create, update, and delete reservation and Savings Plans alerts.

ce:DeleteNotificationSubscription

Allow or deny IAM users permissions to delete Cost Explorer reservation expiration alerts in the reservation overview page.

For an example policy, see View, create, update, and delete reservation and Savings Plans alerts.

ce:CreateCostCategoryDefinition

Allow or deny IAM users permissions to create cost categories.

For an example policy, see View and manage cost categories in the Billing User Guide.

You can add resource tags to monitors when you create them. To create monitors with resource tags, you need the ce:TagResource permission.

ce:DeleteCostCategoryDefinition

Allow or deny IAM users permissions to delete cost categories.

For an example policy, see View and manage cost categories in the Billing User Guide.

ce:DescribeCostCategoryDefinition

Allow or deny IAM users permissions to view cost categories.

For an example policy, see View and manage cost categories in the Billing User Guide.

ce:ListCostCategoryDefinitions

Allow or deny IAM users permissions to list cost categories.

For an example policy, see View and manage cost categories in the Billing User Guide.

ce:ListTagsForResource

Allow or deny IAM users permissions to list all resource tags for a given resource. For a list of supported resources, see ResourceTag in the AWS Billing and Cost Management API Reference.

ce:UpdateCostCategoryDefinition

Allow or deny IAM users permissions to update cost categories.

For an example policy, see View and manage cost categories in the Billing User Guide.

ce:CreateAnomalyMonitor

Allow or deny IAM users permissions to create a single AWS Cost Anomaly Detection monitor. You can add resource tags to monitors when you create them. To create monitors with resource tags, you need the ce:TagResource permission.

ce:GetAnomalyMonitors

Allow or deny IAM users permissions to view all AWS Cost Anomaly Detection monitors.

ce:UpdateAnomalyMonitor

Allow or deny IAM users permissions to update AWS Cost Anomaly Detection monitors.

ce:DeleteAnomalyMonitor

Allow or deny IAM users permissions to delete AWS Cost Anomaly Detection monitors.

ce:CreateAnomalySubscription

Allow or deny IAM users permissions to create a single subscription for AWS Cost Anomaly Detection. You can add resource tags to subscriptions when you create them. To create subscriptions with resource tags, you need the ce:TagResource permission.

ce:GetAnomalySubscriptions

Allow or deny IAM users permissions to view all subscriptions for AWS Cost Anomaly Detection.

ce:UpdateAnomalySubscription

Allow or deny IAM users permissions to update AWS Cost Anomaly Detection subscriptions.

ce:DeleteAnomalySubscription

Allow or deny IAM users permissions to delete AWS Cost Anomaly Detection subscriptions.

ce:GetAnomalies

Allow or deny IAM users permissions to view all anomalies in AWS Cost Anomaly Detection.

ce:ProvideAnomalyFeedback

Allow or deny IAM users permissions to provide feedback on an anomaly detected by AWS Cost Anomaly Detection.

ce:TagResource

Allow or deny IAM users permissions to add resource tag key-value pairs to a resource. For a list of supported resources, see ResourceTag in the AWS Billing and Cost Management API Reference.

ce:UntagResource

Allow or deny IAM users permissions to delete resource tags from a resource. For a list of supported resources, see ResourceTag in the AWS Billing and Cost Management API Reference.
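
Several entries in the table only work when a second permission is also allowed (for example ViewUsage with ViewBilling, ModifyAccount with ViewAccount). The following check is an added example, not code from the AWS documentation: it reads one identity-based policy document and reports which of those pairings the policy leaves incomplete. It assumes a single policy evaluated on its own and looks only at Effect and Action (NotAction, Resource, and Condition are ignored); the function names and the sample policy are constructed for illustration.

```python
import fnmatch

# (permission, permission it also needs, when) -- pairings taken from the table above.
RULES = [
    ("aws-portal:ViewUsage", "aws-portal:ViewBilling", "always"),
    ("aws-portal:ModifyBilling", "aws-portal:ViewBilling", "always"),
    ("aws-portal:ModifyAccount", "aws-portal:ViewAccount", "always"),
    ("budgets:ViewBudget", "aws-portal:ViewBilling", "always"),
    ("budgets:ModifyBudget", "aws-portal:ViewBilling", "always"),
    ("ce:CreateAnomalyMonitor", "ce:TagResource", "when tagging on create"),
    ("ce:CreateAnomalySubscription", "ce:TagResource", "when tagging on create"),
]

def _actions(policy, effect):
    """Collect the Action patterns of every statement with the given Effect."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):      # a single statement may be a bare object
        statements = [statements]
    found = []
    for stmt in statements:
        if stmt.get("Effect") == effect:
            value = stmt.get("Action", [])
            found += [value] if isinstance(value, str) else list(value)
    return found

def _matches(action, patterns):
    # IAM action names are case-insensitive and accept * and ? wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)

def is_allowed(policy, action):
    """True if this one policy allows the action and does not explicitly deny it."""
    return (_matches(action, _actions(policy, "Allow"))
            and not _matches(action, _actions(policy, "Deny")))

def missing_prerequisites(policy):
    """Return (granted, missing, when) for each pairing the policy leaves incomplete."""
    return [(a, need, when) for a, need, when in RULES
            if is_allowed(policy, a) and not is_allowed(policy, need)]

# Constructed sample policy, not taken from the AWS documentation.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["aws-portal:ViewUsage", "budgets:*", "ce:CreateAnomalyMonitor"]},
    {"Effect": "Deny", "Resource": "*", "Action": "aws-portal:ModifyAccount"},
]}

if __name__ == "__main__":
    for granted, missing, when in missing_prerequisites(SAMPLE_POLICY):
        print(f"{granted} is allowed but {missing} is not ({when})")
```

An explicit Deny on the prerequisite is reported the same way as a missing Allow, because in both cases the dependent permission cannot take effect.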