Using identity-based policies (IAM policies) for AWS Cost Management
The following AWS Identity and Access Management (IAM) actions will reach the end of standard support on July 2023: aws-portal namespace, purchase-orders:ViewPurchaseOrders, and purchase-orders:ModifyPurchaseOrders. See the Using fine-grained AWS Cost Management actions
to replace these actions with fine-grained actions so you have access to AWS Billing, AWS Cost Management, and AWS accounts consoles.
If you created your AWS account or AWS Organizations Management account before March 6, 2023, the fine-grained actions will be effective starting July 2023. We recommend you to add the fine-grained actions, but not remove your existing permissions with aws-portal or purchase-orders prefixes.
If you created your AWS account or AWS Organizations Management account on or after March 6, 2023, the fine-grained actions are effective immediately.
This topic provides examples of identity-based policies that demonstrate how an account administrator can attach permissions policies to IAM identities (users, groups, and roles) and thereby grant permissions to perform operations on Billing and Cost Management resources.
For a full discussion of AWS accounts and IAM users, see What Is IAM? in the IAM User Guide.
For information on how you can update customer managed policies, see Editing customer managed policies (console) in the IAM User Guide.
Billing and Cost Management actions policies
This table summarizes the permissions that allow or deny IAM users access to your billing information and tools. For examples of policies that use these permissions, see AWS Cost Management policy examples.
For a list of actions policies for the Billing console, see Billing actions policies in the Billing user guide.
| Permission name | Description |
|---|---|
|
|
Allow or deny IAM users permission to view the Billing and Cost Management console pages. For an example policy, see Allow IAM users to view your billing information in the Billing User Guide.. |
aws-portal:ViewUsage |
Allow or deny IAM users permission to view AWS usage
Reports To allow IAM users to view usage reports, you must allow
both For an example policy, see Allow IAM users to access the reports console page in the Billing User Guide. |
|
|
Allow or deny IAM users permission to modify the following Billing and Cost Management console pages: To allow IAM users to modify these console pages, you must
allow both |
|
|
Allow or deny IAM users permission to view the following Billing and Cost Management console pages: |
aws-portal:ModifyAccount |
Allow or deny IAM users permission to modify Account
Settings To allow IAM users to modify account settings, you must
allow both For an example of a policy that explicitly denies an IAM user access to the Account Settings console page, see Deny access to account settings, but allow full access to all other billing and usage information. |
budgets:ViewBudget |
Allow or deny IAM users permission to view Budgets To allow IAM users to view budgets, you must also allow
|
budgets:ModifyBudget |
Allow or deny IAM users permission to modify Budgets To allow IAM users to view and modify budgets, you must also
allow |
ce:GetPreferences |
Allow or deny IAM users permissions to view the Cost Explorer preferences page. For an example policy, see View and update the Cost Explorer preferences page. |
ce:UpdatePreferences |
Allow or deny IAM users permissions to update the Cost Explorer preferences page. For an example policy, see View and update the Cost Explorer preferences page. |
ce:DescribeReport |
Allow or deny IAM users permissions to view the Cost Explorer reports page. For an example policy, see View, create, update, and delete using the Cost Explorer reports page. |
ce:CreateReport |
Allow or deny IAM users permissions to create reports using the Cost Explorer reports page. For an example policy, see View, create, update, and delete using the Cost Explorer reports page. |
ce:UpdateReport |
Allow or deny IAM users permissions to update using the Cost Explorer reports page. For an example policy, see View, create, update, and delete using the Cost Explorer reports page. |
ce:DeleteReport |
Allow or deny IAM users permissions to delete reports using the Cost Explorer reports page. For an example policy, see View, create, update, and delete using the Cost Explorer reports page. |
ce:DescribeNotificationSubscription |
Allow or deny IAM users permissions to view Cost Explorer reservation expiration alerts in the reservation overview page. For an example policy, see View, create, update, and delete reservation and Savings Plans alerts. |
ce:CreateNotificationSubscription |
Allow or deny IAM users permissions to create Cost Explorer reservation expiration alerts in the reservation overview page. For an example policy, see View, create, update, and delete reservation and Savings Plans alerts. |
ce:UpdateNotificationSubscription |
Allow or deny IAM users permissions to update Cost Explorer reservation expiration alerts in the reservation overview page. For an example policy, see View, create, update, and delete reservation and Savings Plans alerts. |
ce:DeleteNotificationSubscription |
Allow or deny IAM users permissions to delete Cost Explorer reservation expiration alerts in the reservation overview page. For an example policy, see View, create, update, and delete reservation and Savings Plans alerts. |
ce:CreateCostCategoryDefinition |
Allow or deny IAM users permissions to create cost categories. For an example policy, see View and manage cost categories in the Billing User Guide. You can add resource tags to monitors during |
ce:DeleteCostCategoryDefinition |
Allow or deny IAM users permissions to delete cost categories. For an example policy, see View and manage cost categories in the Billing User Guide. |
ce:DescribeCostCategoryDefinition |
Allow or deny IAM users permissions to view cost categories. For an example policy, see View and manage cost categories in the Billing User Guide. |
ce:ListCostCategoryDefinitions |
Allow or deny IAM users permissions to list cost categories. For an example policy, see View and manage cost categories in the Billing User Guide. |
ce:ListTagsForResource |
Allow or deny IAM users permissions to list all resource tags for a given resource. For a list of supported resources, see ResourceTag in the AWS Billing and Cost Management API Reference. |
ce:UpdateCostCategoryDefinition |
Allow or deny IAM users permissions to update cost categories. For an example policy, see View and manage cost categories in the Billing User Guide. |
ce:CreateAnomalyMonitor |
Allow or deny IAM users permissions to
create a single AWS Cost Anomaly Detection
monitor. You can add resource tags to monitors during |
ce:GetAnomalyMonitors |
Allow or deny IAM users permissions to view all AWS Cost Anomaly Detection monitors. |
ce:UpdateAnomalyMonitor |
Allow or deny IAM users permissions to update AWS Cost Anomaly Detection monitors. |
ce:DeleteAnomalyMonitor |
Allow or deny IAM users permissions to delete AWS Cost Anomaly Detection monitors. |
ce:CreateAnomalySubscription |
Allow or deny IAM users permissions to
create a single subscription for AWS Cost Anomaly Detection. You can add resource tags to subscriptions during |
ce:GetAnomalySubscriptions |
Allow or deny IAM users permissions to view all subscriptions for AWS Cost Anomaly Detection. |
ce:UpdateAnomalySubscription |
Allow or deny IAM users permissions to update AWS Cost Anomaly Detection subscriptions. |
ce:DeleteAnomalySubscription |
Allow or deny IAM users permissions to delete AWS Cost Anomaly Detection subscriptions. |
ce:GetAnomalies |
Allow or deny IAM users permissions to view all anomalies in AWS Cost Anomaly Detection. |
ce:ProvideAnomalyFeedback |
Allow or deny IAM users permissions to provide feedback on a detected AWS Cost Anomaly Detection. |
ce:TagResource |
Allow or deny IAM users permissions to add resource tag key-value pairs to a resource. For a list of supported resources, see ResourceTag in the AWS Billing and Cost Management API Reference. |
ce:UntagResource |
Allow or deny IAM users permissions to delete resource tags from a resource. For a list of supported resources, see ResourceTag in the AWS Billing and Cost Management API Reference. |
Managed policies
The following AWS Identity and Access Management (IAM) actions will reach the end of standard support on July 2023: aws-portal namespace, purchase-orders:ViewPurchaseOrders, and purchase-orders:ModifyPurchaseOrders. See the Using fine-grained AWS Cost Management actions
to replace these actions with fine-grained actions so you have access to AWS Billing, AWS Cost Management, and AWS accounts consoles.
If you created your AWS account or AWS Organizations Management account before March 6, 2023, the fine-grained actions will be effective starting July 2023. We recommend you to add the fine-grained actions, but not remove your existing permissions with aws-portal or purchase-orders prefixes.
If you created your AWS account or AWS Organizations Management account on or after March 6, 2023, the fine-grained actions are effective immediately.
Managed policies are standalone identity-based policies that you can attach to multiple users, groups, and roles in your AWS account. You can use AWS managed policies to control access in Billing and Cost Management.
An AWS managed policy is a standalone policy that is created and administered by AWS. AWS managed policies are designed to provide permissions for many common use cases. AWS managed policies make it easier for you to assign appropriate permissions to users, groups, and roles than if you had to write the policies yourself.
You can't change the permissions defined in AWS managed policies. AWS occasionally updates the permissions defined in an AWS managed policy. When this occurs, the update affects all principal entities (users, groups, and roles) that the policy is attached to.
Billing and Cost Management provides several AWS managed policies for common use cases.
Topics
Allows full access to AWS Budgets including budgets actions
Managed policy name: AWSBudgetsActionsWithAWSResourceControlAccess
This managed policy is focused on the user, ensuring that you have the proper permissions to grant permission to AWS Budgets to run the defined actions. This policy provides full access to AWS Budgets, including budgets actions, to retrieve the status of your policies and run AWS resources using the AWS Management Console.
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "budgets:*" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "aws-portal:ViewBilling" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "iam:PassRole" ], "Resource": "*", "Condition": { "StringEquals": { "iam:PassedToService": "budgets.amazonaws.com" } } }, { "Effect": "Allow", "Action": [ "aws-portal:ModifyBilling", "ec2:DescribeInstances", "iam:ListGroups", "iam:ListPolicies", "iam:ListRoles", "iam:ListUsers", "organizations:ListAccounts", "organizations:ListOrganizationalUnitsForParent", "organizations:ListPolicies", "organizations:ListRoots", "rds:DescribeDBInstances", "sns:ListTopics" ], "Resource": "*" } ] }
Allows AWS Budgets broad permission to control AWS resources
Managed policy name: AWSBudgetsActionsRolePolicyForResourceAdministrationWithSSM
This managed policy is focused on specific actions that AWS Budgets takes on your behalf when completing a specific action. This policy gives AWS Budgets broad permission to control AWS resources. For example, starts and stops Amazon EC2 or Amazon RDS instances by running AWS Systems Manager (SSM) scripts.
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ec2:DescribeInstanceStatus", "ec2:StartInstances", "ec2:StopInstances", "rds:DescribeDBInstances", "rds:StartDBInstance", "rds:StopDBInstance" ], "Resource": "*", "Condition": { "ForAnyValue:StringEquals": { "aws:CalledVia": [ "ssm.amazonaws.com" ] } } }, { "Effect": "Allow", "Action": [ "ssm:StartAutomationExecution" ], "Resource": "*" } ] }
