AWS Billing and Cost Management and AWS Organizations - AWS Organizations

AWS Billing and Cost Management and AWS Organizations

AWS Billing and Cost Management provides a suite of features to help you set up your billing, retrieve and pay invoices, and analyze, organize, plan, and optimize your costs. When you use Billing and Cost Management with AWS Organizations you allow split cost allocation data to retrieve AWS Organizations information, if applicable, and collect telemetry data for the split cost allocation data services that you opted into.

Use the following information to help you integrate AWS Billing and Cost Management with AWS Organizations.

Service-linked roles created when you enable integration

The following service-linked role is automatically created in your organization's management account when you enable trusted access. This role allows Billing and Cost Management to perform supported operations within your organization's accounts in your organization.

You can delete or modify this role only if you disable trusted access between Billing and Cost Management and Organizations, or if you remove the member account from the organization.

For more information, see Service-linked role permissions for Billing and Cost Management in the Billing and Cost Management User Guide.

  • AWSServiceRoleForSplitCostAllocationData

Service principals used by Billing and Cost Management

The service-linked role in the previous section can be assumed only by the service principals authorized by the trust relationships defined for the role. The service-linked roles used by Billing and Cost Management grant access to the following service principals:

Billing and Cost Management uses the billing-cost-management.amazonaws.com service principal.

Enabling trusted access with Billing and Cost Management

For information about the permissions needed to enable trusted access, see Permissions required to enable trusted access.

With trusted access enabled via management account, customers can take advantage of the split cost allocation data feature under Billing and Cost Management. When customers enable split cost allocation data for Amazon Elastic Kubernetes Service with Amazon Managed Service for Prometheus, trusted access is invoked to create service-linked roles for all member accounts within the Organization. This allows split cost allocation data to collect telemetry data from customers' Amazon Managed Service for Prometheus work spaces and perform cost allocation based on those metrics.

You can enable trusted access by using either the AWS Organizations console, by running a AWS CLI command, or by calling an API operation in one of the AWS SDKs.

AWS Management Console
To enable trusted service access using the Organizations console
  1. Sign in to the AWS Organizations console. You must sign in as an IAM user, assume an IAM role, or sign in as the root user (not recommended) in the organization’s management account.

  2. In the navigation pane, choose Services.

  3. Choose AWS Billing and Cost Management in the list of services.

  4. Choose Enable trusted access.

  5. In the Enable trusted access for AWS Billing and Cost Management dialog box, type enable to confirm it, and then choose Enable trusted access.

  6. If you are the administrator of only AWS Organizations, tell the administrator of AWS Billing and Cost Management that they can now enable that service using its console to work with AWS Organizations.

AWS CLI, AWS API
To enable trusted service access using the OrganizationsCLI/SDK

You can use the following AWS CLI commands or API operations to enable trusted service access:

  • AWS CLI: enable-aws-service-access

    You can run the following command to enable AWS Billing and Cost Management as a trusted service with Organizations.

    $ aws organizations enable-aws-service-access \ --service-principal billing-cost-management.amazonaws.com

    This command produces no output when successful.

  • AWS API: EnableAWSServiceAccess

Disabling trusted access

For information about the permissions needed to disable trusted access, see Permissions required to disable trusted access.

You can disable trusted access using only the Organizations tools.

You can disable trusted access by running a Organizations AWS CLI command, or by calling an Organizations API operation in one of the AWS SDKs.

AWS CLI, AWS API
To disable trusted service access using the Organizations CLI/SDK

You can use the following AWS CLI commands or API operations to disable trusted service access:

  • AWS CLI: disable-aws-service-access

    You can run the following command to disable AWS Billing and Cost Management as a trusted service with Organizations.

    $ aws organizations disable-aws-service-access \ --service-principal billing-cost-management.amazonaws.com

    This command produces no output when successful.

  • AWS API: DisableAWSServiceAccess