Billing and Cost Management policy examples - AWS Billing and Cost Management
The AWS services or features described in the AWS documentation might vary by Region. To see the differences that apply to the China Regions, see Getting Started with AWS services in China.

This is a machine-translated version. If this translation differs from the English original, the English original prevails.

Billing and Cost Management policy examples

This topic contains several example policies that you can attach to your IAM users or groups to control access to your account's billing information and tools. The following basic rules apply to IAM policies for Billing and Cost Management:

  • Version is always 2012-10-17.

  • Effect is always Allow or Deny.

  • Action is the name of the action or a wildcard (*).

    The action prefix is budgets (for AWS Budgets), cur (for AWS Cost and Usage Reports), aws-portal (for AWS Billing), or ce (for Cost Explorer).

  • Resource is always * for AWS Billing.

    For actions performed on a budget resource, specify the budget Amazon Resource Name (ARN).

  • A policy can contain multiple statements.

Note

These policies require that you activate IAM user access to the console on the Account Settings page of the Billing and Cost Management console. For more information, see Activating access to the Billing and Cost Management console.

Allow IAM users to view your billing information

To allow an IAM user to view your billing information without giving that user access to sensitive account information (such as your password and account activity reports), use a policy similar to the following example. This policy lets IAM users view the following Billing and Cost Management console pages, without giving them access to the Account Settings or Reports console pages:

  • Dashboard

  • Cost Explorer

  • Bills

  • Orders and invoices

  • Consolidated billing

  • Preferences

  • Credits

  • Advance Payment

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "aws-portal:ViewBilling",
      "Resource": "*"
    }
  ]
}

Allow IAM users to access the Reports console page

To allow an IAM user to access the Reports console page and to view the usage reports that contain account activity information, use a policy similar to this example.

For definitions of each action, see Billing and Cost Management actions policies.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "aws-portal:ViewUsage",
        "aws-portal:ViewBilling",
        "cur:DescribeReportDefinitions",
        "cur:PutReportDefinition",
        "cur:DeleteReportDefinition",
        "cur:ModifyReportDefinition"
      ],
      "Resource": "*"
    }
  ]
}

Deny IAM users access to the Billing and Cost Management console

To explicitly deny an IAM user access to all Billing and Cost Management console pages, use a policy similar to this example.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "aws-portal:*",
      "Resource": "*"
    }
  ]
}

Allow full access to AWS services but deny IAM users access to the Billing and Cost Management console

To deny IAM users access to everything in the Billing and Cost Management console, use the following policy. In this case, you should also deny the users access to AWS Identity and Access Management (IAM) so that they cannot reach the policies that control access to billing information and tools.

Important

This policy does not allow any actions. Use it in combination with other policies that allow specific actions.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "aws-portal:*",
        "iam:*"
      ],
      "Resource": "*"
    }
  ]
}

Allow IAM users to view the Billing and Cost Management console except for account settings

This policy allows read-only access to the whole Billing and Cost Management console, including the Payment Methods and Reports console pages, but denies access to the Account Settings page, thereby protecting the account password, contact information, and security questions.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "aws-portal:View*",
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "Action": "aws-portal:*Account",
      "Resource": "*"
    }
  ]
}

Allow IAM users to modify billing information

To allow IAM users to modify account billing information in the Billing and Cost Management console, you must also allow them to view your billing information. The following example policy lets an IAM user modify the Consolidated Billing, Preferences, and Credits console pages. It also lets the IAM user view the following Billing and Cost Management console pages:

  • Dashboard

  • Cost Explorer

  • Bills

  • Orders and invoices

  • Advance Payment

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "aws-portal:*Billing",
      "Resource": "*"
    }
  ]
}

Allow IAM users to create budgets

To allow IAM users to create budgets in the Billing and Cost Management console, you must also allow them to view your billing information, create CloudWatch alarms, and create Amazon SNS notifications. The following example policy lets an IAM user modify the Budgets console page.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1435216493000",
      "Effect": "Allow",
      "Action": [
        "aws-portal:ViewBilling",
        "aws-portal:ModifyBilling",
        "budgets:ViewBudget",
        "budgets:ModifyBudget"
      ],
      "Resource": ["*"]
    },
    {
      "Sid": "Stmt1435216514000",
      "Effect": "Allow",
      "Action": ["cloudwatch:*"],
      "Resource": ["*"]
    },
    {
      "Sid": "Stmt1435216552000",
      "Effect": "Allow",
      "Action": ["sns:*"],
      "Resource": ["arn:aws:sns:us-east-1"]
    }
  ]
}

Deny access to account settings, but allow full access to all other billing and usage information

To protect your account password, contact information, and security questions, you can deny IAM users access to Account Settings while still allowing full access to the rest of the Billing and Cost Management console, as shown in the following example.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "aws-portal:*Billing",
        "aws-portal:*Usage",
        "aws-portal:*PaymentMethods"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "Action": "aws-portal:*Account",
      "Resource": "*"
    }
  ]
}
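As an added illustration that is not part of the AWS documentation, the following Python script models how IAM combines the Allow and Deny statements of the two policies that exclude account settings (the read-only one under "view the Billing and Cost Management console except for account settings" and the one directly above): an explicit Deny on aws-portal:*Account wins over any matching Allow, and an action that no statement matches is implicitly denied. The evaluator is a simplified model of IAM's evaluation logic written for this example, not AWS's own code, and the set of sample action names is constructed here to exercise it.

```python
import fnmatch

def _match(pattern, value):
    # Wildcard matching as used in this model: '*' matches any run of
    # characters, '?' matches one. Action names are compared case-insensitively.
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())

def _as_list(v):
    return [v] if isinstance(v, str) else v

def evaluate(policies, action, resource="*"):
    """Simplified identity-policy evaluation: an explicit Deny in any matching
    statement wins; otherwise at least one matching Allow is required; otherwise
    the request is implicitly denied. Returns 'allow', 'explicit_deny' or
    'implicit_deny'."""
    decision = "implicit_deny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if not any(_match(a, action) for a in _as_list(stmt["Action"])):
                continue
            if not any(_match(r, resource) for r in _as_list(stmt["Resource"])):
                continue
            if stmt["Effect"] == "Deny":
                return "explicit_deny"
            decision = "allow"
    return decision

# The two policies from this page, written as Python dicts.
VIEW_EXCEPT_ACCOUNT = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "aws-portal:View*", "Resource": "*"},
    {"Effect": "Deny", "Action": "aws-portal:*Account", "Resource": "*"}]}

FULL_EXCEPT_ACCOUNT = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["aws-portal:*Billing", "aws-portal:*Usage",
                                   "aws-portal:*PaymentMethods"], "Resource": "*"},
    {"Effect": "Deny", "Action": "aws-portal:*Account", "Resource": "*"}]}

# Constructed sample of action names used only to exercise the evaluator.
SAMPLE_ACTIONS = ["aws-portal:ViewBilling", "aws-portal:ModifyBilling",
                  "aws-portal:ViewAccount", "aws-portal:ModifyAccount",
                  "aws-portal:ViewPaymentMethods"]

def decisions(policy):
    """Map each sample action to the decision the given policy yields for it."""
    return {a: evaluate([policy], a) for a in SAMPLE_ACTIONS}

if __name__ == "__main__":
    for name, pol in [("view-only except account", VIEW_EXCEPT_ACCOUNT),
                      ("full except account", FULL_EXCEPT_ACCOUNT)]:
        print(name, decisions(pol))
```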

Deposit reports into an Amazon S3 bucket

The following policy allows Billing and Cost Management to save your detailed AWS bills to an Amazon S3 bucket, as long as you own both the AWS account and the Amazon S3 bucket. Note that this policy must be applied to the Amazon S3 bucket rather than to an IAM user; that is, it is a resource-based policy, not a user-based policy. You should deny access to the bucket for IAM users who do not need access to your bills.

Replace bucketname with the name of your bucket.

For more information, see Using Bucket Policies and User Policies in the Amazon Simple Storage Service Developer Guide: https://docs.amazonaws.cn/AmazonS3/latest/dev/using-iam-policies.html

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "billingreports.amazonaws.com"
      },
      "Action": [
        "s3:GetBucketAcl",
        "s3:GetBucketPolicy"
      ],
      "Resource": "arn:aws:s3:::bucketname"
    },
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "billingreports.amazonaws.com"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::bucketname/*"
    }
  ]
}

Find products and prices

To allow IAM users to use the AWS Price List Service API, use the following policy to grant them access.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "pricing:DescribeServices",
        "pricing:GetAttributeValues",
        "pricing:GetProducts"
      ],
      "Resource": ["*"]
    }
  ]
}

View costs and usage

To allow IAM users to use the AWS Cost Explorer API, use the following policy to grant them access.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["ce:*"],
      "Resource": ["*"]
    }
  ]
}

Enable and disable AWS Regions

For an example IAM policy that allows users to enable and disable Regions, see AWS: Allows enabling and disabling AWS Regions in the IAM User Guide.

View and manage cost categories

To allow IAM users to use, view, and manage cost categories, use the following policy to grant them access.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "aws-portal:ViewBilling",
        "ce:DescribeCostCategoryDefinition",
        "ce:UpdateCostCategoryDefinition",
        "ce:CreateCostCategoryDefinition",
        "ce:DeleteCostCategoryDefinition",
        "ce:ListCostCategoryDefinitions",
        "pricing:DescribeServices"
      ],
      "Resource": "*"
    }
  ]
}

Create, view, edit, or delete AWS Cost and Usage Reports

This policy allows an IAM user to create, view, edit, or delete the sample-report using the API.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ManageSampleReport",
      "Effect": "Allow",
      "Action": [
        "cur:PutReportDefinition",
        "cur:DeleteReportDefinition",
        "cur:ModifyReportDefinition"
      ],
      "Resource": "arn:aws:cur:*:123456789012:definition/sample-report"
    },
    {
      "Sid": "DescribeReportDefs",
      "Effect": "Allow",
      "Action": "cur:DescribeReportDefinitions",
      "Resource": "*"
    }
  ]
}

View and manage purchase orders

This policy allows IAM users to view and manage purchase orders.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "aws-portal:ViewBilling",
        "purchase-orders:ViewPurchaseOrders",
        "purchase-orders:ModifyPurchaseOrders"
      ],
      "Resource": "*"
    }
  ]
}

View and update the Cost Explorer Preferences page

This policy allows IAM users to view and update the Cost Explorer Preferences page.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "aws-portal:ViewBilling",
        "ce:UpdatePreferences"
      ],
      "Resource": "*"
    }
  ]
}

The following policy allows IAM users to view Cost Explorer, but denies them permission to view or edit the Preferences page.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": ["aws-portal:ViewBilling"],
      "Resource": "*"
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Deny",
      "Action": [
        "ce:GetPreferences",
        "ce:UpdatePreferences"
      ],
      "Resource": "*"
    }
  ]
}

The following policy allows IAM users to view Cost Explorer, but denies them permission to edit the Preferences page.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": ["aws-portal:ViewBilling"],
      "Resource": "*"
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Deny",
      "Action": ["ce:UpdatePreferences"],
      "Resource": "*"
    }
  ]
}

View, create, update, and delete using the Cost Explorer Reports page

This policy allows IAM users to view, create, update, and delete reports using the Cost Explorer Reports page.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "aws-portal:ViewBilling",
        "ce:CreateReport",
        "ce:UpdateReport",
        "ce:DeleteReport"
      ],
      "Resource": "*"
    }
  ]
}

The following policy allows IAM users to view Cost Explorer, but denies them permission to view or edit the Reports page.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": ["aws-portal:ViewBilling"],
      "Resource": "*"
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Deny",
      "Action": [
        "ce:DescribeReport",
        "ce:CreateReport",
        "ce:UpdateReport",
        "ce:DeleteReport"
      ],
      "Resource": "*"
    }
  ]
}

The following policy allows IAM users to view Cost Explorer, but denies them permission to edit the Reports page.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": ["aws-portal:ViewBilling"],
      "Resource": "*"
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Deny",
      "Action": [
        "ce:CreateReport",
        "ce:UpdateReport",
        "ce:DeleteReport"
      ],
      "Resource": "*"
    }
  ]
}

View, create, update, and delete reservation and Savings Plans alerts

This policy allows IAM users to view, create, update, and delete reservation expiration alerts and Savings Plans alerts. To edit reservation expiration alerts or Savings Plans alerts, a user needs all three granular actions: ce:CreateNotificationSubscription, ce:UpdateNotificationSubscription, and ce:DeleteNotificationSubscription.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "aws-portal:ViewBilling",
        "ce:CreateNotificationSubscription",
        "ce:UpdateNotificationSubscription",
        "ce:DeleteNotificationSubscription"
      ],
      "Resource": "*"
    }
  ]
}

The following policy allows IAM users to view Cost Explorer, but denies them permission to view or edit the reservation expiration alerts and Savings Plans alerts pages.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": ["aws-portal:ViewBilling"],
      "Resource": "*"
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Deny",
      "Action": [
        "ce:DescribeNotificationSubscription",
        "ce:CreateNotificationSubscription",
        "ce:UpdateNotificationSubscription",
        "ce:DeleteNotificationSubscription"
      ],
      "Resource": "*"
    }
  ]
}

The following policy allows IAM users to view Cost Explorer, but denies them permission to edit the reservation expiration alerts and Savings Plans alerts pages.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": ["aws-portal:ViewBilling"],
      "Resource": "*"
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Deny",
      "Action": [
        "ce:CreateNotificationSubscription",
        "ce:UpdateNotificationSubscription",
        "ce:DeleteNotificationSubscription"
      ],
      "Resource": "*"
    }
  ]
}

Allow read-only access to

To allow IAM users read-only access to , use the following policy to grant them access. ce:ProvideAnomalyFeedback is optional as part of read-only access.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": ["ce:Get*"],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}

Allow AWS Budgets to apply IAM policies and SCPs and to target EC2 and RDS instances

This policy allows AWS Budgets to apply IAM policies and service control policies (SCPs) and to target Amazon EC2 and Amazon RDS instances on behalf of the user.

Trust policy

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "budgets.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Permissions policy

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeInstanceStatus",
        "ec2:StartInstances",
        "ec2:StopInstances",
        "iam:AttachGroupPolicy",
        "iam:AttachRolePolicy",
        "iam:AttachUserPolicy",
        "iam:DetachGroupPolicy",
        "iam:DetachRolePolicy",
        "iam:DetachUserPolicy",
        "organizations:AttachPolicy",
        "organizations:DetachPolicy",
        "rds:DescribeDBInstances",
        "rds:StartDBInstance",
        "rds:StopDBInstance",
        "ssm:StartAutomationExecution"
      ],
      "Resource": "*"
    }
  ]
}