IAM tutorial: Delegate access to the billing console
Amazon Web Services account owners can delegate access to specific IAM users who need to view or manage the Amazon Billing and Cost Management data for an Amazon Web Services account. The instructions that follow will help you set up a pretested scenario. This scenario helps you gain hands-on experience configuring billing permissions without concern for affecting your main Amazon production account. If you attach a managed policy to your IAM users instead of following this tutorial, you must first activate access to the Amazon Billing and Cost Management console in Step 1.
- Step 1: Activate access to billing data on your Amazon test account
  If you create a single Amazon Web Services account, only the Amazon Web Services account owner (Amazon Web Services account root user) has access to view and manage billing information. IAM users cannot access billing data until the account owner activates IAM access and also attaches policies that provide billing actions to the user or role. To view additional tasks that require you to sign in as the root user, see Amazon Tasks that Require Account Root User.
  If you create a member account using Amazon Organizations, this feature is enabled by default.
- Step 2: Attach billing policies to your user groups
  When you attach a policy to a user group, all members of that user group receive the complete set of access permissions that are associated with that policy. In this scenario, you attach the billing policies to user groups containing only those users who require the billing access.
- Step 3: Test access to the billing console
  After you've completed the core tasks, you're ready to test the policy. Testing ensures that the policy works the way you want it to.
Prerequisites
Create a test Amazon Web Services account to use with this tutorial. In this account create two test users and two test user groups as summarized in the following table. Be sure to assign a password to each user so that you can sign in later in Step 4.
User name (user to create) | User group name (user group to create) | Add user as a member
---|---|---
FinanceManager | BillingFullAccessGroup | FinanceManager
FinanceUser | BillingViewAccessGroup | FinanceUser
Step 1: Activate access to billing data on your Amazon test account
First, activate billing access for your test users in the Amazon Billing and Cost Management console.
If you create a member account using Amazon Organizations, this feature is enabled by default.
To activate IAM user and role access to the Billing and Cost Management console
- Sign in to the Amazon Web Services Management Console with your root user credentials (specifically, the email address and password that you used to create your Amazon account).
- On the navigation bar, choose your account name, and then choose Account. Next to IAM User and Role Access to Billing Information, choose Edit.
- Select the Activate IAM Access check box to activate access to the Billing and Cost Management console pages.
- Choose Update.
You can now use IAM policies to control which pages a user can access.
After you have activated IAM user access, you can attach IAM policies to grant or deny access to specific billing features. For more information about using policies to grant IAM users access to Amazon Billing and Cost Management features, see Using identity-based policies (IAM policies) for Billing and Cost Management in the Amazon Billing User Guide.
Step 2: Attach billing policies to your user groups
Now we are going to attach the appropriate Amazon managed policies to the billing user groups that you created earlier.
To attach billing policies to your user groups
- In the navigation pane, choose Policies to display the full list of policies available to your Amazon Web Services account.
- In the policy search box, enter Billing. The list displays only the Amazon managed policies that apply to billing functions.
- To give full access to your billing administrator, select the Billing Amazon managed – job function policy.
- Select the Actions drop-down arrow, and then choose Attach from the actions list.
- On the Attach policy page, in the Filter search box, enter BillingFullAccessGroup.
- In the list, select the user group and then select Attach policy. You are returned to the Policies page.
- In the policy search box, enter Billing. The list displays only the Amazon managed policies that apply to billing functions.
- To give read-only access to users that are monitoring billing activity, select the AmazonBillingReadOnlyAccess Amazon managed policy.
- Select the Actions drop-down arrow, and then choose Attach from the actions list.
- On the Attach policy page, in the Filter search box, enter BillingViewAccessGroup. In the list, select the user group and then select Attach policy.
- Sign out of the console, and then proceed to Step 3: Test access to the billing console.
Step 3: Test access to the billing console
We recommend that you test access by signing in as each of the test users to learn what your users might experience. Use the following steps to sign in using both test accounts to see the difference between access rights.
To test billing access by signing in with both test users
- Use your Amazon account ID or account alias, your IAM user name, and your password to sign in to the IAM console.
  Note: For your convenience, the Amazon sign-in page uses a browser cookie to remember your IAM user name and account information. If you previously signed in as a different user, choose Sign in to a different account near the bottom of the page to return to the main sign-in page. From there, you can type your Amazon account ID or account alias to be redirected to the IAM user sign-in page for your account.
- Sign in with each user using the steps provided below so you can compare the different user experiences.
Full access
- Sign in to your Amazon Web Services account as the user FinanceManager.
- On the navigation bar, choose FinanceManager@<account alias or ID number>, and then choose Billing Dashboard.
- Browse through the pages and choose the various buttons to ensure that you have full modify permissions.
Read-only access
- Sign in to your Amazon Web Services account as the user FinanceUser.
- On the navigation bar, choose FinanceUser@<account alias or ID number>, and then choose Billing Dashboard.
- Browse through the pages. Notice that you can display costs, reports, and billing data with no problems. However, if you choose an option to modify a value, you receive an Access Denied message. For example, on the Preferences page, choose any of the check boxes on the page, and then choose Save preferences. The console message informs you that you need ModifyBilling permissions to make changes to that page.
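To see why the two sign-in tests above end differently, here is an added example (not code from the Amazon documentation) that models the evaluation behind Steps 1 to 3: the root user's activation switch gates everything, users inherit policies through their groups, and the read-only group never matches a ModifyBilling action. The policy bodies are constructed stand-ins for the managed policies, and ignoring conditions, resource restrictions, service control policies and permissions boundaries is an assumption.

```python
from fnmatch import fnmatchcase

# Constructed stand-ins for the two managed policies attached in Step 2. Real policy
# bodies are larger; these keep only the legacy aws-portal actions that decide the
# Step 3 outcomes (assumption: no conditions, resource restrictions, SCPs or boundaries).
BILLING_FULL_ACCESS = {"Statement": [
    {"Effect": "Allow", "Action": ["aws-portal:*Billing", "aws-portal:*Usage"], "Resource": "*"}]}
BILLING_READ_ONLY = {"Statement": [
    {"Effect": "Allow", "Action": "aws-portal:View*", "Resource": "*"}]}

# Group policies (Step 2) and memberships (prerequisites table).
GROUP_POLICIES = {"BillingFullAccessGroup": [BILLING_FULL_ACCESS],
                  "BillingViewAccessGroup": [BILLING_READ_ONLY]}
USER_GROUPS = {"FinanceManager": ["BillingFullAccessGroup"],
               "FinanceUser": ["BillingViewAccessGroup"]}


def action_matches(pattern, action):
    """IAM action patterns are case-insensitive and accept '*' wildcards."""
    return fnmatchcase(action.lower(), pattern.lower())


def policies_for_user(user):
    """Every policy a user inherits through group membership (the point of Step 2)."""
    return [p for g in USER_GROUPS.get(user, ()) for p in GROUP_POLICIES.get(g, ())]


def is_allowed(user, action, iam_access_activated=True):
    """Simplified IAM decision: default deny, explicit Deny beats any Allow.
    Step 1's account-level switch gates everything: until the root user activates
    IAM access to billing, no policy can grant an IAM user billing actions."""
    if not iam_access_activated:
        return False
    allowed = False
    for policy in policies_for_user(user):
        for stmt in policy["Statement"]:
            actions = stmt["Action"]
            if isinstance(actions, str):
                actions = [actions]
            if any(action_matches(p, action) for p in actions):
                if stmt["Effect"] == "Deny":
                    return False
                allowed = True
    return allowed


def step3_outcomes():
    """The Step 3 sign-in tests as decisions per user and action."""
    checks = ("aws-portal:ViewBilling", "aws-portal:ModifyBilling")
    return {u: {a: is_allowed(u, a) for a in checks} for u in USER_GROUPS}
```

Running step3_outcomes() reproduces the tutorial's result: FinanceManager may view and modify, FinanceUser may only view, and with the Step 1 switch off neither user gets anything.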
Related resources
For related information found in the Amazon Billing User Guide, see the following resources:
For related information in the IAM User Guide, see the following resources:
Summary
You've now successfully completed all of the steps necessary to delegate user access to the Billing and Cost Management console. As a result, you've seen firsthand what your users' billing console experience will be like. You can now proceed to implement this logic in your production environment at your convenience.