Overview of managing access permissions - Amazon Billing
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Overview of managing access permissions

Granting access to your billing information and tools

By default, IAM users don't have access to the Amazon Billing and Cost Management console.

When you create an Amazon Web Services account, you begin with one sign-in identity that has complete access to all Amazon Web Services and resources in the account. This identity is called the Amazon Web Services account root user and is accessed by signing in with the email address and password that you used to create the account. We strongly recommend that you don't use the root user for your everyday tasks. Safeguard your root user credentials and use them to perform the tasks that only the root user can perform. For the complete list of tasks that require you to sign in as the root user, see Tasks that require root user credentials in the IAM User Guide.

As an administrator, you can create roles under your Amazon account that your users can assume. After you create roles, you can attach your IAM policy to them, based on the access needed. For example, you can grant some users limited access to some of your billing information and tools, and grant others complete access to all of the information and tools.

To grant IAM entities access to the Billing and Cost Management console, complete the following:

  • Activate IAM Access as the Amazon Web Services account root user. You only need to complete this action once for your account.

  • Create your IAM identities, such as a user, group, or role.

  • Use an Amazon managed policy or create a customer managed policy that grants permission to specific actions on the Billing and Cost Management console. For more information, see Using identity-based policies for Billing.

For more information, see the IAM tutorial: Grant access to the Billing console in the IAM User Guide.

Note

Permissions for Cost Explorer apply to all accounts and member accounts, regardless of the IAM policies. For more information, see Controlling access to Amazon Cost Explorer.

Activating access to the Billing and Cost Management console

IAM users and roles in an Amazon Web Services account can't access the Billing and Cost Management console by default. This is true even if they have IAM policies that grant access to certain Billing features. To grant access, the Amazon Web Services account root user can use the Activate IAM Access setting.

If you use Amazon Organizations, activate this setting in each management or member account where you want to allow IAM user and role access to the Billing and Cost Management console. For more information, see Activating IAM access to the Amazon Billing and Cost Management console.

On the Billing console, the Activate IAM Access setting controls access to the following pages:

  • Home

  • Budgets

  • Budgets Reports

  • Amazon Cost and Usage Reports

  • Cost categories

  • Cost allocation tags

  • Bills

  • Payments

  • Credits

  • Purchase Order

  • Billing preferences

  • Payment methods

  • Fapiao management

  • Real name information

On the Amazon Cost Management console, the Activate IAM Access setting controls access to the following pages:

  • Home

  • Cost Explorer

  • Reports

  • Rightsizing recommendations

  • Savings Plans recommendations

  • Savings Plans utilization report

  • Savings Plans coverage report

  • Reservations overview

  • Reservations recommendations

  • Reservations utilization report

  • Reservations coverage report

  • Preferences

For a list of pages the Activate IAM Access setting controls for the Billing console, see Activating access to the Billing console in the Billing User Guide.

Important

Activating IAM access alone doesn't grant roles the necessary permissions for these Billing and Cost Management console pages. In addition to activating IAM access, you must also attach the required IAM policies to those roles. For more information, see Using identity-based policies for Billing.

The Activate IAM Access setting doesn't control access to the following pages and resources:

  • The console pages for Amazon Cost Anomaly Detection, Savings Plans overview, Savings Plans inventory, Purchase Savings Plans, and Savings Plans cart

  • The Cost Management view in the Amazon Console Mobile Application

  • The Billing and Cost Management SDK APIs (Amazon Cost Explorer, Amazon Budgets, and Amazon Cost and Usage Reports APIs)

  • Amazon Systems Manager Application Manager