Mapping fine-grained IAM actions reference
Note
The following Amazon Identity and Access Management (IAM) actions have reached the end of standard support:
-
aws-portalnamespace -
purchase-orders:ViewPurchaseOrders -
purchase-orders:ModifyPurchaseOrders
If you're using Amazon Organizations, you can use the bulk policy migrator scripts to update polices from your payer account. You can also use the old to granular action mapping reference to verify the IAM actions that need to be added.
For more information, see the Changes to Amazon Billing, Amazon Cost Management, and Account Consoles Permission
If you have an Amazon Web Services account, or are a part of an Amazon Organizations created on or after November 16, 2023, 11:00 AM (PDT), the fine-grained actions are already in effect in your organization.
You will need to migrate the following IAM actions in your permission policies or service control policies (SCP):
-
aws-portal:ViewAccount -
aws-portal:ViewBilling -
aws-portal:ViewPaymentMethods -
aws-portal:ModifyAccount -
aws-portal:ModifyBilling -
aws-portal:ModifyPaymentMethods -
purchase-orders:ViewPurchaseOrders -
purchase-orders:ModifyPurchaseOrders
You can use this topic to view the mapping of the old to new fine-grained actions for each IAM action that we're retiring.
Overview
-
Review your affected IAM policies in your Amazon Web Services account. To do so, follow the steps in the Affected policies tool to identify your affected IAM policies. See How to use the affected policies tool.
-
Use the IAM console to add the new granular permissions to your policy. For example, if your policy allows the
purchase-orders:ModifyPurchaseOrderspermission, you will need to add each action in the Mapping for purchase-orders:ModifyPurchaseOrders table.Old policy
The following policy allows a user to add, delete, or modify any purchase order in the account.
{ "Version": "2012-10-17", "Statement": [ { "Sid": "VisualEditor0", "Effect": "Allow", "Action": "purchase-orders:ModifyPurchaseOrders", "Resource": "arn:aws:purchase-orders::123456789012:purchase-order/*" } ] }New policy
The following policy also allows a user to add, delete, or modify any purchase order in the account. Note that each granular permission appears after the old
purchase-orders:ModifyPurchaseOrderspermission. These permissions give you more control over what actions you want to allow or deny.Tip
We recommend that you keep the old permissions to ensure that you don't lose permissions until this migration is complete.
{ "Version": "2012-10-17", "Statement": [ { "Sid": "VisualEditor0", "Effect": "Allow", "Action": [ "purchase-orders:ModifyPurchaseOrders", "purchase-orders:AddPurchaseOrder", "purchase-orders:DeletePurchaseOrder", "purchase-orders:UpdatePurchaseOrder", "purchase-orders:UpdatePurchaseOrderStatus" ], "Resource": "arn:aws:purchase-orders::123456789012:purchase-order/*" } ] } -
Save your changes.
Notes
-
To edit policies manually in the IAM console, see Editing customer managed policies (console) in the IAM User Guide.
-
To bulk migrate your IAM policies to use fine-grained actions (new actions), see Use scripts to bulk migrate your policies to use fine-grained IAM actions.
Contents
- Mapping for aws-portal:ViewAccount
- Mapping for aws-portal:ViewBilling
- Mapping for aws-portal:ViewPaymentMethods
- Mapping for aws-portal:ModifyAccount
- Mapping for aws-portal:ModifyBilling
- Mapping for aws-portal:ModifyPaymentMethods
- Mapping for purchase-orders:ViewPurchaseOrders
- Mapping for purchase-orders:ModifyPurchaseOrders
Mapping for aws-portal:ViewAccount
| New action | Description | Access level |
|---|---|---|
account:GetAccountInformation |
Grants permission to retrieve the account information for an account | Read |
account:GetAlternateContact |
Grants permission to retrieve the alternate contacts for an account | Read |
account:GetChallengeQuestions
|
Grants permission to retrieve the challenge questions for an account | Read |
account:GetContactInformation
|
Grants permission to retrieve the primary contact information for an account | Read |
billing:GetContractInformation
|
Grants permission to view the account's contract information including the contract number, end-user organization names, purchase order numbers, and if the account is used to service public-sector customers | Read |
billing:GetSellerOfRecord
|
Grants permission to retrieve the account's default seller of record | Read |
payments:ListPaymentPreferences
|
Grants permission to get payment preferences (for example, preferred payment currency, preferred payment method) | Read |
Mapping for aws-portal:ViewBilling
| New action | Description | Access level |
|---|---|---|
account:GetAccountInformation
|
Grants permission to retrieve the account information for an account | Read |
billing:GetBillingData |
Grants permission to perform queries on billing information | Read |
billing:GetBillingDetails |
Grants permission to view detailed line item billing information | Read |
billing:GetBillingNotifications
|
Grants permission to view notifications sent by Amazon related to your accounts billing information | Read |
billing:GetBillingPreferences |
Grants permission to view billing preferences such as Reserved Instances, Savings Plans, and credits sharing | Read |
billing:GetContractInformation |
Grants permission to view the account's contract information including the contract number, end-user organization names, purchase order numbers, and if the account is used to service public-sector customers | Read |
billing:GetCredits
|
Grants permission to view credits that have been redeemed | Read |
billing:GetSellerOfRecord |
Grants permission to retrieve the account's default seller of record | Read |
ce:DescribeNotificationSubscription |
Grants permission to view reservation expiration alerts | Read |
ce:DescribeReport
|
Grants permission to view Cost Explorer reports page | Read |
ce:GetAnomalies |
Grants permission to retrieve anomalies | Read |
ce:GetAnomalyMonitors
|
Grants permission to query anomaly monitors | Read |
ce:GetAnomalySubscriptions |
Grants permission to query anomaly subscriptions | Read |
ce:GetCostAndUsage
|
Grants permission to retrieve the cost and usage metrics for your account | Read |
ce:GetCostAndUsageWithResources
|
Grants permission to retrieve the cost and usage metrics with resources for your account | Read |
ce:GetCostCategories
|
Grants permission to query cost category names and values for a specified time period | Read |
ce:GetCostForecast |
Grants permission to retrieve a cost forecast for a forecast time period | Read |
ce:GetDimensionValues
|
Grants permission to retrieve all available filter values for a filter for a period of time | Read |
ce:GetPreferences |
Grants permission to view the Cost Explorer preferences page | Read |
ce:GetReservationCoverage
|
Grants permission to retrieve the reservation coverage for your account | Read |
ce:GetReservationPurchaseRecommendation |
Grants permission to retrieve the reservation recommendations for your account | Read |
ce:GetReservationUtilization
|
Grants permission to retrieve the reservation utilization for your account | Read |
ce:GetRightsizingRecommendation
|
Grants permission to retrieve the rightsizing recommendations for your account | Read |
ce:GetSavingsPlansCoverage
|
Grants permission to retrieve the Savings Plans coverage for your account | Read |
ce:GetSavingsPlansPurchaseRecommendation |
Grants permission to retrieve the Savings Plans recommendations for your account | Read |
ce:GetSavingsPlansUtilization
|
Grants permission to retrieve the Savings Plans utilization for your account | Read |
ce:GetSavingsPlansUtilizationDetails
|
Grants permission to retrieve the Savings Plans utilization details for your account | Read |
ce:GetTags |
Grants permission to query tags for a specified time period | Read |
ce:GetUsageForecast |
Grants permission to retrieve a usage forecast for a forecast time period | Read |
ce:ListCostAllocationTags
|
Grants permission to list cost allocation tags | List |
ce:ListSavingsPlansPurchaseRecommendationGeneration
|
Grants permission to retrieve a list of your historical recommendation generations | Read |
consolidatedbilling:GetAccountBillingRole
|
Grants permission to get account role (payer, linked, regular) | Read |
consolidatedbilling:ListLinkedAccounts
|
Grants permission to get list of member and linked accounts | List |
cur:GetClassicReport
|
Grants permission to get the CSV report for your bill | Read |
cur:GetClassicReportPreferences
|
Grants permission to get the classic report enablement status for usage reports | Read |
cur:ValidateReportDestination
|
Grants permission to validates if the Amazon S3 bucket exists with appropriate permissions for Amazon CUR delivery | Read |
freetier:GetFreeTierAlertPreference
|
Grants permission to get Amazon Web Services China Region Free Tier alert preference (by email address) | Read |
freetier:GetFreeTierUsage
|
Grants permission to get Amazon Web Services China Region Free Tier usage limits and month-to-date (MTD) usage status | Read |
invoicing:GetInvoiceEmailDeliveryPreferences
|
Grants permission to get invoice email delivery preferences | Read |
invoicing:GetInvoicePDF
|
Grants permission to get the invoice PDF | Read |
invoicing:ListInvoiceSummaries
|
Grants permission to get invoice summary information for your account or linked account | List |
payments:GetPaymentInstrument
|
Grants permission to get information about a payment instrument | Read |
payments:GetPaymentStatus
|
Grants permission to get payment status of invoices | Read |
payments:ListPaymentPreferences
|
Grants permission to get payment preferences (for example, preferred payment currency, preferred payment method) | Read |
Mapping for aws-portal:ViewPaymentMethods
| New action | Description | Access level |
|---|---|---|
account:GetAccountInformation
|
Grants permission to retrieve the account information for an account | Read |
invoicing:GetInvoicePDF
|
Grants permission to get the invoice PDF | Read |
payments:GetPaymentInstrument
|
Grants permission to get information about a payment instrument | Read |
payments:GetPaymentStatus
|
Grants permission to get payment status of invoices | Read |
payments:ListPaymentPreferences
|
Grants permission to get payment preferences (for example, preferred payment currency, preferred payment method) | List |
Mapping for aws-portal:ModifyAccount
| New action | Description | Access level |
|---|---|---|
account:CloseAccount
|
Grants permission to close an account | Write |
account:DeleteAlternateContact
|
Grants permission to delete the alternate contacts for an account | Write |
account:PutAlternateContact
|
Grants permission to modify the alternate contacts for an account | Write |
account:PutChallengeQuestions
|
Grants permission to modify the challenge questions for an account | Write |
account:PutContactInformation
|
Grants permission to update the primary contact information for an account | Write |
billing:PutContractInformation |
Grants permission to set the account's contract information end-user organization names and if the account is used to service public-sector customers | Write |
payments:UpdatePaymentPreferences
|
Grants permission to update payment preferences (for example, preferred payment currency, preferred payment method) | Write |
Mapping for aws-portal:ModifyBilling
| New action | Description | Access level |
|---|---|---|
billing:PutContractInformation |
Grants permission to set the account's contract information end-user organization names and if the account is used to service public-sector customers | Write |
billing:RedeemCredits
|
Grants permission to redeem an Amazon credit | Write |
billing:UpdateBillingPreferences
|
Grants permission to update billing preferences such as Reserved Instances, Savings Plans, and credits sharing | Write |
ce:CreateAnomalyMonitor
|
Grants permission to create a new anomaly monitor | Write |
ce:CreateAnomalySubscription |
Grants permission to create a new anomaly subscription | Write |
ce:CreateNotificationSubscription |
Grants permission to create reservation expiration alerts | Write |
ce:CreateReport |
Grants permission to create Cost Explorer reports | Write |
ce:DeleteAnomalyMonitor
|
Grants permission to delete an anomaly monitor | Write |
ce:DeleteAnomalySubscription |
Grants permission to delete an anomaly subscription | Write |
ce:DeleteNotificationSubscription
|
Grants permission to delete reservation expiration alerts | Write |
ce:DeleteReport
|
Grants permission to delete Cost Explorer reports | Write |
ce:ProvideAnomalyFeedback
|
Grants permission to provide feedback on detected anomalies | Write |
ce:StartSavingsPlansPurchaseRecommendationGeneration
|
Grants permission to request a Savings Plans recommendation generation | Write |
ce:UpdateAnomalyMonitor
|
Grants permission to update an existing anomaly monitor | Write |
ce:UpdateAnomalySubscription
|
Grants permission to update an existing anomaly subscription | Write |
ce:UpdateCostAllocationTagsStatus
|
Grants permission to update existing cost allocation tags status | Write |
ce:UpdateNotificationSubscription |
Grants permission to update reservation expiration alerts | Write |
ce:UpdatePreferences
|
Grants permission to edit the Cost Explorer preferences page | Write |
cur:PutClassicReportPreferences
|
Grants permission to enable classic reports | Write |
freetier:PutFreeTierAlertPreference
|
Grants permission to set Amazon Web Services China Region Free Tier alert preference (by email address) | Write |
invoicing:PutInvoiceEmailDeliveryPreferences
|
Grants permission to update invoice email delivery preferences | Write |
payments:CreatePaymentInstrument |
Grants permission to create a payment instrument | Write |
payments:DeletePaymentInstrument |
Grants permission to delete a payment instrument | Write |
payments:MakePayment
|
Grants permission to make a payment, authenticate a payment, verify a payment method, and generate a funding request document for Advance Pay | Write |
payments:UpdatePaymentPreferences
|
Grants permission to update payment preferences (for example, preferred payment currency, preferred payment method) | Write |
Mapping for aws-portal:ModifyPaymentMethods
| New action | Description | Access level |
|---|---|---|
account:GetAccountInformation
|
Grants permission to retrieve the account information for an account | Read |
payments:DeletePaymentInstrument
|
Grants permission to delete a payment instrument | Write |
payments:CreatePaymentInstrument
|
Grants permission to create a payment instrument | Write |
payments:MakePayment
|
Grants permission to make a payment, authenticate a payment, verify a payment method, and generate a funding request document for Advance Pay | Write |
payments:UpdatePaymentPreferences
|
Grants permission to update payment preferences (for example, preferred payment currency, preferred payment method) | Write |
Mapping for purchase-orders:ViewPurchaseOrders
| New action | Description | Access level |
|---|---|---|
invoicing:GetInvoicePDF
|
Grants permission to get invoice PDF | Get |
payments:ListPaymentPreferences
|
Grants permission to get payment preferences (for example, preferred payment currency, preferred payment method) | List |
purchase-orders:GetPurchaseOrder
|
Grants permission to get a purchase order | Read |
purchase-orders:ListPurchaseOrderInvoices |
Grants permission to view purchase orders and details | List |
purchase-orders:ListPurchaseOrders
|
Grants permission to get all available purchase orders | List |
Mapping for purchase-orders:ModifyPurchaseOrders
| New action | Description | Access level |
|---|---|---|
purchase-orders:AddPurchaseOrder |
Grants permission to add a purchase order | Write |
purchase-orders:DeletePurchaseOrder
|
Grants permission to delete a purchase order. | Write |
purchase-orders:UpdatePurchaseOrder
|
Grants permission to update an existing purchase order | Write |
purchase-orders:UpdatePurchaseOrderStatus
|
Grants permission to set purchase order status | Write |