Migrating access control for Amazon Billing
Note
The following Amazon Identity and Access Management (IAM) actions have reached the end of standard support:
- aws-portal namespace
- purchase-orders:ViewPurchaseOrders
- purchase-orders:ModifyPurchaseOrders
If you're using Amazon Organizations, you can use the bulk policy migrator scripts or bulk policy migrator to update policies from your payer account. You can also use the old to granular action mapping reference to verify the IAM actions that need to be added.
If you have an Amazon Web Services account, or are part of an Amazon Organizations organization created on or after November 16, 2023, 11:00 AM (PDT), the fine-grained actions are already in effect in your organization.
You can use fine-grained access controls to provide individuals in your organization access to Amazon Billing and Cost Management services. For example, you can provide access to Cost Explorer without providing access to the Billing and Cost Management console.
To use the fine-grained access controls, you'll need to migrate your policies from under aws-portal to the new IAM actions.
The following IAM actions in your permission policies or service control policies (SCP) require updating with this migration:
aws-portal:ViewAccount
aws-portal:ViewBilling
aws-portal:ViewPaymentMethods
aws-portal:ModifyAccount
aws-portal:ModifyBilling
aws-portal:ModifyPaymentMethods
purchase-orders:ViewPurchaseOrders
purchase-orders:ModifyPurchaseOrders
To learn how to use the Affected policies tool to identify your impacted IAM policies, see How to use the affected policies tool.
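As a local complement to that tool, the following added example (not Amazon's Affected policies tool or bulk policy migrator, and not code from this page) scans a policy document for entries that cover the legacy actions listed above, including wildcard, mixed-case and NotAction forms. The function names and the sample policy are constructed for illustration.

```python
import json
import re

# Legacy actions the page lists as requiring an update.
LEGACY_ACTIONS = [
    "aws-portal:ViewAccount", "aws-portal:ViewBilling",
    "aws-portal:ViewPaymentMethods", "aws-portal:ModifyAccount",
    "aws-portal:ModifyBilling", "aws-portal:ModifyPaymentMethods",
    "purchase-orders:ViewPurchaseOrders", "purchase-orders:ModifyPurchaseOrders",
]

def _as_list(value):
    """IAM allows a single value or a list for Statement/Action/NotAction."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)

def _matches(pattern, action):
    """IAM action matching: case-insensitive, '*' = any run, '?' = one char."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, action, re.IGNORECASE) is not None

def find_legacy_actions(policy):
    """Return one finding per Action/NotAction entry that covers a legacy action."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        for element in ("Action", "NotAction"):
            for pattern in _as_list(stmt.get(element)):
                if pattern == "*":
                    continue  # design choice here: a bare "*" names no legacy action
                hits = [a for a in LEGACY_ACTIONS if _matches(pattern, a)]
                if hits:
                    findings.append({"sid": stmt.get("Sid"), "effect": stmt.get("Effect"),
                                     "element": element, "pattern": pattern,
                                     "matches": hits})
    return findings

# Constructed sample policy (not from the page).
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "ReadBilling", "Effect": "Allow", "Action": "aws-portal:View*", "Resource": "*"},
    {"Sid": "BlockPO", "Effect": "Deny", "Resource": "*",
     "Action": ["purchase-orders:modifypurchaseorders", "s3:GetObject"]},
    {"Sid": "OnlyBilling", "Effect": "Deny", "NotAction": "aws-portal:*", "Resource": "*"},
    {"Sid": "Admin", "Effect": "Allow", "Action": "*", "Resource": "*"}
  ]
}""")

if __name__ == "__main__":
    for finding in find_legacy_actions(SAMPLE_POLICY):
        print(finding)
```

Deny and NotAction findings deserve the closest review, because a Deny that names only a legacy action, or a NotAction exemption that names only the legacy namespace, does not cover the fine-grained actions.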
Note
API access to Amazon Cost Explorer, Amazon Cost and Usage Reports, and Amazon Budgets remains unaffected.
Activating access to the Billing and Cost Management console remains unchanged.
Managing access permissions
Amazon Billing integrates with the Amazon Identity and Access Management (IAM) service so that you can control who in your organization can access specific pages on the Billing and Cost Management console.
Use the following IAM permissions for granular control for the Billing and Cost Management console.
To provide fine-grained access, replace the aws-portal policy with account, billing, payments, freetier, invoicing, and consolidatedbilling.
Additionally, replace purchase-orders:ViewPurchaseOrders and purchase-orders:ModifyPurchaseOrders with the fine-grained actions under purchase-orders, account, and payments.
Using fine-grained Amazon Billing actions
This table summarizes the permissions that allow or deny IAM users and roles access to your billing information. For examples of policies that use these permissions, see Amazon Billing policy examples.
For a list of actions for the Amazon Cost Management console, see Amazon Cost Management actions policies in the Amazon Cost Management User Guide.
| Feature name in the Billing and Cost Management console | IAM action | Description |
|---|---|---|
| | | Grants permission to view the Home page. These are read-only permissions. Note: These are permissions for the console only. No API access is available for these permissions. |
| | | Grants permission to view the Bills page. These are read-only permissions. Note: These are permissions for the console only. No API access is available for these permissions. |
| | | Grants permission to download invoices from the Bills page. Note: This is a permission for the console only. No API access is available for this permission. |
| | | Grants permission to download CSV reports from the Bills page. Note: This is a permission for the console only. No API access is available for this permission. |
| | | Grants permission to view the Payments page. These are read-only permissions to the Payments due, Unapplied funds, Transaction, and Advance pay tabs. Note: These are permissions for the console only. No API access is available for these permissions. |
| | | Grants permission to download an invoice from the Transactions tab. Note: This is a permission for the console only. No API access is available for this permission. |
| | | Grants permission action required to use Advance Pay and set up payment details. |
| | | Grants permission to generate a funding request document for Advance Pay, and make a payment. |
| | | Grants permission to view the Credits page. |
| | | Grants permission to redeem credits. |
| | | Grants permission to view the Purchase orders page. |
| | | Grants permission to view details of a purchase order. |
| | | Grants permission to add a purchase order. |
| | | Grants permission to delete a purchase order. |
| | | Grants permission to update purchase orders and purchase order status. |
| | | Grants permission to view a list of Amazon CUR reports on the Amazon Cost and Usage Reports page. Note |
| | | Grants permission actions required to create a new Amazon CUR report. Note |
| | | Grants permission to edit Amazon CUR definition. Note |
| | | Grants permission to delete Amazon CUR reports. |
| | | Grants permission to download usage reports. |
| | | Grants permission to view sustainability data for your Amazon Web Services account. |
| | | Grants permission to view cost categories. Note |
| | | Grants permission to create cost categories. Note |
| | | Grants permission to modify cost categories. |
| | | Grants permission to delete cost categories. |
| | | Grants permission to view cost allocation tags. |
| | | Grants permission to activate or deactivate cost allocation tags. |
| | | Grants permission to view the Budgets page. |
| | | Grants permission to create, delete, and modify Budgets and Budgets actions. |
| | | Grants permission to view free tier usage limits and month to date usage status. |
| | | Grants permission actions required to view all sections on the Billing preferences page. Note: These are permissions for the console only. No API access is available for these permissions. |
| | | Grants permission to make the following changes in the Billing preferences page: Note |
| | | Grants permission to view the Payment preferences page. Note: These are permissions for the console only. No API access is available for these permissions. |
| | | Grants permission to create or update payment methods. Note |
| | | Grants permission to update payment profiles. Note: This is a permission for the console only. No API access is available for this permission. |
| | | Grants permission to view Account settings. Note |
| | | Grants permission to close Amazon Web Services accounts. Note: This is a permission for the console only. No API access is available for this permission. |
| | | Grants permission to write alternate contacts for the account. |
| | | Grants permission to set security challenge questions for the account. Note: This permission is for the console only. No API access is available for this permission. |
| | | Grants permission action required to set or write main contact information, including address, for the account. |
| | | Grants permission to set the account contract information, if the account is used to service public-sector customers. Information that can be pulled includes end user organization names, contract number, and PO numbers. Note: This permission is for the console only. No API access is available for this permission. |
| | | Grants permission action required to turn on or turn off the Activate IAM Access setting on the Account page. |
| | | Grants permission to set advance pay, currency preference, billing contact details and address, and payment terms and conditions. |