
Migrating access control for Amazon Billing

Note

The following Amazon Identity and Access Management (IAM) actions have reached the end of standard support:

  • aws-portal namespace

  • purchase-orders:ViewPurchaseOrders

  • purchase-orders:ModifyPurchaseOrders

If you're using Amazon Organizations, you can use the bulk policy migrator scripts or the bulk policy migrator to update policies from your payer account. You can also use the old-to-granular action mapping reference to verify the IAM actions that need to be added.

If you have an Amazon Web Services account, or are part of an organization in Amazon Organizations, created on or after November 16, 2023, 11:00 AM (PDT), the fine-grained actions are already in effect in your organization.

You can use fine-grained access controls to provide individuals in your organization access to Amazon Billing and Cost Management services. For example, you can provide access to Cost Explorer without providing access to the Billing and Cost Management console.

To use the fine-grained access controls, you'll need to migrate your policies from under aws-portal to the new IAM actions.

The following IAM actions in your permission policies or service control policies (SCP) require updating with this migration:

  • aws-portal:ViewAccount

  • aws-portal:ViewBilling

  • aws-portal:ViewPaymentMethods

  • aws-portal:ModifyAccount

  • aws-portal:ModifyBilling

  • aws-portal:ModifyPaymentMethods

  • purchase-orders:ViewPurchaseOrders

  • purchase-orders:ModifyPurchaseOrders

To learn how to use the Affected policies tool to identify your impacted IAM policies, see How to use the affected policies tool.
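
One way to check a policy document locally for the legacy actions listed above, as an added example (not AWS code, and not the Affected policies tool or the bulk policy migrator). The function name `find_legacy_actions` and the sample policy are constructed for illustration; wildcard patterns such as `aws-portal:View*` are expanded because IAM action patterns accept `*` and `?` and are matched case-insensitively.

```python
import json
import re

# Legacy actions this page lists as requiring migration.
LEGACY_ACTIONS = [
    "aws-portal:ViewAccount", "aws-portal:ViewBilling",
    "aws-portal:ViewPaymentMethods", "aws-portal:ModifyAccount",
    "aws-portal:ModifyBilling", "aws-portal:ModifyPaymentMethods",
    "purchase-orders:ViewPurchaseOrders", "purchase-orders:ModifyPurchaseOrders",
]

def _as_list(value):
    """Action, NotAction and Statement may each be a single item or a list."""
    return value if isinstance(value, list) else [] if value is None else [value]

def _to_regex(pattern):
    """Translate IAM wildcards (* and ?) into a case-insensitive regex."""
    parts = (".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.compile("".join(parts), re.IGNORECASE)

def find_legacy_actions(policy):
    """Return one finding per action pattern that matches a legacy action."""
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        for element in ("Action", "NotAction"):
            for pattern in _as_list(stmt.get(element)):
                if pattern == "*":  # bare wildcard also covers the new actions
                    continue
                regex = _to_regex(pattern)
                matches = [a for a in LEGACY_ACTIONS if regex.fullmatch(a)]
                if matches:
                    findings.append({"statement": stmt.get("Sid", index),
                                     "effect": stmt.get("Effect"),
                                     "element": element, "pattern": pattern,
                                     "matches": matches})
    return findings

# Constructed sample policy for illustration (not taken from the page).
SAMPLE_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Sid": "ReadBilling", "Effect": "Allow", "Action": "aws-portal:View*", "Resource": "*"},
  {"Sid": "NoPayEdits", "Effect": "Deny", "Action": ["aws-portal:ModifyPaymentMethods"], "Resource": "*"},
  {"Sid": "Admin", "Effect": "Allow", "Action": "*", "Resource": "*"},
  {"Sid": "AllButPO", "Effect": "Allow", "NotAction": "purchase-orders:modifypurchaseorders", "Resource": "*"},
  {"Sid": "Migrated", "Effect": "Allow", "Action": ["billing:Get*", "payments:List*"], "Resource": "*"}
]}
""")

if __name__ == "__main__":
    print(json.dumps(find_legacy_actions(SAMPLE_POLICY), indent=2))
```

Deny statements and NotAction elements are reported as well, since a service control policy that denies a legacy action stops restricting anything once only the fine-grained actions are evaluated.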

Note

API access to Amazon Cost Explorer, Amazon Cost and Usage Reports, and Amazon Budgets remains unaffected.

Activating access to the Billing and Cost Management console remains unchanged.

Managing access permissions

Amazon Billing integrates with the Amazon Identity and Access Management (IAM) service so that you can control who in your organization can access specific pages on the Billing and Cost Management console. This includes features like Payments, Billing, Credits, Free Tier, Payment preferences, Consolidated billing, and Account pages.

Use the following IAM permissions for granular control of the Billing and Cost Management console.

To provide fine-grained access, replace the aws-portal actions in your policies with the fine-grained actions under account, billing, payments, freetier, invoicing, and consolidatedbilling.

Additionally, replace purchase-orders:ViewPurchaseOrders and purchase-orders:ModifyPurchaseOrders with the fine-grained actions under purchase-orders, account, and payments.

Using fine-grained Amazon Billing actions

This table summarizes the permissions that allow or deny IAM users and roles access to your billing information. For examples of policies that use these permissions, see Amazon Billing policy examples.

For a list of actions for the Amazon Cost Management console, see Amazon Cost Management actions policies in the Amazon Cost Management User Guide.

| Feature name in the Billing and Cost Management console | IAM action | Description |
| --- | --- | --- |
| Billing Home | `account:GetAccountInformation`, `billing:Get*`, `payments:List*` | Grants permission to view the Home page. These are read-only permissions. Note: These are permissions for the console only. No API access is available for these permissions. |
| Bills | `account:GetAccountInformation`, `billing:Get*`, `consolidatedbilling:Get*`, `consolidatedbilling:List*`, `invoicing:List*`, `payments:List*` | Grants permission to view the Bills page. These are read-only permissions. Note: These are permissions for the console only. No API access is available for these permissions. |
| | `invoicing:Get*` | Grants permission to download invoices from the Bills page. Note: This is a permission for the console only. No API access is available for this permission. |
| | `cur:Get*` | Grants permission to download CSV reports from the Bills page. Note: This is a permission for the console only. No API access is available for this permission. |
| Payments | `account:GetAccountInformation`, `billing:Get*`, `payments:Get*`, `payments:List*` | Grants permission to view the Payments page. These are read-only permissions to the Payments due, Unapplied funds, Transaction, and Advance pay tabs. Note: These are permissions for the console only. No API access is available for these permissions. |
| | `invoicing:Get*` | Grants permission to download an invoice from the Transactions tab. Note: This is a permission for the console only. No API access is available for this permission. |
| | `payments:Update*` | Grants the permission required to use Advance Pay and set up payment details. |
| | `payments:Make*`, `invoicing:Get*` | Grants permission to generate a funding request document for Advance Pay, and make a payment. |
| Credits | `billing:Get*`, `account:GetAccountInformation` | Grants permission to view the Credits page. |
| | `billing:RedeemCredits` | Grants permission to redeem credits. |
| Purchase orders | `account:GetAccountInformation`, `account:GetContactInformation`, `payments:Get*`, `payments:List*`, `purchase-orders:ListPurchaseOrders`, `purchase-orders:ListPurchaseOrderInvoices`, `consolidatedbilling:GetAccountBillingRole` | Grants permission to view the Purchase orders page. |
| | `purchase-orders:GetPurchaseOrder` | Grants permission to view details of a purchase order. |
| | `purchase-orders:AddPurchaseOrder` | Grants permission to add a purchase order. |
| | `purchase-orders:DeletePurchaseOrder` | Grants permission to delete a purchase order. |
| | `purchase-orders:UpdatePurchaseOrder`, `purchase-orders:UpdatePurchaseOrderStatus` | Grants permission to update purchase orders and purchase order status. |
| Amazon Cost and Usage Reports | `cur:GetClassic*`, `cur:DescribeReportDefinitions` | Grants permission to view a list of Amazon CUR reports on the Amazon Cost and Usage Reports page. Note: `cur:GetClassic*` is a permission for the console only. No API access is available for this permission. |
| | `s3:ListAllMyBuckets`, `s3:CreateBucket`, `s3:PutBucketPolicy`, `s3:GetBucketLocation`, `cur:Validate*`, `cur:PutReportDefinition` | Grants the permissions required to create a new Amazon CUR report. Note: `cur:Validate*` is a permission for the console only. No API access is available for this permission. |
| | `cur:Validate*`, `s3:CreateBucket`, `s3:ListAllMyBuckets`, `s3:PutBucketPolicy`, `s3:GetBucketLocation`, `cur:ModifyReportDefinition` | Grants permission to edit an Amazon CUR definition. Note: `cur:Validate*` is a permission for the console only. No API access is available for this permission. |
| | `cur:DeleteReportDefinition` | Grants permission to delete Amazon CUR reports. |
| | `cur:GetUsage*` | Grants permission to download usage reports. |
| | `sustainability:GetCarbonFootprintSummary` | Grants permission to view sustainability data for your Amazon Web Services account. |
| Cost categories | `account:GetAccountInformation`, `ce:ListCostCategoryDefinitions`, `ce:DescribeCostCategoryDefinition`, `ce:GetCostAndUsage`, `ce:ListTagsForResource`, `consolidatedbilling:GetAccountBillingRole` | Grants permission to view cost categories. Note: `account:GetAccountInformation` is a permission for the console only. No API access is available for this permission. |
| | `billing:Get*`, `ce:TagResource`, `ce:ListCostAllocationTags`, `consolidatedbilling:List*`, `ce:CreateCostCategoryDefinition`, `pricing:DescribeServices`, `ce:GetDimensionValues`, `ce:GetTags` | Grants permission to create cost categories. Note: `billing:Get*` and `consolidatedbilling:List*` are permissions for the console only. No API access is available for these permissions. |
| | `ce:UpdateCostCategoryDefinition`, `ce:UntagResource` | Grants permission to modify cost categories. |
| | `ce:DeleteCostCategoryDefinition` | Grants permission to delete cost categories. |
| Cost allocation tags | `account:GetAccountInformation`, `ce:ListCostAllocationTags`, `consolidatedbilling:GetAccountBillingRole` | Grants permission to view cost allocation tags. |
| | `ce:UpdateCostAllocationTagsStatus` | Grants permission to activate or deactivate cost allocation tags. |
| Amazon Budgets | `budgets:ViewBudget`, `budgets:DescribeBudgetActionsForBudget`, `budgets:DescribeBudgetAction`, `budgets:DescribeBudgetActionsForAccount`, `budgets:DescribeBudgetActionHistories` | Grants permission to view the Budgets page. |
| | `budgets:CreateBudgetAction`, `budgets:ExecuteBudgetAction`, `budgets:DeleteBudgetAction`, `budgets:UpdateBudgetAction`, `budgets:ModifyBudget` | Grants permission to create, delete, and modify Budgets and Budgets actions. |
| Free tier | `billing:Get*`, `freetier:Get*` | Grants permission to view free tier usage limits and month to date usage status. |
| Billing preferences | `account:GetAccountInformation`, `billing:Get*`, `consolidatedbilling:Get*`, `consolidatedbilling:List*`, `cur:GetClassic*`, `cur:Validate*`, `freetier:Get*`, `invoicing:Get*` | Grants the permissions required to view all sections on the Billing preferences page. Note: These are permissions for the console only. No API access is available for these permissions. |
| | `billing:Update*`, `freetier:Put*`, `cur:PutClassic*`, `s3:ListAllMyBuckets`, `s3:CreateBucket`, `s3:PutBucketPolicy`, `s3:GetBucketLocation`, `invoicing:Put*` | Grants permission to make the following changes in the Billing preferences page: turn credit sharing to RI or Savings Plans discount sharing on or off; set Free Tier Usage Alert preferences; set detailed billing reports delivery settings and preferences; set or update the PDF invoice by email preferences. Note: `billing:Update*`, `freetier:Put*`, and `cur:PutClassic*` are permissions for the console only. No API access is available for these permissions. |
| Payment preferences | `account:GetAccountInformation`, `billing:Get*`, `payments:GetPaymentInstrument`, `payments:List*`, `payments:GetPaymentStatus` | Grants permission to view the Payment preferences page. Note: These are permissions for the console only. No API access is available for these permissions. |
| | `payments:Update*`, `payments:Make*`, `payments:CreatePaymentInstrument`, `payments:DeletePaymentInstrument` | Grants permission to create or update payment methods. Note: `payments:Make*` is only required if a payment card requires multi-factor authentication (MFA). |
| | `payments:Update*` | Grants permission to update payment profiles. Note: This is a permission for the console only. No API access is available for this permission. |
| Account | `account:Get*`, `account:List*`, `billing:Get*`, `payments:List*` | Grants permission to view Account settings. Note: `billing:Get*` is a permission for the console only. No API access is available for this permission. |
| | `account:CloseAccount` | Grants permission to close Amazon Web Services accounts. Note: This is a permission for the console only. No API access is available for this permission. |
| | `account:PutAlternateContact` | Grants permission to write alternate contacts for the account. |
| | `account:PutChallengeQuestions` | Grants permission to set security challenge questions for the account. Note: This permission is for the console only. No API access is available for this permission. |
| | `account:PutContactInformation` | Grants the permission required to set or write main contact information, including address, for the account. |
| | `billing:PutContractInformation` | Grants permission to set the account contract information, if the account is used to service public-sector customers. Information that can be pulled includes end user organization names, contract number, and PO numbers. Note: This permission is for the console only. No API access is available for this permission. |
| | `billing:Update*` | Grants the permission required to turn on or turn off the Activate IAM Access setting on the Account page. |
| | `payments:Update*` | Grants permission to set advance pay, currency preference, billing contact details and address, and payment terms and conditions. |