
Amazon Cost Management policy examples

Note

The following Amazon Identity and Access Management (IAM) actions have reached the end of standard support:

  • aws-portal namespace

  • purchase-orders:ViewPurchaseOrders

  • purchase-orders:ModifyPurchaseOrders

If you haven't migrated the old IAM actions to the new fine-grained actions, you have until March 2024 to do so.

If you're using Amazon Organizations, you can use the bulk policy migrator scripts to update policies from your payer account. You can also use the old-to-granular action mapping reference to verify the IAM actions that need to be added.

For more information, see the Changes to Amazon Billing, Amazon Cost Management, and Account Consoles Permission blog.

If you have an Amazon Web Services account, or are part of an organization in Amazon Organizations, that was created on or after November 16, 2023, 11:00 AM (PDT), the fine-grained actions are already in effect in your organization.

This topic contains example policies that you can attach to your IAM role or group to control access to your account's billing information and tools. The following basic rules apply to IAM policies for Billing and Cost Management:

  • Version is always 2012-10-17.

  • Effect is always Allow or Deny.

  • Action is the name of the action or a wildcard (*).

    The action prefix is budgets for Amazon Budgets, cur for Amazon Cost and Usage Reports, aws-portal for Amazon Billing, or ce for Cost Explorer.

  • Resource is always * for Amazon Billing.

    For actions performed on a budget resource, specify the budget Amazon Resource Name (ARN).

  • It's possible to have multiple statements in one policy.

For a list of policy examples for the Billing console, see Billing policy examples in the Billing user guide.

Note

These policies require that you activate user access to the Billing and Cost Management console on the Account Settings console page. For more information, see Activating access to the Billing and Cost Management console.

Deny users access to the Billing and Cost Management console

To explicitly deny a user access to all Billing and Cost Management console pages, use a policy similar to this example policy.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "aws-portal:*",
      "Resource": "*"
    }
  ]
}

Deny Amazon Console cost and usage widget access for member accounts

To restrict member (linked) account access to cost and usage data, use your management (payer) account to access the Cost Explorer preferences tab and uncheck Linked Account Access. This will deny access to cost and usage data from the Cost Explorer (Amazon Cost Management) console, Cost Explorer API, and Amazon Console Home page's cost and usage widget regardless of the IAM actions a member account’s user or role has.

Deny Amazon Console cost and usage widget access for specific users and roles

To deny Amazon Console cost and usage widget access for specific users and roles, use the permissions policy below.

Note

Adding this policy to a user or role also denies that user or role access to the Cost Explorer (Amazon Cost Management) console and the Cost Explorer APIs.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "ce:*",
      "Resource": "*"
    }
  ]
}

Allow full access to Amazon services but deny users access to the Billing and Cost Management console

To deny users access to everything on the Billing and Cost Management console, use the following policy. In this case, you should also deny user access to Amazon Identity and Access Management (IAM) so that the users can't access the policies that control access to billing information and tools.

Important

This policy doesn't allow any actions. Use this policy in combination with other policies that allow specific actions.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "aws-portal:*",
        "iam:*"
      ],
      "Resource": "*"
    }
  ]
}

Allow users to view the Billing and Cost Management console except for account settings

This policy allows read-only access to all of the Billing and Cost Management console, including the Payment Methods and Reports console pages, but denies access to the Account Settings page, thus protecting the account password, contact information, and security questions. Because the explicit Deny on aws-portal:*Account takes precedence over the Allow on aws-portal:View*, even aws-portal:ViewAccount is denied.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "aws-portal:View*",
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "Action": "aws-portal:*Account",
      "Resource": "*"
    }
  ]
}

Allow users to modify billing information

To allow users to modify account billing information in the Billing and Cost Management console, you must also allow users to view your billing information. The following policy example allows a user to modify the Consolidated Billing, Preferences, and Credits console pages. It also allows a user to view the following Billing and Cost Management console pages:

  • Dashboard

  • Cost Explorer

  • Bills

  • Orders and invoices

  • Advance Payment

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "aws-portal:*Billing",
      "Resource": "*"
    }
  ]
}

Allow users to create budgets

To allow users to create budgets in the Billing and Cost Management console, you must also allow users to view your billing information, create CloudWatch alarms, and create Amazon SNS notifications. The following policy example allows a user to modify the Budget console page.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1435216493000",
      "Effect": "Allow",
      "Action": [
        "aws-portal:ViewBilling",
        "aws-portal:ModifyBilling",
        "budgets:ViewBudget",
        "budgets:ModifyBudget"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "Stmt1435216514000",
      "Effect": "Allow",
      "Action": [
        "cloudwatch:*"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "Stmt1435216552000",
      "Effect": "Allow",
      "Action": [
        "sns:*"
      ],
      "Resource": [
        "arn:aws:sns:us-east-1::"
      ]
    }
  ]
}

Deny access to account settings, but allow full access to all other billing and usage information

To protect your account password, contact information, and security questions, you can deny user access to Account Settings while still enabling full access to the rest of the functionality in the Billing and Cost Management console, as shown in the following example.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "aws-portal:*Billing",
        "aws-portal:*Usage",
        "aws-portal:*PaymentMethods"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "Action": "aws-portal:*Account",
      "Resource": "*"
    }
  ]
}
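The two "everything except Account Settings" policies above rely on IAM's evaluation order: an explicit Deny always wins over an Allow, and anything no statement matches is implicitly denied. The following Python is an added example, not code from this page or from Amazon: a minimal evaluator for identity-based policies (wildcard matching on Action and Resource, no Condition or NotAction support) run over the two policies as written, so you can check which aws-portal actions each one actually grants.

```python
import fnmatch
import json

# The two identity policies from this page: read-only except Account settings,
# and full access except Account settings.
READ_ONLY_EXCEPT_ACCOUNT = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "aws-portal:View*", "Resource": "*"},
    {"Effect": "Deny", "Action": "aws-portal:*Account", "Resource": "*"}
  ]
}""")
FULL_EXCEPT_ACCOUNT = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["aws-portal:*Billing", "aws-portal:*Usage", "aws-portal:*PaymentMethods"]},
    {"Effect": "Deny", "Action": "aws-portal:*Account", "Resource": "*"}
  ]
}""")


def _as_list(value):
    # Action and Resource may be a single string or a list of strings.
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    # Action names are matched case-insensitively; '*' and '?' are wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def evaluate(policy, action, resource="*"):
    """Return "Deny" if any matching statement is an explicit Deny (it always
    wins), "Allow" if a matching Allow exists and no Deny does, otherwise
    "ImplicitDeny". Condition, NotAction and resource-based policies are
    deliberately out of scope; the identity policies on this page use none."""
    allowed = False
    for stmt in policy["Statement"]:
        if not any(_action_matches(p, action) for p in _as_list(stmt.get("Action", []))):
            continue
        # Resource ARNs are matched case-sensitively with the same wildcards.
        if not any(fnmatch.fnmatchcase(resource, p) for p in _as_list(stmt.get("Resource", []))):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        allowed = True
    return "Allow" if allowed else "ImplicitDeny"
```

Note that aws-portal:ViewAccount matches both the Allow (View*) and the Deny (*Account) in the first policy, and the Deny wins.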

Deposit reports into an Amazon S3 bucket

The following policy allows Billing and Cost Management to save your detailed Amazon bills to an Amazon S3 bucket, as long as you own both the Amazon account and the Amazon S3 bucket. Note that this policy must be applied to the Amazon S3 bucket, instead of to a user. That is, it's a resource-based policy, not a user-based policy. You should deny user access to the bucket for users who don't need access to your bills.

Replace bucketname with the name of your bucket.

For more information, see Using Bucket Policies and User Policies in the Amazon Simple Storage Service User Guide.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "billingreports.amazonaws.com"
      },
      "Action": [
        "s3:GetBucketAcl",
        "s3:GetBucketPolicy"
      ],
      "Resource": "arn:aws:s3:::bucketname"
    },
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "billingreports.amazonaws.com"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::bucketname/*"
    }
  ]
}

View costs and usage

To allow users to use the Amazon Cost Explorer API, use the following policy to grant them access.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ce:*"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}

Enable and disable Amazon Regions

For an example IAM policy that allows users to enable and disable Regions, see Amazon: Allows Enabling and Disabling Amazon Regions in the IAM User Guide.

View and update the Cost Explorer preferences page

This policy allows a user to view and update settings on the Cost Explorer preferences page.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "aws-portal:ViewBilling",
        "ce:UpdatePreferences"
      ],
      "Resource": "*"
    }
  ]
}

The following policy allows users to view Cost Explorer, but denies permission to view or edit the Preferences page.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "aws-portal:ViewBilling"
      ],
      "Resource": "*"
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Deny",
      "Action": [
        "ce:GetPreferences",
        "ce:UpdatePreferences"
      ],
      "Resource": "*"
    }
  ]
}

The following policy allows users to view Cost Explorer, but denies permission to edit the Preferences page.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "aws-portal:ViewBilling"
      ],
      "Resource": "*"
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Deny",
      "Action": [
        "ce:UpdatePreferences"
      ],
      "Resource": "*"
    }
  ]
}

View, create, update, and delete using the Cost Explorer reports page

This policy allows a user to view, create, update, and delete reports using the Cost Explorer reports page.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "aws-portal:ViewBilling",
        "ce:CreateReport",
        "ce:UpdateReport",
        "ce:DeleteReport"
      ],
      "Resource": "*"
    }
  ]
}

The following policy allows users to view Cost Explorer, but denies permission to view or edit the Reports page.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "aws-portal:ViewBilling"
      ],
      "Resource": "*"
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Deny",
      "Action": [
        "ce:DescribeReport",
        "ce:CreateReport",
        "ce:UpdateReport",
        "ce:DeleteReport"
      ],
      "Resource": "*"
    }
  ]
}

The following policy allows users to view Cost Explorer, but denies permission to edit the Reports page.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "aws-portal:ViewBilling"
      ],
      "Resource": "*"
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Deny",
      "Action": [
        "ce:CreateReport",
        "ce:UpdateReport",
        "ce:DeleteReport"
      ],
      "Resource": "*"
    }
  ]
}

View, create, update, and delete reservation and Savings Plans alerts

This policy allows a user to view, create, update, and delete reservation expiration alerts and Savings Plans alerts. To edit reservation expiration alerts or Savings Plans alerts, a user needs all three granular actions: ce:CreateNotificationSubscription, ce:UpdateNotificationSubscription, and ce:DeleteNotificationSubscription.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "aws-portal:ViewBilling",
        "ce:CreateNotificationSubscription",
        "ce:UpdateNotificationSubscription",
        "ce:DeleteNotificationSubscription"
      ],
      "Resource": "*"
    }
  ]
}

The following policy allows users to view Cost Explorer, but denies permission to view or edit the Reservation Expiration Alerts and Savings Plans alert pages.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "aws-portal:ViewBilling"
      ],
      "Resource": "*"
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Deny",
      "Action": [
        "ce:DescribeNotificationSubscription",
        "ce:CreateNotificationSubscription",
        "ce:UpdateNotificationSubscription",
        "ce:DeleteNotificationSubscription"
      ],
      "Resource": "*"
    }
  ]
}

The following policy allows users to view Cost Explorer, but denies permission to edit the Reservation Expiration Alerts and Savings Plans alert pages.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "aws-portal:ViewBilling"
      ],
      "Resource": "*"
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Deny",
      "Action": [
        "ce:CreateNotificationSubscription",
        "ce:UpdateNotificationSubscription",
        "ce:DeleteNotificationSubscription"
      ],
      "Resource": "*"
    }
  ]
}

Allow read-only access to Amazon Cost Anomaly Detection

To allow users read-only access to Amazon Cost Anomaly Detection, use the following policy to grant them access. ce:ProvideAnomalyFeedback can optionally be added as part of the read-only access.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ce:Get*"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}

Allow Amazon Budgets to apply IAM policies and SCPs

This policy allows Amazon Budgets to apply IAM policies and service control policies (SCPs) on behalf of the user.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iam:AttachGroupPolicy",
        "iam:AttachRolePolicy",
        "iam:AttachUserPolicy",
        "iam:DetachGroupPolicy",
        "iam:DetachRolePolicy",
        "iam:DetachUserPolicy",
        "organizations:AttachPolicy",
        "organizations:DetachPolicy"
      ],
      "Resource": "*"
    }
  ]
}

Allow Amazon Budgets to apply IAM policies and SCPs and target EC2 and RDS instances

This policy allows Amazon Budgets to apply IAM policies and service control policies (SCPs), and to target Amazon EC2 and Amazon RDS instances on behalf of the user.

Trust policy

Note

This trust policy allows Amazon Budgets to assume a role that can call other services on your behalf. For more information on the best practices for cross-service permissions like this, see Cross-service confused deputy prevention.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "budgets.amazonaws.com"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "ArnLike": {
          "aws:SourceArn": "arn:aws:budgets::123456789012:budget/*"
        },
        "StringEquals": {
          "aws:SourceAccount": "123456789012"
        }
      }
    }
  ]
}
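The aws:SourceArn and aws:SourceAccount conditions in the trust policy above are what stop a different account's budget from using the budgets.amazonaws.com service principal to assume this role. The following Python is an added check, not code from this page or from Amazon Budgets: it flags any Allow statement in a trust policy that grants sts:AssumeRole to a service principal without at least one of those two condition keys. The trust policy from the page passes; the stripped copy used as the negative case is constructed here.

```python
import json

# The Amazon Budgets trust policy from this page, with both confused-deputy
# condition keys present.
TRUST_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {"Service": "budgets.amazonaws.com"},
      "Action": "sts:AssumeRole",
      "Condition": {
        "ArnLike": {"aws:SourceArn": "arn:aws:budgets::123456789012:budget/*"},
        "StringEquals": {"aws:SourceAccount": "123456789012"}
      }
    }
  ]
}""")

# Either key scopes which source resource or account may invoke the service principal.
GUARD_KEYS = {"aws:sourcearn", "aws:sourceaccount"}


def unguarded_service_statements(trust_policy):
    """Return the index of every Allow statement that lets an Amazon service
    principal assume the role without aws:SourceArn or aws:SourceAccount in
    its Condition block, i.e. without a confused-deputy guard."""
    findings = []
    for idx, stmt in enumerate(trust_policy.get("Statement", [])):
        principal = stmt.get("Principal")
        if stmt.get("Effect") != "Allow" or not isinstance(principal, dict):
            continue
        if "Service" not in principal:
            continue  # IAM (account/user/role) principals are not the confused-deputy case
        # Condition is {operator: {key: value}}; condition keys are case-insensitive.
        keys = {k.lower() for op in stmt.get("Condition", {}).values() for k in op}
        if not keys & GUARD_KEYS:
            findings.append(idx)
    return findings


def strip_conditions(trust_policy):
    """Constructed negative case: the same policy with every Condition removed."""
    stripped = json.loads(json.dumps(trust_policy))
    for stmt in stripped["Statement"]:
        stmt.pop("Condition", None)
    return stripped
```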

Permissions policy

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeInstanceStatus",
        "ec2:StartInstances",
        "ec2:StopInstances",
        "iam:AttachGroupPolicy",
        "iam:AttachRolePolicy",
        "iam:AttachUserPolicy",
        "iam:DetachGroupPolicy",
        "iam:DetachRolePolicy",
        "iam:DetachUserPolicy",
        "organizations:AttachPolicy",
        "organizations:DetachPolicy",
        "rds:DescribeDBInstances",
        "rds:StartDBInstance",
        "rds:StopDBInstance",
        "ssm:StartAutomationExecution"
      ],
      "Resource": "*"
    }
  ]
}