Using identity-based policies (IAM policies) for Amazon Cost Management - Amazon Cost Management
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Using identity-based policies (IAM policies) for Amazon Cost Management

Note

The following Amazon Identity and Access Management (IAM) actions have reached the end of standard support:

  • aws-portal namespace

  • purchase-orders:ViewPurchaseOrders

  • purchase-orders:ModifyPurchaseOrders

If you haven't migrated the old IAM actions to the new fine-grained actions, you have until March 2024 to do so.

If you're using Amazon Organizations, you can use the bulk policy migrator scripts to update policies from your payer account. You can also use the old-to-granular action mapping reference to verify the IAM actions that need to be added.

For more information, see the Changes to Amazon Billing, Amazon Cost Management, and Account Consoles Permission blog.

If you have an Amazon Web Services account, or are part of an organization in Amazon Organizations, that was created on or after November 16, 2023, 11:00 AM (PDT), the fine-grained actions are already in effect in your organization.

This topic provides examples of identity-based policies that demonstrate how an account administrator can attach permissions policies to IAM identities (roles and groups) and thereby grant permissions to perform operations on Billing and Cost Management resources.

For a full discussion of Amazon accounts and users, see What Is IAM? in the IAM User Guide.

For information on how you can update customer managed policies, see Editing customer managed policies (console) in the IAM User Guide.

Billing and Cost Management actions policies

This table summarizes the permissions that allow or deny users access to your billing information and tools. For examples of policies that use these permissions, see Amazon Cost Management policy examples.

For a list of actions policies for the Billing console, see Billing actions policies in the Billing user guide.

Permission name Description

aws-portal:ViewBilling

Allow or deny users permission to view the Billing and Cost Management console pages. For an example policy, see Allow IAM users to view your billing information in the Billing User Guide.

aws-portal:ViewUsage

Allow or deny users permission to view Amazon usage reports.

To allow users to view usage reports, you must allow both ViewUsage and ViewBilling.

For an example policy, see Allow IAM users to access the reports console page in the Billing User Guide.

aws-portal:ModifyBilling

Allow or deny users permission to modify the following Billing and Cost Management console pages:

To allow users to modify these console pages, you must allow both ModifyBilling and ViewBilling. For an example policy, see Allow users to modify billing information.

aws-portal:ViewAccount

Allow or deny users permission to view the following Billing and Cost Management console pages:

aws-portal:ModifyAccount

Allow or deny users permission to modify Account Settings.

To allow users to modify account settings, you must allow both ModifyAccount and ViewAccount.

For an example of a policy that explicitly denies a user access to the Account Settings console page, see Deny access to account settings, but allow full access to all other billing and usage information.

budgets:ViewBudget

Allow or deny users permission to view Budgets.

To allow users to view budgets, you must also allow ViewBilling.

budgets:ModifyBudget

Allow or deny users permission to modify Budgets.

To allow users to view and modify budgets, you must also allow ViewBilling.

ce:GetPreferences

Allow or deny users permissions to view the Cost Explorer preferences page.

For an example policy, see View and update the Cost Explorer preferences page.

ce:UpdatePreferences

Allow or deny users permissions to update the Cost Explorer preferences page.

For an example policy, see View and update the Cost Explorer preferences page.

ce:DescribeReport

Allow or deny users permissions to view the Cost Explorer reports page.

For an example policy, see View, create, update, and delete using the Cost Explorer reports page.

ce:CreateReport

Allow or deny users permissions to create reports using the Cost Explorer reports page.

For an example policy, see View, create, update, and delete using the Cost Explorer reports page.

ce:UpdateReport

Allow or deny users permissions to update using the Cost Explorer reports page.

For an example policy, see View, create, update, and delete using the Cost Explorer reports page.

ce:DeleteReport

Allow or deny users permissions to delete reports using the Cost Explorer reports page.

For an example policy, see View, create, update, and delete using the Cost Explorer reports page.

ce:DescribeNotificationSubscription

Allow or deny users permissions to view Cost Explorer reservation expiration alerts in the reservation overview page.

For an example policy, see View, create, update, and delete reservation and Savings Plans alerts.

ce:CreateNotificationSubscription

Allow or deny users permissions to create Cost Explorer reservation expiration alerts in the reservation overview page.

For an example policy, see View, create, update, and delete reservation and Savings Plans alerts.

ce:UpdateNotificationSubscription

Allow or deny users permissions to update Cost Explorer reservation expiration alerts in the reservation overview page.

For an example policy, see View, create, update, and delete reservation and Savings Plans alerts.

ce:DeleteNotificationSubscription

Allow or deny users permissions to delete Cost Explorer reservation expiration alerts in the reservation overview page.

For an example policy, see View, create, update, and delete reservation and Savings Plans alerts.

ce:CreateCostCategoryDefinition

Allow or deny users permissions to create cost categories.

For an example policy, see View and manage cost categories in the Billing User Guide.

You can add resource tags to monitors during Create. In order to create monitors with resource tags, you need the ce:TagResource permission.

ce:DeleteCostCategoryDefinition

Allow or deny users permissions to delete cost categories.

For an example policy, see View and manage cost categories in the Billing User Guide.

ce:DescribeCostCategoryDefinition

Allow or deny users permissions to view cost categories.

For an example policy, see View and manage cost categories in the Billing User Guide.

ce:ListCostCategoryDefinitions

Allow or deny users permissions to list cost categories.

For an example policy, see View and manage cost categories in the Billing User Guide.

ce:ListTagsForResource

Allow or deny users permissions to list all resource tags for a given resource. For a list of supported resources, see ResourceTag in the Amazon Billing and Cost Management API Reference.

ce:UpdateCostCategoryDefinition

Allow or deny users permissions to update cost categories.

For an example policy, see View and manage cost categories in the Billing User Guide.

ce:CreateAnomalyMonitor

Allow or deny users permissions to create a single Amazon Cost Anomaly Detection monitor. You can add resource tags to monitors during Create. In order to create monitors with resource tags, you need the ce:TagResource permission.

ce:GetAnomalyMonitors

Allow or deny users permissions to view all Amazon Cost Anomaly Detection monitors.

ce:UpdateAnomalyMonitor

Allow or deny users permissions to update Amazon Cost Anomaly Detection monitors.

ce:DeleteAnomalyMonitor

Allow or deny users permissions to delete Amazon Cost Anomaly Detection monitors.

ce:CreateAnomalySubscription

Allow or deny users permissions to create a single subscription for Amazon Cost Anomaly Detection. You can add resource tags to subscriptions during Create. In order to create subscriptions with resource tags, you need the ce:TagResource permission.

ce:GetAnomalySubscriptions

Allow or deny users permissions to view all subscriptions for Amazon Cost Anomaly Detection.

ce:UpdateAnomalySubscription

Allow or deny users permissions to update Amazon Cost Anomaly Detection subscriptions.

ce:DeleteAnomalySubscription

Allow or deny users permissions to delete Amazon Cost Anomaly Detection subscriptions.

ce:GetAnomalies

Allow or deny users permissions to view all anomalies in Amazon Cost Anomaly Detection.

ce:ProvideAnomalyFeedback

Allow or deny users permissions to provide feedback on an anomaly detected by Amazon Cost Anomaly Detection.

ce:TagResource

Allow or deny users permissions to add resource tag key-value pairs to a resource. For a list of supported resources, see ResourceTag in the Amazon Billing and Cost Management API Reference.

ce:UntagResource

Allow or deny users permissions to delete resource tags from a resource. For a list of supported resources, see ResourceTag in the Amazon Billing and Cost Management API Reference.
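Several entries in the table above pair one action with another that must also be allowed (ViewUsage with ViewBilling, ModifyBilling with ViewBilling, ModifyAccount with ViewAccount, and the budgets actions with ViewBilling), and a policy that forgets the second half fails in the console without an obvious reason. The script below is an added example, not part of this guide and not an AWS tool. It resolves a single action against an identity policy the way IAM does at the action level (an explicit Deny wins, Allow patterns are matched with IAM wildcards, case-insensitively), then reports every allowed action whose documented prerequisite is not also allowed. It ignores Resource, Condition and NotAction, so it is a lint for the pairings on this page rather than a full policy simulator. PREREQUISITES, is_allowed, missing_prerequisites and SAMPLE_POLICY are names chosen here, and the sample policy is constructed for the example.

```python
"""Lint an IAM identity policy for the action prerequisites documented on this page."""
import fnmatch
import json

# Pairings taken from the actions table: action -> actions that must also be allowed.
# This covers only the dependencies the page states; it is not an exhaustive list.
PREREQUISITES = {
    "aws-portal:ViewUsage": ["aws-portal:ViewBilling"],
    "aws-portal:ModifyBilling": ["aws-portal:ViewBilling"],
    "aws-portal:ModifyAccount": ["aws-portal:ViewAccount"],
    "budgets:ViewBudget": ["aws-portal:ViewBilling"],
    "budgets:ModifyBudget": ["aws-portal:ViewBilling"],
}


def _as_list(value):
    # IAM lets Statement and Action be either a single string or a list.
    return value if isinstance(value, list) else [value]


def is_allowed(policy, action):
    """Resolve one action against one identity policy at the action level only.

    An explicit Deny whose pattern matches wins over any Allow; otherwise any
    matching Allow grants the action. Patterns use IAM wildcards (* and ?) and
    IAM action names are case-insensitive, so both sides are lowercased.
    Resource, Condition and NotAction are deliberately not evaluated here.
    """
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        patterns = [p.lower() for p in _as_list(stmt.get("Action", []))]
        if not any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        allowed = True
    return allowed


def missing_prerequisites(policy):
    """Return {action: [missing prerequisites]} for each documented action the
    policy allows without also allowing what the table says it requires."""
    problems = {}
    for action, needs in PREREQUISITES.items():
        if not is_allowed(policy, action):
            continue  # not granted, so its prerequisites do not matter
        missing = [need for need in needs if not is_allowed(policy, need)]
        if missing:
            problems[action] = missing
    return problems


# Constructed sample: grants usage reports and all budgets actions but forgets
# ViewBilling, and explicitly denies changes to account settings (the pattern
# the "deny access to account settings" example on this page describes).
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["aws-portal:ViewUsage", "budgets:*"], "Resource": "*"},
    {"Effect": "Allow", "Action": "aws-portal:ViewAccount", "Resource": "*"},
    {"Effect": "Deny", "Action": "aws-portal:ModifyAccount", "Resource": "*"}
  ]
}
""")

if __name__ == "__main__":
    # Prints the three budgets/usage actions that are allowed without ViewBilling.
    print(json.dumps(missing_prerequisites(SAMPLE_POLICY), indent=2))
```

Adding a statement that allows aws-portal:ViewBilling to the sample clears every finding; ModifyAccount is denied, so it is skipped rather than reported, which is the intended behaviour because a denied action has no prerequisite to satisfy.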

Managed policies

Managed policies are standalone identity-based policies that you can attach to multiple users, groups, and roles in your Amazon account. You can use Amazon managed policies to control access in Billing and Cost Management.

An Amazon managed policy is a standalone policy that is created and administered by Amazon. Amazon managed policies are designed to provide permissions for many common use cases. Amazon managed policies make it easier for you to assign appropriate permissions to users, groups, and roles than if you had to write the policies yourself.

You can't change the permissions defined in Amazon managed policies. Amazon occasionally updates the permissions defined in an Amazon managed policy. When this occurs, the update affects all principal entities (users, groups, and roles) that the policy is attached to.

Billing and Cost Management provides several Amazon managed policies for common use cases.

Allows full access to Amazon Budgets including budgets actions

Managed policy name: AWSBudgetsActionsWithAWSResourceControlAccess

This managed policy is focused on the user: it ensures that you have the permissions needed to grant Amazon Budgets permission to run the defined actions. The policy provides full access to Amazon Budgets, including budgets actions, to retrieve the status of your policies and to run actions on Amazon resources using the Amazon Web Services Management Console.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "budgets:*"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "aws-portal:ViewBilling"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:PassRole"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "iam:PassedToService": "budgets.amazonaws.com"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "aws-portal:ModifyBilling",
        "ec2:DescribeInstances",
        "iam:ListGroups",
        "iam:ListPolicies",
        "iam:ListRoles",
        "iam:ListUsers",
        "organizations:ListAccounts",
        "organizations:ListOrganizationalUnitsForParent",
        "organizations:ListPolicies",
        "organizations:ListRoots",
        "rds:DescribeDBInstances",
        "sns:ListTopics"
      ],
      "Resource": "*"
    }
  ]
}

Allows read-only access to Amazon Budgets

Managed policy name: AWSBudgetsReadOnlyAccess

This managed policy allows read-only access to Amazon Budgets through the Amazon Web Services Management Console. The policy can be attached to your users, groups, and roles.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AWSBudgetsReadOnlyAccess",
      "Effect": "Allow",
      "Action": [
        "aws-portal:ViewBilling",
        "budgets:ViewBudget",
        "budgets:Describe*",
        "budgets:ListTagsForResource"
      ],
      "Resource": "*"
    }
  ]
}

Allows permission to control Amazon resources

Managed policy name: AWSBudgetsActions_RolePolicyForResourceAdministrationWithSSM

This managed policy is focused on the specific actions that Amazon Budgets takes on your behalf when it completes a budget action. It gives permission to control Amazon resources; for example, it starts and stops Amazon EC2 or Amazon RDS instances by running Amazon Systems Manager (SSM) scripts.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeInstanceStatus",
        "ec2:StartInstances",
        "ec2:StopInstances",
        "rds:DescribeDBInstances",
        "rds:StartDBInstance",
        "rds:StopDBInstance"
      ],
      "Resource": "*",
      "Condition": {
        "ForAnyValue:StringEquals": {
          "aws:CalledVia": [
            "ssm.amazonaws.com"
          ]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "ssm:StartAutomationExecution"
      ],
      "Resource": [
        "arn:aws:ssm:*:*:automation-definition/AWS-StartEC2Instance:*",
        "arn:aws:ssm:*:*:automation-definition/AWS-StopEC2Instance:*",
        "arn:aws:ssm:*:*:automation-definition/AWS-StartRdsInstance:*",
        "arn:aws:ssm:*:*:automation-definition/AWS-StopRdsInstance:*"
      ]
    }
  ]
}

Allows Cost Optimization Hub to call services required to make the service work

Managed policy name: CostOptimizationHubServiceRolePolicy

Allows Cost Optimization Hub to retrieve organization information and collect optimization-related data and metadata.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AwsOrgsAccess",
      "Effect": "Allow",
      "Action": [
        "organizations:DescribeOrganization",
        "organizations:ListAccounts",
        "organizations:ListAWSServiceAccessForOrganization",
        "organizations:ListParents",
        "organizations:DescribeOrganizationalUnit"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "AwsOrgsScopedAccess",
      "Effect": "Allow",
      "Action": [
        "organizations:ListDelegatedAdministrators"
      ],
      "Resource": "*",
      "Condition": {
        "StringLikeIfExists": {
          "organizations:ServicePrincipal": [
            "cost-optimization-hub.bcm.amazonaws.com"
          ]
        }
      }
    },
    {
      "Sid": "CostExplorerAccess",
      "Effect": "Allow",
      "Action": [
        "ce:ListCostAllocationTags",
        "ce:GetCostAndUsage"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}

For more information, see Service-linked roles for Cost Optimization Hub.

Allows read-only access to Cost Optimization Hub

Managed policy name: CostOptimizationHubReadOnlyAccess

This managed policy provides read-only access to Cost Optimization Hub.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CostOptimizationHubReadOnlyAccess",
      "Effect": "Allow",
      "Action": [
        "cost-optimization-hub:ListEnrollmentStatuses",
        "cost-optimization-hub:GetPreferences",
        "cost-optimization-hub:GetRecommendation",
        "cost-optimization-hub:ListRecommendations",
        "cost-optimization-hub:ListRecommendationSummaries"
      ],
      "Resource": "*"
    }
  ]
}

Allows admin access to Cost Optimization Hub

Managed policy name: CostOptimizationHubAdminAccess

This managed policy provides admin access to Cost Optimization Hub.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CostOptimizationHubAdminAccess",
      "Effect": "Allow",
      "Action": [
        "cost-optimization-hub:ListEnrollmentStatuses",
        "cost-optimization-hub:UpdateEnrollmentStatus",
        "cost-optimization-hub:GetPreferences",
        "cost-optimization-hub:UpdatePreferences",
        "cost-optimization-hub:GetRecommendation",
        "cost-optimization-hub:ListRecommendations",
        "cost-optimization-hub:ListRecommendationSummaries",
        "organizations:EnableAWSServiceAccess"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowCreationOfServiceLinkedRoleForCostOptimizationHub",
      "Effect": "Allow",
      "Action": [
        "iam:CreateServiceLinkedRole"
      ],
      "Resource": [
        "arn:aws:iam::*:role/aws-service-role/cost-optimization-hub.bcm.amazonaws.com/AWSServiceRoleForCostOptimizationHub"
      ],
      "Condition": {
        "StringLike": {
          "iam:AWSServiceName": "cost-optimization-hub.bcm.amazonaws.com"
        }
      }
    },
    {
      "Sid": "AllowAWSServiceAccessForCostOptimizationHub",
      "Effect": "Allow",
      "Action": [
        "organizations:EnableAWSServiceAccess"
      ],
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "organizations:ServicePrincipal": [
            "cost-optimization-hub.bcm.amazonaws.com"
          ]
        }
      }
    }
  ]
}

Allows split cost allocation data to call services required to make the service work

Managed policy name: SplitCostAllocationDataServiceRolePolicy

Allows split cost allocation data to retrieve Amazon Organizations information, if applicable, and collect telemetry data for the split cost allocation data services that the customer has opted in to.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AwsOrganizationsAccess",
      "Effect": "Allow",
      "Action": [
        "organizations:DescribeOrganization",
        "organizations:ListAccounts",
        "organizations:ListAWSServiceAccessForOrganization",
        "organizations:ListParents"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AmazonManagedServiceForPrometheusAccess",
      "Effect": "Allow",
      "Action": [
        "aps:ListWorkspaces",
        "aps:QueryMetrics"
      ],
      "Resource": "*"
    }
  ]
}

For more information, see Service-linked roles for split cost allocation data.

Allows Data Exports to access other Amazon services

Managed policy name: AWSBCMDataExportsServiceRolePolicy

Allows Data Exports to access other Amazon services such as Cost Optimization Hub on your behalf.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CostOptimizationRecommendationAccess",
      "Effect": "Allow",
      "Action": [
        "cost-optimization-hub:ListEnrollmentStatuses",
        "cost-optimization-hub:ListRecommendations"
      ],
      "Resource": "*"
    }
  ]
}

For more information, see Service-linked roles for Data Exports.
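Because Amazon updates these managed policies in place and the update reaches every principal they are attached to, a useful habit is to review each policy document for Allow statements that cover every resource without a Condition narrowing them. The script below is an added example, not code from this guide and not an AWS tool. It takes a policy document as a Python dict and reports, per Allow statement, the actions, whether Resource is "*", and the condition keys present; review_policy and unscoped_statements are names chosen here. The two embedded documents are copies of AWSBudgetsActions_RolePolicyForResourceAdministrationWithSSM and AWSBudgetsReadOnlyAccess as shown above, so the output shows the scoped-down SSM policy passing and the read-only policy's single wildcard statement being flagged.

```python
"""Review managed policy documents for Allow statements that apply to every
resource with no Condition to narrow them (added example, not an AWS tool)."""
import json


def _as_list(value):
    # IAM lets Statement, Action and Resource be either a string or a list.
    return value if isinstance(value, list) else [value]


def review_policy(policy):
    """Return one finding per Allow statement: Sid, actions, whether Resource
    covers everything ("*") and which condition keys, if any, scope it."""
    findings = []
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        resources = _as_list(stmt.get("Resource", []))
        # Condition is {operator: {key: value}}; collect the keys across all operators.
        condition_keys = sorted(
            key for operator in stmt.get("Condition", {}).values() for key in operator
        )
        all_resources = "*" in resources
        findings.append({
            "sid": stmt.get("Sid", "<no Sid>"),
            "actions": _as_list(stmt.get("Action", [])),
            "all_resources": all_resources,
            "condition_keys": condition_keys,
            # "unscoped" means: applies to every resource and no Condition narrows it
            "unscoped": all_resources and not condition_keys,
        })
    return findings


def unscoped_statements(policy):
    """Only the findings a reviewer would look at first."""
    return [f for f in review_policy(policy) if f["unscoped"]]


# Copied from the managed policy documents shown above on this page.
SSM_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["ec2:DescribeInstanceStatus", "ec2:StartInstances", "ec2:StopInstances",
                       "rds:DescribeDBInstances", "rds:StartDBInstance", "rds:StopDBInstance"],
            "Resource": "*",
            "Condition": {"ForAnyValue:StringEquals": {"aws:CalledVia": ["ssm.amazonaws.com"]}},
        },
        {
            "Effect": "Allow",
            "Action": ["ssm:StartAutomationExecution"],
            "Resource": [
                "arn:aws:ssm:*:*:automation-definition/AWS-StartEC2Instance:*",
                "arn:aws:ssm:*:*:automation-definition/AWS-StopEC2Instance:*",
                "arn:aws:ssm:*:*:automation-definition/AWS-StartRdsInstance:*",
                "arn:aws:ssm:*:*:automation-definition/AWS-StopRdsInstance:*",
            ],
        },
    ],
}

BUDGETS_READONLY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AWSBudgetsReadOnlyAccess",
            "Effect": "Allow",
            "Action": ["aws-portal:ViewBilling", "budgets:ViewBudget",
                       "budgets:Describe*", "budgets:ListTagsForResource"],
            "Resource": "*",
        }
    ],
}

if __name__ == "__main__":
    for name, doc in [("AWSBudgetsActions_RolePolicyForResourceAdministrationWithSSM", SSM_ROLE_POLICY),
                      ("AWSBudgetsReadOnlyAccess", BUDGETS_READONLY)]:
        print(name)
        print(json.dumps(review_policy(doc), indent=2))
```

A flagged statement is not automatically a problem: list and describe actions on a read-only policy commonly need Resource "*". The value of the check is that it separates statements whose reach is limited by a resource ARN or a condition key such as aws:CalledVia from those that are limited only by the action list, so a reviewer knows where to look when a policy version changes.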

Amazon Cost Management updates to Amazon managed policies

View details about updates to Amazon managed policies for Amazon Cost Management since this service began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the Amazon Cost Management Document history page.

Change: Update to existing policy (CostOptimizationHubServiceRolePolicy)
Description: We updated the policy to add the organizations:ListDelegatedAdministrators and ce:GetCostAndUsage actions.
Date: 07/05/2024

Change: Update to existing policy (AWSBudgetsReadOnlyAccess)
Description: We updated the policy to add the budgets:ListTagsForResource action.
Date: 06/17/2024

Change: Addition of a new policy (AWSBCMDataExportsServiceRolePolicy)
Description: Data Exports added a new policy to be used with service-linked roles, which enables access to other Amazon services such as Cost Optimization Hub.
Date: 06/10/2024

Change: Addition of a new policy (SplitCostAllocationDataServiceRolePolicy)
Description: Split cost allocation data added a new policy to be used with service-linked roles, which enables access to Amazon services and resources used or managed by split cost allocation data.
Date: 04/16/2024

Change: Update to existing policy (AWSBudgetsActions_RolePolicyForResourceAdministrationWithSSM)
Description: We updated the policy with scoped-down permissions. The ssm:StartAutomationExecution action is only allowed for specific resources used by Budget actions.
Date: 12/14/2023

Change: Update to existing policies (CostOptimizationHubReadOnlyAccess, CostOptimizationHubAdminAccess)
Description: Cost Optimization Hub updated the following two managed policies:
  • CostOptimizationHubReadOnlyAccess: Fixed typo in "GetRecommendation"; removed permissions covered by the SLR policy.
  • CostOptimizationHubAdminAccess: Fixed typo in "GetRecommendation"; removed permissions covered by the SLR policy; added permissions to enable service access and to create the SLR, so that the policy provides all necessary permissions to opt in and use Cost Optimization Hub.
Date: 12/14/2023

Change: Addition of a new policy (CostOptimizationHubServiceRolePolicy)
Description: Cost Optimization Hub added a new policy to be used with service-linked roles, which enables access to Amazon services and resources used or managed by Cost Optimization Hub.
Date: 11/02/2023

Change: Amazon Cost Management started tracking changes
Description: Amazon Cost Management started tracking changes for its Amazon managed policies.
Date: 11/02/2023