Migrating access control for Amazon Cost Management
Note
The following Amazon Identity and Access Management (IAM) actions have reached the end of standard support:
-
aws-portal
namespace -
purchase-orders:ViewPurchaseOrders
-
purchase-orders:ModifyPurchaseOrders
If you haven't migrated the old IAM actions to the new fine-grained actions, you have until March 2024 to do so.
If you're using Amazon Organizations, you can use the bulk policy migrator scripts to update polices from your payer account. You can also use the old to granular action mapping reference to verify the IAM actions that need to be added.
For more information, see the Changes to Amazon Billing, Amazon Cost Management, and Account Consoles Permission
If you have an Amazon Web Services account, or are a part of an Amazon Organizations created on or after November 16, 2023, 11:00 AM (PDT), the fine-grained actions are already in effect in your organization.
You can use fine-grained access controls to provide individuals in your organization access to Amazon Billing and Cost Management services. For example, you can provide access to Cost Explorer without providing access to the Amazon Billing console.
To use the fine-grained access controls, you'll need to migrate your policies from under
aws-portal
to the new IAM actions.
The following IAM actions in your permission policies or service control policies (SCP) require updating with this migration:
-
aws-portal:ViewAccount
-
aws-portal:ViewBilling
-
aws-portal:ViewPaymentMethods
-
aws-portal:ModifyAccount
-
aws-portal:ModifyBilling
-
aws-portal:ModifyPaymentMethods
-
purchase-orders:ViewPurchaseOrders
-
purchase-orders:ModifyPurchaseOrders
To learn how to use the Affected policies tool to identify your impacted IAM policies, see How to use the affected policies tool.
Note
Programmatic requests to Amazon Cost Explorer, Amazon Cost and Usage Reports, and Amazon Budgets remains unaffected.
Activating access to the Billing and Cost Management console remain unchanged.
Managing access permissions
Amazon Cost Management integrates with the Amazon Identity and Access Management (IAM) service so that you can control who in
your organization has access to specific pages on the Amazon Cost Management console
Use the following IAM permissions for granular control for the Amazon Cost Management console.
Using fine-grained Amazon Cost Management actions
This table summarizes the permissions that allow or deny IAM users and roles access to your cost and usage information. For examples of policies that use these permissions, see Amazon Cost Management policy examples.
For a list of actions for the Amazon Billing console, see Amazon Billing actions policies in the Amazon Billing user guide.
Feature name in the Amazon Cost Management console | IAM action | Description |
---|---|---|
|
Allow or deny users permission to view the Amazon Cost Management Home page. All IAM actions are required to view the page. |
|
|
Allow or deny users permission to view the Amazon Cost Explorer page. |
|
|
Allow or deny users permission to save Cost Explorer reports. |
|
|
Allow or deny users permission to view a list of saved reports. |
|
|
Allow or deny users permission to delete a saved report. |
|
|
Allow or deny users permission to view the Budgets page. |
|
|
Allow or deny users permission to create, delete, and modify Budgets and Budgets actions. |
|
|
Allow or deny users permission to view, create, delete, and update on the Cost Anomaly Detection page. |
|
|
Allow or deny users permission to view the Savings Plans Overview page. |
|
Savings Plans overview |
|
|
|
Allow or deny users permission to view the existing notification settings for expiring and queued Savings Plans alerts. |
|
|
Allow or deny users permission to update the existing notification settings for expiring and queued Savings Plans alerts. |
|
Savings Plans inventory |
|
Allow or deny users permissions to view purchased Savings Plans. |
|
Allow or deny users permissions to add the Savings Plans they wish to renew to the cart. |
|
|
Allow or deny users permission to view generated Savings Plans recommendations. |
|
|
Allow or deny users permission to calculate a new set of recommendations based on the latest usage and Savings Plans inventory. |
|
|
Allow or deny users permission to add Savings Plans to the cart. |
|
|
Allow or deny users permission to view utilization of your existing Savings Plans. |
|
|
Allow or deny users permission to view the Savings Plans rate. |
|
|
Allow or deny users permission to view the eligible spends covered by Savings Plans. |
|
|
Allow or deny users permission to purchase Savings Plans. |
|
|
||
|
Allow or deny users permission to view the Reservations Overview page. |
|
|
Allow or deny users permission to view existing notification settings for expiring reserved instances (RI) alerts. |
|
|
Allow or deny users permission to update notification settings for expiring RI alerts. | |
|
Allow or deny users permission to view reservations recommendations. |
|
|
Allow or deny users permission to view utilization of your existing RI. |
|
|
Allow or deny users permission to save RI reports. |
|
|
Allow or deny users permission to view eligible spends covered by Reservations (RIs). |
|
|
Allow or deny users permission to save RI coverage reports. |
|
|
Allow or deny users permission to view Amazon Cost Management preferences. |
|
|
Allow or deny users permission to update Amazon Cost Management preferences. |