Migrating access control for Amazon Cost Management - Amazon Cost Management
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Migrating access control for Amazon Cost Management

Note

The following Amazon Identity and Access Management (IAM) actions have reached the end of standard support:

  • aws-portal namespace

  • purchase-orders:ViewPurchaseOrders

  • purchase-orders:ModifyPurchaseOrders

If you haven't migrated the old IAM actions to the new fine-grained actions, you have until March 2024 to do so.

If you're using Amazon Organizations, you can use the bulk policy migrator scripts to update policies from your payer account. You can also use the old to granular action mapping reference to verify the IAM actions that need to be added.

For more information, see the Changes to Amazon Billing, Amazon Cost Management, and Account Consoles Permission blog.

If you have an Amazon Web Services account, or are part of an organization in Amazon Organizations, created on or after November 16, 2023, 11:00 AM (PDT), the fine-grained actions are already in effect in your organization.

You can use fine-grained access controls to provide individuals in your organization access to Amazon Billing and Cost Management services. For example, you can provide access to Cost Explorer without providing access to the Amazon Billing console.

To use the fine-grained access controls, you'll need to migrate your policies from under aws-portal to the new IAM actions.

The following IAM actions in your permission policies or service control policies (SCP) require updating with this migration:

  • aws-portal:ViewAccount

  • aws-portal:ViewBilling

  • aws-portal:ViewPaymentMethods

  • aws-portal:ModifyAccount

  • aws-portal:ModifyBilling

  • aws-portal:ModifyPaymentMethods

  • purchase-orders:ViewPurchaseOrders

  • purchase-orders:ModifyPurchaseOrders

To learn how to use the Affected policies tool to identify your impacted IAM policies, see How to use the affected policies tool.

Note

Programmatic requests to Amazon Cost Explorer, Amazon Cost and Usage Reports, and Amazon Budgets remain unaffected.

Activating access to the Billing and Cost Management console remains unchanged.

Managing access permissions

Amazon Cost Management integrates with the Amazon Identity and Access Management (IAM) service so that you can control who in your organization has access to specific pages on the Amazon Cost Management console. You can control access to Amazon Cost Management features, for example, Amazon Cost Explorer, Savings Plans and reservation recommendations, and Savings Plans and reservations utilization and coverage reports.

Use the following IAM permissions for granular control of access to the Amazon Cost Management console.

Using fine-grained Amazon Cost Management actions

This table summarizes the permissions that allow or deny IAM users and roles access to your cost and usage information. For examples of policies that use these permissions, see Amazon Cost Management policy examples.

For a list of actions for the Amazon Billing console, see Amazon Billing actions policies in the Amazon Billing user guide.

| Feature name in the Amazon Cost Management console | IAM action | Description |
| --- | --- | --- |
| Amazon Cost Management Home | ce:GetCostAndUsage, ce:GetDimensionValues, ce:GetCostForecast, ce:GetReservationUtilization, ce:GetReservationPurchaseRecommendation, ce:DescribeReport, ce:GetDimensionValues, ce:GetReservationUtilization | Allow or deny users permission to view the Amazon Cost Management Home page. All IAM actions are required to view the page. |
| Amazon Cost Explorer | ce:GetCostCategories, ce:GetDimensionValues, ce:GetCostAndUsageWithResources, ce:GetCostAndUsage, ce:GetCostForecast, ce:GetTags, ce:GetUsageForecast, ce:DescribeReport | Allow or deny users permission to view the Amazon Cost Explorer page. |
| | ce:CreateReport | Allow or deny users permission to save Cost Explorer reports. |
| Reports | ce:DescribeReport | Allow or deny users permission to view a list of saved reports. |
| | ce:DeleteReport | Allow or deny users permission to delete a saved report. |
| Amazon Budgets | budgets:ViewBudget, budgets:DescribeBudgetActionsForBudget, budgets:DescribeBudgetAction, budgets:DescribeBudgetActionsForAccount, budgets:DescribeBudgetActionHistories | Allow or deny users permission to view the Budgets page. |
| | budgets:CreateBudgetAction, budgets:ExecuteBudgetAction, budgets:DeleteBudgetAction, budgets:UpdateBudgetAction, budgets:ModifyBudget | Allow or deny users permission to create, delete, and modify Budgets and Budgets actions. |
| Amazon Cost Anomaly Detection | ce:GetDimensionValues, ce:GetCostAndUsage, ce:CreateAnomalyMonitor, ce:GetAnomalyMonitors, ce:UpdateAnomalyMonitor, ce:DeleteAnomalyMonitor, ce:CreateAnomalySubscription, ce:GetAnomalySubscriptions, ce:UpdateAnomalySubscription, ce:DeleteAnomalySubscription, ce:GetAnomalies, ce:ProvideAnomalyFeedback | Allow or deny users permission to view, create, delete, and update on the Cost Anomaly Detection page. |
| Rightsizing recommendations | ce:GetDimensionValues, ce:GetTags, ce:GetRightsizingRecommendation | Allow or deny users permission to view the Savings Plans Overview page. |
| Savings Plans overview | ce:GetSavingsPlansUtilizationDetails, ce:GetSavingsPlansPurchaseRecommendation, ce:DescribeNotificationSubscription | Allow or deny users permission to view the existing notification settings for expiring and queued Savings Plans alerts. |
| | ce:CreateNotificationSubscription, ce:UpdateNotificationSubscription, ce:DeleteNotificationSubscription | Allow or deny users permission to update the existing notification settings for expiring and queued Savings Plans alerts. |
| Savings Plans inventory | savingsplans:DescribeSavingsPlans, ce:GetSavingsPlansUtilizationDetails | Allow or deny users permissions to view purchased Savings Plans. |
| | savingsplans:DescribeSavingsPlansOfferings | Allow or deny users permissions to add the Savings Plans they wish to renew to the cart. |
| Savings Plans recommendations | ce:GetSavingsPlansPurchaseRecommendation, ce:ListSavingsPlansPurchaseRecommendationGeneration | Allow or deny users permission to view generated Savings Plans recommendations. |
| | ce:StartSavingsPlansPurchaseRecommendationGeneration | Allow or deny users permission to calculate a new set of recommendations based on the latest usage and Savings Plans inventory. |
| Purchase Savings Plans | savingsplans:DescribeSavingsPlansOfferings | Allow or deny users permission to add Savings Plans to the cart. |
| Savings Plans utilization report | ce:DescribeReport, ce:GetSavingsPlansUtilization, ce:GetSavingsPlansUtilizationDetails, ce:GetDimensionValues | Allow or deny users permission to view utilization of your existing Savings Plans. |
| | savingsplans:DescribeSavingsPlanRates | Allow or deny users permission to view the Savings Plans rate. |
| Savings Plans coverage report | ce:GetDimensionValues, ce:GetSavingsPlansCoverage, ce:GetCostCategories, ce:DescribeReport, ce:GetSavingsPlansPurchaseRecommendation | Allow or deny users permission to view the eligible spends covered by Savings Plans. |
| Savings Plans cart | savingsplans:DescribeSavingsPlansOfferings, savingsplans:DescribeSavingsPlans | Allow or deny users permission to purchase Savings Plans. |
| | savingsplans:CreateSavingsPlan | |
| Reservations overview | ce:GetReservationUtilization, ce:GetReservationCoverage, ce:GetReservationPurchaseRecommendation, ce:DescribeReport | Allow or deny users permission to view the Reservations Overview page. |
| | ce:DescribeNotificationSubscription | Allow or deny users permission to view existing notification settings for expiring reserved instances (RI) alerts. |
| | ce:CreateNotificationSubscription, ce:UpdateNotificationSubscription, ce:DeleteNotificationSubscription | Allow or deny users permission to update notification settings for expiring RI alerts. |
| Reservations recommendations | ce:GetReservationPurchaseRecommendation, ce:GetDimensionValues | Allow or deny users permission to view reservations recommendations. |
| Reservations utilization reports | ce:GetDimensionValues, ce:GetReservationUtilization, ce:DescribeReport | Allow or deny users permission to view utilization of your existing RI. |
| | ce:CreateReport | Allow or deny users permission to save RI reports. |
| Reservations coverage report | ce:GetReservationCoverage, ce:GetReservationPurchaseRecommendation, ce:DescribeReport, ce:GetDimensionValues, ce:GetCostCategories | Allow or deny users permission to view eligible spends covered by Reservations (RIs). |
| | ce:CreateReport | Allow or deny users permission to save RI coverage reports. |
| Preferences | ce:GetPreferences | Allow or deny users permission to view Amazon Cost Management preferences. |
| | ce:UpdatePreferences | Allow or deny users permission to update Amazon Cost Management preferences. |
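The table states that every listed action is required to view the Amazon Cost Management Home page. The following added example (not Amazon code) checks a migrated policy for that full set and reports which actions are still missing or are blocked by an explicit Deny. The sample policy is constructed, and ignoring `Resource`, `Condition` and any other attached policies is a simplifying assumption.

```python
import json
import re

# Actions the table lists for "Amazon Cost Management Home"; the page
# states that all of them are required to view it.
HOME_PAGE_ACTIONS = {
    "ce:GetCostAndUsage", "ce:GetDimensionValues", "ce:GetCostForecast",
    "ce:GetReservationUtilization", "ce:GetReservationPurchaseRecommendation",
    "ce:DescribeReport",
}

def _listify(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _covers(stmt, action):
    """True if the statement's Action or NotAction element applies to action."""
    def hit(patterns):
        return any(
            re.fullmatch(re.escape(p).replace(r"\*", ".*").replace(r"\?", "."),
                         action, re.IGNORECASE)
            for p in patterns)
    if "NotAction" in stmt:
        return not hit(_listify(stmt["NotAction"]))
    return hit(_listify(stmt.get("Action")))

def missing_actions(policy_json, required=HOME_PAGE_ACTIONS):
    """Required actions that no Allow covers, or that a Deny covers.

    Assumption: Resource and Condition are ignored and only this one
    policy is evaluated, so a conditional Deny counts as a Deny.
    """
    statements = _listify(json.loads(policy_json).get("Statement"))
    missing = set()
    for action in required:
        allowed = any(s.get("Effect") == "Allow" and _covers(s, action) for s in statements)
        denied = any(s.get("Effect") == "Deny" and _covers(s, action) for s in statements)
        if denied or not allowed:
            missing.add(action)
    return sorted(missing)

# Constructed sample: "ce:Get*" misses ce:DescribeReport, and the Deny
# removes ce:GetCostForecast again.
MIGRATED_POLICY = """{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": "ce:Get*", "Resource": "*"},
  {"Effect": "Deny", "Action": "ce:GetCostForecast", "Resource": "*"}
]}"""

if __name__ == "__main__":
    print(missing_actions(MIGRATED_POLICY))
```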