View a markdown version of this page

Actions, resources, and condition keys for Amazon Cost and Usage Report - Service Authorization Reference
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Actions, resources, and condition keys for Amazon Cost and Usage Report

Amazon Cost and Usage Report (service prefix: cur) provides the following service-specific operations, resources, actions, and condition keys for use in IAM permission policies.

References:

API operations defined by Amazon Cost and Usage Report

The following table maps API operations to the IAM actions they authorize. Only condition keys that have static values for the given API and action are listed; for the full set of condition keys supported by each action, see the Actions table.

Operation IAM action Condition key Possible value(s) Access level

DeleteReportDefinition

cur:DeleteReportDefinition

Write

DescribeReportDefinitions

cur:DescribeReportDefinitions

Read

ListTagsForResource

cur:ListTagsForResource

Read

ModifyReportDefinition

cur:ModifyReportDefinition

Write

PutReportDefinition

cur:PutReportDefinition

Write

cur:TagResource

Tagging, Write

TagResource

cur:TagResource

Tagging, Write

UntagResource

cur:UntagResource

Tagging, Write

Actions defined by Amazon Cost and Usage Report

You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in Amazon. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

Actions Description Resource types (*required) Condition keys Access level

DeleteReportDefinition

Grants permission to delete Cost and Usage Report Definition

cur*

Write

DescribeReportDefinitions

Grants permission to get Cost and Usage Report Definitions

Read

ListTagsForResource

Grants permission to list tags for a resource

cur*

aws:ResourceTag/${TagKey}

Read

ModifyReportDefinition

Grants permission to modify Cost and Usage Report Definition

cur*

Write

PutReportDefinition

Grants permission to write Cost and Usage Report Definition

cur*

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

Write

TagResource

Grants permission to tag a resource

cur*

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

Tagging, Write

UntagResource

Grants permission to untag a resource

cur*

aws:ResourceTag/${TagKey}

aws:TagKeys

Tagging, Write

Permission-only actions for Amazon Cost and Usage Report

The following actions are defined by Amazon Cost and Usage Report but are not directly invocable through any API operation. They can only be used in IAM policy statements to grant or deny permissions.

Actions Description Resource types (*required) Condition keys Access level

GetClassicReport

Grants permission to get Bills CSV report

Read

GetClassicReportPreferences

Grants permission to get the classic report enablement status for Usage Reports

Read

GetUsageReport

Grants permission to get list of Amazon services, usage type and operation for the Usage Report workflow. Allows or denies download of usage reports too

Read

PutClassicReportPreferences

Grants permission to enable classic reports

Write

ValidateReportDestination

Grants permission to validates if the s3 bucket exists with appropriate permissions for CUR delivery

Read

Resource types defined by Amazon Cost and Usage Report

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements.

Resource types ARN Condition keys

cur

arn:${Partition}:cur:${Region}:${Account}:definition/${ReportName}

Condition keys for Amazon Cost and Usage Report

Amazon Cost and Usage Report defines the following condition keys that can be used in the Condition element of an IAM policy.

Condition keys Description Type

aws:RequestTag/${TagKey}

Filters access by the tags that are passed in the request

String

aws:ResourceTag/${TagKey}

Filters access by the tags associated with the resource

String

aws:TagKeys

Filters access by the tag keys that are passed in the request

ArrayOfString