AWS Security Blog

Enhanced IAM Capabilities for the AWS Billing Console

In this post, Graham Evans, a developer on the AWS Billing team, describes new security features that expand how you can secure access to billing information in your AWS account.


My team (AWS Billing) recently released the new and improved Billing and Cost Management Console. We're now happy to introduce finer-grained access control for users of that console, covering both IAM users and federated users. Building on the existing IAM capability that lets you grant users read-only access to billing information, we've released new actions that grant read/write access to specific areas of the console.

You can now manage the access your users have to the following pages in the Billing console:

  • Dashboard
  • Bills
  • Cost Explorer
  • Advance Payment
  • Payment Methods
  • Payment History
  • Consolidated Billing
  • Account Settings
  • Reports
  • Preferences
  • Credits

New Billing Actions

We’ve added five new actions: ModifyBilling, ViewAccount, ModifyAccount, ViewPaymentMethods, and ModifyPaymentMethods. By combining the existing ViewBilling permission with these new actions, you can grant specific access for users to all areas of the Billing and Cost Management console, like this:

  • ViewBilling and ModifyBilling. These actions control access to these areas of the console: Dashboard, Advance Payment, Bills, Cost Explorer, Payment History, Consolidated Billing, Preferences, Reports and Credits.
  • ViewAccount and ModifyAccount. These actions are used to control access to the Account Settings area of the console. Note that IAM users do not have the option to close an AWS account—closing the account still requires account (root) credentials.
  • ViewPaymentMethods and ModifyPaymentMethods. These actions are used to control access to the Payment Methods area of the console.

Example 1: Access to just billing reports

Let's take Jane from Accounting. Jane's responsibilities lie in understanding how much her company is spending on AWS resources. Jane also manages credits on the account and makes use of the Detailed Billing Report area of the console to ensure her company understands the finer details of their bill (ViewBilling and ModifyBilling). Jane needs only to understand the costs associated with the account. She doesn't require access to managing payment methods or account settings, because those areas are handled by other departments. Given her responsibilities, you can attach the following policy to Jane's IAM user. Note that the policy explicitly denies Jane access to the areas of the console that are not relevant to her job, so a broader Allow attached later cannot quietly widen her access.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "aws-portal:ViewBilling",
        "aws-portal:ModifyBilling"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "Action": [
        "aws-portal:ViewPaymentMethods",
        "aws-portal:ModifyPaymentMethods",
        "aws-portal:ViewAccount",
        "aws-portal:ModifyAccount"
      ],
      "Resource": "*"
    }
  ]
}

Example 2: Access for a retry charge

Consider another case where user Paul needs the ability to perform a retry charge on an outstanding charge. This task requires three of the new actions.

The flow of a retry charge is that Paul visits the Payment History page and views the company’s past charges (ViewBilling). If a charge is outstanding, Paul sees a link that says Pay Now. After he clicks the link, he’s presented with the Payment Methods page (ViewPaymentMethods) and asked to choose a credit card and submit the retry charge. Thus, Paul needs access to these two pages and needs permission to submit the retry charge (ModifyPaymentMethods). As with the previous example, we want to explicitly deny him access to the parts of the console that are not relevant to his job.

The policy that would cover this scenario is as follows:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "aws-portal:ViewBilling",
        "aws-portal:ViewPaymentMethods",
        "aws-portal:ModifyPaymentMethods"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "Action": [
        "aws-portal:ModifyBilling",
        "aws-portal:ViewAccount",
        "aws-portal:ModifyAccount"
      ],
      "Resource": "*"
    }
  ]
}
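Both examples rely on the same IAM evaluation rule: an explicit Deny in any attached policy wins over any Allow. The following script is an added example (not AWS code) that applies that rule to Jane's policy from Example 1 and to a constructed, over-broad "aws-portal:*" policy, to show that the explicit Deny keeps holding even when both are attached to the same user. Conditions, principals, NotAction and resource ARNs are deliberately out of scope.

```python
import fnmatch
import json

# Jane's policy from Example 1, as embedded JSON.
JANE_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": ["aws-portal:ViewBilling", "aws-portal:ModifyBilling"],
   "Resource": "*"},
  {"Effect": "Deny", "Action": ["aws-portal:ViewPaymentMethods", "aws-portal:ModifyPaymentMethods",
                               "aws-portal:ViewAccount", "aws-portal:ModifyAccount"],
   "Resource": "*"}
]}""")

# Constructed over-broad policy that another administrator might attach to the same user.
BROAD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "aws-portal:*", "Resource": "*"}]}

PORTAL_ACTIONS = ["aws-portal:" + n for n in (
    "ViewBilling", "ModifyBilling", "ViewAccount",
    "ModifyAccount", "ViewPaymentMethods", "ModifyPaymentMethods")]

def _as_list(value):
    # "Action" may be a single string or a list of strings.
    return value if isinstance(value, list) else [value]

def _matches(statement, action):
    # IAM action names are case-insensitive and patterns may use "*" and "?" wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), pattern.lower())
               for pattern in _as_list(statement.get("Action", [])))

def evaluate(policies, action):
    """Simplified IAM decision for one action across all attached identity policies:
    explicit Deny wins, otherwise any Allow, otherwise implicit deny."""
    decision = "ImplicitDeny"
    for policy in policies:
        for statement in policy["Statement"]:
            if not _matches(statement, action):
                continue
            if statement["Effect"] == "Deny":
                return "Deny"  # an explicit Deny ends evaluation regardless of other Allows
            decision = "Allow"
    return decision

def allowed_actions(policies, actions):
    """Sorted list of the given actions that evaluate to Allow."""
    return sorted(a for a in actions if evaluate(policies, a) == "Allow")

if __name__ == "__main__":
    print(allowed_actions([JANE_POLICY], PORTAL_ACTIONS))
    # Same result with the broad policy attached: the explicit Deny still governs.
    print(allowed_actions([JANE_POLICY, BROAD_POLICY], PORTAL_ACTIONS))
```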

Our goals for this release have been twofold: eliminate the requirement for root accounts to perform day-to-day tasks in the Billing console, and provide a simple policy structure to achieve it. We think we’ve done both—try out these new actions by creating policies that are tailored to the responsibilities of users in your account who access the Billing console and let us know what you think.

If you have any additional questions, please check our documentation. You can also leave feedback in the console, and it will be routed to our team.

-Graham