Question

I am looking for a policy to let an accountant manage payment methods and observe usage activity only. Would it be possible to construct such a policy?

Thanks

Solution

AWS have made it possible to control access to payments and usage using IAM.

When logged in as the root account, go to Account Settings in the Billing and Cost Management area, scroll down to "IAM User Access to Billing Information", click "Edit", and enable the option.

With that done, the following policy will permit access to the payment and usage activity view:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1423852703000",
      "Effect": "Allow",
      "Action": [
        "aws-portal:ModifyBilling",
        "aws-portal:ModifyPaymentMethods",
        "aws-portal:ViewBilling",
        "aws-portal:ViewPaymentMethods",
        "aws-portal:ViewUsage"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}

A reference to the available permissions can be found here

OTHER TIPS

Would it be possible to construct such a policy?

Unfortunately, the management of payment methods isn't covered by AWS Identity and Access Management (IAM) yet and still requires the account credentials instead (my answer to the similar question How can I create an IAM policy to restrict permissions to billing/payment management? outlines a possible workaround), but you can craft an IAM policy for observing usage activity at least - the requirements and process for implementing this use case are documented in Controlling User Access to Your AWS Account Billing Information:

The AWS website integrates with AWS Identity and Access Management (IAM) so you can grant users access to billing information. You can control access to the Account Activity page and the Usage Reports page. The Account Activity page displays invoices and detailed information about charges and account activity, itemized by service and by usage type. The Usage Reports page provides detailed usage reports for each service you are subscribed to.

Please refer to the article for details, but the IAM policy itself boils down to:

{
  "Statement": [
    {
      "Action": [
        "aws-portal:ViewBilling",
        "aws-portal:ViewUsage"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
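
A least-privilege check for the two policies above, as an added example that is not part of either answer: it expands each policy's Allow statements and compares them with what the accountant is meant to have. The `INTENDED` set is an assumption drawn from the question, `KNOWN` holds only the `aws-portal` actions named on this page, and `WILDCARD_POLICY` is a constructed sample.

```python
import json
import re

# Assumption: the access the accountant in the question is meant to have.
INTENDED = {"aws-portal:ModifyPaymentMethods",
            "aws-portal:ViewPaymentMethods",
            "aws-portal:ViewUsage"}
# Only the aws-portal actions named on this page, not a complete AWS list.
KNOWN = INTENDED | {"aws-portal:ModifyBilling", "aws-portal:ViewBilling"}
# Policies from the two answers above, compacted.
SOLUTION_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Resource": ["*"],
    "Action": ["aws-portal:ModifyBilling", "aws-portal:ModifyPaymentMethods",
               "aws-portal:ViewBilling", "aws-portal:ViewPaymentMethods",
               "aws-portal:ViewUsage"]}]})
VIEW_ONLY_POLICY = json.dumps({"Statement": [{
    "Effect": "Allow", "Resource": "*",
    "Action": ["aws-portal:ViewBilling", "aws-portal:ViewUsage"]}]})
# Constructed sample: a single statement object with one wildcard action.
WILDCARD_POLICY = json.dumps({"Statement": {
    "Effect": "Allow", "Action": "AWS-Portal:*", "Resource": "*"}})

def _as_list(value):
    """IAM accepts a single item or a list for Statement and Action."""
    return value if isinstance(value, list) else [] if value is None else [value]

def _matches(pattern, action):
    """IAM action patterns are case-insensitive; * and ? are wildcards."""
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, action, re.IGNORECASE) is not None

def granted_actions(policy_json):
    """Known actions the Allow statements grant. Deny and Condition are
    ignored, so the result is an upper bound on effective access."""
    granted = set()
    for stmt in _as_list(json.loads(policy_json).get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        key = "NotAction" if "NotAction" in stmt else "Action"
        hits = {a for a in KNOWN
                if any(_matches(p, a) for p in _as_list(stmt.get(key)))}
        # Allow + NotAction grants every action except the listed ones.
        granted |= (KNOWN - hits) if key == "NotAction" else hits
    return granted

def audit(policy_json):
    """Compare what the policy grants with what the accountant needs."""
    granted = granted_actions(policy_json)
    return {"excess": sorted(granted - INTENDED),
            "missing": sorted(INTENDED - granted)}
```
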
Licensed under: CC-BY-SA with attribution