Question

I have created a group: billing and a user: billing. To this group I have assigned the following policy:

AWSAccountActivityAccess-Billing - Allow *
AWSAccountUsageReportAccess-Billing - Allow *

but when I then log in to the "Billing and Cost Management" menu from the main login drop-down at aws.amazon.com it will allow me to log in with the 'billing' user but then nothing is available to view: "Unauthorised etc.."

So am I led to believe that only the Root user can view usage and billing? This would be weird and not in keeping with the advice not to use the Root for anything. And to that end, is it possible to actually 'disable' the use of Root? Sounds crazy, as how would one do it.. kinda chicken and egg. Some infrastructure providers I have used will only allow access to certain top-level things (like deleting the account or changing Root password etc) through a Notary intermediate who takes copies of passports, photo ID etc. Does AWS go to this extent if asked? I wouldn't want to be only a mouse click away from infrastructure being deleted at whim if, for whatever reason, the Root did get compromised.


Solution

There are two policies that allow viewing of the billing and usage information, both available as templates:

Billing - "AWS Account Activity Access":

{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "aws-portal:ViewBilling"
      ],
      "Resource": "*"
    }
  ]
}

Usage - "AWS Account Usage Report Access":

{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "aws-portal:ViewUsage"
      ],
      "Resource": "*"
    }
  ]
}

These have to be turned on by the root user in order to take effect. To do this, log in with the root credentials, and go to "My Account" from the menu that appears when you click your name. Scroll past all the services you're signed up for, services you haven't signed up for, and the first paragraph under that should be "IAM user access to the AWS Website". There's a button to activate it, and two checkboxes - one for account activity, one for usage reports. Select those, and activate IAM and the policies should take effect.

OTHER TIPS

You can give an IAM user access to the billing information by following these steps:

  1. Attach the full admin policy to the user.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
         "Effect": "Allow",
         "Action": "*",
         "Resource": "*"
        }
      ]
    }
    
  2. Activate the pages in the "IAM user access to the AWS" section on the Manage Your Account Page from your root account.

This will allow an IAM user to access the billing information. You are correct in the assumption that you do not want to use the root account for too many actions. Amazon recommends locking down the root account and managing user access through IAM.
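As an added illustration (not code from either answer), the following Python compares the two approaches above with a simplified IAM evaluator: a least-privilege policy built from the accepted answer's two actions versus the full-admin policy from the second answer, gated by the root-only "IAM user access to billing information" switch the accepted answer describes. The evaluator ignores Resource and Condition elements, which is a deliberate simplification for the example.

```python
import fnmatch
from typing import Dict, Iterable, List

# Least-privilege policy: the two aws-portal actions from the accepted answer
# merged into one document (constructed for this example).
BILLING_READ_POLICY: Dict = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["aws-portal:ViewBilling", "aws-portal:ViewUsage"],
        "Resource": "*",
    }],
}

# The full-admin policy from the second answer.
FULL_ADMIN_POLICY: Dict = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}


def _as_list(value) -> List[str]:
    # IAM accepts a single string or a list for "Action".
    return [value] if isinstance(value, str) else list(value)


def is_allowed(policy: Dict, action: str) -> bool:
    """Simplified IAM logic: implicit deny, explicit Deny overrides any Allow.
    Action names are matched case-insensitively with '*' / '?' wildcards."""
    allowed = False
    for stmt in policy["Statement"]:
        patterns = [p.lower() for p in _as_list(stmt.get("Action", []))]
        if not any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def can_view_billing(policy: Dict, iam_billing_access_activated: bool) -> bool:
    """Console billing pages need BOTH the root-only activation switch and a
    policy that allows aws-portal:ViewBilling; a policy alone is not enough."""
    return iam_billing_access_activated and is_allowed(policy, "aws-portal:ViewBilling")


def permitted(policy: Dict, sample_actions: Iterable[str]) -> List[str]:
    """Blast radius check: which of the sample actions a policy would permit."""
    return [a for a in sample_actions if is_allowed(policy, a)]
```

Running `permitted` over a few sensitive actions makes the difference between the two answers concrete: the two-action policy permits only the billing views, while the admin policy permits everything, including account-wide destructive calls.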

Licensed under: CC-BY-SA with attribution