Migrating access control for AWS Cost Management
Note
The following AWS Identity and Access Management (IAM) actions have reached the end of standard support on July 2023:
-
aws-portalnamespace -
purchase-orders:ViewPurchaseOrders -
purchase-orders:ModifyPurchaseOrders
If you're using AWS Organizations, you can use the bulk policy migrator scripts to update polices from your payer account. You can also use the old to granular action mapping reference to verify the IAM actions that need to be added.
For more information, see the Changes to AWS Billing, AWS Cost Management, and Account Consoles Permission
If you have an AWS account, or are a part of an AWS Organizations created on or after March 6, 2023, 11:00 AM (PDT), the fine-grained actions are already in effect in your organization.
You can use fine-grained access controls to provide individuals in your organization access to AWS Billing and Cost Management services. For example, you can provide access to Cost Explorer without providing access to the AWS Billing console.
To use the fine-grained access controls, you'll need to migrate your policies from under
aws-portal to the new IAM actions.
The following IAM actions in your permission policies or service control policies (SCP) require updating with this migration:
-
aws-portal:ViewAccount -
aws-portal:ViewBilling -
aws-portal:ViewPaymentMethods -
aws-portal:ViewUsage -
aws-portal:ModifyAccount -
aws-portal:ModifyBilling -
aws-portal:ModifyPaymentMethods -
purchase-orders:ViewPurchaseOrders -
purchase-orders:ModifyPurchaseOrders
To learn how to use the Affected policies tool to identify your impacted IAM policies, see How to use the affected policies tool.
Note
Programmatic requests to AWS Cost Explorer, AWS Cost and Usage Reports, and AWS Budgets remains unaffected.
Activating access to the Billing and Cost Management console remain unchanged.
Managing access permissions
AWS Cost Management integrates with the AWS Identity and Access Management (IAM) service so that you can control who in
your organization has access to specific pages on the AWS Cost Management console
Use the following IAM permissions for granular control for the AWS Cost Management console.
Using fine-grained AWS Cost Management actions
This table summarizes the permissions that allow or deny IAM users and roles access to your cost and usage information. For examples of policies that use these permissions, see AWS Cost Management policy examples.
For a list of actions for the AWS Billing console, see AWS Billing actions policies in the AWS Billing user guide.
| Feature name in the AWS Cost Management console | IAM action | Description |
|---|---|---|
|
|
Allow or deny users permission to view the AWS Cost Management Home page. All IAM actions are required to view the page. |
|
|
|
Allow or deny users permission to view the AWS Cost Explorer page. |
|
|
|
Allow or deny users permission to save Cost Explorer reports. |
|
|
|
Allow or deny users permission to view a list of saved reports. |
|
|
|
Allow or deny users permission to delete a saved report. |
|
|
|
Allow or deny users permission to view the Budgets page. |
|
|
|
Allow or deny users permission to create, delete, and modify Budgets and Budgets actions. |
|
|
|
Allow or deny users permission to view, create, delete, and update on the Cost Anomaly Detection page. |
|
|
|
Allow or deny users permission to view the Savings Plans Overview page. |
|
| Savings Plans overview |
|
|
|
|
Allow or deny users permission to view the existing notification settings for expiring and queued Savings Plans alerts. |
|
|
|
Allow or deny users permission to update the existing notification settings for expiring and queued Savings Plans alerts. |
|
| Savings Plans inventory |
|
Allow or deny users permissions to view purchased Savings Plans. |
|
|
Allow or deny users permissions to add the Savings Plans they wish to renew to the cart. |
|
|
|
Allow or deny users permission to view generated Savings Plans recommendations. |
|
|
|
Allow or deny users permission to calculate a new set of recommendations based on the latest usage and Savings Plans inventory. |
|
|
|
Allow or deny users permission to add Savings Plans to the cart. |
|
|
|
Allow or deny users permission to view utilization of your existing Savings Plans. |
|
|
|
Allow or deny users permission to view the Savings Plans rate. |
|
|
|
Allow or deny users permission to view the eligible spends covered by Savings Plans. |
|
|
|
Allow or deny users permission to purchase Savings Plans. |
|
|
|
||
|
|
Allow or deny users permission to view the Reservations Overview page. |
|
|
|
Allow or deny users permission to view existing notification settings for expiring reserved instances (RI) alerts. |
|
|
|
Allow or deny users permission to update notification settings for expiring RI alerts. | |
|
|
Allow or deny users permission to view reservations recommendations. |
|
|
|
Allow or deny users permission to view utilization of your existing RI. |
|
|
|
Allow or deny users permission to save RI reports. |
|
|
|
Allow or deny users permission to view eligible spends covered by Reservations (RIs). |
|
|
|
Allow or deny users permission to save RI coverage reports. |
|
|
|
Allow or deny users permission to view AWS Cost Management preferences. |
|
|
|
Allow or deny users permission to update AWS Cost Management preferences. |
