Step 4: Test access to the billing console

After you've completed the core tasks, you're ready to test the policy. Testing ensures that the policy works the way you want it to.

Prerequisites

Create a test AWS account to use with this tutorial. In this account create two test users and two test user groups as summarized in the following table. Be sure to assign a password to each user so that you can sign in later in Step 4.

Create user accounts    Create and configure user group accounts
User name               User group name            Group members
FinanceManager          BillingFullAccessGroup     FinanceManager
FinanceUser             BillingViewAccessGroup     FinanceUser

Step 1: Activate access to billing data on your AWS test account

First, activate billing access for your test users in the AWS Billing and Cost Management console.

Note

If you create a member account using AWS Organizations, this feature is enabled by default.

To activate IAM user and role access to the Billing and Cost Management console

1. Sign in to the AWS Management Console with your root account credentials (specifically, the email address and password that you used to create your AWS account).

2. On the navigation bar, choose your account name, and then choose My Account.

3. Next to IAM User and Role Access to Billing Information, choose Edit.

4. Select the Activate IAM Access check box to activate access to the Billing and Cost Management console pages.

5. Choose Update.

You can now use IAM policies to control which pages a user can access.

After you have activated IAM user access, you can attach IAM policies to grant or deny access to specific billing features. For more information about using policies to grant IAM users access to AWS Billing and Cost Management features, see Using identity-based policies (IAM policies) for Billing and Cost Management in the AWS Billing and Cost Management User Guide.

Step 2: Create IAM policies that grant permissions to billing data

Next, create custom policies that grant both view and full access permissions to the pages within the Billing and Cost Management console. For general information about IAM permissions policies, see Managed Policies and Inline Policies (p. 392).

To create IAM policies that grant permissions to billing data

1. Sign in to the AWS Management Console as a user with administrator credentials. To adhere to IAM best practices, don't sign in with your root user credentials. For more information, see Creating your first IAM admin user and user group (p. 19).

2. Open the IAM console at https://console.aws.amazon.com/iam/.

3. In the navigation pane, choose Policies, and then choose Create policy.

4. On the Visual editor tab, choose Choose a service to get started. Then choose Billing.

5. Follow these steps to create two policies:

Full access

a. Choose Select actions and then select the check box next to All Billing actions (aws-portal:*).

You do not need to select a resource or condition for this policy.

b. Choose Review policy.

c. On the Review page, next to Name, type BillingFullAccess, and then choose Create policy to save it.

Read-only access

a. Repeat steps 3 and 4 (p. 31).

b. Choose Select actions and then select the check box next to Read. You do not need to select a resource or condition for this policy.

c. Choose Review policy.

d. On the Review page, for Name, type BillingViewAccess. Then choose Create policy to save it.

To review descriptions for each of the permissions available in IAM policies that grant users access to the Billing and Cost Management console, see Billing Permissions Descriptions.

Step 3: Attach billing policies to your user groups

Now that you have custom billing policies available, you can attach them to their corresponding user groups that you created earlier. Although you can attach a policy directly to a user or role, we recommend (in accordance with IAM best practices) that you use user groups instead.

To attach billing policies to your user groups

1. In the navigation pane, choose Policies to display the full list of policies available to your AWS account. To attach each policy to its appropriate user group, follow these steps:

Full access

a. In the policy search box, type BillingFullAccess, and then select the check box next to the policy name.

b. Choose Actions, and then choose Attach.

c. In the identity (user, user group, and role) search box, type BillingFullAccessGroup, select the check box next to the name of the user group, and then choose Attach policy.

Read-only access

a. In the policy search box, type BillingViewAccess, and then select the check box next to the policy name.

b. Choose Actions, and then choose Attach.

c. In the identity (user, user group, and role) search box, type BillingViewAccessGroup, select the check box next to the name of the user group, and then choose Attach policy.

Step 4: Test access to the billing console

We recommend that you test access by signing in as each of the test users to learn what your users might experience. Use the following steps to sign in using both test accounts to see the difference between access rights.

To test billing access by signing in with both test user accounts

1. Use your AWS account ID or account alias, your IAM user name, and your password to sign in to the IAM console.

Note

For your convenience, the AWS sign-in page uses a browser cookie to remember your IAM user name and account information. If you previously signed in as a different user, choose Sign in to a different account near the bottom of the page to return to the main sign-in page. From there, you can type your AWS account ID or account alias to be redirected to the IAM user sign-in page for your account.

2. Sign in with each account using the steps provided below so you can compare the different user experiences.

Full access

a. Sign in to your AWS account as the user FinanceManager.

b. On the navigation bar, choose FinanceManager@<account alias or ID number>, and then choose My Billing Dashboard.

c. Browse through the pages and choose the various buttons to ensure that you have full modify permissions.

Read-only access

a. Sign in to your AWS account as the user FinanceUser.

b. On the navigation bar, choose FinanceUser@<account alias or ID number>, and then choose My Billing Dashboard.

c. Browse through the pages. Notice that you can display costs, reports, and billing data with no problems. However, if you choose an option to modify a value, you receive an Access Denied message. For example, on the Preferences page, choose any of the check boxes on the page, and then choose Save preferences. The console message informs you that you need ModifyBilling permissions to make changes to that page.

Related resources

For related information found in the AWS Billing and Cost Management User Guide, see the following resources:

• Activating Access to the Billing and Cost Management Console

• Allow full access to AWS services but deny IAM users access to the Billing and Cost Management console.

• Billing Permissions Descriptions

For related information in the IAM User Guide, see the following resources:

• Managed policies and inline policies (p. 392)

• Controlling user access to the AWS Management Console (p. 80)

• Attaching a policy to an IAM user group (p. 164)

Summary

You've now successfully completed all of the steps necessary to delegate user access to the Billing and Cost Management console. As a result, you've seen firsthand what your users' billing console experience will be like. You can now proceed to implement this logic in your production environment at your convenience.

IAM tutorial: Delegate access across AWS accounts using IAM roles

This tutorial teaches you how to use a role to delegate access to resources in different AWS accounts that you own, called Production and Development. You share resources in one account with users in a different account. By setting up cross-account access in this way, you don't have to create individual IAM users in each account. In addition, users don't have to sign out of one account and sign in to another in order to access resources in different AWS accounts. After configuring the role, you see how to use the role from the AWS Management Console, the AWS CLI, and the API.

Note

IAM roles and resource-based policies delegate access across accounts only within a single partition. For example, assume that you have an account in US West (N. California) in the standard aws partition. You also have an account in China (Beijing) in the aws-cn partition. You can't use an Amazon S3 resource-based policy in your account in China (Beijing) to allow access for users in your standard aws account.

In this tutorial, the Production account manages live applications. Developers and testers use the Development account as a sandbox to freely test applications. In each account, you store application information in Amazon S3 buckets. You manage IAM users in the Development account, where you have two IAM user groups: Developers and Testers. Users in both user groups have permissions to work in the Development account and access resources there. From time to time, a developer must update the live applications in the Production account. The developers store these applications in an Amazon S3 bucket called productionapp.

At the end of this tutorial, you have the following:

• Users in the Development account (the trusted account) allowed to assume a specific role in the Production account.

• A role in the Production account (the trusting account) allowed to access a specific Amazon S3 bucket.

• The productionapp bucket in the Production account.

Developers can use the role in the AWS Management Console to access the productionapp bucket in the Production account. They can also access the bucket by using API calls authenticated by temporary credentials provided by the role. Similar attempts by a Tester to use the role fail.
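The two outcomes described on this page (FinanceUser receiving Access Denied on ModifyBilling in Step 4 of the billing tutorial, and a Tester failing where a Developer succeeds in this cross-account tutorial) can be reproduced offline with a small identity-policy evaluator. This is an added example, not code from the IAM User Guide; it assumes the BillingViewAccess policy produced by choosing the Read access level in Step 2 contains the four aws-portal:View* actions, and the role ARN and the Testers policy are constructed placeholders. The evaluator models only identity-based policies; the Production role's trust policy, which must also trust the Development account, is not modelled.

```python
import fnmatch

# Policy documents as the Step 2 visual editor produces them (assumed action list for "Read").
BILLING_FULL_ACCESS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "aws-portal:*", "Resource": "*"}]}
BILLING_VIEW_ACCESS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*", "Action": [
        "aws-portal:ViewAccount", "aws-portal:ViewBilling",
        "aws-portal:ViewPaymentMethods", "aws-portal:ViewUsage"]}]}

# Cross-account tutorial: constructed placeholder ARN for the role in the Production account.
PRODUCTION_ROLE_ARN = "arn:aws:iam::111111111111:role/ProductionAppAccess"
DEVELOPERS_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": PRODUCTION_ROLE_ARN}]}
TESTERS_POLICY = {"Version": "2012-10-17", "Statement": [  # constructed: Development-only rights
    {"Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::developmentapp*"}]}

def _match(pattern, value):
    """IAM-style wildcard match: '*' any run, '?' one char; action names are case-insensitive."""
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())

def _as_list(v):
    return v if isinstance(v, list) else [v]

def is_allowed(policies, action, resource="*"):
    """Simplified identity-policy evaluation: explicit Deny wins, then any Allow, else implicit deny."""
    allowed = False
    for doc in policies:
        for stmt in doc["Statement"]:
            if not any(_match(a, action) for a in _as_list(stmt["Action"])):
                continue
            if not any(_match(r, resource) for r in _as_list(stmt.get("Resource", "*"))):
                continue
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

def billing_test():
    """Mirror Step 4: both users can view; only FinanceManager can modify billing."""
    return {
        "FinanceManager:ViewBilling": is_allowed([BILLING_FULL_ACCESS], "aws-portal:ViewBilling"),
        "FinanceManager:ModifyBilling": is_allowed([BILLING_FULL_ACCESS], "aws-portal:ModifyBilling"),
        "FinanceUser:ViewBilling": is_allowed([BILLING_VIEW_ACCESS], "aws-portal:ViewBilling"),
        "FinanceUser:ModifyBilling": is_allowed([BILLING_VIEW_ACCESS], "aws-portal:ModifyBilling")}

def assume_role_test():
    """Cross-account tutorial: only the Developers group may assume the Production role."""
    return {"Developers": is_allowed([DEVELOPERS_POLICY], "sts:AssumeRole", PRODUCTION_ROLE_ARN),
            "Testers": is_allowed([TESTERS_POLICY], "sts:AssumeRole", PRODUCTION_ROLE_ARN)}

if __name__ == "__main__":
    print(billing_test()); print(assume_role_test())
```

For a live check against a real account, the equivalent is the IAM policy simulator (`aws iam simulate-principal-policy`), which also accounts for resource-based and organization policies that this local evaluator ignores.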

This workflow has three basic steps:

Prerequisites
