How to Grant Access to AWS Billing Data

Granting IAM users access to AWS Billing data is a bit tricky. Here are some simple steps to solve it.

Access to the AWS Billing Portal is handled differently than all of the other permissions you grant Identity and Access Management (IAM) users.  But you can’t hold IT accountable for cost if they can’t see the billing data.  By following these steps you can grant read-only or full access to your AWS Billing data to IAM users.

Enable IAM User Access

For the first step, log in as the root user for your account.  In the upper right hand corner, click your user name and then “My Account.”

Scroll down to the “IAM User Access to Billing Information” section and click “Edit.”

Then enable access to billing for IAM Users.

Create IAM Billing Policies

Nearly every other AWS Service has predefined ReadOnly and FullAccess policies, but not billing.  Because IAM user access is not enabled by default, there are no predefined policies.  You have to create them yourself.

Start by switching to the IAM service.  In the left hand column, click “Policies.”  If this is your first time editing policies, you will see a “Get Started” button.  Click it.

Full Access

Then click the “Create Policy” button.

Select the “Policy Generator” button on the next page.

On the “Edit Permissions” page, select “AWS Billing” as the AWS Service.  Under Actions, select “All Actions”.  Then click “Add Statement” and “Next Step.”

Name your policy “BillingFullAccess,” then click “Create Policy.”  You now have a policy that grants full access to billing, ready to attach to the users who need it.

Read Only

Repeat the steps to create a “Read Only” policy.  Click “Create Policy” and “Policy Generator.”  Select “AWS Billing”, but then, rather than selecting “All Actions,” select only the “View Actions.”

Click “Add Statement,” then “Next Step” and name your policy “BillingReadOnly.”  Click “Create Policy.”
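The two policies above written out as JSON documents, with a check that the read-only one grants no modifying action. This is an added example, not part of the original post. It assumes the console's “AWS Billing” service corresponds to the `aws-portal` action namespace and that the “View Actions” are its `View*` actions; AWS has since moved billing permissions to finer-grained action names, so confirm the current action list before reusing it.

```python
import json
from fnmatch import fnmatchcase

# Assumed action names for the console's "AWS Billing" service (aws-portal
# namespace). Verify against the action list your account shows today.
VIEW_ACTIONS = {"aws-portal:ViewBilling", "aws-portal:ViewUsage",
                "aws-portal:ViewPaymentMethods", "aws-portal:ViewAccount"}
MODIFY_ACTIONS = {"aws-portal:ModifyBilling", "aws-portal:ModifyPaymentMethods",
                  "aws-portal:ModifyAccount"}

def billing_policy(actions):
    """Build an identity policy allowing the given billing action patterns."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": actions, "Resource": "*"}]}

def allowed_actions(policy):
    """Expand Allow-statement patterns (wildcards included) to known actions.
    Deny, NotAction and Condition are not evaluated by this simple check."""
    statements = policy["Statement"]
    if isinstance(statements, dict):      # IAM accepts a single statement object
        statements = [statements]
    granted = set()
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        patterns = stmt.get("Action", [])
        if isinstance(patterns, str):     # ...and a single action string
            patterns = [patterns]
        for pattern in patterns:
            # IAM matches action names case-insensitively.
            granted |= {a for a in VIEW_ACTIONS | MODIFY_ACTIONS
                        if fnmatchcase(a.lower(), pattern.lower())}
    return granted

def is_read_only(policy):
    """True only if the policy grants something and nothing that modifies."""
    granted = allowed_actions(policy)
    return bool(granted) and not (granted & MODIFY_ACTIONS)

BILLING_FULL_ACCESS = billing_policy(["aws-portal:*"])      # "All Actions"
BILLING_READ_ONLY = billing_policy(["aws-portal:View*"])    # "View Actions"

if __name__ == "__main__":
    for name, doc in [("BillingFullAccess", BILLING_FULL_ACCESS),
                      ("BillingReadOnly", BILLING_READ_ONLY)]:
        print(name, "read-only:", is_read_only(doc))
        print(json.dumps(doc, indent=2))
```

Running the check against any policy you intend to attach to the read-only group catches a wildcard that quietly includes the `Modify*` actions.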

Create Groups

Now that you have the policies created, you need groups to map users to policies.  Mapping policies to groups and then adding users to groups is considered a best practice.  Assigning policies directly to users can become difficult to manage over time.

To create groups, start by clicking “Groups” in the left hand column of the IAM Service console.  Then click the “Create Group” button.

On the next screen, name your group “BillingFullAccess” or another name that will clearly convey the purpose of the group.  Go to the next screen to attach policies to your group.  Type “billing” in the filter box to show only policies with “billing” in their name.  Check the box next to your “BillingFullAccess” policy, then click “Next Step.”

Complete the process of creating the group, then repeat the steps to create a “BillingReadOnly” group and attach the “BillingReadOnly” policy to that group.

Add Users to the Groups

The last step is to add users who need full access or read only access to billing to the appropriate group.  From the IAM Groups page, click the appropriate group name.  On the next page, click the “Add Users to Group” button and select the users to add to the group.

Congratulations!  You have now granted access to AWS billing data for your IAM users.

 
