Access to the AWS Billing Portal is handled differently from all of the other permissions you grant Identity and Access Management (IAM) users. But you can’t hold IT accountable for cost if they can’t see the billing data. By following these steps you can grant read-only or full access to your AWS Billing data to IAM users.
Enable IAM User Access
For the first step, log in as the root user for your account. In the upper right hand corner, click your user name and then “My Account,” as shown below.
Scroll down to “IAM User Access to Billing Information” and click “Edit.”
Then enable access to billing for IAM Users.
Create IAM Billing Policies
Nearly every other AWS service has predefined ReadOnly and FullAccess policies, but billing does not. Because IAM user access to billing is not enabled by default, there are no predefined policies for it. You have to create them yourself.
Start by switching to the IAM service. In the left hand column, click “Policies.” If this is your first time editing policies, you will see a “Get Started” button. Click it.
Then click the “Create Policy” button.
Select the “Policy Generator” button on the next page.
On the “Edit Permissions” page, select “AWS Billing” as the AWS Service. Under Actions, select “All Actions.” Then click “Add Statement” and “Next Step.”
Name your policy “BillingFullAccess,” then click “Create Policy.” You now have a policy that grants full billing access, which you can attach to the users who need it.
Repeat the steps to create a read-only policy. Click “Create Policy” and “Policy Generator.” Select “AWS Billing,” but this time, rather than selecting “All Actions,” select only the “View” actions. Click “Add Statement,” then “Next Step,” and name your policy “BillingReadOnly.” Click “Create Policy.”
Now that you have the policies created, you need groups to map users to policies. Mapping policies to groups and then adding users to groups is considered a best practice. Assigning policies directly to users can become difficult to manage over time.
To create groups, start by clicking “Groups” in the left hand column of the IAM service console. Then click the “Create Group” button.
On the next screen, name your group “BillingFullAccess” or another name that clearly conveys the purpose of the group. Go to the next screen to attach policies to your group. Type “billing” in the filter box to show only policies with “billing” in their name. Check the box next to your “BillingFullAccess” policy, then click “Next Step.”
Complete the process of creating the group, then repeat the steps to create a “BillingReadOnly” group and attach the “BillingReadOnly” policy to that group.
Add Users to the Groups
The last step is to add the users who need full or read-only access to billing to the appropriate group. From the IAM Groups page, click the group name. On the next page, click the “Add Users to Group” button and select the users to add to the group.
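As an added example (not code from the original post), the following models locally what the policy and group steps above produce: the two policy documents the Policy Generator writes for “AWS Billing,” the policy-to-group-to-user mapping, and a small evaluator so you can check what each user ends up allowed to do before applying it. It also emits the equivalent AWS CLI calls for scripting the same setup. The aws-portal action names are what the Policy Generator offered for the AWS Billing service at the time; treating the four View* actions as the complete read-only set, the user names alice and bob, and the <ACCOUNT_ID> placeholder are assumptions. AWS has since added managed billing policies such as AWSBillingReadOnlyAccess and finer-grained billing actions, so check the service’s current action list before relying on aws-portal:* alone.

```python
import fnmatch
import json

# Added example, not the post's own code. Policy documents equivalent to the
# console's Policy Generator output for "AWS Billing": all actions, and the
# View-only actions. The four View* names being the full read-only set is an
# assumption; check the current action list for the service.
BILLING_FULL_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["aws-portal:*"], "Resource": "*"}],
}

BILLING_READ_ONLY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": [
            "aws-portal:ViewAccount",
            "aws-portal:ViewBilling",
            "aws-portal:ViewPaymentMethods",
            "aws-portal:ViewUsage",
        ],
        "Resource": "*",
    }],
}


def evaluate(statements, action):
    """Simplified IAM decision for one action: an explicit Deny wins, otherwise
    any matching Allow grants, and nothing matching is an implicit deny.
    Action matching is case-insensitive and honours '*' wildcards as IAM does."""
    allowed = False
    for stmt in statements:
        patterns = stmt["Action"]
        if isinstance(patterns, str):
            patterns = [patterns]
        if any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def policy_allows(policy, action):
    return evaluate(policy["Statement"], action)


class Account:
    """Local model of IAM policies, groups and group membership."""

    def __init__(self):
        self.policies = {}  # policy name -> policy document
        self.groups = {}    # group name -> set of attached policy names
        self.members = {}   # user name -> set of group names

    def create_policy(self, name, document):
        self.policies[name] = document

    def create_group(self, name):
        self.groups.setdefault(name, set())

    def attach_group_policy(self, group, policy):
        self.groups[group].add(policy)

    def add_user_to_group(self, user, group):
        self.members.setdefault(user, set()).add(group)

    def user_allows(self, user, action):
        """A user's effective access is the union of every policy attached to
        every group the user belongs to; an unknown user has no groups."""
        statements = []
        for group in self.members.get(user, ()):
            for policy in self.groups[group]:
                statements.extend(self.policies[policy]["Statement"])
        return evaluate(statements, action)


def build_billing_access(full_users=("alice",), read_only_users=("bob",)):
    """Mirror the console steps: two policies, a group per policy, users in
    groups. The default user names are constructed sample values."""
    acct = Account()
    for name, doc in (("BillingFullAccess", BILLING_FULL_ACCESS),
                      ("BillingReadOnly", BILLING_READ_ONLY)):
        acct.create_policy(name, doc)
        acct.create_group(name)  # group named after the policy it carries
        acct.attach_group_policy(name, name)
    for user in full_users:
        acct.add_user_to_group(user, "BillingFullAccess")
    for user in read_only_users:
        acct.add_user_to_group(user, "BillingReadOnly")
    return acct


def cli_commands(acct, account_id="<ACCOUNT_ID>"):
    """Equivalent AWS CLI calls for scripting the same setup. Each
    <name>.json file is expected to hold json.dumps(acct.policies[name]);
    the policy ARN needs your real account id in place of the placeholder."""
    cmds = []
    for name in acct.policies:
        cmds.append(f"aws iam create-policy --policy-name {name} "
                    f"--policy-document file://{name}.json")
    for group, policies in acct.groups.items():
        cmds.append(f"aws iam create-group --group-name {group}")
        for policy in sorted(policies):
            cmds.append(f"aws iam attach-group-policy --group-name {group} "
                        f"--policy-arn arn:aws:iam::{account_id}:policy/{policy}")
    for user, groups in acct.members.items():
        for group in sorted(groups):
            cmds.append(f"aws iam add-user-to-group --group-name {group} "
                        f"--user-name {user}")
    return cmds


if __name__ == "__main__":
    account = build_billing_access()
    for user in ("alice", "bob"):
        print(user, "ModifyBilling:", account.user_allows(user, "aws-portal:ModifyBilling"))
    print(json.dumps(BILLING_READ_ONLY, indent=2))
    print("\n".join(cli_commands(account)))
```

Running the script shows that a member of BillingReadOnly can view billing data but cannot modify it, and that membership grants nothing outside the aws-portal namespace, which is the check worth repeating whenever a group's attached policies change.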
Congratulations! You have now granted access to AWS billing data for your IAM users.