I need to access Billing and Cost Management Dashboard through IAM user. Currently It is being accessed through root user.
According to AWS document I have created an IAM user and granted full access of Billing Policy, but it doesn't work.
Here are the screen shots.
IAM User getting error
Billing Policy assigned to IAM user
To allow IAM users to access the billing information, you need the IAM policy and to allow IAM access to billing.
This is done as the root account in the settings of the account.
more information here: docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_billing.html
Related
I have one organization with multiple sub accounts. I would like to create IAM Policies that grant users full administrator access to any resources in specific sub account (or sub accounts). How can this be achieved?
From an AWS Organization perspective, you have control over the accounts and resources via Service Control policies (SCPs).
"However, an SCP never grants permissions. Instead, SCPs are JSON policies that specify the maximum permissions for the affected accounts."
With that in mind, you can't grant users full administrator access to any resources in a specific subaccount(s) using AWS Organization and AWS IAM Policies only.
This leads us to (roughly) 3 paths:
By default, if you create a member account as part of your organization, AWS automatically creates a role in the account that grants administrator permissions to IAM users in the management account who can assume the role.
The IAM Role in question is OrganizationAccountAccessRole. You can customize its name and use it to grant your users full administrator access across all the resources inside the AWS account.
See: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_access.html
Observations: Since this IAM Role is created in every account. You would need to intervene and limit the IAM Cross-Account access manually in each sub-account.
You can use AWS CloudFormation StackSets to deploy across multiple AWS accounts a list of IAM Roles your users could use for admin purposes (eg RoleFullAdmin, RoleReadOnly, RoleDevOps), and AWS Organizations enables you to create stack sets with service-managed permissions, using a service-linked role that has the relevant permission in each member account.
From your AWS Organizations management account (or delegated administrator account) you can deploy Stack Sets to current accounts and they are automatically deployed to every new account your create, keeping your resources in sync.
You can target accounts via account ID or organizational units (OUs).
See: https://docs.aws.amazon.com/organizations/latest/userguide/services-that-can-integrate-cloudformation.html
Observations: Similar to 1, since you are using IAM Role Cross-Account access, you need to manually intervene in the policy trust relationship.
Add AWS IAM Identity Center (successor to AWS Single Sign-On) to your AWS Organizations
What you are looking for can be achieved by Permission Sets in the AWS IAM Identity Center.
You can customize the access per user and have a many-to-many relationship between User <-> Accounts <-> Roles. You can define one or more IAM Policies in the Permission Set.
AWS provides predefined permissions that you can use too.
See: https://docs.aws.amazon.com/singlesignon/latest/userguide/permissionsetsconcept.html and https://docs.aws.amazon.com/singlesignon/latest/userguide/permissionsetpredefined.html
Observations: You need to add an extra resource to your AWS Organization and configure the identity source of your users. This also requires a change in the process of "how to login to our aws account". Now you need to use the AWS SSO etc.
I want to add an IAM user to AWS with all permissions policies except for the ability to see billing and close account or change any information they don't need, that the root user has.
What policies should I add to this new group that the IAM user will be added to?
It would appear that no action is necessary.
By default, IAM Users are not able to see billing. You would need to specifically allow them to see billing information. If this capability is set, you can still deny access by not giving (or by Denying) the aws-portal:ViewBilling permission.
See: Using identity-based policies (IAM policies) for AWS Billing - AWS Billing
It seems that AWS Account can only be closed by the root account (but I couldn't find anything that definitively states this).
See: Close your AWS account
If you are using AWS Organizations, it appears that the account closure must be performed from the management account (rather than the account itself): "When you sign in to the organization's management account, you can close member accounts that are part of your organization."
I am using AWS Free Tier account and logged in as a root user. When I tried to access the cost explorer, it said:
The IAM policy for the current user does not allow access to this page. IAM policies need to be enabled in order to access the Billing & Cost Management Console.
Actually the IAM user/role access to billing information is activated.
How to let the root user access the billing information? Please advise.
I added both Administrator and Billing policies to the admin group that I created, and added a user admin1 to this group. When I login as admin1, I get an error message saying I don't have privileges to see billing information of the account. What am I missing?
Use Case : In my startup, I want to have all my developers have access to "Root Account's Billing information" so they know the costs incurred. Also, you wouldn't want to login-as as root user to just view the billing information, correct.
How do I create an IAM user with privileges to view the account's billing information?
In addition to granting billing privileges to IAM users, you have to login as root and activate IAM user access to the Billing Console.
See: Granting Access to Your Billing Information and Tools
I try to make a policy to read Billing & Cost Management for Amazon AWS.
I created the new policy AccessJustBillingReports:
Then i attached this policy to a new user:
But if i loggin with this user and I open the Billing & Cost Management Dashboard i have no access!
What do i wrong?
By default IAM users cannot access billing as mentioned here: http://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/billing-permissions-ref.html#user-permissions
Note These policies require that you activate IAM user access to the
AWS Billing and Cost Management console on the Account Settings
console page. For more information about activating IAM user access,
see Activate Access to the AWS Website.
If you login as root and scroll down a bit you'll notice a section about allowing IAM access like this:
Once you activate IAM access you should be able to access the billing section.