I have an root aws account and also created one IAM users. The IAM user have full permission for EC2 service. He/She create a Instance(virtual machine - t2.nano) from his IAM account.
I am check my bill from root account. I am seeing as combined usage of root user and IAM user. Is it possible to separate the billing usage for IAM user alone?
Thanks,
There is no way to track the billing usage for a IAM user unless you create a (cost allocation) tag for that user and track it in billing reports. Even then, you can track only the compute costs (instance cost) not the costs associated with storage, data transfer etc.,
Related
I need to access Billing and Cost Management Dashboard through IAM user. Currently It is being accessed through root user.
According to AWS document I have created an IAM user and granted full access of Billing Policy, but it doesn't work.
Here are the screen shots.
IAM User getting error
Billing Policy assigned to IAM user
To allow IAM users to access the billing information, you need the IAM policy and to allow IAM access to billing.
This is done as the root account in the settings of the account.
more information here: docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_billing.html
I am using AWS Free Tier account and logged in as a root user. When I tried to access the cost explorer, it said:
The IAM policy for the current user does not allow access to this page. IAM policies need to be enabled in order to access the Billing & Cost Management Console.
Actually the IAM user/role access to billing information is activated.
How to let the root user access the billing information? Please advise.
My business partner has created an Amazon AWS RDS instance in his account. In the event that he is incapacitated, how can I access the RDS instance and take and use a snapshot without having his admin credentials?
I see a way to share a manually created snapshot but that's not what I want. I need at any time to be able to create and extract a snapshot without permission barriers. Can this be handled by IAM?
You will need one of:
An IAM User in their account that has permissions to create and extract the snapshot. When necessary, you would login to his user and access the data. OR
An IAM Role in their account with the necessary RDS permissions, with a Trust Policy that allows your IAM User in your Account to assume that role, so that you can then create and extract the snapshot.
Either way, they are granting you permissions to perform those steps. They should limit the permissions granted so that you can't accidentally or intentionally do damage (eg delete the database).
I have an AWS account with n number of IAM users. Each user will have access only to a specific list of services based on their role. Now I need to analyze the billing by each IAM user. This will provide the detailed view of each user for further cost optimization and other analysis.
But the AWS billing dashboard shows only the overall costs of that account. Can you please help me on this?
Billing details per IAM entities or which IAM user has spent how much is NOT possible. Also, resources are owned by the account itself (not the user who creates it) and IAM users/roles/groups are not for billing purpose.
If you wish to analyze costs of different persons, then you can consider creating (or inviting) multiple accounts in AWS Organizations.
I would like to write a policy for a new IAM user so that he can have a full access to AWS Services such as EC2, RDS, Cloud Front, S3, etc. However he should be only able to view (describe) and manage the instances/services that he launches. He can't see other existing/future instances/services created by other users.
This case happens in a company that wants to outsource some projects to an outsourced company. So the new IAM user is for giving access to the outsourced company to setup the staging & production environments in AWS that belongs to the company. How can I achieve this?
Thanks.
Best Regards,
Mark
AFAICT there are no conditions on creator.
One obvious alternative is having a separated dependent and linked account with consolidated billing. You can find some detail in the third scenario of this paper
https://media.amazonwebservices.com/AWS_Setting_Up_Multiuser_Environments_Education.pdf
[...] an administrator creates separate AWS accounts for each user who
needs a new AWS account. These accounts can optionally be linked
together and a single AWS account can be designated as the paying
account using consolidated billing, which provides a single bill for
multiple AWS accounts. The administrator then creates an IAM user in
each AWS account and applies an access control policy to each user.
Users are given access to the IAM user within their AWS account, but
do not have access to the root credentials of the AWS account.
Users can log into the AWS Management Console with their IAM
credentials and then they can launch and access different AWS
services, subject to the access control policies applied to their
account. Users have direct control over the access credentials for
their resources and they can also share these resources with other
users as necessary.