AWS Security Blog
Don’t Forget to Enable Access to the Billing Console!
We’ve seen a question appear periodically on the IAM forum about granting IAM users access to the AWS Billing console. The question is this: even after an administrator sets appropriate permissions for an IAM user to access the console, the user can’t get to the console. Why not?
Access to the console actually requires two steps. One step is to grant IAM users permissions to the console. In July, Graham Evans posted a blog entry that described recent enhancements to IAM capabilities for access to the billing console and that walked through a few scenarios that illustrated how to set permission for different levels of access.
The other step—and the step that people sometimes miss—is to enable access to the billing console. In addition to setting permissions, the account owner needs to go to the Account Settings page for the account using the root (account) password. (Note that IAM users, even with full permissions, cannot get to this page.) On the account settings page, there’s a section titled IAM User Access to Billing Information. The account owner should click Edit, select the Activate IAM Access check box, and then click Update:
After access has been enabled like this, IAM users in the account who’ve been granted appropriate permissions can view and work with the billing console.
Something that isn’t well documented is that this same setting is required in order to provide console access for federated users. If you want to grant federated users access to the billing console, you’ll likewise need to select the Activate IAM Access check box and then click Update.
For more information, please see Controlling Access to Your Billing Information in the AWS Billing and Cost Management documentation. If you have other questions about permissions for the billing console, post them on the IAM forum.
– Mike
Want more AWS Security how-to content, news, and feature announcements? Follow us on Twitter.