How can I troubleshoot access denied errors related to the Billing and Cost Management console?
Last updated: 2022-04-06
I want to grant AWS Identity and Access Management (IAM) users or groups the permissions needed to access my account's billing information. But they still encounter permissions issues even though I have taken the necessary actions. How do I troubleshoot the issue?
IAM users might encounter permissions issues when accessing the AWS Billing and Cost Management console if the root user hasn't delegated access to the billing information to the IAM entity (user or role). This also happens if the IAM entity doesn't have the required IAM policies attached to allow that access.
Grant the IAM entity permissions to access the Billing and Cost Management console
1. Activate the IAM User and Role Access to Billing Information setting in the Billing and Cost Management console. If you haven't enabled this setting, then your IAM users and roles can't access the Billing and Cost Management console, even if they have administrator permissions and the required IAM policies in place. Because this setting is disabled by default, it must be manually activated by the root user. For more information on activating this setting, see Granting access to your billing information and tools.
2. Make sure that you have the required permissions attached to your IAM entity to access the Billing and Cost Management console. The minimum permissions required are as follows:
- aws-portal:ViewBilling - This permission is required to view the Billing and Cost Management console pages.
- aws-portal:ModifyBilling - This permission is required to perform modifications in the Billing and Cost Management console pages.
Make sure that the IAM entity has at least one IAM policy attached that grants these permissions. For examples of Billing and Cost Management console policies, see Using identity-based policies (IAM policies) for AWS Billing. AWS managed policies such as AWSBillingReadOnlyAccess or Billing can also be used.
Check that the IAM entity isn't denied access to the Billing and Cost Management console
If you follow these best practices and you still encounter an AccessDenied issue, you might have a policy attached that denies access to the Billing and Cost Management console. Check all applicable policies (IAM policies, permissions boundaries, SCPs) to be sure that they aren't causing an explicit deny for Billing and Cost Management console access.
You can also use the IAM policy simulator to identify the policy that's preventing access to the Billing and Cost Management console. Common causes include the following:
- An SCP/IAM policy that restricts access to specific Regions is enforced on the IAM entity. Billing services are global, and all actions performed in the Billing and Cost Management console are logged in the us-east-1 Region. If you have an IAM/SCP policy that denies you access to specific Regions, then modify it to exempt the specific billing permissions that you require. For more information, see AWS: Denies access to AWS based on the requested Region.
- An SCP/IAM policy with a Deny effect is enforced that allows access to services only when the IAM entity is MFA authenticated. Your MFA device must be configured so that you are always authenticated with an MFA token when you access the Billing and Cost Management console.
- The IAM entity has a permissions boundary attached that doesn't allow access to the Billing and Cost Management console. Despite having the required IAM policies in place, your IAM entity can't access the Billing and Cost Management console if a permissions boundary is configured that doesn't include this permission. Your permissions boundary must have a policy statement with an Allow effect for the Billing and Cost Management console permissions that you require.
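As an added example (not from the AWS article and not an AWS library), the following simplified Python model shows how the three policy layers above combine for one billing action: an explicit Deny anywhere wins, and the SCP, permissions boundary and identity policy must each Allow the action. The policy documents, the eu-west-1 Region and the request context values are constructed sample data.

```python
import fnmatch

# Constructed sample documents, not from a real account. Each SCP keeps the usual
# "Allow *" statement (as in AWS's FullAWSAccess) plus one Deny statement.
ALLOW_ALL = {"Effect": "Allow", "Action": ["*"], "Resource": "*"}
IDENTITY_POLICY = {"Statement": [{"Effect": "Allow", "Action": ["aws-portal:ViewBilling"], "Resource": "*"}]}
BOUNDARY_WITH_BILLING = {"Statement": [{"Effect": "Allow", "Action": ["aws-portal:*", "s3:*"], "Resource": "*"}]}
BOUNDARY_WITHOUT_BILLING = {"Statement": [{"Effect": "Allow", "Action": ["s3:*"], "Resource": "*"}]}
MFA_SCP = {"Statement": [ALLOW_ALL, {"Effect": "Deny", "Action": ["*"], "Resource": "*",
           "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}}]}

def region_scp(exempt_billing):
    """Deny requests outside eu-west-1; optionally exempt the global billing actions,
    whose requests are made against us-east-1 and so would otherwise be denied."""
    deny = {"Effect": "Deny", "Resource": "*",
            "Condition": {"StringNotEquals": {"aws:RequestedRegion": ["eu-west-1"]}}}
    if exempt_billing:
        deny["NotAction"] = ["aws-portal:*"]
    else:
        deny["Action"] = ["*"]
    return {"Statement": [ALLOW_ALL, deny]}

def _as_list(v):
    return v if isinstance(v, list) else [v]
def _condition_met(cond, ctx):
    # Only the two operators used above are modelled; as in IAM, both are true when the key is absent.
    for op, pairs in cond.items():
        for key, expected in pairs.items():
            expected = [str(e).lower() for e in _as_list(expected)]
            actual = str(ctx[key]).lower() if key in ctx else None
            if op == "StringNotEquals" and actual in expected:
                return False
            if op == "BoolIfExists" and actual is not None and actual not in expected:
                return False
    return True

def _applies(stmt, action, ctx):
    patterns = _as_list(stmt.get("Action", stmt.get("NotAction")))
    hit = any(fnmatch.fnmatchcase(action, p) for p in patterns)
    if "NotAction" in stmt:  # NotAction covers every action NOT listed
        hit = not hit
    return hit and _condition_met(stmt.get("Condition", {}), ctx)

def evaluate(policy, action, ctx):
    """'Deny' (explicit), 'Allow', or None (implicit deny) for one policy document."""
    effects = {s["Effect"] for s in policy["Statement"] if _applies(s, action, ctx)}
    return "Deny" if "Deny" in effects else "Allow" if "Allow" in effects else None

def blockers(policies, action, ctx):
    """Names of policies stopping the request (explicit Deny, or no Allow); empty means access is granted."""
    return [name for name, doc in policies.items() if evaluate(doc, action, ctx) != "Allow"]
```

Running `blockers` with the region SCP that lacks the `aws-portal:*` exemption names the SCP as the blocker even though the identity policy allows `aws-portal:ViewBilling`; swapping in the boundary without billing permissions names the boundary instead.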