AWS Cloud Financial Management
Changes to AWS Billing, Cost Management, and Account Consoles Permissions
Launch update: Until July 6, 2023, you can switch between the new fine-grained IAM actions and the old IAM actions with a newly launched feature. It lets you experiment with the new IAM actions to ensure your intended permissions are in place. It also lets you plan your own migration, if you decide to complete it sooner than July 6, 2023, or to extend support for the existing IAM actions until July 6, 2023 for accounts or organizations created after March 6, 2023. See details in “How to toggle accounts between new fine-grained actions or existing IAM Actions?”
AWS will be retiring AWS Identity and Access Management (IAM) actions for the Billing, Cost Management, and Account Consoles under the service prefix aws-portal, and two actions under the purchase-orders namespace, purchase-orders:ViewPurchaseOrders and purchase-orders:ModifyPurchaseOrders. We are replacing them with new fine-grained, service-specific permissions that give you more control over access to Billing, Cost Management, and Account services. These new permissions will also provide a single set of IAM actions that govern access to both console and programmatic interfaces.
In this blog, we will show you what is changing and how you can perform modifications to IAM policies and permissions to allow/deny access to Billing, Cost Management, and Account services in order to prepare for this change. We will also discuss impact to existing AWS Managed Policies and migration timelines along with the tools or options you have to make this transition easier.
Background
Currently you control access to Billing, Cost Management, and Account consoles using IAM actions with the aws-portal service prefix (referred to as existing permissions/IAM actions in this blog). For example, when you grant a user the aws-portal:ViewBilling and aws-portal:ModifyBilling actions, you authorize that user to access multiple console pages, including AWS Cost Explorer, AWS Budgets, consolidated billing, billing preferences, credits, tax settings, payment methods, purchase orders, and cost allocation tags. If you want to allow access to a specific cost management service console page, e.g. Cost Explorer, but deny access to the Bills page, you cannot do so today. This limitation could make it challenging for you to run a decentralized cloud cost management model, where individual users have access to specific services per their role. Many of you have told us you want more fine-grained control over access to Billing, Cost Management, and Account services, and the changes described here provide this flexibility.
Additionally, today you control access to Billing, Cost Management, and Account services through programmatic interfaces using a different set of IAM actions than for the console. For example, when a customer wants to provide a user access to Cost Explorer through both the console and the Cost Explorer API, this user will need permissions for both aws-portal:ViewBilling and ce:*. The new IAM actions provide a single set of permissions that control access to Billing, Cost Management, and Account services via console and programmatic interfaces, making it easier and less error prone to set up access to Billing, Cost Management, and Account services.
What we are launching
AWS is now launching fine-grained IAM actions with 4 new service prefixes, consolidatedbilling, freetier, invoicing, and payments, and is adding new permissions under 5 existing service prefixes, billing, account, cur, purchase-orders, and tax.
We will be retiring the aws-portal service prefix and all actions under it. Additionally, we will be retiring the purchase-orders:ViewPurchaseOrders and purchase-orders:ModifyPurchaseOrders permissions.
When these new IAM actions take effect depends on the date of your AWS account creation, or the date of your management account creation if your account is part of an AWS Organization. Details can be found in the “Permission migration timeline” section.
If you have been using AWS Managed policies or IAM root user to access AWS Billing, Cost Management, and Account consoles, you do not need to take any action, as AWS has updated existing AWS Managed Policies. Information can be found in the “Updates to Existing Managed Policies” section.
New service prefix and permissions
| New service prefix | Service authorization reference | Summary |
| --- | --- | --- |
| consolidatedbilling | link | Provides access to Consolidated Billing features like Account role |
| freetier | link | Provides access to Free Tier features on AWS Billing Console |
| invoicing | link | Provides access to Invoicing resources on AWS Billing Console |
| payments | link | Provides access to Payments and Payment Methods on AWS Billing Console |
Updates to existing service prefix and permissions
| Existing service prefix | Service authorization reference | Summary |
| --- | --- | --- |
| billing | link | Provides access to Billing features on AWS Billing Console – Home, Bills, Credits, Billing preferences |
| account | link | Provides access to AWS Account Management resources |
| cur | link | Provides access to Cost and Usage reports on AWS Billing Console |
| purchase-orders | link | Provides access to the Purchase orders experience on AWS Billing Console |
| tax | link | Provides access to Tax Settings on AWS Billing Console |
Note that these new IAM actions control access to console features today. In the future, we will be launching new APIs for Billing, Payments, and Tax settings to provide programmatic access to the same resources (such as spend summary, bills, payments summary, transactions, and tax registrations) that are only available through the console today. These future APIs will be controlled using the new IAM actions launched today.
Service prefixes and permission to be retired
| Retiring service prefix and permission | Service authorization reference | Summary |
| --- | --- | --- |
| aws-portal | link | We will be retiring this service prefix and all IAM actions within this service prefix after the permission migration timeline |
| purchase-orders | link | We will be retiring the purchase-orders:ViewPurchaseOrders and purchase-orders:ModifyPurchaseOrders permissions after the permission migration timeline. We are releasing additional permissions in place of these two. |
Permission migration timeline
Starting today, you can attach these new IAM actions to your IAM identities (users, groups of users, or roles) and Service control policies (SCPs) to your member accounts, based on their job function. However, the date when these new IAM actions take effect depends on the following factors.
For standalone accounts that are created on or after March 6, 2023, 11AM Pacific Time, or are part of an AWS Organization whose management account is created on or after March 6, 2023, 11AM Pacific Time, you are immediately required to use the new, fine-grained actions in your IAM policies and SCPs and these actions will take effect within minutes after creation.
If your accounts were created before March 6, 2023, 11AM Pacific Time, or if you are part of an AWS Organization whose management account was created before March 6, 2023, 11AM Pacific Time, you will have a transition period during which you can continue using the existing aws-portal IAM actions until July 6, 2023, when AWS retires the aws-portal IAM actions. AWS encourages you to start adding the new fine-grained permissions at your earliest convenience, so you can make sure all affected policies are updated by July 6, 2023, to maintain access to AWS Billing, Cost Management, and Account consoles. If you want to start using the fine-grained actions immediately or want to test them, use the feature described in “How to toggle accounts between new fine-grained actions or existing IAM Actions?”
New Account Group (accounts or organization’s management account created on or after March 6, 2023, 11AM Pacific Time)
If your account is created on or after March 6, 2023, 11AM Pacific Time or joins an Organization whose management account is created on or after March 6, 2023, 11AM Pacific Time, you are required to use the new, fine-grained IAM actions immediately. For example, let’s say you want to provide users access to services on the Cost Management console, such as Cost Explorer and Savings Plans/RI Recommendations, but deny access to Bills or Tax Settings. With fine-grained actions, you can now achieve this by constructing your policy as shown below. This is an example policy. For permissions required by each console page, review the AWS Cost Management Console user guide.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": "ce:*",
      "Resource": "*"
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Deny",
      "Action": [
        "tax:*",
        "billing:*",
        "invoicing:*"
      ],
      "Resource": "*"
    }
  ]
}
Existing Account Group (Accounts or organization’s management account created before March 6, 2023, 11AM Pacific Time)
In this example, let’s say your account was created before March 6, 2023, 11AM Pacific Time or joined an Organization whose management account was created before March 6, 2023, 11AM Pacific Time, and you have the identity-based policy below, named “AllowViewAccessToBillingAndCostManagementConsole”, in your account. It uses the existing IAM action “aws-portal:ViewBilling” to allow view access across the AWS Billing and Cost Management consoles.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": "aws-portal:ViewBilling",
      "Resource": "*"
    }
  ]
}
You will need to update this policy to add fine-grained actions. In the example policy below, the fine-grained IAM actions are added in the statement with Sid “ThesePermissionsWillHaveNoEffectTillEndOfMigration”. As mentioned in the “Permission migration timeline” section, there is a migration period during which the existing IAM actions keep working and the new IAM actions do not take effect until after the retirement of the existing actions. The policy below therefore also keeps the existing action in the statement with Sid “ThisPermissionWillContinueProvidingAccessAsNormal”, because that action controls access to our consoles through July 6, 2023. Note that the existing action “aws-portal:ViewBilling” provides view access to services on the Billing and Cost Management consoles before July 6, 2023; the updated list of actions shown below maintains the same level of access after the retirement of the existing actions.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ThesePermissionsWillHaveNoEffectTillEndOfMigration",
      "Effect": "Allow",
      "Action": [
        "ce:Get*",
        "ce:Describe*",
        "ce:List*",
        "account:GetAccountInformation",
        "billing:Get*",
        "payments:List*",
        "payments:Get*",
        "tax:List*",
        "tax:Get*",
        "consolidatedbilling:Get*",
        "consolidatedbilling:List*",
        "invoicing:List*",
        "invoicing:Get*",
        "cur:Get*",
        "cur:Validate*",
        "freetier:Get*"
      ],
      "Resource": "*"
    },
    {
      "Sid": "ThisPermissionWillContinueProvidingAccessAsNormal",
      "Effect": "Allow",
      "Action": "aws-portal:ViewBilling",
      "Resource": "*"
    }
  ]
}
To help you identify whether you have IAM policies that require updates, AWS has built a tool called “Affected Policies” to simplify the process. The tool lists the affected IAM policies. You can review each policy and make the necessary changes within your logged-in account. Details can be found in the “How to update affected policies in your account?” section. The tool also provides a self-service capability for you to test and enable the new fine-grained actions in your account or, in the case of a management account, in accounts within your organization, prior to July 6, 2023. You can also extend support for the old actions in accounts created after March 6, 2023. Details can be found in the “How to toggle accounts between new fine-grained actions or existing IAM Actions?” section.
Please note that the Affected Policies console only shows impacted IAM policies within the logged-in account and does not display Service control policies (SCPs) that are impacted by this change. You will need to log into the AWS Organizations console to view the affected Service Control Policies. The remainder of the blog provides details on how you can transition from the existing IAM actions to fine-grained actions in the console. If you manage and maintain IAM policies in a version-controlled repository, be sure to make these same changes to your automation. In case of further questions, contact AWS support.
Updates to existing managed policies
As part of this launch, AWS has updated the following AWS Managed policies to include the new fine-grained permissions. The aws-portal IAM actions in these AWS Managed policies will remain working until July 6, 2023, so that you can continue using these managed policies as before. After July 6, 2023, AWS will remove the aws-portal IAM actions from these managed policies. If you are exclusively using AWS Managed Policies, you do not need to take any action, as AWS will make the updates.
- AWSBillingReadOnlyAccess (arn:aws:iam::aws:policy/AWSBillingReadOnlyAccess)
- Billing (arn:aws:iam::aws:policy/job-function/Billing)
- ReadOnlyAccess (arn:aws:iam::aws:policy/ReadOnlyAccess)
- AWSAccountActivityAccess (arn:aws:iam::aws:policy/AWSAccountActivityAccess)
- AWSPurchaseOrdersServiceRolePolicy (arn:aws:iam::aws:policy/AWSPurchaseOrdersServiceRolePolicy)
AWS will be launching additional AWS managed policies to provide fine-grained access to Billing, Cost Management, and Accounts services, after the retirement of the existing actions.
How to update affected policies in your account?
There are three main steps: 1) determine if you must take action, 2) identify which policies need to be updated, and 3) update the policies to use the new IAM actions. In the example below, we focus on accounts that were created, or that are part of an organization that was created, before March 6, 2023, 11AM Pacific Time. New accounts or new organizations created on or after March 6, 2023, 11AM Pacific Time will already be using the new granular actions.
Step 1: Determine if you must take action
Any policy that uses one of the following IAM actions will need to be migrated to the new permissions.
- aws-portal:ViewAccount
- aws-portal:ViewBilling
- aws-portal:ViewPaymentMethods
- aws-portal:ViewUsage
- aws-portal:ModifyAccount
- aws-portal:ModifyBilling
- aws-portal:ModifyPaymentMethods
- purchase-orders:ViewPurchaseOrders
- purchase-orders:ModifyPurchaseOrders
As mentioned above, if you have been using AWS Managed policies to access AWS Billing, Cost Management, and Account consoles, you do not need to take any action, as AWS has updated the managed policies. If you have been using root credentials you will not need to take any action.
Let’s say you have an identity-based policy named “AllowViewAccessToBillingAndCostManagementConsole” that still uses the existing IAM action “aws-portal:ViewBilling”, as shown below. This policy is attached to six IAM users.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": "aws-portal:ViewBilling",
      "Resource": "*"
    }
  ]
}
Step 2: Identify what policies need to be updated
Please visit the Affected Policies console in your logged-in account. To access it, use an IAM user/role with the iam:GetAccountAuthorizationDetails action included in your IAM policy, or assign any of these AWS Managed policies to your IAM user/role: SystemAdministrator, AdministratorAccess, IAMFullAccess, or IAMReadOnlyAccess.
Log in to your account and open the Affected Policies console to view all IAM policies that reference the existing aws-portal IAM actions, which will be retired on July 6, 2023. You can also view the number of IAM entities (IAM users, roles, or groups) that each affected policy is attached to, so you can prioritize updates to the policies assigned to the greatest number of IAM entities. The tool displays both customer managed policies and inline policies that need an update.
You will see that the policy “AllowViewAccessToBillingAndCostManagementConsole” from Step 1 is listed (see the screenshot below). It shows how many IAM entities this policy is attached to, which is 6 in this example. The tool also shows the offending IAM action(s), in this case aws-portal:ViewBilling.

Figure 1: Affected Policies console for Existing Account Group
You can also download a list of affected policies along with their policy ARNs by clicking the “Export all affected policies” button on the Affected Policies console.

Figure 2: “Export all affected policies” button
To update the Service Control Policies (SCPs), you will need to log into the AWS Organizations console. Instructions are provided below in the “How to update Service Control Policies to new actions” section.
Step 3: Update policies in your account to new IAM actions
From the affected policies list, you can click on a policy name and update the IAM customer-managed or inline policies in the IAM console. You can update the IAM policy as you normally would. You can review Editing IAM policies to see how policy updates can be made. Before updating your policies to new actions, please make a note of your current default policy version. You can revert your policies to this version, if you encounter issues with your changes.
In Steps 1 and 2, you identified that the policy named “AllowViewAccessToBillingAndCostManagementConsole” needs to be updated. Once you navigate to the IAM console, you can make the following changes to the policy to maintain access to the Billing and Cost Management consoles. As this is an example from the Existing Account Group, you need to retain the current actions while adding the new fine-grained actions to the policy.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ThesePermissionsWillHaveNoEffectTillEndOfMigration",
      "Effect": "Allow",
      "Action": [
        "ce:Get*",
        "ce:Describe*",
        "ce:List*",
        "account:GetAccountInformation",
        "billing:Get*",
        "payments:List*",
        "payments:Get*",
        "tax:List*",
        "tax:Get*",
        "consolidatedbilling:Get*",
        "consolidatedbilling:List*",
        "invoicing:List*",
        "invoicing:Get*",
        "cur:Get*",
        "cur:Validate*",
        "freetier:Get*"
      ],
      "Resource": "*"
    },
    {
      "Sid": "ThisPermissionWillContinueProvidingAccessAsNormal",
      "Effect": "Allow",
      "Action": "aws-portal:ViewBilling",
      "Resource": "*"
    }
  ]
}
```
After you have added the new granular IAM actions to the affected policy, it will still be listed in the Affected Policies console, because you are keeping the existing IAM actions during the migration period. After the retirement of the existing IAM actions on July 6, 2023, you are encouraged to remove them from the policy as a policy hygiene best practice; once they are removed, the policy will no longer appear in the Affected Policies console.
You can refer to these Billing console and Cost Management user guides to understand the fine-grained IAM actions for each of Billing, Cost Management, and Account services.
How to update Service Control Policies to new actions
The Service Control Policy (SCP) feature is only available when all features are enabled in your AWS Organization.
- You’ll need to log into your management account of your AWS organization
- View SCPs created in your management account by visiting the AWS Organizations console
- Click on “Policies” in the left navigation panel and select “Service control policies”

Figure 3: Service control policies under AWS Organizations
- Click on an SCP that you’ve created for AWS Billing, Cost Management, and Account consoles.
- Click on Edit Policy button to update your SCP.

Figure 4: Edit policy button for Service Control Policy
- Update contents of the policy to include new IAM actions. Keep your existing IAM actions to maintain access through the migration period

Figure 5: Edit content for Service Control Policy
- You can also view which member accounts the SCP is applied to in the “Targets” tab so you can prioritize updates to the SCPs that are assigned to the most member accounts.

Figure 6: “Targets” tab for Service Control Policy
Detailed instructions on how to update your Service Control Policies can be found in this user guide.
How to toggle accounts between new fine-grained actions or existing IAM Actions?
This self-service feature allows you to switch between the new fine-grained actions and the existing (old) IAM actions. You can test the new actions in your account or across a subset of accounts within your organization (in case of a management account). After July 6, 2023, all accounts will need to use new actions and the self-service feature will no longer be available. In the meantime, you have the flexibility to start using the new IAM actions now, or revert to the old IAM actions even for new accounts/organizations created on and after March 6, 2023.
The above operations can be accessed via the Affected Policies console. To use these features via the console, you need an IAM user/role with ce:GetConsoleActionSetEnforced, aws-portal:GetConsoleActionSetEnforced, and purchase-orders:GetConsoleActionSetEnforced (to view the enforced action set), and ce:UpdateConsoleActionSetEnforced, aws-portal:UpdateConsoleActionSetEnforced, and purchase-orders:UpdateConsoleActionSetEnforced (to toggle actions). In the case of AWS Organizations, the feature is only available to management account users.
Visit the Affected Policies console in your logged-in account.
If you are not using a management account and do not belong to an AWS Organization, you can only toggle the action set for your own account. Figure 7 shows that for the current logged-in user, the "Existing" IAM actions are enforced. You can select the “Enable New actions for your account” option and then “Apply changes”. This enables the new IAM actions for your account.

Figure 7. Existing (Old) IAM action enforced, toggle to New (fine-grained) actions
Similarly, if the "Fine Grained" IAM actions are enforced, you can select the “Enable old actions for your account” option and select “Apply changes” (see Figure 8). The account will revert to using old IAM actions, which will only be available until July 6, 2023.

Figure 8. New (fine-grained) IAM action enforced, toggle to old IAM actions
As a management account owner, you can toggle the actions set for all or a subset of member accounts within your organization. If the "Existing" IAM actions are enforced (see Figure 9), you can enable new IAM actions for the entire organization or specific accounts within the organization. For the latter, you need to provide account numbers (up to 10).

Figure 9. Management Account view - Existing (Old) IAM actions enforced within organization, toggle to New (fine-grained) actions across all or a subset of accounts within the organization
Similarly, when new IAM actions are enforced (see figure 10), you can revert to old actions for the entire organization or specific accounts within the organization. For the latter, you need to provide account numbers (up to 10).

Figure 10. Management Account view - New (fine-grained) IAM actions enforced within organization, toggle to old IAM actions across all or subset of accounts within organization
If a subset of accounts within the organization is overridden (to use old or new IAM actions), the “Current Action Set Enforced” status appears in the following format, with a link to download a CSV file. The CSV file lists the overridden accounts and whether each uses the new or the old IAM actions.

Figure 11. Management Account user view - New (fine-grained) IAM actions enforced within organization with subset of accounts using old IAM actions
Conclusions
The launch of these granular permissions under the new service specific namespaces allows least privilege access to Billing, Cost Management, and Account consoles and services. To take advantage of the enhanced access control capability and maintain access to your AWS Billing, Cost Management, and Account consoles, make sure you refer to the Cost Management user guide and Billing Console user guide for details and take action accordingly. Don’t hesitate to reach out to your AWS contact and support team if you have any questions.