AWS Cloud Financial Management
Changes to AWS Billing, Cost Management, and Account Consoles Permissions
The blog is only applicable to those accounts who have not completed the migration of old IAM actions to the new fine-grained actions. If you have an AWS account, or are a part of an AWS Organizations created on or after March 6, 2023, 11:00AM (PDT), this blog is not applicable to you, as fine-grained actions are already in effect for you and your organization.
AWS has retired AWS Identity and Access Management (IAM) actions for the Billing, Cost Management, and Account Consoles under the service prefix aws-portal and two actions under purchase order namespace, purchase-orders:ViewPurchaseOrders, and purchase-orders:ModifyPurchaseOrders. We have replaced them with new fine-grained service specific permissions that give you more control over access to Billing, Cost Management, and Account services. These new permissions will also provide a single set of IAM actions that govern access to both console and programmatic interfaces.
In this blog, we will show you what is changing and how you can perform modifications to IAM policies and permissions to allow/deny access to Billing, Cost Management, and Account services in order to prepare for this change. We will also discuss impact to existing AWS Managed Policies and migration timelines along with the tools or options you have to make this transition easier.
Background
Currently you control access to Billing, Cost Management, and Account consoles using IAM actions with the aws-portal service prefix (referred to as existing permissions/IAM actions in this blog). For example, when you provide a user access to the aws-portal:ViewBilling and aws-portal:ModifyBilling action, you authorize the user access to multiple console pages, including AWS Cost Explorer, AWS Budgets, consolidated billing, billing preferences, credits, tax settings, payment methods, purchase orders, and cost allocation tags. If you want to allow access to a specific cost management service console page, e.g. Cost Explorer, but deny access to Bills page, you cannot do so today. This limitation could make it challenging for you to run a decentralized cloud cost management model, where individual users have access to specific services per their role. Many of you have told us you want more fine-grained control over access to Billing, Cost Management, and Account services, and the changes described here provide this flexibility.
Additionally, today you control access to Billing, Cost Management, and Account services through programmatic interfaces using a different set of IAM actions than for the console. For example, when a customer wants to provide a user access to Cost Explorer through both the console and the Cost Explorer API, this user will need permissions to both aws-portal:ViewBilling and ce:*. The new IAM actions provide a single set of permissions that control access to Billing, Cost Management, and Account services via console and programmatic interfaces, making it easier and less error prone to set up access to Billing, Cost Management, and Account services.
What we have launched
On January 10, 2023, AWS launched fine-grained IAM actions with 4 new service prefixes, consolidated billing, freetier, invoicing, and payments, and added new permissions under 5 existing service prefixes, billing, accounts, cur, purchase-orders, and tax.
We have retired aws-portal service prefix and all actions under it. Additionally, we have retired purchase-orders:ViewPurchaseOrders and purchase-orders:ModifyPurchaseOrders permissions.
If you have been using AWS Managed policies for IAM users or root users to access AWS Billing, Cost Management, and Account consoles, you do not need to take any action, as AWS has updated existing AWS Managed Policies. However, if you need to access Cost Explorer, you would need to create a customer managed policy with actions related to Cost Explorer. Information can be found in the “Updates to Existing Managed Policies” section.
New service prefix and permissions
| New service prefix | Service authorization reference | Summary |
| consolidatedbilling | link | Provides access to Consolidated Billing features like Account role |
| freetier | link | Provides access to Free Tier features on AWS Billing Console |
| invoicing | link | Provides access to Invoicing resources on AWS Billing Console |
| payments | link | Provides access to Payments and Payment Methods on AWS Billing Console |
Updates to existing service prefix and permissions
| Existing service prefix | Service authorization reference | Summary |
| billing | link | Provides access to Billing features on AWS Billing Console – Home, Bills, Credits, Billing preferences |
| account | link | Provide access to AWS Account Management resources |
| cur | link | Provide access to Cost and Usage reports on AWS Billing Console |
| purchase-orders | link | Provide access to Purchase orders experience on AWS Billing Console |
| tax | link | Provide access to Tax Settings on AWS Billing Console |
Note that these new IAM actions control access to console features today. In the future, we will be launching new APIs for Billing, Payments, Tax settings to provide programmatic access to the same resources (like spend summary, bills, payments summary, transaction, tax registrations) that are only available through console today. These future APIs will be controlled using the new IAM actions launched today.
Retired service prefixes and permissions
| Retiring service prefix and permission | Service authorization reference | Summary |
| aws-portal | link | We will be retiring this service prefix and all IAM actions within this service prefix after the permission migration timeline |
| purchase-orders | link | We will be retiring purchase-orders:ViewPurchaseOrders and purchase-orders:ModifyPurchaseOrders permissions after the permission migration timeline. We are releasing additional permissions in place of these two. |
How should you get started?
To use the fine-grained access controls, you’ll need to migrate your policies from under aws-portal to the new IAM actions.
The following IAM actions in your permission policies or service control policies (SCP) need to be updated with new fine-grained actions:
aws-portal:ViewAccountaws-portal:ViewBillingaws-portal:ViewPaymentMethodsaws-portal:ViewUsageaws-portal:ModifyAccountaws-portal:ModifyBillingaws-portal:ModifyPaymentMethodspurchase-orders:ViewPurchaseOrderspurchase-orders:ModifyPurchaseOrders
AWS encourages you to start adding the new fine-grained permissions immediately, so you can make sure all affected policies are updated prior to their retirement, to maintain access to AWS Billing, Cost Management, and Account consoles. If you want to start using the fine-grained actions immediately or want to test these fine-grained actions, use the feature described in the “How to toggle accounts between new fine-grained actions or existing IAM Actions?”
For example, you have the below identity-based policy named “AllowViewAccessToBillingAndCost ManagementConsole” in your account that has the existing IAM action “aws-portal:ViewBilling” to allow view access across AWS Billing and Cost Management consoles.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": " VisualEditor0 ",
"Effect": "Allow",
"Action": "aws-portal:ViewBilling",
"Resource": "*"
}
]
}
You will need to update this policy to add fine-grained actions. In the example policy below, you will see the fine-grained IAM actions are added under the block of statement “ThesePermissionsWillHaveNoEffectTillEndOfMigration”. You can see in the example below, the updated policy also contains existing actions under block of statement “ThisPermissionWillContinueProvidingAccessAsNormal”, as they control access to our consoles through the retirement date.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "ThesePermissionsWillHaveNoEffectTillEndOfMigration",
"Effect": "Allow",
"Action": [
"ce:Get*",
"ce:Describe*",
"ce:List*",
"account:GetAccountInformation",
"billing:Get*",
"payments:List*",
"payments:Get*",
"tax:List*",
"tax:Get*",
"consolidatedbilling:Get*",
"consolidatedbilling:List*",
"invoicing:List*",
"invoicing:Get*",
"cur:Get*",
"cur:Validate*",
"freetier:Get*"
],
"Resource": "*"
},
{
"Sid": "ThisPermissionWillContinueProvidingAccessAsNormal",
"Effect": "Allow",
"Action": "aws-portal:ViewBilling",
"Resource": "*"
}
]
}To help you identify and update the affected IAM policies, AWS has provided the following resources. In this blog, we will share details around how you can use “Affected Policies” and the “Toggle account” feature to make changes to your permissions. You can review the instructions for the other resources in the user guides below.
- Affected Policies (user guide)- The tool lists the affected IAM policies within the account. You can review each policy and make necessary changes within your logged-in account
- Bulk Policy migrator (user guide) – The scripts allow you to identify and update all affected policies within your organization. You can run these scripts from the payer account of your organization If you are working within an AWS Organization setup with multiple linked accounts, use the Bulk Policy Migrator scripts for efficiently updating all accounts within the organization.
- Mapping guide (user guide) : This is a mapping of the existing(old) to new fine-grained actions for each IAM action that we’re retiring.
- Toggle account: This self-service feature allows you to switch between the new fine-grained actions and the existing (old) IAM actions. Once the new fine grained actions are added, you can immediately start using the new IAM actions in your accounts using the Toggle account feature (See “How to toggle accounts between new fine-grained or existing IAM Actions?” section).
Updates to existing managed policies
As part of this launch, AWS has updated the following AWS Managed policies to include the new fine-grained permissions. These aws-portal IAM actions in the AWS Managed policies will remain working till the retirement date, so that you can continue using these managed policies like before. After the retirement, AWS will remove aws-portal IAM actions from these managed policies. If you are exclusively using AWS Managed Policies, you do not need to take any action, as AWS will make the updates. However, if you need to access Cost Explorer, you would need to create a customer managed policy with actions related to the Cost Explorer.
AWSBillingReadOnlyAccess (arn:aws:iam::aws:policy/AWSBillingReadOnlyAccess)Billing (arn:aws:iam::aws:policy/job-function/Billing)ReadOnlyAccess (arn:aws:iam::aws:policy/ReadOnlyAccess)AWSAccountActivityAccess (arn:aws:iam::aws:policy/AWSAccountActivityAccess)AWSPurchaseOrdersServiceRolePolicy (arn:aws:iam::aws:policy/AWSPurchaseOrdersServiceRolePolicy)
How to update affected policies in your account?
There are two main steps: 1) identify what policies need to be updated, and 2) update polices to use the new IAM actions. In the example below, we will focus on accounts who were, or accounts who are part of an organization that was created before March 6, 2023, 11AM Pacific Time. As for the new accounts or new organizations that are created on or after March 6, 2023, 11AM Pacific Time, you’ll already be using the new granular actions.
Please note that the Affected Policies console only shows impacted IAM policies within the logged-in account and does not display Service control policies (SCPs) that are impacted by this change. Please use the Bulk Policy Migrator scripts to identify and update IAM policies for all accounts within the organization. You will need to log into the AWS Organizations console to view the affected Service Control Policies (SCPs). The remainder of the blog provides details on how you can transition from the existing IAM actions to fine-grained actions in the console. If you manage and maintain IAM policies in a version-controlled repository, be sure to make these same changes to your automation. In case of further questions, contact AWS support.
Step 1: Identify what policies need to be updated
Please visit Affected Policies console in your logged-in account. You are able to access the Affected Policies console, when you search for the term “Affected Policies” on the AWS console home page. You can also locate the “Migrate to new IAM actions” widget on the Getting started – more resource page in the new Billing and Cost Management Console. To access, use an IAM user/role with iam:GetAccountAuthorizationDetails action included in your IAM policy or assign any of these AWS Managed policies to your IAM user/role – SystemAdministrator, AdministratorAccess, IAMFullAccess, or IAMReadOnlyAccess.
Log in to your account and access Affected Policy console to view all IAM policies that reference the existing aws-portal IAM actions, which will be retired. You can also view the number of IAM entities (IAM user, role, or group) that are attached to the affected policy, so you can prioritize updates to the policies that are assigned to the greatest number of IAM entities. This tool will display both customer managed policies and inline policies that need update.
For example, you have an identity policy “AllowViewAccessToBillingAndCostManagementConsole” using the existing IAM action “aws-portal:ViewBilling” that is attached to six IAM users.
You will see that the policy “AllowViewAccessToBillingAndCostManagementConsole” is listed (see the screenshot below). It shows how many IAM entities this policy is attached to, which is “6” in this example. This tool also shows the offending IAM action(s) – in this case aws-portal:ViewBilling.
Figure 1: Affected Policies console for Existing Account Group
You can also download a list of affected policies along with the policies ARNs by clicking on “Export all affected policies” button on the Affected Policies console.
Figure 2: “Export all affected policies” button
To update the Service Control Policies (SCPs), you will need to log into the AWS Organizations console. Instructions are provided below in the “How to update Service Control Policies to new actions” section.
Step 2: Update policies in your account to new IAM actions
From the affected policies list, you can click on a policy name and update the IAM customer-managed or inline policies in the IAM console. You can update the IAM policy as you normally would. You can review Editing IAM policies to see how policy updates can be made. Before updating your policies to new actions, please make a note of your current default policy version. You can revert your policies to this version, if you encounter issues with your changes.
In Steps 1, you have identified that the policy named “AllowViewAccessToBillingAndCost ManagementConsole” needs to be updated. Once you navigate to the IAM console, you add the new IAM actions. Please use the “Mapping guide” to confirm the desired new IAM actions to be added for the corresponding old IAM actions. You will need to retain the current actions while adding new fine-grained actions in the policy.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "ThesePermissionsWillHaveNoEffectTillEndOfMigration",
"Effect": "Allow",
"Action": [
"ce:Get*",
"ce:Describe*",
"ce:List*",
"account:GetAccountInformation",
"billing:Get*",
"payments:List*",
"payments:Get*",
"tax:List*",
"tax:Get*",
"consolidatedbilling:Get*",
"consolidatedbilling:List*",
"invoicing:List*",
"invoicing:Get*",
"cur:Get*",
"cur:Validate*",
"freetier:Get*"
],
"Resource": "*"
},
{
"Sid": "ThisPermissionWillContinueProvidingAccessAsNormal",
"Effect": "Allow",
"Action": "aws-portal:ViewBilling",
"Resource": "*"
}
]
}After you added the new, granular IAM actions to all affected policies, since you’re keeping the existing IAM actions during the migration period, you will continue to see this policy listed in the Affected Policy console. After the retirement of the existing IAM actions, you are encouraged to update the policy by removing the existing IAM actions for policy hygiene best practices, and after the removal of the existing IAM actions, you will no longer see this policy in the Affected Policy console. We also encourage you to use self-service tool on payer account / regular accounts affected policies console to toggle the account to using the new IAM actions immediately. See details in “How to toggle accounts between new fine-grained actions or existing IAM Actions?”
You can refer to these Billing console and Cost Management user guides to understand the fine-grained IAM actions for each of Billing, Cost Management, and Account services.
How to update Service Control Policies to new actions
Service Control Policy (SCP) feature is only available when all features are enabled in your AWS Organizations.
- You’ll need to log into your management account of your AWS organization
- View SCPs created in your management account by visiting the AWS Organizations console
- Click on “Policies” in the left navigation panel and select “Service control policies”
Figure 3: Service control policies under AWS Organizations
- Click on an SCP that you’ve created for AWS Billing, Cost Management, and Account consoles.
- Click on Edit Policy button to update your SCP.
Figure 4: Edit policy button for Service Control Policy
- Update contents of the policy to include new IAM actions. Keep your existing IAM actions to maintain access through the migration period
Figure 5: Edit content for Service Control Policy
- You can also view which member accounts the SCP is applied to in the “Targets” tab so you can prioritize updates to the SCPs that are assigned to the most member accounts.
Figure 6: “Targets” tab for Service Control Policy
Detailed instructions on how to update your Service Control Policies can be found in this user guide.
How to toggle accounts between new fine-grained actions or existing IAM Actions?
This self-service feature allows you to switch between the new fine-grained actions and the existing (old) IAM actions. You can test the new actions in your account or across a subset of accounts within your organization (in case of a management account). After the retirement, all accounts will need to use new actions and the self-service feature will no longer be available.
The above operations can be accessed via the Affected Policies console. To use these features via the console, you need to use an IAM user/role with ce:GetConsoleActionSetEnforced, aws-portal:GetConsoleActionSetEnforced, purchase-orders:GetConsoleActionSetEnforced (to view the enforced action status), and ce:UpdateConsoleActionSetEnforced , aws-portal:UpdateConsoleActionSetEnforced, purchase-orders:UpdateConsoleActionSetEnforced (to toggle actions). In case of AWS Organizations, the feature is only available to management account users.
Visit Affected Policies console in your logged-in account
You are able to access the Affected Policies console, when you search for the term "Affected Policies" on the AWS console home page. You can also locate the "Migrate to new IAM actions" widget on the Getting started - more resource page in the new Billing and Cost Management Console. If you are not using a management account and don’t belong to AWS Organizations, you will be restricted to toggle the actions set for your own account. Figure 7 shows that for the current logged-in user, "Existing" IAM actions are enforced. You can select the “Enable New actions for your account” option and select “Apply changes”. This will enable the new IAM actions for your account.
Figure 7. Existing (Old) IAM action enforced, toggle to New (fine-grained) actions
Similarly, if the "Fine Grained" IAM actions are enforced, you can select the “Enable old actions for your account” option and select “Apply changes” (see Figure 8). The account will revert to using old IAM actions, which will only be available until the retirement date.
Figure 8. New (fine-grained) IAM action enforced, toggle to old IAM actions
As a management account owner, you can toggle the actions set for all or a subset of member accounts within your organization. If the "Existing" IAM actions are enforced (see Figure 9), you can enable new IAM actions for the entire organization or specific accounts within the organization. For the latter, you need to provide account numbers (up to 10).
Figure 9. Management Account view - Existing (Old) IAM actions enforced within organization, toggle to New (fine-grained) actions across all or a subset of accounts within the organization
Similarly, when new IAM actions are enforced (see figure 10), you can revert to old actions for the entire organization or specific accounts within the organization. For the latter, you need to provide account numbers (up to 10).
Figure 10. Management Account view - New (fine-grained) IAM actions enforced within organization, toggle to old IAM actions across all or subset of accounts within organization
In case a subset of accounts within the organization are overridden (to use old or new IAM actions), the “Current Action Set Enforced” status will appear in the following format, with a link to download the csv file. The csv file will contain the overridden accounts, using either the new or old IAM actions.
Figure 11. Management Account user view - New (fine-grained) IAM actions enforced within organization with subset of accounts using old IAM actions
Conclusions
The launch of these granular permissions under the new service specific namespaces allows least privilege access to Billing, Cost Management, and Account consoles and services. To take advantage of the enhanced access control capability and maintain access to your AWS Billing, Cost Management, and Account consoles, make sure you refer to the Cost Management user guide and Billing Console user guide for details and take action accordingly. Don’t hesitate to reach out to your AWS contact and support team if you have any questions.