- Più recenti
- Maggior numero di voti
- Maggior numero di commenti
Hi,
I can see that you are trying to use the new fine-grained billing policies for your existing aws-portal:* action.
There is a script that can help you to identify affected policies and provide recommendations for your current IAM policies. The references can be found in:
- https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/migrate-iam-permissions.html
- https://github.com/aws-samples/bulk-policy-migrator-scripts-for-account-cost-billing-consoles
I have created an IAM policy with the aws-portal:* action in the lab. After that I run the above migration tool and I can see the following suggestions are provided:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "SuggestedPermissions",
"Effect": "Allow",
"Action": [
"account:CloseAccount",
"account:DeleteAlternateContact",
"account:GetAccountInformation",
"account:GetAlternateContact",
"account:GetChallengeQuestions",
"account:GetContactInformation",
"account:PutAlternateContact",
"account:PutChallengeQuestions",
"account:PutContactInformation",
"billing:GetBillingData",
"billing:GetBillingDetails",
"billing:GetBillingNotifications",
"billing:GetBillingPreferences",
"billing:GetContractInformation",
"billing:GetCredits",
"billing:GetIAMAccessPreference",
"billing:GetSellerOfRecord",
"billing:ListBillingViews",
"billing:PutContractInformation",
"billing:RedeemCredits",
"billing:UpdateBillingPreferences",
"billing:UpdateIAMAccessPreference",
"ce:CreateAnomalyMonitor",
"ce:CreateAnomalySubscription",
"ce:CreateNotificationSubscription",
"ce:CreateReport",
"ce:DeleteAnomalyMonitor",
"ce:DeleteAnomalySubscription",
"ce:DeleteNotificationSubscription",
"ce:DeleteReport",
"ce:DescribeNotificationSubscription",
"ce:DescribeReport",
"ce:GetAnomalies",
"ce:GetAnomalyMonitors",
"ce:GetAnomalySubscriptions",
"ce:GetCostAndUsage",
"ce:GetCostAndUsageWithResources",
"ce:GetCostCategories",
"ce:GetCostForecast",
"ce:GetDimensionValues",
"ce:GetPreferences",
"ce:GetReservationCoverage",
"ce:GetReservationPurchaseRecommendation",
"ce:GetReservationUtilization",
"ce:GetRightsizingRecommendation",
"ce:GetSavingsPlansCoverage",
"ce:GetSavingsPlansPurchaseRecommendation",
"ce:GetSavingsPlansUtilization",
"ce:GetSavingsPlansUtilizationDetails",
"ce:GetTags",
"ce:GetUsageForecast",
"ce:ListCostAllocationTags",
"ce:ListSavingsPlansPurchaseRecommendationGeneration",
"ce:ProvideAnomalyFeedback",
"ce:StartSavingsPlansPurchaseRecommendationGeneration",
"ce:UpdateAnomalyMonitor",
"ce:UpdateAnomalySubscription",
"ce:UpdateCostAllocationTagsStatus",
"ce:UpdateNotificationSubscription",
"ce:UpdatePreferences",
"consolidatedbilling:GetAccountBillingRole",
"consolidatedbilling:ListLinkedAccounts",
"cur:GetClassicReport",
"cur:GetClassicReportPreferences",
"cur:GetUsageReport",
"cur:PutClassicReportPreferences",
"cur:ValidateReportDestination",
"freetier:GetFreeTierAlertPreference",
"freetier:GetFreeTierUsage",
"freetier:PutFreeTierAlertPreference",
"invoicing:GetInvoiceEmailDeliveryPreferences",
"invoicing:GetInvoicePDF",
"invoicing:ListInvoiceSummaries",
"invoicing:PutInvoiceEmailDeliveryPreferences",
"payments:CreatePaymentInstrument",
"payments:DeletePaymentInstrument",
"payments:GetPaymentInstrument",
"payments:GetPaymentStatus",
"payments:ListPaymentPreferences",
"payments:MakePayment",
"payments:UpdatePaymentPreferences",
"tax:BatchPutTaxRegistration",
"tax:DeleteTaxRegistration",
"tax:GetTaxInheritance",
"tax:GetTaxRegistrationDocument",
"tax:ListTaxRegistrations",
"tax:PutTaxInheritance"
],
"Resource": "*"
},
{
"Sid": "ExistingPoliciesToBeDeletedAfterRetirement",
"Effect": "Allow",
"Action": "aws-portal:*",
"Resource": "*"
}
]
}
Please note that according to https://aws.amazon.com/blogs/aws-cloud-financial-management/changes-to-aws-billing-cost-management-and-account-consoles-permissions/, you will need to retain the current actions (i.e. "aws-portal:*") while adding new fine-grained actions in the policy. After you added the new, granular IAM actions to all affected policies, since you’re keeping the existing IAM actions during the migration period, you will continue to see this policy listed in the Affected Policy console. After the retirement of the existing IAM actions, you are encouraged to update the policy by removing the existing IAM actions.
Contenuto pertinente
- AWS UFFICIALEAggiornata 2 mesi fa