Skip to content
By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post
About re:Post

How can I resolve "Access Denied" errors when I access the AWS Billing console with IAM permissions?

3 minute read
0

I have AWS Identity and Access Management (IAM) permissions to access billing information in my AWS account. However, I get an "Access Denied" error when I try to view the AWS Billing console.

Resolution

By default, IAM users and roles can't access the AWS Billing console. IAM policies that grant access to billing features might not grant access to the Billing console.

Activate IAM access to billing information

The AWS account root user must first activate IAM access to billing for the account. Complete the following steps:

  1. Sign in to the AWS Management Console as the root user. Use the email address and password associated with the account.
  2. In the navigation bar, choose your account name, and then select Account.
  3. Navigate to the IAM User and Role Access to Billing Information section.
  4. Choose Edit.
  5. Select the check box to activate IAM access.
  6. Choose Update.

After you complete these steps, you see a message that says "IAM user/role access to billing information is activated".

Verify IAM permissions

When you activate IAM access to billing, make sure that your IAM user or role has the appropriate permissions to access billing data. To do this, complete these steps:

  1. Use AWS managed policies such as "AWSBillingReadOnlyAccess" or "AWSBillingFullAccess".
  2. Create custom IAM policies that grant specific billing permissions.

For example, to grant read-only access to billing information, attach the "AWSBillingReadOnlyAccess" managed policy to your IAM user or role.

Check for policy conflicts

Access is denied if you have IAM policy conflicts, specifically if the following apply:

  • A policy explicitly denies access to billing actions without multi-factor authentication (MFA).
  • This explicit denial overrides any allow statements in other IAM policies.

Check for policy conflicts through the following steps:

  1. Review all policies attached to your IAM user or role.
  2. Look for any explicit Deny statements that might be blocking access to billing actions.
  3. If you find conflicting policies, then you might need to edit the IAM policies or use MFA when you access the Billing console.

Verify account settings in AWS Organizations

If you created your account through AWS Organizations or AWS Control Tower, then billing access might be controlled by organization-wide settings. Verify the following:

  1. There are no Service Control Policies (SCPs) in AWS Organizations that are blocking access to billing for your IAM entity.
  2. The organization settings allow member accounts to have billing access activated.

Clear browser cache and cookies

In some cases, you can clear your browser cache and cookies to resolve persistent access issues. After you clear your browser data, complete the following steps:

  1. Sign out of the AWS Management Console.
  2. Sign back in with your IAM credentials.
  3. Try to access the Billing console again.

If you're still experiencing issues after following these steps, then contact AWS Support for further assistance.

Related information

Granting access to your billing information and tools

What is IAM?

AWS Billing and Cost Management permissions reference

Topics
Cloud Financial ManagementSecurity, Identity, & Compliance
Tags
AWS IAM Identity CenterIAM PoliciesAWS Billing
Language
English
AWS OFFICIALUpdated a month ago
No comments

Relevant content