How can I troubleshoot access denied errors related to the Billing and Cost Management console?

3 minute read
0

I want to troubleshoot issues with AWS Identity and Access Management (IAM) users or groups accessing my account's billing information.

Resolution

If your IAM users encounter permission issues when accessing the AWS Billing and Cost Management console, then confirm the following:

  • The root user has delegated the IAM entity (user or role) access to the billing information.
  • The IAM entity has the required IAM policies to allow them access.

Grant the IAM entity permissions to access the Billing and Cost Management console

To allow users and roles access to the Billing and Cost Management console, complete the following steps:

  1. Sign in to the AWS Management Console with your AWS account root user credentials.
  2. In the navigation bar, choose your account name, and then choose Account.
  3. Next to IAM user and Role Access to Billing Information, choose Edit.
  4. Select the Activate IAM Access check box to activate access to the Billing and Cost Management console pages.
    Note: Because this setting is deactivated by default, the root user must manually activate it. For more information on activating this setting, see Granting access to your billing information and tools.
  5. Choose Update.
  6. Make sure that you have added the required permissions to your IAM entity to access the Billing and Cost Management console. The IAM entity must have at least one IAM policy attached. For examples of Billing and Cost Management console policies, see Using identity-based policies (IAM policies) for AWS Billing. AWS managed policies such as AWSBillingReadOnlyAccess or Billing can also be used.

Check that the IAM entity isn't denied access to the Billing and Cost Management console

If you still encounter an AccessDenied issue, then you might have a policy attached that denies access to the Billing and Cost Management console.

Use the IAM policy simulator to identify the policy that's preventing access to the Billing and Cost Management console. Check all applicable policies, such as IAM policies, permissions boundary, and SCP, for policies that specifically deny access to the Billing and Cost Management console.

Common issues

To troubleshoot common issues, complete the following tasks:

An SCP/IAM policy that restricts access to specific AWS Regions is enforced on the IAM entity

Billing services are global and all actions performed in the Billing and Cost Management console are logged in the us-east-1 Region. If you have an IAM/SCP policy that denies you access to specific Regions, then modify this to exempt the specific billing permissions required. For more information, see AWS: Denies access to AWS based on the requested Region.

An SCP/IAM policy with a deny effect is enforced and allowing access to services only when the IAM entity is MFA authenticated

Your MFA device must be configured so that you're always authenticated with an MFA token to have access to the Billing and Cost Management console.

The IAM entity has a permissions boundary attached that doesn't allow access to the Billing and Cost Management console

Your IAM entity can't access the Billing console if there's a permissions boundary configured that prevents this permission. Your permissions boundary must have a policy statement with an Allow effect for the Billing and Cost Management console permissions you require.

Related information

Overview of managing access permissions

IAM tutorial: Delegate access to the billing console

Changes to AWS Billing, Cost Management, and Account Consoles Permissions

AWS OFFICIAL
AWS OFFICIALUpdated a month ago