I want to troubleshoot issues with AWS Identity and Access Management (IAM) users or groups accessing my account's billing information.
If your IAM users encounter permission issues when accessing the AWS Billing and Cost Management console, then confirm the following:
- The root user has delegated the IAM entity (user or role) access to the billing information.
- The IAM entity has the required IAM policies to allow them access.
Grant the IAM entity permissions to access the Billing and Cost Management console
First, to allow users and roles access to the Billing and Cost Management console, do the following:
- Sign in to the AWS Management Console with your AWS account root user credentials.
- In the navigation bar, choose your account name, and then choose Account.
- Next to IAM user and Role Access to Billing Information, choose Edit.
- Select the Activate IAM Access check box to activate access to the Billing and Cost Management console pages.
Note: Because this setting is deactivated by default, the root user must manually activate it. For more information on activating this setting, see Granting access to your billing information and tools.
- Choose Update.
Then, make sure that you have added the required permissions to your IAM entity to access the Billing and Cost Management console.
The following are the minimum permissions required:
- aws-portal:ViewBilling - This permission is required to view the Billing and Cost Management console pages.
- aws-portal:ModifyBilling - This permission is required to perform modifications in the Billing and Cost Management console pages.
The IAM entity must have at least one IAM policy attached. For examples of Billing and Cost Management console policies, see Using identity-based policies (IAM policies) for AWS Billing. AWS managed policies such as AWSBillingReadOnlyAccess or Billing can also be used.
Check that the IAM entity isn't denied access to the Billing and Cost Management console
If you still encounter an AccessDenied issue, then you might have a policy attached that denies access to the Billing and Cost Management console.
Use the IAM policy simulator to identify the policy that's preventing access to the Billing and Cost Management console. Check all applicable policies (IAM policies, permissions boundary, and SCP) for policies that specifically deny access to the Billing and Cost Management console. Look for the following conditions:
- An SCP/IAM policy that restricts access to specific AWS Regions is enforced on the IAM entity. Billing services are global and all actions performed in the Billing and Cost Management console are logged in the us-east-1 Region. If you have an IAM/SCP policy that denies you access to specific Regions, then modify it to exempt the specific billing permissions required. For more information, see AWS: Denies access to AWS based on the requested Region.
- An SCP/IAM policy with a deny effect is enforced that allows access to services only when the IAM entity is MFA authenticated. Your MFA device must be configured so that you're always authenticated with an MFA token to have access to the Billing and Cost Management console.
- The IAM entity has a permissions boundary attached that doesn't allow access to the Billing and Cost Management console. Your IAM entity can't access the Billing console if there's a permissions boundary configured that prevents this permission. Your permissions boundary must have a policy statement with an Allow effect for the Billing and Cost Management console permissions you require.
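The following is an added example, not part of the original article or AWS tooling: an offline check that scans exported policy documents for Deny statements covering the billing permissions listed above and reports which condition keys (Region, MFA) gate them. The function name find_billing_denies and the sample policies are assumptions made for illustration. It is a simplified matcher that does not evaluate conditions or resources.

```python
import fnmatch

BILLING_ACTIONS = ["aws-portal:ViewBilling", "aws-portal:ModifyBilling"]

def _as_list(value):
    # IAM accepts a single string or a list for Statement, Action and NotAction.
    return value if isinstance(value, list) else [] if value is None else [value]

def _matches(patterns, action):
    # Action names are case-insensitive and may contain * and ? wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)

def find_billing_denies(policies, actions=BILLING_ACTIONS):
    """List Deny statements that cover the billing actions.
    policies maps a label to a policy document (dict). Conditions are
    reported, not evaluated: a conditional Deny applies only when the
    request matches it (for example, wrong Region or no MFA).
    """
    findings = []
    for label, doc in policies.items():
        for stmt in _as_list(doc.get("Statement")):
            if stmt.get("Effect") != "Deny":
                continue
            keys = sorted(k for op in stmt.get("Condition", {}).values() for k in op)
            for action in actions:
                if "NotAction" in stmt:
                    hit = not _matches(_as_list(stmt["NotAction"]), action)
                else:
                    hit = _matches(_as_list(stmt.get("Action")), action)
                if hit:
                    findings.append((label, stmt.get("Sid", ""), action, keys))
    return findings

# Constructed sample policies (not from a real account).
REGION_SCP = {"Version": "2012-10-17", "Statement": [{
    "Sid": "DenyOutsideRegion", "Effect": "Deny",
    "NotAction": ["iam:*", "sts:*"], "Resource": "*",
    "Condition": {"StringNotEquals": {"aws:RequestedRegion": ["eu-west-1"]}}}]}
REGION_SCP_FIXED = {"Version": "2012-10-17", "Statement": [{
    "Sid": "DenyOutsideRegion", "Effect": "Deny",
    "NotAction": ["iam:*", "sts:*", "aws-portal:*"], "Resource": "*",
    "Condition": {"StringNotEquals": {"aws:RequestedRegion": ["eu-west-1"]}}}]}
MFA_POLICY = {"Version": "2012-10-17", "Statement": {
    "Sid": "DenyWithoutMFA", "Effect": "Deny", "Action": "*", "Resource": "*",
    "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}}}

if __name__ == "__main__":
    for finding in find_billing_denies({"scp": REGION_SCP, "iam": MFA_POLICY}):
        print(finding)
```

A finding with aws:RequestedRegion in its condition keys corresponds to the Region case above, and one with aws:MultiFactorAuthPresent corresponds to the MFA case. REGION_SCP_FIXED shows the same Region deny with the billing actions exempted through NotAction.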