How do I troubleshoot IAM permission issues for the Billing and Cost Management console?

Resolution

If your IAM users or groups experience permission issues when they try to access the AWS Billing and Cost Management console, then confirm the following actions:

• The account root user delegated the access to the billing information.
• You tested your permissions through the IAM policy simulator.
• The IAM entity has the required IAM policies that allow them to access the Billing and Cost Management console.
• The AWS Organizations member account doesn't have a service control policy (SCP) that's blocking access for the IAM entity or root user.
• You configured multi-factor authentication (MFA) devices to always allow authentication.
• You attached permissions boundaries to IAM entities that allow access to the Billing and Cost Management console.

Grant the IAM entity permission to access the Billing and Cost Management console

Complete the following steps:

1. Sign in to the AWS Management Console with your account root user credentials.
   Important: It's a best practice to use only the root user for tasks that require root user credentials.
2. In the navigation pane, choose your account name, and then choose Account.
3. Next to IAM user and Role Access to Billing Information, choose Edit.
4. Select Activate IAM Access.
   Note: This setting is deactivated by default. For more information, see Granting access to your billing information and tools.
5. Choose Update.
6. Open the IAM console, and then attach the AWS managed permissions to the IAM entity.

Note: The IAM entity must have at least one IAM policy attached. For Billing and Cost Management console policy examples, see Identity-based policy with AWS Billing. You can also use AWS managed policies such as AWSBillingReadOnlyAccess or Billing.

Check that the IAM entity can access the Billing and Cost Management console

If you still experience permission issues, then there might be a policy attached to the IAM entity that denies access to the Billing and Cost Management console.

Use the IAM policy simulator to identify the policy that's preventing access to the Billing and Cost Management console. Check all applicable policies to determine whether they deny access to the Billing and Cost Management console.

An IAM policy or SCP that restricts access to specific AWS Regions is attached to the IAM entity

Billing services are global, and all actions that you perform in the Billing and Cost Management console are logged in the us-east-1 Region. If the IAM policy or SCP denies access to specific Regions, then modify the policy to exempt the required specific billing permissions. For more information, see AWS: Denies access to AWS based on the requested Region.

An IAM policy or SCP includes a Deny effect and allows access to services only when the IAM entity is MFA authenticated

If you use MFA, then additional configuration is required to access to the Billing and Cost Management console. You must configure your MFA device to always authenticate with an MFA token.

The IAM entity has a permissions boundary attached that doesn't allow access to the Billing and Cost Management console

Your IAM entity can't access the Billing and Cost Management console if you configure a permissions boundary to prevent this permission. Your permissions boundary must have a policy statement with an Allow effect for the required Billing and Cost Management console permissions.

Related information

Overview of managing access permissions

IAM tutorial: Delegate access across AWS accounts using IAM roles

Changes to AWS Billing, Cost Management, and Account consoles permissions