How to Allow Federated Users logged into an Organization Member Accounts to their account's Billings


Problem: Federated users logging into organization member accounts with the AWSAdministratorAccess PermissionSet cannot view the billing dash board for the account they are logged into. Specifically we want developers to be able to access the billing for their own individual sandbox accounts.


  • Multi-account Organization setup with ControlTower, and SSO and an external IdP
  • Account structure following the multi-account white paper
  • ControlTower only allows creation of resources in managed regions
  • On the Sandbox OU, the only SCP applied are full access, denying leaving the organization, denying performing actions as the root user, and those created by ControlTower.
  • Billing access for IAM is enabled in the management account
  • All Organization features are enabled including consolidate billing
  • No problems accessing billing in the management account from a Federated users with the AWSAdministratorAccess PermissionSet
  • This is a new organization (less than 1 month old)
  • The accounts were created with Account Factory for Terraform
  • There are no passwords on member account root users and we will not be adding them
  • Linked account access is granted to cost explorer.

When I test with Access Analyzer, I get that it was denied by SCP but I cannot see any SCPs that are denying.

질문됨 일 년 전430회 조회
1개 답변

Please review the Repost Knowledge Center article:

Other Document for reference. Access Management:

Billing and Cost Management Permissions Reference:

You can also find information on how to enable IAM access to billing information here:

I believe you'll find this information useful

profile pictureAWS
답변함 일 년 전

로그인하지 않았습니다. 로그인해야 답변을 게시할 수 있습니다.

좋은 답변은 질문에 명확하게 답하고 건설적인 피드백을 제공하며 질문자의 전문적인 성장을 장려합니다.

질문 답변하기에 대한 가이드라인