
Update your policies for continued access to Billing, Cost Management, and Account consoles

0

I understand that a few of the AWS policy keywords have been deprecated. One of my accounts is using this specific action, aws-portal:*, for billing access.

I could not find the new fine grained actions equivalent to this in the reference guide - https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/migrate-granularaccess-iam-mapping-reference.html

Also, if I enable new actions from the console, is it guaranteed that the new actions will be equivalent to the old ones? Could there be any impact? Reference link for the above - https://us-east-1.console.aws.amazon.com/poliden/home?region=us-east-1#/

1 Answer
0

Hi,

I can see that you are trying to use the new fine-grained billing policies for your existing aws-portal:* action.

There is a script that can help you to identify affected policies and provide recommendations for your current IAM policies. The references can be found in:

I have created an IAM policy with the aws-portal:* action in the lab. After that I ran the above migration tool and I can see the following suggestions are provided:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "SuggestedPermissions",
            "Effect": "Allow",
            "Action": [
                "account:CloseAccount",
                "account:DeleteAlternateContact",
                "account:GetAccountInformation",
                "account:GetAlternateContact",
                "account:GetChallengeQuestions",
                "account:GetContactInformation",
                "account:PutAlternateContact",
                "account:PutChallengeQuestions",
                "account:PutContactInformation",
                "billing:GetBillingData",
                "billing:GetBillingDetails",
                "billing:GetBillingNotifications",
                "billing:GetBillingPreferences",
                "billing:GetContractInformation",
                "billing:GetCredits",
                "billing:GetIAMAccessPreference",
                "billing:GetSellerOfRecord",
                "billing:ListBillingViews",
                "billing:PutContractInformation",
                "billing:RedeemCredits",
                "billing:UpdateBillingPreferences",
                "billing:UpdateIAMAccessPreference",
                "ce:CreateAnomalyMonitor",
                "ce:CreateAnomalySubscription",
                "ce:CreateNotificationSubscription",
                "ce:CreateReport",
                "ce:DeleteAnomalyMonitor",
                "ce:DeleteAnomalySubscription",
                "ce:DeleteNotificationSubscription",
                "ce:DeleteReport",
                "ce:DescribeNotificationSubscription",
                "ce:DescribeReport",
                "ce:GetAnomalies",
                "ce:GetAnomalyMonitors",
                "ce:GetAnomalySubscriptions",
                "ce:GetCostAndUsage",
                "ce:GetCostAndUsageWithResources",
                "ce:GetCostCategories",
                "ce:GetCostForecast",
                "ce:GetDimensionValues",
                "ce:GetPreferences",
                "ce:GetReservationCoverage",
                "ce:GetReservationPurchaseRecommendation",
                "ce:GetReservationUtilization",
                "ce:GetRightsizingRecommendation",
                "ce:GetSavingsPlansCoverage",
                "ce:GetSavingsPlansPurchaseRecommendation",
                "ce:GetSavingsPlansUtilization",
                "ce:GetSavingsPlansUtilizationDetails",
                "ce:GetTags",
                "ce:GetUsageForecast",
                "ce:ListCostAllocationTags",
                "ce:ListSavingsPlansPurchaseRecommendationGeneration",
                "ce:ProvideAnomalyFeedback",
                "ce:StartSavingsPlansPurchaseRecommendationGeneration",
                "ce:UpdateAnomalyMonitor",
                "ce:UpdateAnomalySubscription",
                "ce:UpdateCostAllocationTagsStatus",
                "ce:UpdateNotificationSubscription",
                "ce:UpdatePreferences",
                "consolidatedbilling:GetAccountBillingRole",
                "consolidatedbilling:ListLinkedAccounts",
                "cur:GetClassicReport",
                "cur:GetClassicReportPreferences",
                "cur:GetUsageReport",
                "cur:PutClassicReportPreferences",
                "cur:ValidateReportDestination",
                "freetier:GetFreeTierAlertPreference",
                "freetier:GetFreeTierUsage",
                "freetier:PutFreeTierAlertPreference",
                "invoicing:GetInvoiceEmailDeliveryPreferences",
                "invoicing:GetInvoicePDF",
                "invoicing:ListInvoiceSummaries",
                "invoicing:PutInvoiceEmailDeliveryPreferences",
                "payments:CreatePaymentInstrument",
                "payments:DeletePaymentInstrument",
                "payments:GetPaymentInstrument",
                "payments:GetPaymentStatus",
                "payments:ListPaymentPreferences",
                "payments:MakePayment",
                "payments:UpdatePaymentPreferences",
                "tax:BatchPutTaxRegistration",
                "tax:DeleteTaxRegistration",
                "tax:GetTaxInheritance",
                "tax:GetTaxRegistrationDocument",
                "tax:ListTaxRegistrations",
                "tax:PutTaxInheritance"
            ],
            "Resource": "*"
        },
        {
            "Sid": "ExistingPoliciesToBeDeletedAfterRetirement",
            "Effect": "Allow",
            "Action": "aws-portal:*",
            "Resource": "*"
        }
    ]
}

Please note that according to https://aws.amazon.com/blogs/aws-cloud-financial-management/changes-to-aws-billing-cost-management-and-account-consoles-permissions/, you will need to retain the current actions (i.e. "aws-portal:*") while adding new fine-grained actions in the policy. After you have added the new, granular IAM actions to all affected policies, since you’re keeping the existing IAM actions during the migration period, you will continue to see this policy listed in the Affected Policy console. After the retirement of the existing IAM actions, you are encouraged to update the policy by removing the existing IAM actions.

AWS
answered a year ago
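An added example, not part of the original answer and not AWS's migration script: a small Python check that classifies a policy document by whether it still allows `aws-portal:` actions and already carries fine-grained ones, and that produces the cleaned-up document for use after retirement. The function names and the two sample policies are constructed for illustration.

```python
import copy

LEGACY_PREFIX = "aws-portal:"
# Service prefixes that appear in the suggested policy quoted in the answer.
NEW_PREFIXES = {"account", "billing", "ce", "consolidatedbilling", "cur",
                "freetier", "invoicing", "payments", "tax"}

def _statements(policy):
    s = policy["Statement"]          # IAM allows one object or a list
    return [s] if isinstance(s, dict) else s

def _actions(stmt):
    a = stmt.get("Action", [])       # IAM allows a string or a list
    return [a] if isinstance(a, str) else list(a)

def _is_legacy(action):
    return action.lower().startswith(LEGACY_PREFIX)   # action names are case-insensitive

def migration_status(policy):
    """Classify one policy document for the aws-portal retirement."""
    allows = [s for s in _statements(policy) if s.get("Effect") == "Allow"]
    legacy = any(_is_legacy(a) for s in allows for a in _actions(s))
    fine = any(a.split(":")[0].lower() in NEW_PREFIXES
               for s in allows for a in _actions(s))
    if not legacy:
        return "no-legacy-actions"
    return "migrating" if fine else "needs-fine-grained-actions"

def strip_legacy(policy):
    """Post-retirement cleanup: return a copy without aws-portal actions."""
    out = copy.deepcopy(policy)
    kept = []
    for s in _statements(out):
        if "Action" in s:
            remaining = [a for a in _actions(s) if not _is_legacy(a)]
            if not remaining:
                continue             # statement granted only legacy actions
            s["Action"] = remaining if isinstance(s["Action"], list) else remaining[0]
        kept.append(s)
    out["Statement"] = kept          # empty list: delete the policy instead of saving it
    return out

# Constructed samples: the answer's policy shape with a shortened action list.
MIGRATING = {"Version": "2012-10-17", "Statement": [
    {"Sid": "SuggestedPermissions", "Effect": "Allow",
     "Action": ["billing:GetBillingData", "payments:MakePayment"], "Resource": "*"},
    {"Sid": "ExistingPoliciesToBeDeletedAfterRetirement", "Effect": "Allow",
     "Action": "aws-portal:*", "Resource": "*"}]}
LEGACY_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "AWS-Portal:ViewBilling", "Resource": "*"}]}
```

A policy that comes back from `strip_legacy` with an empty `Statement` list granted nothing but legacy actions, so it is a candidate for deletion rather than an update.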
