Access to billing details that was granted by my boss refuses to take effect

0

For starters, a background.

Back in September, I, [*************], was given a major opportunity at a startup that's using AWS to get off the ground, as head of DevSecOps. The security controls I've implemented for the company have since worked wonders in terms of stopping fuzzing attempts in their tracks, and it goes without saying that studying the modus operandi of ways in which hackers try to get in for close to a year and a half is part of what allowed me to convince my boss as to why I was making them as strong as I was. For a while, this was going great. That is, until he asked me how to have one of our RDS developers access the database without exposing the database to the Internet, and I suggested using VPC as a solution to this problem, which turned out to be a major mistake given how expensive it was turning out to be. Keep in mind, he asked me this question and I offered this solution while my ability to view how much said changes would cost looked like this:

[Screenshot: No access to billing info]

When the costs finally hit and turned out to be $70 for just 2 weeks, he was in shock ― understandably ― as was I. I sent him the above screenshot in response, and he chose to in turn grant access to a bunch of IAM roles that should, at least on paper, allow one to see how much a solution would cost so something like this doesn't happen again. However, despite him adding me to as many admin-related roles as he possibly could, my BCM dashboard still looks the same. Hence, my question: how can my employer possibly give me the ability to view these numbers so I'm not working blind when offering solutions to security problems?

*Edit: Removed - Full Name & Linkedin URL — Elle G.

  • I suggest removing your boss's name and the name of the organisation you work for. It doesn't add any value to your question, and it could have negative consequences further down the line.

2 Answers
1
Accepted Answer

The issue you're experiencing with access to billing details is a common one, even after being granted permissions by an administrator. There are a few key steps that need to be taken to ensure IAM users can access billing information:

  1. Activate IAM user access to billing information: By default, even if IAM users are granted billing-related permissions, they cannot view billing information. The AWS account root user needs to explicitly activate this feature.

  2. Ensure proper IAM policies are attached: The administrator (in this case, Pablo) needs to attach the appropriate IAM policies to your user or to a group you're a member of. These policies should include permissions for viewing and accessing billing information.

  3. Verify the policies: Make sure the policies attached to your IAM user or group include the necessary permissions for accessing the Billing and Cost Management console.

  4. Wait for data preparation: Sometimes, when you first access the Billing and Cost Management console, AWS needs time to prepare your cost and usage data. This process can take up to 24 hours.

To resolve this issue, I recommend the following steps:

  1. Ask Pablo (as the root user) to verify that IAM user access to billing information has been activated for the account.

  2. Have Pablo review the IAM policies attached to your user or group to ensure they include the necessary permissions for billing access.

  3. If the above steps have been completed correctly, try logging out and logging back in to refresh your session.

  4. If you're still unable to access the billing information after 24 hours, it may be worth contacting AWS support for further assistance.

Remember, granting access to billing information is a two-step process: activating IAM access for billing and attaching the appropriate IAM policies. Both steps are necessary for IAM users to view and manage billing information.
Sources
Troubleshooting AWS Billing identity and access - AWS Billing
Billing: Access Denied | AWS re:Post
Overview of managing access permissions - AWS Billing

answered 8 days ago
AWS
EXPERT
reviewed 8 days ago
1

There is an AWS-managed policy for the Billing job function which sounds like what you need https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_job-functions.html#jf_accounts-payable

Get this policy attached to your user, either directly in IAM or as a Permission Set in IAM Access Analyser.

If the AWS account is part of AWS Organisations then check to see that any billing: actions are not restricted for users of the account.

EXPERT
answered 8 days ago
  • Already attached but still doing nothing. Apparently the problem was that my boss didn't go through the feature list to enable IAM access to billing information to begin with. He did that this morning; will check this when I get home this afternoon.
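The two answers above name three independent blockers: the account-level setting that activates IAM access to billing information, the IAM policies attached to the user or group, and any AWS Organizations restriction on `billing:` actions. The following is an added example, not code from the thread or from AWS, that checks all three against policy documents supplied as JSON. It assumes the account setting is passed in as a boolean by whoever can see it, uses `billing:GetBillingData` as the action to test, and deliberately ignores `NotAction`, `Resource`, `Condition` and permissions boundaries.

```python
from fnmatch import fnmatchcase

# Simplified evaluation: Action wildcards only; NotAction, Resource,
# Condition and permissions boundaries are out of scope for this sketch.
def _as_list(value):
    return value if isinstance(value, list) else [value]

def _layer_decision(policies, action):
    """'deny' if any statement denies the action, 'allow' if one allows it, else 'none'."""
    hits = {"Allow": False, "Deny": False}
    for policy in policies:
        for stmt in _as_list(policy.get("Statement", [])):
            patterns = _as_list(stmt.get("Action", []))
            if any(fnmatchcase(action.lower(), p.lower()) for p in patterns):
                hits[stmt.get("Effect")] = True
    return "deny" if hits["Deny"] else "allow" if hits["Allow"] else "none"

def diagnose_billing_access(setting_activated, identity_policies, scps=None,
                            action="billing:GetBillingData"):
    """Return the reasons billing access fails; an empty list means no blocker found.
    scps=None means the account is not part of an organization."""
    reasons = []
    if not setting_activated:
        reasons.append("account: IAM access to billing information not activated")
    identity = _layer_decision(identity_policies, action)
    if identity != "allow":
        reasons.append(f"identity policy: {identity} for {action}")
    if scps is not None:
        scp = _layer_decision(scps, action)
        if scp != "allow":
            reasons.append(f"SCP: {scp} for {action}")
    return reasons

# Constructed sample documents (not taken from the thread).
BILLING_ALLOW = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["billing:*", "ce:*"], "Resource": "*"}]}
SCP_FULL = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}
SCP_NO_BILLING = {"Version": "2012-10-17", "Statement": {
    "Effect": "Deny", "Action": "billing:*", "Resource": "*"}}

if __name__ == "__main__":
    # The asker's case: policies attached, account setting never activated.
    print(diagnose_billing_access(False, [BILLING_ALLOW]))
    # Setting activated, but an SCP restricts billing: actions.
    print(diagnose_billing_access(True, [BILLING_ALLOW], [SCP_FULL, SCP_NO_BILLING]))
```

The first call reports only the account setting, which is why attaching more admin roles changed nothing in the asker's situation.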
