"Update your Policies" email - but only AWS-managed policies have the old permission!

0

We're getting the emails about "Update your policies for enhanced Billing, Cost Management, and Account consoles access", but the only policies we have that have the retired permissions are

  • AdministratorAccess - AWS managed - job function (arn:aws:iam::aws:policy/AdministratorAccess)
  • Billing - AWS managed - job function (arn:aws:iam::aws:policy/job-function/Billing)

which have

  • purchase-orders:ViewPurchaseOrders
  • purchase-orders:ModifyPurchaseOrders

I thought AWS would update any AWS-managed policies. Did they miss these, or are AdministratorAccess and Billing somehow outdated, or what? Are we going to have a problem? We are not using Organizations.

(also, without a higher-level account, is this the only way to ask?) Thanks very much

3 Answers
0

Hello.

All operations are already permitted for "AdministratorAccess" in the AWS management policy, so there is no need to update it.
Also, AWS managed policies cannot be updated by us users.
AWS will update automatically.
https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/billing-permissions-ref.html#managed-policies

An AWS managed policy is a standalone policy that's created and administered by AWS. AWS managed policies are designed to provide permissions for many common use cases. AWS managed policies make it easier for you to assign appropriate permissions to users, groups, and roles than if you had to write the policies yourself.

You can't change the permissions defined in AWS managed policies. AWS occasionally updates the permissions that are defined in an AWS managed policy. When this occurs, the update affects all principal entities (users, groups, and roles) that the policy is attached to.

I think if you check the managed policies for "AdministratorAccess" and "Billing", the old policies will probably be gone.

answered 4 months ago
0

Hello,

I apologize for any inconvenience this has caused you. Our Accounts & Billing team would be happy to address this concern. You can create a case from our Support Center: https://go.aws/support-center. After researching, it does seem these permissions have been retired & require your action. You can find more details in our blog: https://aws.amazon.com/blogs/aws-cloud-financial-management/changes-to-aws-billing-cost-management-and-account-consoles-permissions/.

- Rick N.

answered 4 months ago
  • Hi, thank you but our account does not allow us to enter a case. And the link you provide does not address the issue of an AWS-provided policy containing an outdated permission.

0

I still see the incorrect permissions in the AWS-managed policies:

arn:aws:iam::aws:policy/AdministratorAccess
arn:aws:iam::aws:policy/job-function/Billing

Are these not the right policies, or am I getting an outdated version somehow, or are the policies incorrect? I did try creating a new user and applying the policy and still see the permissions. We only have eight user-managed policies and none of them include any of the outdated permissions.

answered 4 months ago
  • I never did get an answer, but AWS has stopped nagging us about it, for now
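
An added example, not part of the thread and not AWS's own tooling: a local check of IAM policy documents for the two retired actions named in the question, covering both explicit listings and wildcard patterns. The sample policies are constructed and the function names are hypothetical.

```python
import re

# The two retired actions named in the question above.
RETIRED_ACTIONS = (
    "purchase-orders:ViewPurchaseOrders",
    "purchase-orders:ModifyPurchaseOrders",
)

def _as_list(value):
    """IAM accepts a single string or object where a list is also allowed."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _matches(pattern, action):
    """IAM action patterns are case-insensitive; '*' and '?' are wildcards."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, action, re.IGNORECASE) is not None

def find_retired_grants(policy_document, retired=RETIRED_ACTIONS):
    """Return sorted (statement_index, pattern, retired_action) tuples.

    Only Allow statements with an Action element are examined;
    NotAction statements are out of scope for this check.
    """
    hits = set()
    for index, statement in enumerate(_as_list(policy_document.get("Statement"))):
        if statement.get("Effect") != "Allow":
            continue
        for pattern in _as_list(statement.get("Action")):
            for action in retired:
                if _matches(pattern, action):
                    hits.add((index, pattern, action))
    return sorted(hits)

# Constructed sample documents (not copies of any real account's policies).
SAMPLE_POLICIES = {
    "explicit-listing": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "purchase-orders:viewpurchaseorders"], "Resource": "*"}]},
    "service-wildcard": {"Version": "2012-10-17", "Statement": {
        "Effect": "Allow", "Action": "purchase-orders:*", "Resource": "*"}},
    "full-wildcard": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"}]},
    "unrelated": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"}]},
}

def scan(policies=SAMPLE_POLICIES):
    """Map each policy name to its list of retired-action grants."""
    return {name: find_retired_grants(doc) for name, doc in policies.items()}
```

To run it against real customer-managed policies, export each policy's default version document as JSON and pass the parsed dictionaries to `scan`.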
