"Update your Policies" email - but only AWS-managed policies have the old permission!

0

We're getting the emails about "Update your policies for enhanced Billing, Cost Management, and Account consoles access", but the only policies we have that have the retired permissions are

  • AdministratorAccess - AWS managed - job function (arn:aws:iam::aws:policy/AdministratorAccess)
  • Billing - AWS managed - job function (arn:aws:iam::aws:policy/job-function/Billing)

which have

  • purchase-orders:ViewPurchaseOrders
  • purchase-orders:ModifyPurchaseOrders

I thought AWS would update any AWS-managed policies. Did they miss these, or are AdministratorAccess and Billing somehow outdated, or what? Are we going to have a problem? We are not using Organizations.

(also, without a higher-level account, is this the only way to ask?) Thanks very much

Asked 5 months ago, viewed 220 times
3 answers
0

Hello.

All operations are already permitted for "AdministratorAccess" in the AWS management policy, so there is no need to update it.
Also, AWS managed policies cannot be updated by us users.
AWS will update automatically.
https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/billing-permissions-ref.html#managed-policies

An AWS managed policy is a standalone policy that's created and administered by AWS. AWS managed policies are designed to provide permissions for many common use cases. AWS managed policies make it easier for you to assign appropriate permissions to users, groups, and roles than if you had to write the policies yourself.

You can't change the permissions defined in AWS managed policies. AWS occasionally updates the permissions that are defined in an AWS managed policy. When this occurs, the update affects all principal entities (users, groups, and roles) that the policy is attached to.

I think if you check the managed policies for "AdministratorAccess" and "Billing", the old policies will probably be gone.

Expert
Answered 5 months ago
0

Hello,

I apologize for any inconvenience this has caused you. Our Accounts & Billing team would be happy to address this concern; you can create a case from our Support Center: https://go.aws/support-center. After researching, it does seem these permissions have been retired & require your action; you can find more details from our blog: https://aws.amazon.com/blogs/aws-cloud-financial-management/changes-to-aws-billing-cost-management-and-account-consoles-permissions/.

- Rick N.

AWS
Expert
Answered 5 months ago
  • Hi, thank you but our account does not allow us to enter a case. And the link you provide does not address the issue of an AWS-provided policy containing an outdated permission.

0

I still see the incorrect permissions in the AWS-managed policies:

  • arn:aws:iam::aws:policy/AdministratorAccess
  • arn:aws:iam::aws:policy/job-function/Billing

Are these not the right policies, or am I getting an outdated version somehow, or are the policies incorrect? I did try creating a new user and applying the policy and still see the permissions. We only have eight user-managed policies and none of them include any of the outdated permissions.

Answered 5 months ago
  • I never did get an answer, but AWS has stopped nagging us about it, for now
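The check discussed in this thread (which policies reference the two retired `purchase-orders` actions), as an added example that is not part of the original posts or any AWS tooling. It separates policies that name a retired action literally from policies that only cover it through a wildcard such as `"*"`; the policy documents, their names and the helper names are constructed for illustration.

```python
import fnmatch

# Retired actions named in the question above.
RETIRED = ["purchase-orders:ViewPurchaseOrders",
           "purchase-orders:ModifyPurchaseOrders"]

def as_list(value):
    """IAM allows a single object/string where a list is also valid."""
    return value if isinstance(value, list) else [value]

def find_retired(policy_doc, retired=RETIRED):
    """Return (sid, pattern, retired_action, kind) for every Action entry
    that matches a retired action. kind is 'explicit' when the entry names
    the action literally, 'wildcard' when it matches only via * or ?.
    NotAction elements are not evaluated (assumption: not used here)."""
    findings = []
    for i, stmt in enumerate(as_list(policy_doc.get("Statement", []))):
        sid = stmt.get("Sid", f"stmt{i}")
        for pattern in as_list(stmt.get("Action", [])):
            for action in retired:
                # IAM action names are case-insensitive; * and ? are wildcards.
                if fnmatch.fnmatchcase(action.lower(), pattern.lower()):
                    wild = "*" in pattern or "?" in pattern
                    findings.append((sid, pattern, action,
                                     "wildcard" if wild else "explicit"))
    return findings

# Constructed sample documents (not copies of real account policies).
SAMPLE_POLICIES = {
    "full-admin-style": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"}]},
    "finance-custom": {"Version": "2012-10-17", "Statement": [
        {"Sid": "PO", "Effect": "Allow", "Resource": "*",
         "Action": ["purchase-orders:ViewPurchaseOrders", "ce:Get*"]}]},
    "s3-readonly": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["s3:GetObject", "s3:ListBucket"]}]},
}

def scan(policies):
    """Map policy name -> findings, omitting policies with no match."""
    results = {name: find_retired(doc) for name, doc in policies.items()}
    return {name: hits for name, hits in results.items() if hits}

if __name__ == "__main__":
    for name, hits in scan(SAMPLE_POLICIES).items():
        for sid, pattern, action, kind in hits:
            print(f"{name}: {sid} {pattern!r} covers {action} ({kind})")
```

To run it against a real account, replace `SAMPLE_POLICIES` with the documents returned by `aws iam get-policy-version` for each customer-managed policy.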
