You have most likely heard that AWS has retired the AWS Identity and Access Management (IAM) actions for the Billing, Cost Management, and Account consoles under the `aws-portal` service prefix, along with the two actions under the `purchase-orders` namespace. They have been replaced by more granular, service-specific actions (for example under the `billing`, `ce`, `cur`, `tax`, `payments` and `purchase-orders` prefixes), which give finer control over access to Billing, Cost Management, and Account services. The catch is that a policy which only denied `aws-portal:*` no longer blocks anything: the consoles now call the new actions, so a principal with a broad Allow (AdministratorAccess or a permissive custom policy) can view billing, tax, and cost data. If your organization never set up strict controls here, you may now find that every member can see that information.
Not every employee in an organization needs, or should have, access to sensitive financial details like billing and taxes. That information is usually meant only for specific departments, such as Finance or Accounting.
One way to address this is to create a policy that explicitly denies access to Billing, Cost Management, Account Services, and Tax information, and to apply it across the organization at the account level. How you implement it depends on how your accounts are set up: as an IAM policy attached to users, groups or roles; as part of an IAM Identity Center (SSO) permission set; or as a Service Control Policy (SCP) attached to an organizational unit. Two things to check when choosing: an SCP never applies to the management account, so the same deny still has to be enforced there through IAM; and IAM users and roles can only reach billing data at all if the root user has enabled "IAM user and role access to Billing information" for the account, so these policies assume that setting stays on and the Deny does the restricting. For more detailed guidance on these setups, refer to the AWS documentation.
*IAM Policy Example:*
Here is an IAM policy that explicitly denies the billing- and cost-related actions, old and new, across all resources. The `aws-portal:View*` entry is kept for accounts that have not yet fully moved to the fine-grained actions; the remaining entries cover the new service prefixes. Because it is a Deny, it overrides any Allow the principal receives from other policies, so it can safely sit alongside AdministratorAccess. The same pattern extends to the other fine-grained prefixes if you want them hidden too, such as `invoicing:*`, `consolidatedbilling:*` and `freetier:*`.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyBillingViewOnHomepage",
      "Effect": "Deny",
      "Action": [
        "aws-portal:View*",
        "billing:*",
        "purchase-orders:*",
        "tax:*",
        "payments:*",
        "cur:*",
        "ce:*"
      ],
      "Resource": "*"
    }
  ]
}
```
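To see why a legacy `aws-portal` deny is no longer enough, and to sanity-check the deny list above before rolling it out, here is an added example (not from the original post) that evaluates a few real fine-grained action names against policy sets with a minimal IAM-style evaluator: explicit Deny wins, otherwise an Allow is required, otherwise access is implicitly denied, with IAM's case-insensitive `*`/`?` action wildcards. The evaluator is deliberately simplified (no `Condition`, `NotAction`, resource ARNs or permissions boundaries) and the action list is a constructed sample; for the real thing, run the same actions through the IAM policy simulator.

```python
"""Offline check: does a deny policy cover the fine-grained billing actions?

Added example, not code from the original post. Implements only the IAM
evaluation rules relevant here (explicit deny > allow > implicit deny) and
IAM's case-insensitive action wildcards. Conditions, NotAction, resources
and permissions boundaries are not modelled.
"""
import fnmatch
import json

# The deny statement from the post, as a Python dict.
DENY_BILLING_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyBillingViewOnHomepage",
        "Effect": "Deny",
        "Action": ["aws-portal:View*", "billing:*", "purchase-orders:*",
                   "tax:*", "payments:*", "cur:*", "ce:*"],
        "Resource": "*",
    }],
}

# A pre-migration deny that only covered the retired aws-portal prefix.
LEGACY_AWS_PORTAL_DENY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny", "Action": "aws-portal:*", "Resource": "*"}],
}

# Broad allow, the shape AdministratorAccess grants.
ADMIN_ALLOW = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# Constructed sample: fine-grained actions the billing consoles call today,
# plus the legacy aws-portal action, plus one unrelated action that must
# keep working after the deny is attached.
BILLING_ACTIONS = [
    "billing:GetBillingData",
    "tax:GetTaxRegistrationDocument",
    "ce:GetCostAndUsage",
    "cur:DescribeReportDefinitions",
    "purchase-orders:ViewPurchaseOrders",
    "aws-portal:ViewBilling",
]
UNRELATED_ACTION = "s3:ListAllMyBuckets"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def action_matches(pattern, action):
    """IAM action matching: case-insensitive, '*' and '?' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def evaluate(policies, action):
    """Return 'explicitDeny', 'allowed' or 'implicitDeny' for one action."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            patterns = _as_list(stmt.get("Action", []))
            if not any(action_matches(p, action) for p in patterns):
                continue
            if stmt["Effect"] == "Deny":
                return "explicitDeny"  # a matching Deny ends evaluation
            allowed = True  # keep scanning: a later Deny still wins
    return "allowed" if allowed else "implicitDeny"


def exposed_billing_actions(policies):
    """Billing-family actions that the given policy set still allows."""
    return [a for a in BILLING_ACTIONS if evaluate(policies, a) == "allowed"]


def main():
    legacy = [ADMIN_ALLOW, LEGACY_AWS_PORTAL_DENY]
    current = [ADMIN_ALLOW, DENY_BILLING_POLICY]
    print("legacy aws-portal deny still exposes:", exposed_billing_actions(legacy))
    print("fine-grained deny still exposes:", exposed_billing_actions(current))
    print("unrelated action under fine-grained deny:",
          evaluate(current, UNRELATED_ACTION))
    print(json.dumps(DENY_BILLING_POLICY, indent=2))


if __name__ == "__main__":
    main()
```

Running it shows the legacy deny leaving every new action open while still blocking `aws-portal:ViewBilling`, and the post's deny closing all of them without touching `s3:ListAllMyBuckets`. Swap in your own candidate policy (or the SCP variant, which uses the same JSON) to confirm the prefixes you care about are covered.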
ONE MORE TIP:
Unchecking "Linked Account Access" in Cost Management Preferences (in the management account's Billing and Cost Management console) might seem like a quick fix: it stops member accounts from seeing their cost and usage data in Cost Explorer and in the Console Home cost widget. It does not solve the problem, though. Users in those accounts still see the links to Bills, Tax settings and the rest of the billing console, and the setting does nothing for principals in the management account itself. I therefore recommend implementing an explicit IAM deny policy rather than relying on this preference.