How can I create an IAM policy to restrict permissions to billing/payment management?

It is now possible to control access to payments and usage using IAM.

When logged in as the root account, go to Account Settings in the Billing and Cost Management area, scroll down to "IAM User Access to Billing Information", click "Edit", and enable the option.

With that done, the following policy will permit access to the payment and usage activity view:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1423852703000",
      "Effect": "Allow",
      "Action": [
        "aws-portal:ModifyBilling",
        "aws-portal:ModifyPaymentMethods",
        "aws-portal:ViewBilling",
        "aws-portal:ViewPaymentMethods"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}

An IAM user with this policy would be able to view and modify payment methods and billing information, but not view usage data or anything else in the console.

Adding aws-portal:ViewUsage to the list of actions gives access to the usage data, while you may wish to remove aws-portal:ModifyBilling if the user should only be able to update payment methods without making other changes to billing preferences.

The Billing and Cost Management Permissions Reference has full descriptions of the available actions.
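The following script is an added example, not code from the answer above or from AWS: it builds the two policy variants the answer describes (adding aws-portal:ViewUsage, and dropping aws-portal:ModifyBilling for a payment-methods-only user) and checks which actions each variant permits. The evaluator is a deliberate, constructed simplification of IAM's decision logic (default deny, explicit Deny wins, '*' wildcards in Action); it ignores Resource, Condition, NotAction and organization policies, so treat it as a way to reason about the action lists rather than as a substitute for the IAM policy simulator.

```python
"""Added example: build the billing-policy variants from the answer and
evaluate which aws-portal actions each one permits.

The evaluation here is a constructed simplification of IAM: it handles only
Effect/Action with '*' wildcards and the explicit-deny-wins rule, and does not
look at Resource, Condition or NotAction.
"""
import fnmatch
import json
from copy import deepcopy

# The policy from the answer above, verbatim.
BASE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1423852703000",
            "Effect": "Allow",
            "Action": [
                "aws-portal:ModifyBilling",
                "aws-portal:ModifyPaymentMethods",
                "aws-portal:ViewBilling",
                "aws-portal:ViewPaymentMethods",
            ],
            "Resource": ["*"],
        }
    ],
}


def with_usage(policy):
    """Variant 1: also allow the usage data view (aws-portal:ViewUsage)."""
    p = deepcopy(policy)
    actions = p["Statement"][0]["Action"]
    if "aws-portal:ViewUsage" not in actions:
        actions.append("aws-portal:ViewUsage")
    return p


def payment_methods_only(policy):
    """Variant 2: remove aws-portal:ModifyBilling so the user can update
    payment methods but cannot change other billing preferences."""
    p = deepcopy(policy)
    stmt = p["Statement"][0]
    stmt["Action"] = [a for a in stmt["Action"] if a != "aws-portal:ModifyBilling"]
    return p


def _as_list(value):
    # IAM allows "Action" to be a single string or a list; normalise to a list.
    return value if isinstance(value, list) else [value]


def is_allowed(policy, action):
    """Simplified IAM evaluation: implicit deny by default; a matching Deny
    statement overrides any matching Allow. Action matching is
    case-insensitive and supports '*' wildcards, as IAM does."""
    decision = False
    for stmt in policy["Statement"]:
        patterns = _as_list(stmt.get("Action", []))
        matched = any(fnmatch.fnmatchcase(action.lower(), pat.lower()) for pat in patterns)
        if not matched:
            continue
        if stmt["Effect"] == "Deny":
            return False  # explicit deny always wins
        if stmt["Effect"] == "Allow":
            decision = True
    return decision


def allowed_actions(policy, candidates):
    """Return the subset of candidate actions the policy permits, in order."""
    return [a for a in candidates if is_allowed(policy, a)]


# Constructed list of actions to probe; the ec2 action stands in for
# "anything else in the console" and must remain denied by every variant.
CANDIDATES = [
    "aws-portal:ViewBilling",
    "aws-portal:ViewUsage",
    "aws-portal:ModifyBilling",
    "aws-portal:ModifyPaymentMethods",
    "ec2:DescribeInstances",
]

if __name__ == "__main__":
    variants = [
        ("base", BASE_POLICY),
        ("with_usage", with_usage(BASE_POLICY)),
        ("payment_methods_only", payment_methods_only(BASE_POLICY)),
    ]
    for name, pol in variants:
        print(f"{name}: {allowed_actions(pol, CANDIDATES)}")
    print(json.dumps(payment_methods_only(BASE_POLICY), indent=2))
```

Running the script prints which of the probed actions each variant allows and the JSON of the payment-methods-only policy, which can be pasted into the IAM console as-is. Because explicit Deny wins in the evaluator, you can also use it to sanity-check a "read-only billing" policy that grants aws-portal:* and then denies aws-portal:Modify*.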


Unfortunately this is not possible with AWS Identity and Access Management (IAM) the way you might have envisioned it - IAM enables Controlling User Access to Your AWS Account Billing Information, but this only includes granting IAM users access to view the respective pages (the required permissions aws-portal:ViewBilling and aws-portal:ViewUsage carry this in their names):

The AWS website integrates with AWS Identity and Access Management (IAM) so you can grant users access to billing information. You can control access to the Account Activity page and the Usage Reports page. The Account Activity page displays invoices and detailed information about charges and account activity, itemized by service and by usage type. The Usage Reports page provides detailed usage reports for each service you are subscribed to.

Workaround

Of course your use case is sound and frequently encountered - AWS provides a different solution aptly named Consolidated Billing, which enables you to consolidate payment for multiple Amazon Web Services (AWS) accounts within your company by designating a single paying account:

Consolidated Billing enables you to see a combined view of AWS charges incurred by all accounts, as well as obtain a detailed cost report for each of the individual AWS accounts associated with your paying account.

So the paying account is billed for all charges of the linked accounts, thus you need to grant the user(s) in charge of the payment management access to this consolidated billing account only, which is no problem concerning the desired protection of the resources in your other accounts:

However, each linked account is completely independent in every other way (signing up for services, accessing resources, using AWS Premium Support, etc.). The paying account owner cannot access data belonging to the linked account owners (e.g., their files in Amazon S3). Each account owner uses their own AWS credentials to access their resources (e.g., their own AWS Secret Access Key). [emphasis mine]

Caveat

While Consolidated Billing ensures separation of concerns and respective protection of resources/data and billing/payment from each other, you still need to share the main AWS account credentials (i.e. email/password) of the consolidated billing account with the user(s) in charge of payment management, which is an unfortunate exception to the otherwise highly recommended advice to facilitate IAM users only going forward.

  • Accordingly, AWS recommends to at least secure your paying account by using AWS Multi-Factor Authentication and a strong password. For more information, see Security for the Paying Account.