I have a need to give billing access of Amazon to my client. Is there a way to set up an account that will have access to Account Activity only? I know I can set up IAM for AWS, but that's not the issue here. I definitely need one separate password for billing, which is the Account Activity link.
thanks
On the navigation bar, choose your account name, and then choose Account. Next to IAM User and Role Access to Billing Information, choose Edit. Select the Activate IAM Access check box to activate access to the Billing and Cost Management console pages. Choose Update.
After closing your account: After 90 days, any content remaining in your account will be permanently deleted, and AWS services that aren't already terminated will be terminated. However, service attributes might be retained as long as necessary for billing and administration purposes.
AWS has recently introduced New IAM Features: Password Management and Access to Account Activity and Usage Reports Pages, which do address your use case now:
This new feature allows you to create separate and distinct IAM users for business and technical purposes. You can grant your business users access to the Account Activity and/or Usage Reports pages of the AWS website to allow them to access billing and usage data without giving them access to other AWS resources such as EC2 instances or files in S3. [emphasis mine]
You can find more details at Controlling User Access to Your AWS Account Billing Information - here's a sample IAM Policy to allow users access to both the Account Activity and Usage Reports pages:
{
  "Statement": [
    {
      "Action": [
        "aws-portal:ViewBilling",
        "aws-portal:ViewUsage"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
Is there a way to set up an account that will have access to Account Activity only?
Probably not exactly how you might have envisioned this, however, Amazon offers Consolidated Billing for this purpose. The introductory blog post New AWS Feature: Consolidated Billing provides a good overview, and here is the relevant topic from the AWS Consolidated Billing Guide regarding your specification:
The paying account is billed for all costs of the linked accounts. However, each linked account is completely independent in every other way (signing up for services, accessing resources, using AWS Premium Support, etc.). The paying account owner cannot access data belonging to the linked account owners (e.g., their files in Amazon S3). Each account owner uses their own AWS credentials to access their resources (e.g., their own AWS Secret Access Key). [emphasis mine]
Please consult the AWS Consolidated Billing Guide for more details on how all this works, and how to eventually save cost with this via Volume Discounts as well.
Obviously this functionality is targeted at larger customers, but depending on your scenario you might be able to come up with a solution to separate your AWS accounts and resources as needed still.
Being able to set up a login (IAM) that can only access account billing information is a frequently requested feature. You can add your +1 here, where Amazon is listening:
https://forums.aws.amazon.com/thread.jspa?threadID=62756
If/when they release this ability, it will probably be announced on that forum thread in addition to other places like the blog.