By default, IAM users do not have access to the Billing section of the AWS console. Follow these steps in order to delegate access to an IAM user so that you can follow best practices and not use the root account unless it is absolutely necessary:
- Log in to your AWS account as the root user.
- Click the name of your account at the upper right of the console and then click My Account.
- Scroll down to IAM User and Role Access to Billing Information, as shown in the following diagram. Click Edit:
The Edit link to activate IAM access is subtle. It is indicated with the yellow arrow here.
- Check the box to Activate IAM Access, and then click Update:
Activating access to billing information for IAM users
- Go to the IAM dashboard and select the IAM user account (or group) that you wish to delegate for billing access.
- Add the following policy:
{
"Statement": [
{
"Effect": "Allow",
"Action": [
"aws-portal:ViewBilling",
"aws-portal:ModifyBilling",
"budgets:ViewBudget",
"budgets:ModifyBudget"
],
"Resource": [
"*"
]
}
]
}
Once these steps have been completed, you can log out of the root account and back in as the IAM user.