Now that you have custom billing policies available, you can attach them to their corresponding groups that you created earlier. Although you can attach a policy directly to a user or role, we recommend (in accordance with IAM best practices) that you use groups instead. For more information, see Use groups to assign permissions to IAM users.
To attach billing policies to your groups
- In the navigation pane, choose Policies to display the full list of policies available to your AWS account. To attach each policy to its appropriate group, follow these steps:
  Full access
  - In the search box, type BillingFullAccess, and then select the check box next to the policy name.
  - Choose Policy actions, and then choose Attach.
  - In the search box, type FinanceManager, select the check box next to the name of the group, and then choose Attach policy.
  Read-only access
  - In the search box, type BillingViewAccess, and then select the check box next to the policy name.
  - Choose Policy actions, and then choose Attach.
  - For Filter, choose Groups. In the search box, type FinanceUser, select the check box next to the name of the group, and then choose Attach policy.
- Sign out of the console, and then test access.
Testing access to Billing Console
You can test user access in a couple of ways. For this tutorial, we recommend that you test access by signing in as each of the test users so you can see what your users might experience. Another (optional) way to test user access permissions is to use the IAM policy simulator. Use the following steps if you want to see another way to view the effective result of these actions.
Select either of the following procedures based on your preferred testing method. In the first one, you sign in using both test accounts to see the difference between access rights.
To test billing access by signing in with both test user accounts
- Use your AWS account ID or account alias, your IAM user name, and your password to sign in to the IAM console.
Note
For your convenience, the AWS sign-in page uses a browser cookie to remember your IAM user name and account information. If you previously signed in as a different user, choose Sign in to a different account near the bottom of the page to return to the main sign-in page. From there, you can type your AWS account ID or account alias to be redirected to the IAM user sign-in page for your account.
- Sign in with each account using the steps provided below so you can compare the different user experiences.
  Full access
  - Sign in to your AWS account as the user FinanceManager.
  - On the navigation bar, choose FinanceManager@<account alias or ID number>, and then choose Billing & Cost Management.
  - Browse through the pages and choose the various buttons to ensure that you have full modify permissions.
  Read-only access
  - Sign in to your AWS account as the user FinanceUser.
  - On the navigation bar, choose FinanceUser@<account alias or ID number>, and then choose Billing & Cost Management.
  - Browse through the pages. Notice that you can display costs, reports, and billing data with no problems. However, if you choose an option to modify a value, you receive an Access Denied message. For example, on the Preferences page, choose any of the check boxes on the page, and then choose Save preferences. The console message informs you that you need ModifyBilling permissions to make changes to that page.
The following optional procedure demonstrates how you could alternatively use the IAM policy simulator to test your delegated user’s effective permissions to billing pages.
To test billing access by viewing effective permissions in the IAM policy simulator
- Open the IAM policy simulator at https://policysim.aws.amazon.com/. (If you are not already signed in to AWS, you are prompted to sign in.)
- Under Users, Groups, and Roles, select one of the users that is a member of the group you recently attached the policy to.
- Under Policy Simulator, choose Select service, and then choose Billing.
- Next to Select actions, choose Select All.
- Choose Run Simulation and compare the user’s listed permissions with all possible billing-related permission options to make sure that the correct rights have been applied.
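The same comparison can be scripted so it runs again after any policy or group change. The following is an added example, not part of the original tutorial: it calls IAM's SimulatePrincipalPolicy API for both test users and reports every decision that differs from the intended full-access and read-only split. The `aws-portal:` action names, the grants in `StubIAM`, and the account ID `111122223333` are assumptions or placeholders; pass `boto3.client("iam")` instead of the stub to check a real account.

```python
from fnmatch import fnmatchcase

# Assumed action names (aws-portal namespace); replace with the actions your
# BillingFullAccess / BillingViewAccess policies actually grant.
VIEW = ["aws-portal:ViewBilling", "aws-portal:ViewUsage"]
MODIFY = ["aws-portal:ModifyBilling"]
# Intended outcome per tutorial user: (may view, may modify).
EXPECTED = {"FinanceManager": (True, True), "FinanceUser": (True, False)}


def simulate(iam, user_arn, actions):
    """Ask IAM's SimulatePrincipalPolicy API which actions the user is allowed."""
    resp = iam.simulate_principal_policy(PolicySourceArn=user_arn, ActionNames=actions)
    return {r["EvalActionName"]: r["EvalDecision"] == "allowed"
            for r in resp["EvaluationResults"]}


def audit(iam, account_id):
    """Return (user, action, expected, actual) for every decision that is wrong."""
    findings = []
    for user, (can_view, can_modify) in EXPECTED.items():
        arn = f"arn:aws:iam::{account_id}:user/{user}"
        got = simulate(iam, arn, VIEW + MODIFY)
        for action in VIEW + MODIFY:
            want = can_modify if action in MODIFY else can_view
            if got.get(action, False) != want:
                findings.append((user, action, want, got.get(action, False)))
    return findings


class StubIAM:
    """Constructed offline stand-in for boto3.client("iam"); grants are assumed."""
    def __init__(self, grants):
        self.grants = grants  # user name -> list of allowed action patterns

    def simulate_principal_policy(self, PolicySourceArn, ActionNames):
        patterns = self.grants.get(PolicySourceArn.rsplit("/", 1)[-1], [])
        return {"EvaluationResults": [
            {"EvalActionName": a,
             "EvalDecision": "allowed" if any(fnmatchcase(a, p) for p in patterns)
             else "implicitDeny"} for a in ActionNames]}


if __name__ == "__main__":
    good = StubIAM({"FinanceManager": ["aws-portal:*"], "FinanceUser": ["aws-portal:View*"]})
    print(audit(good, "111122223333"))  # correct attachment: no findings
    # Misconfiguration: the full-access policy was attached to the read-only group.
    bad = StubIAM({"FinanceManager": ["aws-portal:*"], "FinanceUser": ["aws-portal:*"]})
    print(audit(bad, "111122223333"))
```

An empty result means both users match the intended split; any tuple in the list names the user and action whose effective permission is wrong.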