Allow Users to Create Budgets
To allow users to create budgets in the Billing and Cost Management console, you must also allow users to view your billing information, create CloudWatch alarms, and create Amazon SNS notifications.
The following policy example allows a user to modify the Budget console page.
Allow Users to Modify Billing Information
To allow users to modify account billing information in the Billing and Cost Management console, you must also allow users to view your billing information.
The following policy example allows a user to modify the Consolidated Billing, Preferences, and Credits console pages.
It also allows a user to view the following Billing and Cost Management con.
Deny AWS Console Cost and Usage Widget Access For Member Accounts
To restrict member (linked) account access to cost and usage data, use your management (payer) account to access the Cost Explorer preferences tab and uncheck Linked Account Access.
This will deny access to cost and usage data from the Cost Explorer (AWS Cost Management) console, Cost Explorer API, and AWS Console Home page's cost and usage widget.
Deny AWS Console Cost and Usage Widget Access For Specific Users and Roles
To deny AWS Console cost and usage widget access for specific users and roles, use the permissions policy below.
Deny Users Access to The Billing and Cost Management Console
To explicitly deny a user access to all Billing and Cost Management console pages, use a policy similar to this example policy.
Deposit Reports Into An Amazon S3 Bucket
The following policy allows Billing and Cost Management to save your detailed AWS bills to an Amazon S3 bucket, as long as you own both the AWS account and the Amazon S3 bucket.
Note that this policy must be applied to the Amazon S3 bucket, instead of to a user.
That is, it's a resource-based policy, not a user-based policy.
You should deny user ac.
Enable and Disable AWS Regions
For an example IAM policy that allows users to enable and disable Regions, see AWS: Allows Enabling and Disabling AWS Regions in the IAM User Guide.
How can I test IAM policies?
With the IAM policy simulator, you can test and troubleshoot identity-based policies, IAM permissions boundaries, Organizations service control policies (SCPs), and resource-based policies.
Here are some common things you can do with the policy simulator:
Test policies that are attached to IAM users, user groups, or roles in your AWS account.
How do I create an IAM policy in AWS?
Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
In the navigation pane on the left, choose Policies.
If this is your first time choosing Policies, the Welcome to Managed Policies page appears.
Choose Get Started.
Choose Create policy.
How does AWS IAM Policy help secure workloads?
Use IAM to manage and scale workload and workforce access securely, supporting your agility and innovation in AWS.
Create granular permissions based on user attributes (such as department, job role, and team name) by using attribute-based access control.
View and Update The Cost Explorer Preferences Page
This policy allows a user to view and update using the Cost Explorer preferences page.
The following policy allows users to view Cost Explorer, but denies permission to view or edit the Preferences page.
The following policy allows users to view Cost Explorer, but denies permission to edit the Preferences page.
View, Create, Update, and Delete Using The Cost Explorer Reports Page
This policy allows a user to view, create, update, and delete using the Cost Explorer reports page.
The following policy allows users to view Cost Explorer, but denies permission to view or edit the Reports page.
The following policy allows users to view Cost Explorer, but denies permission to edit the Reports page.
What are IAM policies used for?
You can use IAM policies to control what your users can do to an identity by creating a policy that you attach to all users through a user group.
To do this, create a policy that limits what can be done to an identity, or who can access it.
For example, you can create a user group named AllUsers, and then attach that user group to all users.