Aws cost management iam policy

How does IAM policy work?
IAM policies define permissions for an action regardless of the method that you use to perform the operation.
For example, if a policy allows the GetUser action, then a user with that policy can get user information from the AWS Management Console, the AWS CLI, or the AWS API..
Is IAM a no cost AWS account feature?
AWS Identity and Access Management (IAM) and AWS Security Token Service (AWS STS) are features of your AWS account offered at no additional charge.
You are charged only when you access other AWS services using your IAM users or AWS STS temporary security credentials..
What does AWS Identity Access Management IAM provide?
With AWS Identity and Access Management (IAM), you can specify who or what can access services and resources in AWS, centrally manage fine-grained permissions, and analyze access to refine permissions across AWS..
What is the use of IAM policy in AWS?
IAM policies define permissions for an action regardless of the method that you use to perform the operation.
For example, if a policy allows the GetUser action, then a user with that policy can get user information from the AWS Management Console, the AWS CLI, or the AWS API..
The AWS Billing console allows you to easily understand your AWS spending, view and pay invoices, manage billing preferences and tax settings, and access additional Cloud Financial Management services.
To add permissions to an IAM identity (IAM user, group, or role), you create a policy, validate the policy, and then attach the policy to the identity.
You can attach multiple policies to an identity, and each policy can contain multiple permissions.

This topic contains example policies that you can attach to your IAM role or group to control access to your account's billing information and tools. The Allow full access to AWS Allow users to view the Billing

Allow Users to Create Budgets

To allow users to create budgets in the Billing and Cost Management console, you must also allow users to view your billing information, create CloudWatch alarms, and create Amazon SNS notifications.
The following policy example allows a user to modify the Budgetconsole page.

Allow Users to Modify Billing Information

To allow users to modify account billing information in the Billing and Cost Management console, you must also allow users to view your billing information.
The following policy example allows a user to modify the Consolidated Billing, Preferences, and Creditsconsole pages.
It also allows a user to view the following Billing and Cost Management con.

Deny AWS Console Cost and Usage Widget Access For Member Accounts

To restrict member (linked) account access to cost and usage data, use your management (payer) account to access the Cost Explorer preferences tab and uncheck Linked Account Access.
This will deny access to cost and usage data from the Cost Explorer (AWS Cost Management) console, Cost Explorer API, and AWS Console Home page's cost and usage widget .

Deny AWS Console Cost and Usage Widget Access For Specific Users and Roles

To deny AWS Console cost and usage widget access for specific users and roles, use the permissions policy below.

Deny Users Access to The Billing and Cost Management Console

To explicitly deny a user access to the all Billing and Cost Management console pages, use a policy similar to this example policy.

Deposit Reports Into An Amazon S3 Bucket

The following policy allows Billing and Cost Management to save your detailed AWS bills to an Amazon S3 bucket, as long as you own both the AWS account and the Amazon S3 bucket.
Note that this policy must be applied to the Amazon S3 bucket, instead of to a user.
That is, it's a resource-based policy, not a user-based policy.
You should deny user ac.

Enable and Disable AWS Regions

For an example IAM policy that allows users to enable and disable Regions, see AWS: Allows Enabling and Disabling AWS Regions in the IAM User Guide.

How can I test IAM policies?

With the IAM policy simulator, you can test and troubleshoot identity-based policies, IAM permissions boundaries, Organizations service control policies (SCPs), and resource-based policies.
Here are some common things you can do with the policy simulator:

Test policies that are attached to IAM users

user groups

or roles in your AWS account.

How do I create an IAM policy in AWS?

Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
In the navigation pane on the left, choose Policies.
If this is your first time choosing Policies, the Welcome to Managed Policies page appears.
Choose Get Started.
Choose Create policy.

How does AWS IAM Policy help secure workloads?

Use IAM to manage and scale workload and workforce access securely supporting your agility and innovation in AWS.
Create granular permissions based on user attributes—such as:

department

job role

and team name—by using attribute-based access control.

View and Update The Cost Explorer Preferences Page

This policy allows a user to view and update using the Cost Explorer preferences page.
The following policy allows users to view Cost Explorer, but deny permission to view or edit the Preferencespage.
The following policy allows users to view Cost Explorer, but deny permission to edit the Preferencespage.

View, Create, Update, and Delete Using The Cost Explorer Reports Page

This policy allows a user to view, create, update, and delete using the Cost Explorer reports page.
The following policy allows users to view Cost Explorer, but deny permission to view or edit the Reportspage.
The following policy allows users to view Cost Explorer, but deny permission to edit the Reportspage.

What are IAM policies used for?

You can use IAM policies to control what your users can do to an identity by creating a policy that you attach to all users through a user group.
To do this, create a policy that limits what can be done to an identity, or who can access it.
For example, you can create a user group named AllUsers, and then attach that user group to all users.