Today I’m going to cover an issue that I’ve seen in a couple of customer environments recently: giving users the correct level of access to AWS Billing, Budgets, and account settings. This is an important topic because cost optimization and operational excellence are two of the 5 pillars of the AWS Well-Architected Framework, and if you can’t monitor your spend it’s hard to ensure you’re delivering business value.
AWS Cost Management Tools
Firstly, when we talk about billing and cost management within AWS, there are typically 4 main tools/dashboards that you might want to use:
- Billing & Cost Management Dashboard. This is the main dashboard you can use to see the current month’s spend across AWS services, your forecast spend for the month and how you’re tracking compared to last month. Below is an example of the dashboard.
- Billing Details. The Bills page is a breakdown of all AWS charges for a particular month by service and (if you have AWS Organizations or consolidated billing enabled) by account, as shown in the screenshot below.
- AWS Cost Explorer. AWS Cost Explorer is a reporting and graphing tool that can be used to show and report on costs, usage, and trends across your AWS accounts. It is useful for things such as trend analysis, breakdown by cost allocation tag and tracking budgets. Below is an example of the Cost & Usage report.
- Budgets. The Budgets page does pretty much what you’d expect: it allows you to set budgets across AWS services and raises alerts based on actual or forecast spend. An example of a basic EC2 spend budget, with its alert triggered, is shown below.
Enabling IAM Access to Cost Management Tools
By default, an AWS account only allows the Root user to access these 4 areas to view and report on costs. Given that we’re following AWS best practice and not using our AWS Root account (and if you are, please stop), how do we enable our IAM users to access them? Firstly, we need to enable IAM user/role access to billing information. This is a four-step process:
- Log into your AWS account as the Root user.
- Browse to https://console.aws.amazon.com/billing/home?#/account or select “My Account” from the Account dropdown as shown below
- Scroll down to “IAM User and Role Access to Billing Information” and click edit.
- Tick “Activate IAM Access” and click “Update”.
Configuring IAM Policies
What this has done is allow access to the billing and cost management features to be granted through IAM policies, so you can assign those features to your users. Note that the setting is per account: in an AWS Organization it must be enabled in every account whose IAM users or roles need billing access. The next step is to configure an IAM policy and assign it to the users that require billing visibility and control. The exact configuration of IAM policies will differ from organization to organization, but for the purposes of this article, and in keeping with the principle of least privilege, we’re going to focus on two main use cases.
Firstly, for users that simply require the ability to view billing information, we can set a simple IAM policy that just allows “aws-portal:ViewBilling”, which will provide them with view access to:
- Billing Dashboard
- Bills
- Cost Explorer
- Budgets
- Payment History
- Consolidated Billing
- Preferences
- Credits
The policy itself is rather simple. One caveat: AWS has since introduced fine-grained billing actions (for example “ce:*” for Cost Explorer and “budgets:*” for Budgets) that replace the “aws-portal:*” actions in newer accounts, so check the current Billing IAM reference for your account before relying on “aws-portal:ViewBilling” alone.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "aws-portal:ViewBilling",
      "Resource": "*"
    }
  ]
}
```
If we also want to allow them access to the usage reports, we can simply add an additional Action to our policy:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "aws-portal:ViewUsage",
        "aws-portal:ViewBilling"
      ],
      "Resource": "*"
    }
  ]
}
```
For users who, in addition to visibility over your AWS spend, also need to set budgets and alerts, we need to expand our policy a little and give them modify rights as well as permission to set up the CloudWatch and SNS resources used for alerting, as shown below:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "aws-portal:ViewBilling",
        "aws-portal:ModifyBilling",
        "budgets:ViewBudget",
        "budgets:ModifyBudget"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "cloudwatch:*"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "sns:*"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
```
You could further secure the policy. “cloudwatch:*” and “sns:*” on every resource is far more than budget alerts need: restrict the SNS statement to the specific alert topic ARN(s) and to the actions actually used (for example sns:Publish and sns:Subscribe), limit CloudWatch to the alarm actions, and add a condition on “aws:RequestedRegion” to confine those calls to the regions you operate in. The region condition only makes sense for CloudWatch and SNS; the aws-portal and budgets actions are global. Remember, too, that the alert topic itself needs a topic access policy that allows budgets.amazonaws.com to publish to it, otherwise budget notifications will silently fail to arrive.
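The following is an added example (not code from the original article) that builds a narrowed version of the budgets policy above and sanity-checks it locally before it is pushed to IAM. The account ID, region and topic name are constructed placeholders. The evaluator is a deliberately simplified model of IAM (Allow/Deny, “*” wildcards and a StringEquals condition only); it is not the IAM engine, and for anything more involved the IAM policy simulator is the right tool. It also keeps the article’s original third policy alongside, so the two can be compared on the same requests.

```python
"""Least-privilege variant of the article's budgets policy, with a local
sanity check. Added example; not code from the original article."""
import fnmatch
import json

# Constructed placeholders: substitute your own account ID, region and topic.
ACCOUNT_ID = "123456789012"
ALERT_TOPIC_ARN = f"arn:aws:sns:eu-west-2:{ACCOUNT_ID}:billing-alerts"

# The article's third policy, kept verbatim for comparison.
ARTICLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["aws-portal:ViewBilling", "aws-portal:ModifyBilling",
                    "budgets:ViewBudget", "budgets:ModifyBudget"]},
        {"Effect": "Allow", "Action": "cloudwatch:*", "Resource": "*"},
        {"Effect": "Allow", "Action": "sns:*", "Resource": "*"},
    ],
}


def build_budget_policy(topic_arn, regions):
    """Same capability, narrowed: SNS only on the alert topic, CloudWatch
    alarm actions only, and those confined to the listed regions."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # aws-portal and budgets are global services: no region condition
                "Sid": "ViewAndModifyBudgets",
                "Effect": "Allow",
                "Action": ["aws-portal:ViewBilling", "aws-portal:ModifyBilling",
                           "budgets:ViewBudget", "budgets:ModifyBudget"],
                "Resource": "*",
            },
            {   # alarm management only, and only in the regions we operate in
                "Sid": "BillingAlarmsInApprovedRegions",
                "Effect": "Allow",
                "Action": ["cloudwatch:DescribeAlarms", "cloudwatch:PutMetricAlarm",
                           "cloudwatch:DeleteAlarms"],
                "Resource": "*",
                "Condition": {"StringEquals": {"aws:RequestedRegion": list(regions)}},
            },
            {   # the alert topic, and nothing else in SNS (the ARN pins the region)
                "Sid": "AlertTopicOnly",
                "Effect": "Allow",
                "Action": ["sns:Publish", "sns:Subscribe", "sns:GetTopicAttributes"],
                "Resource": topic_arn,
            },
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    # '*' and '?' wildcards, as IAM uses them in Action and Resource
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def is_allowed(policy, action, resource, context=None):
    """Simplified IAM evaluation: an explicit Deny wins, otherwise any matching
    Allow grants, otherwise implicit deny. Action names are compared
    case-insensitively, as IAM does; only StringEquals conditions are modelled."""
    context = context or {}
    allowed = False
    for stmt in policy["Statement"]:
        actions = [a.lower() for a in _as_list(stmt["Action"])]
        if not _matches(actions, action.lower()):
            continue
        if not _matches(stmt["Resource"], resource):
            continue
        conds = stmt.get("Condition", {}).get("StringEquals", {})
        # a missing or mismatched context key makes StringEquals false
        if any(context.get(key) not in _as_list(want) for key, want in conds.items()):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def main():
    hardened = build_budget_policy(ALERT_TOPIC_ARN, ["eu-west-2"])
    print(json.dumps(hardened, indent=2))
    other_topic = f"arn:aws:sns:us-east-1:{ACCOUNT_ID}:other"
    for name, policy in (("article", ARTICLE_POLICY), ("hardened", hardened)):
        print(name, "sns:CreateTopic:", is_allowed(policy, "sns:CreateTopic", "*"))
        print(name, "sns:Publish to other topic:", is_allowed(policy, "sns:Publish", other_topic))
        print(name, "cloudwatch:PutMetricAlarm in us-east-1:",
              is_allowed(policy, "cloudwatch:PutMetricAlarm", "*",
                         {"aws:RequestedRegion": "us-east-1"}))


if __name__ == "__main__":
    main()
```

Running it prints the narrowed policy and then shows that the article’s policy lets the user create arbitrary SNS topics and alarms in any region, while the narrowed one refuses those requests but still allows the budget, alarm and alert-topic actions the role actually needs.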
Summary
And that’s it: once you assign the new policy to IAM users they will have access to your billing and cost reporting information. In future articles, we will be taking a more in-depth look at AWS Cost Explorer as well as providing some useful templates for alerts and reports. If you have questions or queries about controlling your AWS spend or anything in this article, please feel free to reach out to us using the contact us feature located at the top of the page.