Latest Change to AWS Cost and Usage Report Access Control Policies

There has been a change to the Billing Console experience that was deployed on August 19, 2019. Currently, you can manage Cost and Usage Reports through a public API and through the Reports page on the Billing and Cost Management console. While both the API and the Reports page support the same set of actions, the IAM policies governing access to the actions are currently different. To provide consistent access controls, AWS have changed the IAM policies associated with the Reports page.

Starting on August 19th, IAM users will need the permissions below to perform the associated actions on the Reports page. For example, IAM users with only the aws-portal:ViewBilling permission will not be able to view Cost and Usage Reports on the console, and IAM users with only the aws-portal:ModifyBilling permissions will not be able to modify Cost and Usage Reports on the console. Please ensure that your IAM users have the necessary Report permissions before August 19.

(1) aws-portal:ViewBilling: Allow or deny IAM users permission to view Billing and Cost Management console pages, including the AWS Cost and Usage Reports page [1].
(2) aws-portal:ModifyBilling: Allow or deny IAM users permission to modify Billing and Cost Management console pages, including the AWS Cost and Usage Reports page [1].
(3) cur:DescribeReportDefinitions: Allow or deny IAM users permission to view Cost and Usage Reports on the Billing and Cost Management console. This permission already applies to Cost and Usage Report API today. For an example policy, see Example 10: Create, view, or delete an AWS Cost and Usage report [2].
(4) cur:PutReportDefinition: Allow or deny IAM users permission to create Cost and Usage Reports on the Billing and Cost Management console. This permission already applies to Cost and Usage Report API today. For an example policy, see Example 10: Create, view, or delete an AWS Cost and Usage report [2].
(5) cur:DeleteReportDefinition: Allow or deny IAM users permission to delete Cost and Usage Reports on the Billing and Cost Management console. This permission already applies to Cost and Usage Report API today. For an example policy, see Example 10: Create, view, or delete an AWS Cost and Usage report [2].
(6) cur:ModifyReportDefinition: Allow or deny IAM users permission to edit Cost and Usage Reports on the Billing and Cost Management console. For an example policy, see Example 10: Create, view, or delete an AWS Cost and Usage report [2]

Please refer to the Billing and Cost Management Permissions Reference [3] user guide if you have any questions.

[1] https://console.aws.amazon.com/billing/home?#/reports
[2] https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/billing-permissions-ref.html#example-policy-report-definition
[3] https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/billing-permissions-ref.html