Please note that this post, first published over a year ago, may now be out of date.
AWS have introduced new, finer-grained identity and access management (IAM) controls for authorizing access to billing and AWS account management. The new access controls are already live, and AWS have deprecated the old IAM action names. The switch-off date for the old access controls is the 11th of December 2023; AWS originally announced a cutoff date of the 6th of July, but a lot of their customers hadn’t switched in time.
What you need to know
AWS changed the way you define access to billing and account management details earlier this year. Their blog article on this is a good summary and you can read that for more detail.
Essentially, if you allow colleagues to access billing, invoicing, payments, cost reporting, tax details or AWS account management, then you need to update your access rules. AWS IAM uses rules written in the Balsa policy language, and the old rules will stop working next month.
If you received a message that reads:
Our records indicate that you have missed the July 06, 2023 cutoff date to update the IAM actions for AWS Billing, Cost Management, and Account consoles. The following IAM actions have reached the end of standard support and are replaced with granular IAM actions:
- aws-portal:ViewBilling
- aws-portal:ModifyBilling
- aws-portal:ViewAccount
- aws-portal:ModifyAccount
- aws-portal:ViewPaymentMethods
- aws-portal:ModifyPaymentMethods
- aws-portal:ViewUsage
- purchase-orders:ViewPurchaseOrders
- purchase-orders:ModifyPurchaseOrders
We are granting a final extension until December 11, 2023. Before the extended deadline, please update your policies or contact your access administrator to complete your action. You can also use the Bulk Policy Migrator to mass update policies from your Payer account (if using AWS Organizations) or use the old to granular action mapping guide to confirm the granular IAM actions which need to be added.
For more information, please visit the blog.
then it’s likely that you do need to take action.
If you already adapted the rules you use, you can stop here. You’re done.
When it’s happening
10th January 2023
AWS started supporting the new fine-grained IAM access controls. You can already use statements mentioning actions such as account:GetContactInformation, billing:GetContractInformation, invoicing:GetInvoicePDF or sustainability:GetCarbonFootprintSummary. The old actions remain valid for now.
11th December 2023
From this date, your legacy IAM statements won't count to either grant or deny access if they refer to the aws-portal prefix and previously applied to billing or account management actions. For example, an allow statement for aws-portal:ViewBilling will work from now up to the 11th of December, but not beyond.
You can change over at any time: the way IAM policies work, you can have a double allow rule or a double deny rule, naming the old action and its granular replacement side by side. Put that in place now and you won't need to make any change on the day.
What you need to do
You need to make sure that each IAM policy that refers to any of the actions related to billing, cost visibility or AWS account management has been updated to support the new-style access statements. Make sure to cover service control policies (SCPs) as well if you use them.
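As an added illustration (example code written for this post, not an AWS tool, script or policy), the following Python checker walks a parsed IAM or SCP policy document, finds statements that still name any of the nine legacy actions from the notice above (expanding `*` and `?` wildcards case-insensitively, the way IAM matches actions), and reports whether each legacy statement has a granular "twin" with the same Effect. A legacy Deny with no granular Deny beside it is the case to watch: after the cutoff it silently stops denying. The GRANULAR_PREFIXES list is an assumption, a short excerpt of replacement service prefixes rather than the full set, which you should take from AWS's old to granular action mapping guide; the sample policy is constructed for the demonstration and the function names are this example's own.

```python
"""Scan an IAM/SCP policy document for deprecated aws-portal / purchase-orders
actions and check whether granular replacements sit alongside them."""
import fnmatch
import json

# The nine legacy actions named in AWS's notice.
LEGACY_ACTIONS = {
    "aws-portal:ViewBilling", "aws-portal:ModifyBilling",
    "aws-portal:ViewAccount", "aws-portal:ModifyAccount",
    "aws-portal:ViewPaymentMethods", "aws-portal:ModifyPaymentMethods",
    "aws-portal:ViewUsage",
    "purchase-orders:ViewPurchaseOrders", "purchase-orders:ModifyPurchaseOrders",
}

# Assumption: an excerpt of the replacement service prefixes, not the full list.
# Take the authoritative set from AWS's old-to-granular mapping guide.
GRANULAR_PREFIXES = ("account:", "billing:", "invoicing:", "payments:",
                     "tax:", "sustainability:")


def _as_list(value):
    """IAM accepts a string or a list for Action/NotAction/Statement; normalise."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def matches_legacy(action_pattern):
    """Return the legacy actions an IAM action pattern covers.

    IAM action matching is case-insensitive and supports '*' and '?', so
    'aws-portal:*' or 'AWS-Portal:View*' both cover legacy actions. A bare '*'
    (no service prefix) is ignored: it already covers the granular actions too.
    """
    if ":" not in action_pattern:
        return []
    pattern = action_pattern.lower()
    return sorted(a for a in LEGACY_ACTIONS if fnmatch.fnmatchcase(a.lower(), pattern))


def is_granular(action_pattern):
    """True if the action belongs to one of the granular replacement services."""
    return action_pattern.lower().startswith(GRANULAR_PREFIXES)


def audit_policy(policy):
    """Audit one parsed policy document (a dict from json.loads).

    For each statement still naming a legacy action, report whether the policy
    also carries a granular action under the same Effect (the 'double rule').
    """
    statements = _as_list(policy.get("Statement"))

    # Collect granular actions per Effect so Allow twins and Deny twins are
    # checked separately; a granular Allow does not back up a legacy Deny.
    granular_by_effect = {}
    for stmt in statements:
        for action in _as_list(stmt.get("Action")):
            if is_granular(action):
                granular_by_effect.setdefault(stmt.get("Effect"), set()).add(action)

    findings = []
    for idx, stmt in enumerate(statements):
        legacy = sorted({a for pat in _as_list(stmt.get("Action")) for a in matches_legacy(pat)})
        # NotAction inverts the match, so a NotAction naming legacy actions
        # changes meaning after the cutoff and needs a manual read.
        in_not_action = any(matches_legacy(p) for p in _as_list(stmt.get("NotAction")))
        if not legacy and not in_not_action:
            continue
        effect = stmt.get("Effect")
        findings.append({
            "sid": stmt.get("Sid", f"Statement[{idx}]"),
            "effect": effect,
            "legacy_actions": legacy,
            "in_not_action": in_not_action,
            "has_granular_twin": bool(granular_by_effect.get(effect)),
        })

    all_granular = sorted(set().union(*granular_by_effect.values())) if granular_by_effect else []
    return {
        "legacy_statements": findings,
        "granular_actions": all_granular,
        "needs_migration": any(not f["has_granular_twin"] or f["in_not_action"] for f in findings),
    }


# Constructed sample: a legacy Allow, its granular twin, and a legacy wildcard
# Deny with no granular twin (it will stop denying after the cutoff).
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "LegacyBillingRead", "Effect": "Allow",
         "Action": ["aws-portal:ViewBilling", "aws-portal:ViewUsage"], "Resource": "*"},
        {"Sid": "GranularBillingRead", "Effect": "Allow",
         "Action": ["billing:GetContractInformation", "invoicing:GetInvoicePDF"], "Resource": "*"},
        {"Sid": "LegacyDenyModify", "Effect": "Deny",
         "Action": "aws-portal:Modify*", "Resource": "*"},
    ],
}

if __name__ == "__main__":
    print(json.dumps(audit_policy(SAMPLE_POLICY), indent=2))
```

Run it against each customer-managed policy and SCP you export (for example the JSON returned by the IAM console or CLI); any finding with `has_granular_twin` false, or any `in_not_action` hit, is a statement to rewrite before the 11th of December.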
If you already have a SaaS Growth consulting subscription, and you’re not sure what any of this means, get in touch via Slack or any of the other contact channels we offer.
Clean up
Eventually, you might like to remove old, vestigial aws-portal:* statements from your IAM policies. You can do that now (the new policy language rules already work) or after the 11th of December.
We think it’s a good idea to make that change ahead of the 11th of December and to have a saved copy of the old code (or old manual rules). That way, you can test it out and revert quickly if things don’t seem right.
Further details
For more information, please read the following official announcements from AWS:
- Changes to AWS Billing, Cost Management, and Account Consoles Permissions
- Use scripts to bulk migrate your policies to use fine-grained IAM actions
- Using identity-based policies (IAM policies) for AWS Billing
If you'd like your team to have frictionless access to a range of experts at any stage of the product life cycle, consider The Scale Factory's dedicated Support subscription. It gives you access to our team of consultants and includes hands-on workshops to skill up your team, along with much more hands-on training run through the Scale Factory Academy. Get in touch to let us know how we can help you.
This blog is written exclusively by The Scale Factory team. We do not accept external contributions.