Enable new granular service permissions to better control access to billing, cost management and account services


On December 11, Amazon Cloud Technology will retire the Amazon Identity and Access Management (IAM) actions (https://docs.amazonaws.cn/en_us/iam/) under the aws-portal service prefix (https://docs.amazonaws.cn/en_us/service-authorization/latest/reference/list_awsbillingconsole.html) that control the Billing, Cost Management, and Account consoles, together with two actions under the purchase-orders namespace, purchase-orders:ViewPurchaseOrders and purchase-orders:ModifyPurchaseOrders. They will be replaced with new granular service permissions. With these permissions, you have greater control over access to billing, cost management, and account services. The new permissions also provide a single set of IAM actions for managing access through both the console and the programmatic interfaces.

In this article, we'll show you what's changing and how to prepare for it by modifying IAM policies and permissions to allow/deny access to billing, cost management, and account services. We'll also discuss the impact of this change on your existing Amazon hosting strategy and migration timeline, and what tools or options you can use to ease this transition.

Background

Currently, you can use IAM actions with the aws-portal service prefix (referred to in this article as existing permissions/IAM actions) to control access to the Billing, Cost Management, and Account consoles. For example, when you provide a user with access to the aws-portal:ViewBilling and aws-portal:ModifyBilling actions, you grant the user access to multiple console pages, including Amazon Cost Explorer, Amazon Budgets, Consolidated Billing, Billing Preferences, Points, tax settings, payment methods, purchase orders, and cost allocation labels. If you want to allow users to access a specific Cost Management service console page (such as Cost Explorer), but not the billing page, this is currently not possible. This limitation can make it difficult to run a decentralized cloud cost management model in which individual users can access specific services based on their roles. Many users told us they wanted more granular control over access to billing, cost management and account services, and the changes we mentioned above enable that flexibility.

In addition, access to billing, cost management, and account services through the programmatic interfaces is currently controlled by a different set of IAM actions than the console IAM actions. For example, to give a user access to Cost Explorer through both the console and the Cost Explorer API, the user needs permissions for aws-portal:ViewBilling and ce:*. The new IAM actions provide one set of permissions that controls access to billing, cost management, and account services through the console and the programmatic interfaces alike, so access is easier to set up and less error-prone.

Launched content

On August 23, 2023, Amazon Cloud Technology launched fine-grained IAM actions and 4 new service prefixes (consolidatedbilling, freetier, invoicing, and payments), and added new permissions to 5 existing service prefixes (billing, account, cur, and purchase-orders).

On December 11, 2023, we will retire the aws-portal service prefix and all operations within it. Additionally, we are retiring the purchase-orders:ViewPurchaseOrders and purchase-orders:ModifyPurchaseOrders permissions.

If you have been using Amazon managed policies to give IAM users or root users access to the Amazon Billing, Cost Management, and Account consoles, you do not need to take any action, because Amazon Web Services is updating the existing Amazon managed policies. See the "Updates to existing managed policies" section (https://aws.amazon.com/cn/blogs/china/enable-new-granular-service-permissions-to-better-control-access-to-billing-cost-management-and-account-services/#_Updates_to_existing).

New service prefixes and permissions

  • consolidatedbilling

    Provides access to consolidated billing features such as account roles

    https://docs.amazonaws.cn/en_us/service-authorization/latest/reference/list_awsconsolidatedbilling.html

  • freetier

    Provides access to free tier features on Amazon Billing Console

    https://docs.amazonaws.cn/en_us/service-authorization/latest/reference/list_awsfreetier.html

  • invoicing

    Provides access to invoicing resources on the Amazon Billing Console

    https://docs.amazonaws.cn/en_us/service-authorization/latest/reference/list_awsinvoicingservice.html

  • payments

    Provides access to payments and payment methods on the Amazon Billing Console

    https://docs.amazonaws.cn/en_us/service-authorization/latest/reference/list_awspayments.html

Updates to existing service prefixes and permissions

  • billing

    Provides access to billing functionality on the Amazon Billing Console (Home, Billing, Points, Billing Preferences)

    https://docs.amazonaws.cn/en_us/service-authorization/latest/reference/list_awsbillingconsole.html

  • account

    Provides access to Amazon account management resources

    https://docs.amazonaws.cn/en_us/service-authorization/latest/reference/list_awsaccountmanagement.html

  • cur

    Provides access to cost and usage reports on the Amazon Billing Console

  • purchase-orders

    Provides access to the purchase order experience on the Amazon Billing Console

    https://docs.amazonaws.cn/en_us/service-authorization/latest/reference/list_awspurchaseordersconsole.html

Note that these new IAM actions now control access to console features. In the future, we will launch new APIs for Billing, Payments, and Tax settings, allowing you to programmatically access the same resources (such as Spend Summary, Billing, Payment Summary, Transactions, Tax Registration) that are currently only accessible through the console. These future APIs will be controlled using new IAM actions launched today.

Disabled service prefixes and permissions

  • aws-portal

    After the permissions migration is complete, we will deactivate this service prefix and all IAM actions within it.

    https://docs.amazonaws.cn/en_us/service-authorization/latest/reference/list_awsbillingconsole.html

  • purchase-orders

    After the permissions migration is complete, we will deactivate the purchase-orders:ViewPurchaseOrders and purchase-orders:ModifyPurchaseOrders permissions. We will release additional permissions to replace these two permissions.

    https://docs.amazonaws.cn/en_us/service-authorization/latest/reference/list_awspurchaseordersconsole.html

How should you get started?

To use fine-grained access control, you need to migrate the policies that use aws-portal actions to the new IAM actions.

The following IAM actions in your permissions policies or service control policies (SCPs) need to be updated with the new granular actions:

  • aws-portal:ViewAccount

  • aws-portal:ViewBilling

  • aws-portal:ViewPaymentMethods

  • aws-portal:ModifyAccount

  • aws-portal:ModifyBilling

  • aws-portal:ModifyPaymentMethods

  • purchase-orders:ViewPurchaseOrders

  • purchase-orders:ModifyPurchaseOrders

Amazon Cloud Technologies recommends that you start adding the new granular permissions now, so that all affected policies are updated before the existing actions are deactivated and access to the Amazon Billing, Cost Management, and Account consoles is not interrupted. If you want to start using or testing the granular actions right away, use the feature described in "How do I switch accounts between new granular actions or existing IAM actions?" (https://aws.amazon.com/cn/blogs/china/enable-new-granular-service-permissions-to-better-control-access-to-billing-cost-management-and-account-services/#_How_to_toggle).

For example, suppose your account has the following identity-based policy named "AllowViewAccessToBillingAndCostManagementConsole", which uses the existing IAM action "aws-portal:ViewBilling" to allow users to view the contents of the Amazon Billing and Cost Management console.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "aws-portal:ViewBilling",
            "Resource": "*"
        }
    ]
}


You need to update this policy to add the granular actions. In the example policy below, the granular IAM actions have been added under the "ThesePermissionsWillHaveNoEffectTillEndOfMigration" statement block. The updated policy also keeps the existing action under the "ThisPermissionWillContinueProvidingAccessAsNormal" statement block, because the existing actions continue to control console access until the retirement date.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ThesePermissionsWillHaveNoEffectTillEndOfMigration",
            "Effect": "Allow",
            "Action": [
                "ce:Get*",
                "ce:Describe*",
                "ce:List*",
                "account:GetAccountInformation",
                "billing:Get*",
                "payments:List*",
                "payments:Get*",
                "consolidatedbilling:Get*",
                "consolidatedbilling:List*",
                "invoicing:List*",
                "invoicing:Get*",
                "cur:Get*",
                "cur:Validate*",
                "freetier:Get*"
            ],
            "Resource": "*"
        },
        {
            "Sid": "ThisPermissionWillContinueProvidingAccessAsNormal",
            "Effect": "Allow",
            "Action": "aws-portal:ViewBilling",
            "Resource": "*"
        }
    ]
}


To help you identify and update affected IAM policies, Amazon Cloud Technologies provides the following resources. In this article, we detail how to use the Affected Policies and Switch Account features to change permissions. Instructions for the other resources are in the user guides linked below.

  • Affected Policies: This tool lists the affected IAM policies within the account. You can review each policy and make any necessary changes in your logged in account.

    User Guide: https://docs.amazonaws.cn/en_us/cost-management/latest/userguide/migrate-security-iam-tool.html

  • Bulk Policy Migrator: You can use these scripts to identify and update all affected policies within your organization. You can run these scripts from your organization's payer account. If you use an Amazon Organization account with multiple associated accounts, use the bulk policy migrator script to efficiently update all accounts in the organization.

    User Guide: https://docs.amazonaws.cn/en_us/awsaccountbilling/latest/aboutv2/migrate-iam-permissions.html

  • Mapping Guide: This is our mapping from each existing (legacy) IAM action that will soon be retired to the new granular actions that replace it.

    User Guide: https://docs.amazonaws.cn/en_us/awsaccountbilling/latest/aboutv2/migrate-granularaccess-iam-mapping-reference.html

  • Switch Account: This self-service feature lets you switch between new granular actions and existing (legacy) IAM actions. After you add a new granular action, you can use the Switch Account feature to immediately start using the new IAM action in your account (see the "How do I switch accounts between new granular or existing IAM actions?" section).

    https://aws.amazon.com/cn/blogs/china/enable-new-granular-service-permissions-to-better-control-access-to-billing-cost-management-and-account-services/#_How_to_toggle

Updates to existing managed policies

With this release, Amazon Cloud Technology has updated the following Amazon managed policies to include the new granular permissions. The aws-portal IAM actions in these managed policies remain in effect until the retirement date, so you can continue to use the managed policies as before. Upon deactivation, Amazon Web Services will remove the aws-portal IAM actions from these managed policies. If you use only Amazon managed policies, you do not need to take any action, because Amazon Cloud Technologies will update them.

  • AWSBillingReadOnlyAccess (arn:aws:iam::aws:policy/AWSBillingReadOnlyAccess)

  • Billing (arn:aws:iam::aws:policy/job-function/Billing)

  • ReadOnlyAccess (arn:aws:iam::aws:policy/ReadOnlyAccess)

How do I update the affected policies in my account?

There are two main steps: 1) identify the policies that need to be updated; 2) update the policies to use the new IAM actions. The examples below focus on accounts, and accounts that belong or belonged to an organization, that were created before 11 a.m. PT on March 6, 2023. For new accounts or organizations created on or after March 6, 2023, 11 a.m. PT, the new granular actions are available directly.

Note that the affected policies console only displays the affected IAM policies in the logged-in account, not the service control policies (SCPs) affected by this change. Use the bulk policy migrator script to identify and update IAM policies for all accounts in your organization. To view the affected service control policies (SCPs), you need to log in to the Amazon Organizations console. The remainder of this article details how to transition from the existing IAM actions to the granular actions in the console. If you manage and maintain IAM policies in a version-controlled repository, be sure to make the same changes in your automation. If you have other questions, please contact Amazon Support (https://console.amazonaws.cn/support/home#/).

Step 1: Identify the policies that need updating

Log in to your account to access the affected policies console. To access it, use an IAM user/role whose IAM policy includes the iam:GetAccountAuthorizationDetails action, or assign one of the following Amazon managed policies to your IAM user/role: SystemAdministrator, AdministratorAccess, IAMFullAccess, or IAMReadOnlyAccess.

Sign in to your account and visit the affected policies console to view all IAM policies that reference existing aws-portal IAM actions that will be disabled. You can also view the number of IAM entities (IAM users, roles, or groups) attached to each affected policy, so you can prioritize updates to the policies with the highest number of attached IAM entities. This tool displays the customer managed policies and inline policies that need to be updated.

For example, suppose you created the identity policy "AllowViewAccessToBillingAndCostManagementConsole" using the existing IAM action "aws-portal:ViewBilling", and it is attached to six IAM users.

You'll see the "AllowViewAccessToBillingAndCostManagementConsole" policy listed (see screenshot below). The tool displays how many IAM entities this policy is attached to, in this case "6". It also displays the offending IAM action, in this case aws-portal:ViewBilling.


Figure 1: Affected policy console for existing account groups

You can also download the list of affected policies along with the policy ARN by clicking the "Export all affected policies" button on the affected policies console.


Figure 2: "Export all affected policies" button

To update a service control policy (SCP), you need to log in to the Amazon Organizations console. Instructions are provided in the "How to update a service control policy to a new action" section later in this article.

Step 2: Update the policy in the account to the new IAM action

In the list of affected policies, click the policy name to open and update the customer managed or inline policy in the IAM console. You can update the IAM policy as usual; see "Editing IAM policies" in the IAM documentation to learn how. Before updating your policy to the new actions, make a note of the current default policy version. If you encounter problems while making changes, you can revert the policy to that version.

In step 1, you determined that you need to update the policy named "AllowViewAccessToBillingAndCostManagementConsole". Once you navigate to the IAM console, you can add the new IAM actions. Use the Mapping Guide to identify the new IAM actions that correspond to each legacy IAM action. When adding the new granular actions to a policy, retain the current actions.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ThesePermissionsWillHaveNoEffectTillEndOfMigration",
            "Effect": "Allow",
            "Action": [
                "ce:Get*",
                "ce:Describe*",
                "ce:List*",
                "account:GetAccountInformation",
                "billing:Get*",
                "payments:List*",
                "payments:Get*",
                "consolidatedbilling:Get*",
                "consolidatedbilling:List*",
                "invoicing:List*",
                "invoicing:Get*",
                "cur:Get*",
                "cur:Validate*",
                "freetier:Get*"
            ],
            "Resource": "*"
        },
        {
            "Sid": "ThisPermissionWillContinueProvidingAccessAsNormal",
            "Effect": "Allow",
            "Action": "aws-portal:ViewBilling",
            "Resource": "*"
        }
    ]
}


After you add the new granular IAM actions to all affected policies, you will continue to see these policies in the affected policies console, because you retained the existing IAM actions during the migration. Once the existing IAM actions are deactivated, we recommend that you follow policy hygiene best practices and delete the existing IAM actions from the policy; after that, the policy will no longer appear in the affected policies console. We also recommend that you use the self-service tool on the affected policies console of the payer/management account to switch the account to the new IAM actions immediately. For more information, see "How do I switch accounts between new granular actions or existing IAM actions?" (https://aws.amazon.com/cn/blogs/china/enable-new-granular-service-permissions-to-better-control-access-to-billing-cost-management-and-account-services/#_How_to_toggle).
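As an added illustration, not the page's Bulk Policy Migrator or any Amazon tooling, the following Python scans a policy document (an IAM policy from the steps above, or an SCP as in the next section, since both share the same JSON shape) for the retiring actions, expands IAM wildcards such as "aws-portal:Modify*", and, for aws-portal:ViewBilling, prepends the granular statement from the example above while retaining the legacy action. The legacy action list and the ViewBilling mapping are taken from this page; mappings for the other legacy actions are not on the page and are left to the Mapping Guide.

```python
import copy
import fnmatch

# Retiring actions, constructed from the list on this page.
LEGACY_ACTIONS = {
    "aws-portal:ViewAccount", "aws-portal:ViewBilling", "aws-portal:ViewPaymentMethods",
    "aws-portal:ModifyAccount", "aws-portal:ModifyBilling", "aws-portal:ModifyPaymentMethods",
    "purchase-orders:ViewPurchaseOrders", "purchase-orders:ModifyPurchaseOrders",
}

# Granular read actions this page pairs with aws-portal:ViewBilling. Only this
# mapping appears on the page; the other legacy actions need the Mapping Guide.
GRANULAR_FOR = {
    "aws-portal:ViewBilling": [
        "ce:Get*", "ce:Describe*", "ce:List*",
        "account:GetAccountInformation",
        "billing:Get*",
        "payments:List*", "payments:Get*",
        "consolidatedbilling:Get*", "consolidatedbilling:List*",
        "invoicing:List*", "invoicing:Get*",
        "cur:Get*", "cur:Validate*",
        "freetier:Get*",
    ],
}


def _as_list(value):
    """IAM allows Statement, Action and Resource as a single value or a list."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)


def _matches(legacy, pattern):
    # IAM action matching is case-insensitive and supports * and ? wildcards.
    return fnmatch.fnmatchcase(legacy.lower(), pattern.lower())


def find_legacy_actions(policy):
    """Return the retiring actions a policy document (IAM policy or SCP)
    references, expanding wildcards such as "aws-portal:*" or "aws-portal:Modify*"."""
    hits = set()
    for stmt in _as_list(policy.get("Statement")):
        for key in ("Action", "NotAction"):
            for pattern in _as_list(stmt.get(key)):
                hits.update(a for a in LEGACY_ACTIONS if _matches(a, pattern))
    return hits


def add_granular_actions(policy):
    """Return a copy of the policy with the page's granular statement prepended
    once per mapped legacy action that an Allow statement grants. The legacy
    action is retained, as the page instructs, so access continues until the
    retirement date. Deny and NotAction statements are reported, not rewritten."""
    updated = copy.deepcopy(policy)
    statements = _as_list(updated.get("Statement"))
    added, new_statements = set(), []
    for stmt in statements:
        if stmt.get("Effect") != "Allow" or "NotAction" in stmt:
            continue
        for legacy, granular in GRANULAR_FOR.items():
            if legacy not in added and any(
                _matches(legacy, p) for p in _as_list(stmt.get("Action"))
            ):
                added.add(legacy)
                new_statements.append({
                    "Sid": "ThesePermissionsWillHaveNoEffectTillEndOfMigration",
                    "Effect": "Allow",
                    "Action": list(granular),
                    "Resource": "*",  # the page's example grants on "*"
                })
    updated["Statement"] = new_statements + statements
    return updated
```

Deny statements that match a legacy action (common in SCPs) are reported by find_legacy_actions but left for manual review, since a Deny on the legacy action says nothing about which granular actions to deny.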

Refer to the Billing Console and Cost Management user guides to learn about the granular IAM actions for each billing, cost management, and account service.

How to update a service control policy to a new action

The service control policy (SCP) feature is only available if all features are enabled in your Amazon Organizations organization.

  • You need to log in to your Amazon Organizations administrative account

  • Visit the Amazon Organizations console to view the SCPs created in your management account

  • Click Policies in the left navigation panel and select Service Control Policy


Figure 3: Service control policies in Amazon Organizations

  • Click the SCP you created for Amazon Billing, Cost Management, and Account Console.

  • Click the "Edit Policy" button to update your SCP.


Figure 4: Edit policy button for service control policy

  • Update the contents of the policy to add the new IAM actions. Preserve the existing IAM actions so that access continues throughout the migration.


Figure 5: Editing the contents of a service control policy

  • You can also see which member accounts the SCP applies to in the Targets tab, so you can prioritize updating SCPs assigned to the highest number of member accounts.


Figure 6: Targets tab of service control policy

Detailed instructions on how to update service control policies are in this user guide: https://docs.amazonaws.cn/en_us/organizations/latest/userguide/orgs_manage_policies_scps_create.html

How do I switch accounts between new granular actions or existing IAM actions?

This self-service feature lets you switch between the new granular actions and the existing (legacy) IAM actions. You can test the new actions within your account, or across some accounts within your organization (from the management account). After deactivation, all accounts will require the new actions and the self-service feature will no longer be available.

You can access these features through the affected policies console. To use them, you need an IAM user/role with ce:GetConsoleActionSetEnforced, aws-portal:GetConsoleActionSetEnforced, and purchase-orders:GetConsoleActionSetEnforced (to view which action set is enforced), and with ce:UpdateConsoleActionSetEnforced, aws-portal:UpdateConsoleActionSetEnforced, and purchase-orders:UpdateConsoleActionSetEnforced (to switch action sets). For Amazon Organizations, this feature is only available to management account users.

Access the affected policies console in the account you are signed in to.

If you are not using a management account and are not part of Amazon Organizations, you can only switch the action set for your own account. As shown in Figure 7, the "existing" (legacy) IAM actions are enforced for the currently logged-in account. Select the "Enable new actions for your account" option and then select "Apply changes." The new IAM actions will then be enforced for your account.


Figure 7: Existing (legacy) IAM action enforced, switch to new (granular) action

Likewise, if the "granular" IAM actions are enforced, you can select the "Enable legacy actions for your account" option and then select "Apply changes" (see Figure 8). The account will revert to the legacy IAM actions, which are only available before the retirement date.


Figure 8: New (granular) IAM actions enforced, switching to legacy IAM actions

As a management account owner, you can toggle the action set for all or some member accounts in your organization. If the "existing" IAM actions are enforced (see Figure 9), you can enable the new IAM actions for the entire organization or for specific accounts within it. For the latter, you need to provide the account numbers (maximum 10).


Figure 9: Management account view, existing (legacy) IAM actions enforced within the organization, switching to new (granular) actions for all accounts or a subset of accounts within the organization

Likewise, when the new IAM actions are enforced (see Figure 10), you can restore the legacy actions for the entire organization or for specific accounts within it. For the latter, you need to provide the account numbers (maximum 10).


Figure 10: Management account view, new (granular) IAM actions enforced within the organization, switching to legacy IAM actions for all or some accounts within the organization

If some accounts within your organization are overridden (to either the legacy or the new IAM actions), the "Current Action Set Enforced" status is displayed in the format below, with a link to download a CSV file. The CSV file lists the overridden accounts and whether each is using the legacy or the new IAM actions.


Figure 11: Management account view, new (granular) IAM actions enforced within the organization, with some accounts using legacy IAM actions

Conclusion

Enabling these fine-grained permissions under the new service-specific namespaces provides least-privilege access to the Billing, Cost Management, and Account consoles and services. To take advantage of the enhanced access controls and ensure uninterrupted access to the Amazon Billing, Cost Management, and Account consoles, see the Cost Management User Guide (https://docs.amazonaws.cn/en_us/cost-management/latest/userguide/migrate-granularaccess-whatis.html) and the Billing Console User Guide (https://docs.amazonaws.cn/en_us/awsaccountbilling/latest/aboutv2/migrate-granularaccess-whatis.html) to learn more and take the appropriate action. If you have any questions, please contact your Amazon account team and Amazon Support (https://console.amazonaws.cn/support/home#/).


Origin blog.csdn.net/u012365585/article/details/132913849