< Return to Blog

HOWTO: Providing Clients with an IAM Account to Manage Billing & Payment Methods for their Root AWS Account

Start by heading to the IAM management console within your AWS console, and head to Policies. Create a policy and name it ViewAndManageBilling.

Use the policy document provided below to configure this policy.

    "Version": "2012-10-17",
    "Statement": [
            "Sid": "Stmt1460354930000",
            "Effect": "Allow",
            "Action": [
            "Resource": [
            "Effect": "Deny",
            "Action": "aws-portal:*Account",
            "Resource": "*"

Create a group called 'Billing' in Groups and now you can create your client IAM accounts and assign them to the Billing group. It's a good idea to log-in and confirm everything is working as it should, and I have done so for this policy.

Since IAM works as a whitelisted ACL approach, a user associated without any policies would have no access granted by default. As such the Deny entry above is spurious at best but I left it in for good measure.

We aren't done yet, now head to your account details

Look for this bit,

Click on the elusive 'edit' on the top-right and enable it.

Boom, your IAM account will now have access to billing and payment management!