
HOWTO: Providing Clients with an IAM Account to Manage Billing & Payment Methods for their Root AWS Account

Start by opening the IAM management console within your AWS console and heading to Policies. Create a policy and name it ViewAndManageBilling.

Use the policy document provided below to configure this policy.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1460354930000",
            "Effect": "Allow",
            "Action": [
                "aws-portal:ModifyBilling",
                "aws-portal:ModifyPaymentMethods",
                "aws-portal:ViewBilling",
                "aws-portal:ViewPaymentMethods"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Effect": "Deny",
            "Action": "aws-portal:*Account",
            "Resource": "*"
        }
    ]
}

Create a group called 'Billing' in Groups. Now you can create your client IAM accounts and assign them to the Billing group. It's a good idea to log in and confirm everything is working as it should, and I have done so for this policy.

Since IAM takes a whitelist ACL approach, a user without any associated policies would have no access granted by default. As such, the Deny entry above is spurious at best, but I left it in for good measure.
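The default-deny behaviour described above can be checked with a small evaluator. This is an added example, not code from the original post or from AWS. It models only Effect and Action with wildcards, ignoring Resource, Condition, permission boundaries and SCPs, and BROAD_PORTAL_POLICY is a constructed second policy. With this policy alone, removing the Deny changes nothing a user can do, but the Deny does take effect if some other attached policy grants aws-portal:*.

```python
import re

# The policy document from this page, as a Python dict.
BILLING_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Stmt1460354930000", "Effect": "Allow",
         "Action": ["aws-portal:ModifyBilling", "aws-portal:ModifyPaymentMethods",
                    "aws-portal:ViewBilling", "aws-portal:ViewPaymentMethods"],
         "Resource": ["*"]},
        {"Effect": "Deny", "Action": "aws-portal:*Account", "Resource": "*"},
    ],
}

# Constructed second policy (not from the page): a broad grant that might
# reach the same user through another group.
BROAD_PORTAL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "aws-portal:*", "Resource": "*"}],
}


def _matches(pattern, action):
    """IAM-style match: '*' = any run of characters, '?' = one; case-insensitive."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, action, re.IGNORECASE) is not None


def evaluate(policies, action):
    """Return 'ExplicitDeny', 'Allow' or 'ImplicitDeny' for one action."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
            if not any(_matches(p, action) for p in actions):
                continue
            if stmt["Effect"] == "Deny":
                return "ExplicitDeny"  # a matching Deny always beats any Allow
            allowed = True
    return "Allow" if allowed else "ImplicitDeny"  # no match at all = no access


def without_deny(policy):
    """Copy of a policy with its Deny statements removed."""
    kept = [s for s in policy["Statement"] if s["Effect"] != "Deny"]
    return {"Version": policy["Version"], "Statement": kept}
```
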

We aren't done yet. Now head to your account details.

Look for this bit,

Click on the elusive 'edit' on the top-right and enable it.

Boom, your IAM account will now have access to billing and payment management!