Featured in this episode of Chaos Lever
In July, AWS will be retiring IAM permissions that use the service prefix aws-portal for access control in the AWS Billing and Cost Management Console. This will also affect two additional actions under purchase-orders: ViewPurchaseOrders and ModifyPurchaseOrders.
Overall, these fine-grained controls are going to be a benefit to administrators looking to minimize unnecessary permissions in the console. It is very important to keep an eye on the timeline, as there is a hard stop to the old permissions. Based on the date your accounts were created, here is a breakdown of what is happening when (note that this applies in both Service Control Policies (SCPs) and in IAM policies.):
Either way, on July 6th, 2023: All previously-working aws-portal actions will cease functioning, and access that relied on them will stop working. Note that everything I just said is only a concern for custom policies. If you are using AWS Managed Policies, they will be updated automatically.
Confused? Of course you are.
It’s AWS IAM, confused is what they’re usually going for, which means of course that this is one of those rare times where you really should read the linked article.