AWS Changes to Billing and Cost Management Permissions Taking Effect Both Yesterday, And Also in July

Posted on Tuesday, Mar 7, 2023 by Chris Hayner

Featured in this episode of Chaos Lever

In July, AWS will be retiring IAM permissions that use the service prefix aws-portal for access control in the AWS Billing and Cost Management Console. This will also affect two additional actions under purchase-orders: ViewPurchaseOrders and ModifyPurchaseOrders.

Overall, these fine-grained controls are going to be a benefit to administrators looking to minimize unnecessary permissions in the console. It is very important to keep an eye on the timeline, as there is a hard stop to the old permissions. Based on the date your accounts were created, here is a breakdown of what is happening when (note that this applies in both Service Control Policies (SCPs) and in IAM policies.):

  1. Before March 6th, 2023 (which is to say, yesterday) : You will be able to continue using the existing aws-portal actions (and the two sunsetting purchase-orders actions).
  2. After March 6th, 2023: You will be required to use the new fine-grained actions.

Either way, on July 6th, 2023: All previously-working aws-portal actions will cease functioning, and access that relied on them will stop working. Note that everything I just said is only a concern for custom policies. If you are using AWS Managed Policies, they will be updated automatically.

Confused? Of course you are.

It’s AWS IAM, confused is what they’re usually going for, which means of course that this is one of those rare times where you really should read the linked article.