Add a billing admin user to secure an AWS root account

When you first create your AWS account, you create a root user. A root user can access everything that AWS offers, and you cannot reduce the permissions associated with it.

Amazon best practices recommend that you create an admin group for administrative tasks. However, IAM users do not have access to the AWS Billing and Cost Management Console by default, so we need to explicitly enable access.

Let's see how we can create a user with administrator and Billing Access rights to reduce the number of reasons we need to log in as a root user.

First, log in as the root user.

Enable Access to Billing Information for IAM users

On the navigation bar, choose the account name and click on My Account.

Enable Access to Billing Information

In the IAM User and Role Access to Billing Information section, select the Activate IAM Access checkbox and click on the Update button.

Secure root user

Navigate to the IAM (Identity and Access Management) console.

  • Activate MFA on the root account to secure it.

  • Change the sign-in link to be more friendly by clicking on the Customize button.

Add User with Administrator Rights

Click on the Users item in the navigation pane and click the Add User button.

Set User Details

  • Add the username, e.g. user.
  • Select the Programmatic Access and AWS Management Console Access checkboxes.
  • Select Autogenerated password for Console Password.
  • Select the Require Password Reset checkbox.
  • Click the Next: Permissions button.

Set Permissions

  • Select the Add user to group item.
  • Click on the Create group button.

Create Admin Group

  • Add the group name, e.g. Admin.
  • Select the AdministratorAccess policy from the list of policies.
  • Click Create Group. This will take you back to the Set Permissions screen.

Add user to Admin group

  • Select the Admin group that you just created.
  • Click on Next: Tags.

Add tags

Adding tags is optional, so we will skip tags.

Click on Next: Review.

Review User

Review the settings, and if everything is correct, press the Create user button.

Download Credential Information

Once the user has been created, you can download the credential information. Remember that this will be the only time you can access this information.

Create a group and policy for accessing Billing Service

Click on the Policies item in the navigation pane and click the Create Policy button.

Add Billing Service

In the Select a service section, search for Billing and then select Billing.

Add Allowed Actions for Billing Policy

  • Select the All Billing actions checkbox.
  • Click on the Review policy button.

Create Billing Policy

  • Add the name for the policy, e.g. BillingFullAccess.
  • Click the Create Policy button.

Create Billing Group

Click on the Groups item in the navigation pane and click the Create New Group button.

Set group name

  • Give a name for the Billing group, e.g. BillingFullAccess.
  • Click on the Next Step button.

Attach Policy

  • Search for Billing in the filter.
  • Select the BillingFullAccess policy checkbox.
  • Click on the Next Step button.

Review Group

  • Click the Create Group button.

Add User to the Billing Group

Select User

Click on the Users item in the navigation pane and click the user you want to add to the group.

Select Group

Select the Groups tab.

Add User to group

Click on the Add User to Group button.

Select Billing Group

  • Select the BillingFullAccessGroup checkbox.
  • Click on the Add to Groups button.

Conclusion

We now have an IAM user that has administrator rights for our AWS account and full access to the AWS Billing and Cost Management Console. It is also easy to give other users either Administrator rights or Billing rights.
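
The end state this walkthrough builds can be checked from saved AWS CLI output. The sketch below is an added example, not part of the original post: the sample JSON is constructed, the group and policy names are the article's example names, and the root access key check goes slightly beyond the steps above.

```python
import json

# Constructed samples shaped like AWS CLI JSON output (trimmed; all values made up).
# aws iam get-account-summary
SUMMARY = json.loads('{"SummaryMap": {"AccountMFAEnabled": 0, "AccountAccessKeysPresent": 0}}')
# aws iam list-groups-for-user --user-name user
USER_GROUPS = json.loads('{"Groups": [{"GroupName": "Admin"}]}')
# aws iam list-attached-group-policies --group-name <group>, one result per group
GROUP_POLICIES = {
    "Admin": {"AttachedPolicies": [{"PolicyName": "AdministratorAccess"}]},
    "BillingFullAccess": {"AttachedPolicies": [{"PolicyName": "BillingFullAccess"}]},
}


def audit(summary, user_groups, group_policies,
          required=("AdministratorAccess", "BillingFullAccess")):
    """Return findings; an empty list means the walkthrough's end state holds.

    Only policies inherited through groups are considered, because that is
    how the walkthrough grants them (no inline or user-attached policies).
    """
    findings = []
    smap = summary.get("SummaryMap", {})
    if smap.get("AccountMFAEnabled") != 1:
        findings.append("root: MFA is not activated")
    if smap.get("AccountAccessKeysPresent", 0) != 0:
        findings.append("root: access keys exist")
    # A group that exists with the right policy does not help the user
    # unless the user is actually a member of it.
    inherited = set()
    for group in user_groups.get("Groups", []):
        attached = group_policies.get(group["GroupName"], {}).get("AttachedPolicies", [])
        inherited.update(policy["PolicyName"] for policy in attached)
    for name in required:
        if name not in inherited:
            findings.append(f"user: no group grants {name}")
    return findings


if __name__ == "__main__":
    for line in audit(SUMMARY, USER_GROUPS, GROUP_POLICIES) or ["OK"]:
        print(line)
```

The constructed sample represents an account where root MFA was skipped and the user was never added to the billing group, so both findings are reported.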