Update Permissions associated with allow-billing-only-access-from-other-accounts role #766
Unanswered
timrwilliams
asked this question in
Help
Hello @timrwilliams, The Reference Architecture uses the AWS Managed Billing Policy (arn:aws:iam::aws:policy/job-function/Billing) to control access to Billing information, which should automatically get updated by AWS for this change. The new permission sets should already be added to the policy, and after retirement, AWS will automatically remove the old permissions. Just to confirm what is in your Reference Architecture, can you take a look at the billing policy currently in place and confirm that the new permissions are in place (the new prefixes are |
As per this AWS Blog a number of IAM permissions relating to the Billing Console have been deprecated and need to be updated prior to December 2023.
These permissions are referenced in the IAM role inline policy created by the Reference Architecture named allow-billing-only-access-from-other-accounts. The following are deprecated:
purchase-orders:*PurchaseOrders, aws-portal:*Usage, aws-portal:*PaymentMethods, aws-portal:*Billing
The new granular permissions are:
aws-portal:ViewBilling, aws-portal:ModifyBilling, aws-portal:ViewAccount, aws-portal:ModifyAccount, aws-portal:ViewPaymentMethods, aws-portal:ModifyPaymentMethods, aws-portal:ViewUsage, purchase-orders:ViewPurchaseOrders, and purchase-orders:ModifyPurchaseOrders
What is the best way to update this policy with the new, equivalent AWS permissions?
https://github.com/gruntwork-io/terraform-aws-security
Tracked in ticket #110426
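One way to check an exported IAM policy document for the deprecated patterns listed in the question, including wildcard entries such as `aws-portal:View*` that only partly overlap them. This is an added example, not part of the discussion or the Reference Architecture's code; the function names and the sample policy are constructed for illustration.

```python
import json
from functools import lru_cache

# Deprecated action patterns exactly as listed in the question above.
DEPRECATED = ("purchase-orders:*PurchaseOrders", "aws-portal:*Usage",
              "aws-portal:*PaymentMethods", "aws-portal:*Billing")

def patterns_overlap(a, b):
    """True if some action name matches both IAM wildcard patterns (* and ?)."""
    a, b = a.lower(), b.lower()  # IAM action names are case-insensitive

    @lru_cache(maxsize=None)
    def go(i, j):
        if i == len(a) and j == len(b):
            return True
        if i < len(a) and a[i] == "*":   # a's star matches nothing, or absorbs b[j]
            return go(i + 1, j) or (j < len(b) and go(i, j + 1))
        if j < len(b) and b[j] == "*":   # symmetric case for b's star
            return go(i, j + 1) or (i < len(a) and go(i + 1, j))
        if i < len(a) and j < len(b) and (a[i] == b[j] or "?" in (a[i], b[j])):
            return go(i + 1, j + 1)
        return False

    return go(0, 0)

def find_deprecated(policy):
    """Return (sid, action, deprecated_pattern) for each affected Action entry."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):      # a single statement may be a bare object
        statements = [statements]
    hits = []
    for n, stmt in enumerate(statements):
        actions = stmt.get("Action", [])
        if isinstance(actions, str):      # Action may be a string or a list
            actions = [actions]
        for action in actions:
            for dep in DEPRECATED:
                if patterns_overlap(action, dep):
                    hits.append((stmt.get("Sid", f"statement[{n}]"), action, dep))
    return hits

# Constructed sample policy (not the Reference Architecture's actual policy).
SAMPLE = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Sid": "OldBilling", "Effect": "Allow", "Resource": "*",
   "Action": ["aws-portal:View*", "purchase-orders:ViewPurchaseOrders"]},
  {"Sid": "Unrelated", "Effect": "Allow", "Resource": "*",
   "Action": "s3:GetObject"}]}""")

if __name__ == "__main__":
    for sid, action, dep in find_deprecated(SAMPLE):
        print(f"{sid}: {action} overlaps deprecated {dep}")
```

Only `Action` entries are inspected; a policy that uses `NotAction` needs separate review.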