Enabling Cost Explorer

If you have recently started using AWS, one thing you need to get a clear understanding of is what AWS is billing you. A lot of things are in the ‘free’ tier, but you can still get a nasty cost shock if you’re not careful.

One of the tools AWS offers to help manage and monitor costs is Cost Explorer. This allows you to see where your spend is going on various AWS tools and services. Cost Explorer is not enabled by default. The first time you visit Cost Explorer in the AWS console you will see the following:

Best Practice
A quick digression to security. You should never, ever use your root user account for anything other than initial setup. For day-to-day management of your AWS account you should set up an IAM (Identity and Access Management) admin user and give that account appropriate permissions. Oh, and whilst you are at it, set up 2FA on all of your accounts to further secure them (paranoia is good when it comes to security).

By default, some areas, such as Cost Explorer and billing, are off limits to IAM users. If you try to access these pages, you will get the following helpful prompt:

Enabling access to these pages for an IAM admin user is a 2-step process:

  1. Enable IAM User and Role Access to Billing Information from your root user account (it cannot be enabled from an admin account).
  2. Set up an IAM policy for your IAM user that gives permission to access Cost Explorer etc. You can be as granular as you like when setting up access policies for your AWS resources, i.e. you can give access to

If you are new to AWS and IAM then have a look at the AWS documentation to get an idea of what it is and how it works. A good start is https://docs.aws.amazon.com/IAM/latest/UserGuide/IAM_Introduction.html

Step 1 – Enable IAM User and Role Access to Billing Information
Select the My Account page (top right-hand corner of the AWS console):

Select Account and scroll down until you see the following section:

Click the Edit link and select “Activate IAM Access”:

You will get the prompt:

As you can see from the text alongside this option, it states that this setting alone won’t grant us access to these console pages.

If we now visit the AWS Cost Explorer console page we should have access (you may have to wait up to 24 hours as per the original prompt shown at the top of this page).

Having enabled Activate IAM Access you will now have access to the following pages:

  • Home
  • Cost Explorer
  • Reports
  • Rightsizing recommendations
  • Savings Plans recommendations
  • Savings Plans utilization report
  • Savings Plans coverage report
  • Reservations overview
  • Reservations recommendations
  • Reservations utilization report
  • Reservations coverage report
  • Preferences

Important – The Activate IAM Access setting doesn’t control access to the following pages and resources:

  • The console pages for AWS Cost Anomaly Detection, Savings Plans overview, Savings Plans inventory, Purchase Savings Plans, and Savings Plans cart
  • The Cost Management view in the AWS Console Mobile Application
  • The Billing and Cost Management SDK APIs (AWS Cost Explorer, AWS Budgets, and AWS Cost and Usage Reports APIs)
  • AWS Systems Manager Application Manager

We now need to set up an appropriate IAM user policy that will allow our admin user access to these console pages.

Step 2 – Add and configure our IAM user policy
Although we have activated access to Billing Information, if our user doesn’t have the correct permissions they will not be able to access these console pages.

Depending on how you have set up your admin privileges you may not need to follow this second step. In a production environment we want to follow the best practice of what AWS calls “least privilege”: we give the user/group just enough permissions to get the job done. This reduces the damage that an actual (or malicious) user can do with that account.

In a dev or test environment you may be happy with providing your Admins with access all areas. For example if your admin has the AWS AdministratorAccess managed policy as shown below they will have access to all AWS functions anyway, so there will be no need to follow this step.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "*",
            "Resource": "*"
        }
    ]
}
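To make the least-privilege point concrete, the following added example (not from the original post or from AWS) compares the wildcard policy above with a constructed read-only Cost Explorer policy. The checker is a simplification that assumes identity policies only: it matches `Action` with wildcards and honours an explicit `Deny`, and it ignores `NotAction`, `Resource` scoping and `Condition`; the `ce:` patterns and the probe actions are sample choices.

```python
import re

# The wildcard document shown above: every action on every resource.
ADMIN_POLICY = {"Version": "2012-10-17",
                "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}

# Constructed sample (an assumption, not from the post): read-only Cost Explorer actions.
COST_READ_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ce:Get*", "ce:Describe*", "ce:List*"], "Resource": "*"}]}

def _as_list(value):
    """IAM lets Statement, Action and Resource be a single value or a list."""
    return value if isinstance(value, list) else [value]

def _matches(patterns, action):
    """Case-insensitive match where * is any run of characters and ? is one character."""
    for pattern in _as_list(patterns):
        regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
        if re.fullmatch(regex, action, re.IGNORECASE):
            return True
    return False

def allows(policy, action):
    """True if some Allow statement covers `action` and no Deny statement does."""
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        if _matches(stmt.get("Action", []), action):
            if stmt["Effect"] == "Deny":
                return False  # an explicit Deny always wins
            allowed = True
    return allowed

def is_full_admin(policy):
    """Flag an Allow statement that grants every action on every resource."""
    return any(
        s["Effect"] == "Allow"
        and "*" in _as_list(s.get("Action", []))
        and "*" in _as_list(s.get("Resource", []))
        for s in _as_list(policy["Statement"])
    )

def audit(policy, probes=("ce:GetCostAndUsage", "ce:CreateAnomalyMonitor", "iam:CreateUser")):
    """Map each probe action to whether the policy would allow it."""
    return {action: allows(policy, action) for action in probes}

if __name__ == "__main__":
    for name, policy in (("admin", ADMIN_POLICY), ("cost-read", COST_READ_POLICY)):
        print(name, "full admin:", is_full_admin(policy), audit(policy))
```

The wildcard policy passes every probe, including `iam:CreateUser`, while the narrower policy allows only the Cost Explorer read call.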

Depending on how you have configured your AWS users you may or may not be using User Groups. User Groups are a way to group common users into task/category areas e.g. Admin Groups would be the group for all Admins. This way, rather than having to change the permissions of every admin when you need to make a change, you just make a change to the Admin Group and the permissions associated with the User Group are propagated automatically to the Users within the Admin Group.

Go to the IAM console page and select User Groups:

Select your Admin user group:

Select Permissions:

Select the Add Permissions drop down menu and select Attach policies:

Type “billing” into the filter policies by property or policy name and press enter:

You will then see a Policy name called Billing. This is an AWS managed policy specifically for granting access to billing and cost management.

Select this policy and click “Add Permissions”

If successful the following prompt will confirm that the policy has been added to your user group:

Adding an AWS managed policy to a user is a very similar process, but it is only attached to a single user rather than the group.
