AWS Cloud Financial Management

Introducing custom billing views: tailored cost and usage view for your stakeholders

Today, we are excited to announce custom billing views, a new feature within AWS Billing and Cost Management that allows you to grant member accounts in your organization access to a cost and usage view spanning multiple member accounts. Many of you have teams that own multiple AWS accounts and told us that you want a single view of cost data for each team. At the same time, you want to minimize the number of people who have access to the management account that owns the organization-level cost data. With the newly launched custom billing views, you can now make cost and usage data spanning multiple member accounts available to a designated member account in your organization. Let’s dive into how you can set this up.

Why custom billing views

Different user personas need access to different sets of cost and usage data. If you’re a business unit or application owner, you need access to a specific subset of the organization’s cost and usage data: the multiple member accounts that you own. Until now, to get this data you had to manually aggregate cost and usage data across the accounts you own. If you’re a FinOps practitioner, you need a comprehensive organization-wide view of cost and usage data to make recommendations and optimizations, and to get it you are often given access to the management account of the organization.

With custom billing views, as a management account owner, you can give these owners access to the relevant cost and usage data they need from a member account by creating a custom billing view. You can either share the scoped down, cross-account cost and usage view with an existing member account, or create a designated FinOps account and then share the scoped down view or an entire cost and usage view with it. To allow the designated FinOps account to perform their FinOps tasks without accessing resources beyond their responsibilities, you can use identity providers such as Active Directory or Okta, in combination with IAM policies to federate access for the designated account.

In this blog post, we will dive deeper into how you can set up your custom billing views to meet the needs of business and application owners, as well as create the designated account and share custom billing views for FinOps practitioners, in your organization. These approaches will streamline access to cost and usage data for your end users, while minimizing the number of people who require access to the management account. If you need to learn how to connect your existing identity source in your AWS Organizations management account to an organization instance of IAM Identity Center, visit IAM Identity Center Identity source tutorials.

Prerequisites

Before getting started with custom billing views, you need to enable AWS Cost Explorer and migrate to fine-grained access controls for AWS Cost Management. Creating custom billing views requires access to the management account of your organization and IAM permissions to create custom billing views. For more information, see Using identity-based policies (IAM policies) for AWS Cost Management.

You will need to use AWS Resource Access Manager (RAM) to grant other accounts in your organization access to custom billing views. RAM allows you to securely share resources, such as custom billing views across AWS accounts. In order to share custom billing views, you will need permissions to share billing views using AWS Resource Access Manager. For more information, see How AWS RAM works with IAM.

Scenario 1: sharing scoped-down cost and usage view with application owners

Imagine your organization has an application ApplicationFoo which incurs costs across multiple member accounts. To allocate these costs, you have enabled the cost allocation tag with key application and apply the value foo to usage associated with this application. The software development manager in charge of ApplicationFoo has access to all the member accounts in your organization to which ApplicationFoo contributes costs, but primarily uses account 111222333444 for day-to-day operations. To give the software development manager access to the cost and usage data associated with all the member accounts used for the application, you would take the following steps:

Step 1: Create a custom billing view filtered to all cost and usage tagged with application:foo

First, create a new custom billing view containing the cost and usage data tagged application:foo. From the management account, navigate to the Billing and Cost Management console and choose Billing View under the Cost Management Preferences page. From there, create a new custom billing view, choose “Cost allocation tags” under “Filter cost management data by”, and choose the cost allocation tag application:foo. This custom billing view will only include cost and usage data corresponding to the application ApplicationFoo.

Figure 1. Creating a custom billing view filtered by the cost allocation tag application:foo from the Billing and Cost Management console

Step 2: Share the custom billing view with account 111222333444

Once the view is created, share it with the account accessed by the software development manager. You can share the view by accessing the Sharing tab after creating the view and choosing Share. From the sharing page, choose the AWSRAMDefaultPermissionBillingView managed permission, select the account 111222333444 and choose Share. This will share the created custom billing view with the selected account.

Figure 2. Sharing a custom billing view with account 111222333444

Step 3: Attach required IAM policies to access the custom billing view

If you have administrator access to account 111222333444, you can attach an IAM policy to the roles that should be able to access the custom billing view from the member account. You will need the ARN corresponding to the custom billing view created in Step 1, which can be accessed from the View detail page. If you do not have administrator access to the account, ask the administrator of the recipient account to update their IAM policies to control which roles or users with access to the account should be able to access the custom billing view. Below is an example IAM policy enabling all features supported by custom billing views. When you define the policy, replace the billing view ARN used under “Resource” with the ARN corresponding to the custom billing view you created.

Sample IAM policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ce:GetDimensionValues",
                "ce:GetCostAndUsageWithResources",
                "ce:GetCostAndUsage",
                "ce:GetCostForecast",
                "ce:GetTags",
                "ce:GetUsageForecast",
                "ce:GetCostCategories"
            ],
            "Resource": ["arn:aws:billing::123456789012:billingview/custom-1b3d5f7-1b3d-1234-1b3d-1bcd456789012"]
        },
        {
            "Effect": "Allow",
            "Action": [
                "billing:ListBillingViews",
                "billing:GetBillingView"
            ],
            "Resource": "*"
        }
    ]
}

When users access account 111222333444 with permissions to access the custom billing view, they will be able to access the cost and usage data defined in the custom billing view from that account in AWS Cost Explorer.
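The policy above is reused unchanged in Step 4 of Scenario 2, so it is worth checking before it is attached in either account that it still follows the scoped-down shape the post describes: Cost Explorer actions pinned to one billing view ARN, only the list/get billing actions on “*”, and no wildcard actions. The following lint is an added example written for this post, not AWS code; the ARN account id and view id are the placeholder values from the sample policy, and the “loose” policy is a constructed counter-example.

```python
import re

# Constructed sample: the post's policy, with the placeholder view ARN from the sample.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["ce:GetDimensionValues", "ce:GetCostAndUsageWithResources", "ce:GetCostAndUsage",
                    "ce:GetCostForecast", "ce:GetTags", "ce:GetUsageForecast", "ce:GetCostCategories"],
         "Resource": ["arn:aws:billing::123456789012:billingview/custom-1b3d5f7-1b3d-1234-1b3d-1bcd456789012"]},
        {"Effect": "Allow", "Action": ["billing:ListBillingViews", "billing:GetBillingView"], "Resource": "*"},
    ],
}

# Constructed counter-example: an over-broad policy for the same role that a lint should reject.
LOOSE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["ce:*", "billing:*"], "Resource": "*"}],
}

# Shape of a billing view ARN as shown on the View detail page / in the sample policy.
BILLING_VIEW_ARN = re.compile(r"^arn:aws:billing::\d{12}:billingview/[A-Za-z0-9-]+$")
# The only billing-namespace actions the post's policy grants (read-only discovery of views).
VIEW_READ_ACTIONS = {"billing:ListBillingViews", "billing:GetBillingView"}


def _as_list(value):
    # IAM allows Action/Resource to be a single string or a list; normalise to a list.
    return [value] if isinstance(value, str) else list(value or [])


def lint_billing_view_policy(policy):
    """Return a list of findings; an empty list means the policy follows the scoped-down pattern."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access; nothing to flag here.
        actions, resources = _as_list(stmt.get("Action")), _as_list(stmt.get("Resource"))
        for action in actions:
            if "*" in action:
                findings.append(f"statement {i}: wildcard action {action!r}")
        if any(a.startswith("ce:") for a in actions):
            for res in resources:
                if res == "*":
                    findings.append(f"statement {i}: ce actions on Resource '*' are not pinned to the shared view")
                elif not BILLING_VIEW_ARN.match(res):
                    findings.append(f"statement {i}: {res!r} is not a billing view ARN")
        extra = {a for a in actions if a.startswith("billing:")} - VIEW_READ_ACTIONS
        if extra:
            findings.append(f"statement {i}: billing actions beyond list/get: {sorted(extra)}")
    return findings
```

Run it over the JSON you are about to attach (for example `json.load` of the policy file) and treat any finding as a reason to go back to the view ARN from the View detail page.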

Figure 3. Accessing ApplicationFoo’s cost and usage data from Cost Explorer

Scenario 2: Sharing your organization’s cost and usage view with FinOps practitioners

Imagine your organization has designated a FinOps practitioner to help keep your cloud costs in check. You want to give them access to the cost management data for your entire organization. You want the FinOps practitioner to access the cost and usage view for your organization, but do not want to grant them access to the management account. To achieve this, you will follow steps detailed in Scenario 1. Instead of sharing the view with an existing member account, you will create a new dedicated account in your organization for FinOps practitioners with specific access permissions. This will ensure they have full access to your organization’s cost and usage data while limiting access to the rest of your AWS environment. Let’s dive into setting up this recommended approach.

Step 1: Create a new account in your organization for FinOps practitioners

First, the cloud platform administrator for your AWS organization will create a dedicated account for FinOps practitioners. This account will be used to restrict access to only billing and cost management tools without impacting the rest of your AWS environment. It will be the main point of contact for cost management activities without being granted direct access to the management account. To create a member account in your organization, follow the steps in the AWS Organizations documentation.

Step 2: Create a custom billing view with your organization’s cost and usage data

Next, create a new custom billing view containing the cost and usage data for your entire organization. To achieve this, create a new custom billing view and do not apply any filter to the data. Note that “Cost allocation tag” will be selected by default. As long as you don’t select any cost allocation tag key or accounts, the created custom billing view will be unfiltered and contain your entire organization’s cost and usage data.

Step 3: Share the custom billing view with the FinOps account

Once the view is created, share it with the account you created in step 1 above. You can share the view by accessing the Sharing tab after creating the view and choosing Share. From the sharing page, choose the AWSRAMDefaultPermissionBillingView managed permission, select the FinOps account created in step 1, and choose Share. This will share the created custom billing view with the FinOps account.

Step 4: Create a new role in the FinOps account limited to accessing Cost Explorer and the shared custom billing view

Access the FinOps account and create a new IAM policy restricting access to only Cost Explorer, with access to the custom billing view defined in Step 2. You can use the same example IAM policy used in Step 3 of the previous scenario. Then create a new role dedicated to FinOps practitioners and attach the policy. When users access the FinOps account with this role, they will be limited to accessing only the cost and usage data corresponding to the custom billing view you created, giving them access to your organization’s cost and usage data without giving them access to your management account.

Conclusion

You can use custom billing views to share cost and usage data across multiple AWS accounts with member accounts in your organization, streamlining the process for end users to access relevant cost and usage data using AWS Cost Explorer and the Billing and Cost Management homepage. By creating targeted views and managing IAM permissions, you can provide financial transparency while following the security best practice of minimizing the number of people who require access to the management account. Consult the documentation to learn more about this feature’s capabilities and best practices.

Erik Nestorovic

Erik is a Senior Technical Product Manager for AWS Billing and Cost Management services. He is focused on building tools to help customers achieve their Cloud Financial Management goals by having access to the data they need.