I want to create a group with a user who only has the ability to manage payment for services - e.g. input credit card information for the account, etc. I don't want this us
Unfortunately this is not possible with AWS Identity and Access Management (IAM) the way you might have envisioned it - IAM enables Controlling User Access to Your AWS Account Billing Information, but this only includes granting IAM users access to view the respective pages (the required permissions aws-portal:ViewBilling and aws-portal:ViewUsage carry this in their names):
The AWS website integrates with AWS Identity and Access Management (IAM) so you can grant users access to billing information. You can control access to the Account Activity page and the Usage Reports page. The Account Activity page displays invoices and detailed information about charges and account activity, itemized by service and by usage type. The Usage Reports page provides detailed usage reports for each service you are subscribed to.
Of course your use case is sound and frequently encountered - AWS provides a different solution aptly named Consolidated Billing, which enables you to consolidate payment for multiple Amazon Web Services (AWS) accounts within your company by designating a single paying account:
Consolidated Billing enables you to see a combined view of AWS charges incurred by all accounts, as well as obtain a detailed cost report for each of the individual AWS accounts associated with your paying account.
So the paying account is billed for all charges of the linked accounts, thus you need to grant the user(s) in charge of the payment management access to this consolidated billing account only, which is no problem concerning the desired protection of the resources in your other accounts:
However, each linked account is completely independent in every other way (signing up for services, accessing resources, using AWS Premium Support, etc.). The paying account owner cannot access data belonging to the linked account owners (e.g., their files in Amazon S3). Each account owner uses their own AWS credentials to access their resources (e.g., their own AWS Secret Access Key). [emphasis mine]
While Consolidated Billing ensures separation of concerns and respective protection of resources/data and billing/payment from each other, you still need to share the main AWS account credentials (i.e. email/password) of the consolidated billing account with the user(s) in charge of payment management, which is an unfortunate exception to the otherwise highly recommended advice to facilitate IAM users only going forward.
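As an added example (not part of the question or answer above), here is the IAM policy document for a view-only billing group built from the two permissions the answer names, together with a small audit helper (hypothetical name `excess_billing_grants`) that flags any Allow grant reaching beyond them, including action wildcards and NotAction statements. The policy dict is constructed inline; in practice it would be the parsed JSON of an attached group policy.

```python
import json

# The only two billing-portal permissions the answer describes; both are
# read-only (the names say "View").
ALLOWED_BILLING_ACTIONS = {"aws-portal:ViewBilling", "aws-portal:ViewUsage"}

# Constructed policy for a hypothetical "billing-viewers" IAM group.
BILLING_VIEWER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": sorted(ALLOWED_BILLING_ACTIONS),
            "Resource": "*",
        }
    ],
}


def _as_list(value):
    """IAM accepts a single string, a single object, or a list for
    Statement / Action / NotAction; normalise all three to a list."""
    if value is None:
        return []
    if isinstance(value, (str, dict)):
        return [value]
    return list(value)


def excess_billing_grants(policy):
    """Return every Allow action that is not one of the two view-only
    billing permissions.

    Wildcards such as "aws-portal:*" or "*" are reported as excess because
    they can match actions outside ALLOWED_BILLING_ACTIONS; a NotAction
    statement is reported whole, since it allows everything it does not list.
    """
    excess = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            excess.append("NotAction:" + ",".join(_as_list(stmt["NotAction"])))
            continue
        for action in _as_list(stmt.get("Action")):
            if action not in ALLOWED_BILLING_ACTIONS:
                excess.append(action)
    return excess


def excess_billing_grants_json(policy_text):
    """Same audit, starting from the raw JSON policy text."""
    return excess_billing_grants(json.loads(policy_text))
```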