# Using identity-based policies (IAM policies) for AWS Account Management
<a name="security_account-permissions-ref"></a>

For a full discussion of AWS accounts and IAM users, see [What Is IAM?](https://docs.aws.amazon.com/IAM/latest/UserGuide/IAM_Introduction.html) in the *IAM User Guide*.

For instructions on how you can update customer managed policies, see [Edit IAM policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_manage-edit.html#edit-managed-policy-console) in the *IAM User Guide*.

## AWS Account Management actions policies
<a name="security_account-permissions-ref-actions"></a>

This table summarizes the permissions that grant access to your account settings. For examples of policies that use these permissions, see [Identity-based policy examples for AWS Account Management](security_iam_id-based-policy-examples.md).

**Note**  
To grant IAM users write access to a specific account setting in the [https://console.aws.amazon.com/billing/home#/account](https://console.aws.amazon.com/billing/home#/account) page of the AWS Management Console, you must allow the `GetAccountInformation` permission, in addition to the permission (or permissions) that you want to use to modify that setting.


****  

| Permission name | Access level | Description | 
| --- | --- | --- | 
|  `account:ListRegions`  |  List  |  Grants permission to list the available Regions.   | 
|  `account:GetAccountInformation`  |  Read |  Grants permission to retrieve the account information for an account.  | 
|  `account:GetAlternateContact`  |  Read |  Grants permission to retrieve the alternate contacts for an account.  | 
|  `account:GetContactInformation`  |  Read |  Grants permission to retrieve the primary contact information for an account.  | 
| account:GetPrimaryEmail | Read | Grants permission to retrieve the primary email address of an account. | 
|  `account:GetRegionOptStatus`  |  Read |  Grants permission to get the opt-in status of a Region.  | 
|  `account:AcceptPrimaryEmailUpdate`  |  Write  |  Grants permission to accept the primary email address update of the member account in an AWS organization.  | 
|  `account:CloseAccount`  |  Write  |  Grants permission to close an account.  This is a permission for the console only. No API access is available for this permission.   | 
|  `account:DeleteAlternateContact`  |  Write  |  Grants permission to delete the alternate contacts for an account.  | 
|  `account:DisableRegion`  |  Write  |  Grants permission to disable use of a Region.  | 
|  `account:EnableRegion`  |  Write  |  Grants permission to enable use of a Region.  | 
|  `account:PutAccountName`  |  Write  |  Grants permission to update the name for an account.  | 
|  `account:PutAlternateContact`  |  Write  |  Grants permission to modify the alternate contacts for an account.  | 
|  `account:PutContactInformation`  |  Write  |  Grants permission to update the primary contact information for an account.  | 
|  `account:StartPrimaryEmailUpdate`  |  Write  |  Grants permission to initiate the primary email address update of the member account in an AWS organization.  |