

# Security and permissions
<a name="security"></a>

Cloud security at AWS is the highest priority. As an AWS customer, you benefit from a data center and network architecture that is built to meet the requirements of the most security-sensitive organizations.

Security is a shared responsibility between AWS and you. The [shared responsibility model](http://aws.amazon.com/compliance/shared-responsibility-model/) describes this as security *of* the cloud and security *in* the cloud:

**Security of the cloud:** AWS is responsible for protecting the infrastructure that runs AWS services in the AWS Cloud. AWS also provides you with services that you can use securely. Third-party auditors regularly test and verify the effectiveness of our security as part of the [AWS Compliance Programs](http://aws.amazon.com/compliance/programs/). To learn about the compliance programs that apply to AWS Cost Management, see [AWS Services in Scope by Compliance Program](http://aws.amazon.com/compliance/services-in-scope/).

**Security in the cloud:** Your responsibility is determined by the AWS service that you use. You are also responsible for other factors including the sensitivity of your data, your company’s requirements, and applicable laws and regulations. This documentation helps you understand how to apply the shared responsibility model when using Billing and Cost Management. The following topics show you how to configure Billing and Cost Management to meet your security and compliance objectives. You also learn how to use other AWS services that help you to monitor and secure your Billing and Cost Management resources.

**Topics**
+ [Identity and access management for Data Exports](bcm-data-exports-access.md)
+ [Data protection in Data Exports](data-protection.md)

# Identity and access management for Data Exports
<a name="bcm-data-exports-access"></a>

AWS Identity and Access Management (IAM) is an AWS service that helps an administrator securely control access to AWS resources. IAM administrators control who can be *authenticated* (signed in) and *authorized* (have permissions) to use Billing resources. IAM is an AWS service that you can use with no additional charge.

To use Data Exports, an IAM principal (a user or role) must be granted the relevant actions in the `bcm-data-exports` namespace in IAM. The following table lists the available actions, the resource types each one can be scoped to, and the condition keys each one supports.

| Data Exports action | Description | Access level | Resource types | Condition keys |
| --- | --- | --- | --- | --- |
| CreateExport | Allows the user to create an export, specifying its query, delivery, schedule, and content configurations. | Write | export, table | aws:RequestTag/${TagKey}, aws:TagKeys |
| UpdateExport | Allows the user to update an existing export. | Write | export, table | aws:ResourceTag/${TagKey} |
| DeleteExport | Allows the user to delete an existing export. | Write | export | aws:ResourceTag/${TagKey} |
| GetExport | Allows the user to view an existing export. | Read | export | aws:ResourceTag/${TagKey} |
| ListExports | Allows the user to list all existing exports. | Read | | |
| GetExecution | Allows the user to see details of the given execution, including the metadata and schema of the exported data. | Read | export | aws:ResourceTag/${TagKey} |
| ListExecutions | Allows the user to list all executions of the given export. | Read | export | aws:ResourceTag/${TagKey} |
| GetTable | Allows the user to get the schema of the given table. | Read | table | |
| ListTables | Allows the user to list all available tables. | Read | | |
| TagResource | Allows the user to tag an existing export. | Write | export | aws:ResourceTag/${TagKey}, aws:RequestTag/${TagKey}, aws:TagKeys |
| UntagResource | Allows the user to untag an existing export. | Write | export | aws:ResourceTag/${TagKey}, aws:TagKeys |
| ListTagsForResource | Allows the user to list the tags associated with an existing export. | Read | export | aws:ResourceTag/${TagKey} |

For more information about how to use these condition keys, see [Controlling access to AWS resources using tags](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_tags.html) in the *IAM User Guide*.

The following table describes the resource types that are available in Data Exports.

| Resource type | Description | ARN |
| --- | --- | --- |
| export | An export is the resource created by the CreateExport API. An export generates a billing and cost management query output on a recurring basis. | arn:${Partition}:bcm-data-exports:${Region}:${Account}:export/${exportName}-${UUID} |
| table | A table is data in a row-column format that a user queries with an export. Tables are created and managed by AWS for customers. Tables cannot be deleted by customers. | arn:${Partition}:bcm-data-exports:${Region}:${Account}:table/${TableName} |

To create exports of the COST_AND_USAGE_REPORT or COST_AND_USAGE_DASHBOARD table resources in Data Exports, IAM principals must also be allowed the corresponding `cur` action. Because an explicit deny anywhere in the evaluation chain overrides any allow, a principal that is blocked from `cur` actions for any reason, whether it lacks an explicit allow on `cur` or is subject to a service control policy (SCP) that explicitly denies `cur`, cannot create or update exports of these two tables even if it holds every `bcm-data-exports` permission.

The following table shows which `cur` action is required for which `bcm-data-exports` actions in Data Exports for these two tables.

| Data Exports action | Table resources | Additional required actions in IAM |
| --- | --- | --- |
| bcm-data-exports:CreateExport | COST_AND_USAGE_REPORT, COST_AND_USAGE_DASHBOARD | cur:PutReportDefinition |

## Sample policy
<a name="bcm-data-exports-access-examples"></a>

The following policy grants an IAM principal full access to CUR 2.0 exports in Data Exports: read-only listing and viewing of tables and exports, every `bcm-data-exports` action on the `COST_AND_USAGE_REPORT` table and on any export, and the `cur:PutReportDefinition` permission that creating a CUR 2.0 export additionally requires.

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ViewDataExportsTablesAndExports",
            "Effect": "Allow",
            "Action": [
                "bcm-data-exports:ListTables",
                "bcm-data-exports:ListExports",
                "bcm-data-exports:GetExport"
            ],
            "Resource": "*"
        },
        {
            "Sid": "CreateCurExports",
            "Effect": "Allow",
            "Action": "bcm-data-exports:*",
            "Resource": [
                "arn:aws:bcm-data-exports:*:*:table/COST_AND_USAGE_REPORT",
                "arn:aws:bcm-data-exports:*:*:export/*"
            ]
        },
        {
            "Sid": "CurDataAccess",
            "Effect": "Allow",
            "Action": "cur:PutReportDefinition",
            "Resource": "*"
        }
    ]
}
```

For more information on access control and IAM permissions to use Data Exports in Billing and Cost Management, see [Overview of managing access permissions](https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/control-access-billing.html).
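The `cur` requirement above and the sample policy are easy to get wrong in combination: `bcm-data-exports:*` on the right ARNs is not enough if `cur:PutReportDefinition` is missing or an SCP denies it. The following Python is an added example, not AWS code and not part of this page: a minimal IAM-style evaluator that checks the page's sample policy, the same policy without the `cur` statement, an SCP that denies `cur:*`, and a tighter policy built from the condition keys in the actions table. The account ID, Region, export name and `team` tag are constructed for the example; the evaluator handles only `StringEquals`/`StringLike` conditions and `*`/`?` wildcards in Action and Resource, and models SCPs as plain Deny statements evaluated alongside identity policies.

```python
"""Minimal IAM-style evaluator for Data Exports permissions (added example, not AWS code).

Models only what the page relies on: explicit Deny beats Allow, Allow beats the
implicit Deny, '*'/'?' wildcards in Action and Resource, and StringEquals/StringLike
conditions on aws:RequestTag/<key> and aws:ResourceTag/<key>.
"""
import fnmatch

# Constructed ARNs for a hypothetical account 111122223333 in us-east-1.
CUR_TABLE = "arn:aws:bcm-data-exports:us-east-1:111122223333:table/COST_AND_USAGE_REPORT"
EXPORT_ARN = "arn:aws:bcm-data-exports:us-east-1:111122223333:export/monthly-cur-0f3a"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    """IAM-style wildcard match ('*' and '?'); case-sensitive in this model."""
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_ok(condition, context):
    """Every condition key must be present in the request context and match;
    a key missing from the context fails StringEquals/StringLike, as in IAM."""
    for operator, pairs in (condition or {}).items():
        if operator not in ("StringEquals", "StringLike"):
            raise ValueError(f"unsupported condition operator: {operator}")
        for key, expected in pairs.items():
            actual = context.get(key)
            if actual is None:
                return False
            if operator == "StringEquals" and actual not in _as_list(expected):
                return False
            if operator == "StringLike" and not _matches(expected, actual):
                return False
    return True


def evaluate(policies, action, resource, context=None):
    """Return 'Allow' or 'Deny' for one (action, resource) pair across all policies."""
    context = context or {}
    allowed = False
    for doc in policies:
        for stmt in _as_list(doc["Statement"]):
            if not _matches(stmt.get("Action", []), action):
                continue
            if not _matches(stmt.get("Resource", []), resource):
                continue
            if not _condition_ok(stmt.get("Condition"), context):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"  # an explicit deny ends evaluation
            allowed = True
    return "Allow" if allowed else "Deny"


def can_create_cur_export(policies, export_arn=EXPORT_ARN, request_tags=None):
    """Check everything CreateExport of COST_AND_USAGE_REPORT needs:
    bcm-data-exports:CreateExport on the table and on the export ARN, plus
    cur:PutReportDefinition. Returns the first missing permission, or None."""
    ctx = {f"aws:RequestTag/{k}": v for k, v in (request_tags or {}).items()}
    for action, resource in (
        ("bcm-data-exports:CreateExport", CUR_TABLE),
        ("bcm-data-exports:CreateExport", export_arn),
        ("cur:PutReportDefinition", "*"),  # cur has no resource-level scoping
    ):
        if evaluate(policies, action, resource, ctx) != "Allow":
            return f"{action} on {resource}"
    return None


# The page's sample policy, as a dict.
PAGE_SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "ViewDataExportsTablesAndExports", "Effect": "Allow", "Resource": "*",
     "Action": ["bcm-data-exports:ListTables", "bcm-data-exports:ListExports",
                "bcm-data-exports:GetExport"]},
    {"Sid": "CreateCurExports", "Effect": "Allow", "Action": "bcm-data-exports:*",
     "Resource": ["arn:aws:bcm-data-exports:*:*:table/COST_AND_USAGE_REPORT",
                  "arn:aws:bcm-data-exports:*:*:export/*"]},
    {"Sid": "CurDataAccess", "Effect": "Allow",
     "Action": "cur:PutReportDefinition", "Resource": "*"},
]}
# The same policy with the cur statement left out.
NO_CUR_POLICY = {"Version": "2012-10-17", "Statement": PAGE_SAMPLE_POLICY["Statement"][:2]}
# A hypothetical SCP that explicitly denies every cur action.
SCP_DENY_CUR = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": "cur:*", "Resource": "*"}]}
# A tighter policy using the condition keys from the actions table: exports may only
# be created with the tag team=finops, and only finops-tagged exports may be deleted.
TAG_SCOPED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "CreateTaggedCurExports", "Effect": "Allow",
     "Action": "bcm-data-exports:CreateExport",
     "Resource": ["arn:aws:bcm-data-exports:*:*:table/COST_AND_USAGE_REPORT",
                  "arn:aws:bcm-data-exports:*:*:export/*"],
     "Condition": {"StringEquals": {"aws:RequestTag/team": "finops"}}},
    {"Sid": "DeleteOwnTeamExports", "Effect": "Allow",
     "Action": "bcm-data-exports:DeleteExport",
     "Resource": "arn:aws:bcm-data-exports:*:*:export/*",
     "Condition": {"StringEquals": {"aws:ResourceTag/team": "finops"}}},
    {"Sid": "CurDataAccess", "Effect": "Allow",
     "Action": "cur:PutReportDefinition", "Resource": "*"},
]}
```

Calling `can_create_cur_export([PAGE_SAMPLE_POLICY])` returns `None`, while both `[NO_CUR_POLICY]` and `[PAGE_SAMPLE_POLICY, SCP_DENY_CUR]` return `cur:PutReportDefinition on *`: the `bcm-data-exports` grants are identical in all three cases, and only the `cur` permission decides the outcome. With `TAG_SCOPED_POLICY`, the same call succeeds only when `request_tags={"team": "finops"}` is supplied, and `evaluate` allows `DeleteExport` only for an export whose `team` tag is `finops`. The evaluator is a model for reasoning about the rules on this page, not a replacement for the IAM policy simulator.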

### Create a pro forma AWS CUR 2.0
<a name="bcm-data-exports-access-examples-2"></a>

To create a pro forma CUR 2.0 export, the principal must also be allowed to use the billing view of the billing group that the export is scoped to. The following policy grants `bcm-data-exports:CreateExport` for CUR 2.0 against any billing view, together with the required `cur:PutReportDefinition` permission.

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowCreateCur20AnyBillingView",
            "Effect": "Allow",
            "Action": "bcm-data-exports:CreateExport",
            "Resource": [
                "arn:aws:bcm-data-exports:*:*:table/COST_AND_USAGE_REPORT",
                "arn:aws:bcm-data-exports:*:*:export/*",
                "arn:aws:billing::*:billingview/*"
            ]
        },
        {
            "Sid": "CurDataAccess",
            "Effect": "Allow",
            "Action": "cur:PutReportDefinition",
            "Resource": "*"
        }
    ]
}
```

To restrict an IAM role to a specific billing group, replace the wildcard `billingview/*` resource with the ARN of the billing view that the role is allowed to use, as in the following policy.

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowCreateSpecificBillingViewCur20",
            "Effect": "Allow",
            "Action": "bcm-data-exports:CreateExport",
            "Resource": [
                "arn:aws:bcm-data-exports:*:*:table/COST_AND_USAGE_REPORT",
                "arn:aws:bcm-data-exports:*:*:export/*",
                "arn:aws:billing::444455556666:billingview/billing-group-111122223333"
            ]
        },
        {
            "Sid": "CurDataAccess",
            "Effect": "Allow",
            "Action": "cur:PutReportDefinition",
            "Resource": "*"
        }
    ]
}
```

# Data protection in Data Exports
<a name="data-protection"></a>

Learn how the AWS shared responsibility model applies to data protection in Data Exports.

## S3 security best practices
<a name="s3-security-best-practices"></a>

Data Exports delivers your billing and cost management data to an Amazon S3 bucket. There are a number of steps you can take to make sure your S3 bucket is secure. For more information, see [Security best practices for Amazon S3](https://docs.aws.amazon.com/AmazonS3/latest/userguide/security-best-practices.html) in the *Amazon S3 User Guide*.

## Data encryption in S3
<a name="s3-data-encryption"></a>

By default, your data exports are encrypted at rest using server-side encryption with Amazon S3 managed keys (SSE-S3). If you want your exports encrypted with AWS Key Management Service (AWS KMS) keys (SSE-KMS), you need to apply KMS encryption after the export has been delivered, because Data Exports writes the objects with SSE-S3. For more information, see [Setting default server-side encryption behavior for Amazon S3 buckets](https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-encryption.html) in the *Amazon S3 User Guide*.