IAM access to the root parent from the security account
> In the reference architecture, how does an IAM user in the security account get access to the root parent/organization overall billing?

> I am using the account-baseline-root module for the root account as well.

> I am curious about this as well. My guess was that you simply had to log in to the root account using an IAM user from the root account to view the overall billing, that you couldn't "go the other way", but curious to see their (Gruntwork's) response on it...

> That’s the only way I’ve found to do it thus far.

## For managing billing

The Gruntwork Reference Architecture has a list of IAM groups that you can use, in `security/_global/account-baseline/cross_account_groups.yml`.

You should see a group suffixed `-billing`, with a corresponding IAM role `arn:aws:iam::${id}:role/allow-billing-only-access-from-other-accounts`.

If you add this IAM role to an IAM user in your `security/_global/account-baseline/users.yml` file, and `terragrunt apply` that `security/_global/account-baseline` module, that should do the trick.

## General IAM User vs Root User vs Organization Unit/Account

There's some good info in our docs pertaining to the relationships that you touched on in your question. The Gruntwork Ref Arch also follows this pattern:

* [Root user](https://docs.gruntwork.io/guides/build-it-yourself/landing-zone/core-concepts/root-user)
* [IAM users](https://docs.gruntwork.io/guides/build-it-yourself/landing-zone/core-concepts/iam-users)
* [IAM roles](https://docs.gruntwork.io/guides/build-it-yourself/landing-zone/core-concepts/iam-roles)
* [AWS Orgs](https://docs.gruntwork.io/guides/build-it-yourself/landing-zone/core-concepts/aws-organizations)