

# Configure your AWS account for AMS access
<a name="configure-aws-account-for-sent"></a>

With the above steps completed, you’ve successfully secured your new AWS account and ensured associated costs are billed appropriately. The final step in the process is to allow AMS access to the new account for initial stack configuration and for ongoing change and provisioning requests to be fulfilled. For details, read [Delegate Access Across AWS Accounts Using IAM Roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html). The basic steps are described in this section.

# Activate access to the AWS website
<a name="activate-access-to-aws-web"></a>

In order to grant your IAM users access to your account's billing information and tools, you must activate the functionality.

Follow these steps:

1. Sign in to the AWS Management Console with your *root account* credentials (the email and password that you used to create your AWS account). Don't sign in with your IAM user credentials.

   The AWS Management Console home page opens.

1. In the top navigation bar, open the drop-down menu for your account name, and then choose **My Account**. 

   The Billing home page opens.

1. Scroll down to the **IAM User Access to Billing Information** area, and click **Edit** on the right side. **The area does not appear unless you are logged in with root credentials**.

   An **Activate IAM access** area opens. 

1. Select the check box and click **Update**. 

   You can now use IAM policies to control which pages a user can access.

For more details on this process in AWS, see [Overview of managing access permissions](https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/control-access-billing.html).

# Create an IAM role with access to the AWS website
<a name="create-iam-role"></a>

AWS Identity and Access Management (IAM) is a web service that helps you securely control access to AWS resources for your users. You use IAM to control who can use your AWS resources (authentication) and what resources they can use and in what ways (authorization).

1. Go to the [IAM Management Console](https://console.aws.amazon.com/iam/home?#home) and click **Roles** in the left navigation pane.

   The Roles management page opens with information about IAM roles, a **Create role** option, and a list of existing roles. ![\[IAM roles explanation with examples of trusted entities and additional resources.\]](http://docs.aws.amazon.com/managedservices/latest/onboardingguide/images/iamConsoleRoles.PNG) 

1. Click **Create role**.

   The Create role **Select type of trusted entity** page opens. Click **Another AWS account** and a settings area opens up below.

   Enter the AMS trusted **Account ID** provided to you by AMS. Leave the **Require external ID** and **Require MFA** options de-selected. ![\[Interface for creating a role, showing options to select trusted entity types for AWS accounts.\]](http://docs.aws.amazon.com/managedservices/latest/onboardingguide/images/iamConsoleCreateRole.PNG)

1. Click **Next: Permissions**.

   The Create role **Attach permissions policies** page opens with options for creating a new policy, refreshing the page, and searching existing policies. A list of existing policies is provided. ![\[Policy list showing AdministratorAccess with full AWS service access description.\]](http://docs.aws.amazon.com/managedservices/latest/onboardingguide/images/iamConsoleCreateRolePermissionsDetail.PNG)

    

1. Select the **AdministratorAccess** policy and then click **Next: Review**.

   The Create role **Review** page opens. ![\[Role creation interface showing name, description, trusted entity, and policy fields.\]](http://docs.aws.amazon.com/managedservices/latest/onboardingguide/images/iamConsoleCreateRoleReview.PNG)

1. Name the new role **aws\_managedservices\_onboarding\_role** and type "AMS Onboarding Role" for the **Role description**. Review the settings for the new role and, if satisfied, click **Create role**. 

   The role management page opens with your new role listed.
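
A check to run once the role exists, added here as an example and not part of the AMS guide: the role carries **AdministratorAccess** and is created without an external ID or MFA condition, so its trust policy should name only the AMS account ID you were given. The function names and the sample policy are constructed for illustration, and `111122223333` is a placeholder account ID.

```python
import json

# Constructed sample: the trust policy the console writes for "Another AWS account"
# with external ID and MFA left unselected. 111122223333 is a placeholder ID.
SAMPLE_TRUST_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow",
                 "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
                 "Action": "sts:AssumeRole", "Condition": {}}]
}""")


def _as_list(value):
    """IAM accepts either a single value or a list in most policy fields."""
    return value if isinstance(value, list) else [value]


def _account_of(principal):
    """Return the 12-digit account ID of an AWS principal, or None."""
    if principal.isdigit() and len(principal) == 12:
        return principal                      # bare account ID form
    parts = principal.split(":")
    if len(parts) >= 6 and parts[0] == "arn" and parts[2] == "iam":
        return parts[4]                       # arn:aws:iam::<account>:...
    return None                               # "*" or anything unexpected


def audit_trust_policy(policy, expected_account_id):
    """Return findings; an empty list means the policy matches the procedure above."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if isinstance(principal, str):        # "Principal": "*" shorthand
            principal = {"AWS": principal}
        for kind, values in principal.items():
            for p in _as_list(values):
                if kind != "AWS":             # Service, Federated, ...
                    findings.append(f"statement {i}: non-account principal {kind}:{p}")
                elif _account_of(p) != expected_account_id:
                    findings.append(f"statement {i}: unexpected principal {p}")
        conds = json.dumps(stmt.get("Condition", {})).lower()
        for key in ("sts:externalid", "aws:multifactorauthpresent"):
            if key in conds:                  # procedure leaves both unselected
                findings.append(f"statement {i}: condition {key} is set")
    return findings
```

Pass it the `AssumeRolePolicyDocument` returned by `aws iam get-role --role-name <role name>`, together with the account ID AMS provided.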