diff --git a/billing-policies/README.md b/billing-policies/README.md
new file mode 100644
index 0000000..7d01a64
--- /dev/null
+++ b/billing-policies/README.md
@@ -0,0 +1,53 @@
+# aws-inf-setup :: billing-policies
+
+This defines policies to be used for billing roles. It does not create any resources.
+
+```hcl
+module "billing" {
+ source = "git@github.e.it.census.gov:terraform-modules/aws-inf-setup.git//billing-policies"
+}
+
+module "role" {
+ source = ...
+ inline_policy = [ module.billing.billing_policies["full-billing"] ]
+}
+```
+
+## Requirements
+
+No requirements.
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| [aws](#provider\_aws) | n/a |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source |
+| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+| [aws_iam_policy_document.full_billing](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.limited_billing](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| [account\_alias](#input\_account\_alias) | AWS Account Alias | `string` | `""` | no |
+| [account\_id](#input\_account\_id) | AWS Account ID (default will pull from current user) | `string` | `""` | no |
+| [override\_prefixes](#input\_override\_prefixes) | Override built-in prefixes by component (efs, s3, ebs, kms, role, policy, security-group). This should be used primarily for common infrastructure things | `map(string)` | `{}` | no |
+| [tags](#input\_tags) | AWS Tags to apply to appropriate resources (S3, KMS). Do not include safeguard tags here, use the data\_safeguard field for such things. | `map(string)` | `{}` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| [billing\_policies](#output\_billing\_policies) | Map of label and policy JSON for billing accesses |
diff --git a/billing-policies/base_tags.tf b/billing-policies/base_tags.tf
new file mode 120000
index 0000000..91c15aa
--- /dev/null
+++ b/billing-policies/base_tags.tf
@@ -0,0 +1 @@
+../common/base_tags.tf
\ No newline at end of file
diff --git a/billing-policies/data.tf b/billing-policies/data.tf
new file mode 120000
index 0000000..995624d
--- /dev/null
+++ b/billing-policies/data.tf
@@ -0,0 +1 @@
+../common/data.tf
\ No newline at end of file
diff --git a/billing-policies/defaults.tf b/billing-policies/defaults.tf
new file mode 120000
index 0000000..a5556ac
--- /dev/null
+++ b/billing-policies/defaults.tf
@@ -0,0 +1 @@
+../common/defaults.tf
\ No newline at end of file
diff --git a/billing-policies/main.tf b/billing-policies/main.tf
new file mode 100644
index 0000000..093c8fc
--- /dev/null
+++ b/billing-policies/main.tf
@@ -0,0 +1,23 @@
+/*
+* # aws-inf-setup :: billing-policies
+*
+* This defines policies to be used for billing roles. It does not create any resources.
+*
+* ```hcl
+* module "billing" {
+* source = "git@github.e.it.census.gov:terraform-modules/aws-inf-setup.git//billing-policies"
+* }
+*
+* module "role" {
+* source = ...
+* inline_policy = [ module.billing.billing_policies["full-billing"] ]
+* }
+* ```
+*/
+
+locals {
+ base_tags = {
+ "boc:tf_module_version" = local._module_version
+ "boc:created_by" = "terraform"
+ }
+}
diff --git a/billing-policies/outputs.tf b/billing-policies/outputs.tf
new file mode 100644
index 0000000..caffcaf
--- /dev/null
+++ b/billing-policies/outputs.tf
@@ -0,0 +1,18 @@
+output "billing_policies" {
+ description = "Map of label and policy JSON for billing accesses"
+ value = {
+ "full-billing" = data.aws_iam_policy_document.full_billing.json
+ "limited-billing" = data.aws_iam_policy_document.limitd_billing.json
+ }
+}
+
+# output "full_billing" {
+# description = "Map of label and policy JSON for full billing access"
+# value = { "full-billing" = data.aws_iam_policy_document.full_billing.json }
+# }
+#
+# output "limited_billing" {
+# description = "Map of label and policy JSON for limied billing access"
+# value = { "limited-billing" = data.aws_iam_policy_document.limited_billing.json }
+# }
+#
diff --git a/billing-policies/policy.tf b/billing-policies/policy.tf
new file mode 100644
index 0000000..e94a654
--- /dev/null
+++ b/billing-policies/policy.tf
@@ -0,0 +1,41 @@
+data "aws_iam_policy_document" "full_billing" {
+ statement {
+ sid = "FullBillingAccess"
+ effect = "Allow"
+ resources = ["*"]
+
+ actions = [
+ "aws-portal:View*",
+ "ce:Describe*",
+ "ce:Get*",
+ "ce:List*",
+ "ce:CreateNotificationSubscription",
+ "ce:CreateReport",
+ "ce:DeleteNotificationSubscription",
+ "ce:DeleteReport",
+ "ce:UpdateNotificationSubscription",
+ "ce:UpdateReport",
+ "ce:UpdatePreferences",
+ "budgets:View*",
+ "budgets:Describe*",
+ #"budgets:*",
+ # add others, to allow cost explorer and budgets
+ ]
+ }
+}
+
+data "aws_iam_policy_document" "limited_billing" {
+ statement {
+ sid = "LimitedBillingAccess"
+ effect = "Allow"
+ resources = ["*"]
+
+ actions = [
+ "aws-portal:View*",
+ "ce:Describe*",
+ "ce:Get*",
+ "ce:List*",
+ # put in right set of things for cost explorer and read access to billing
+ ]
+ }
+}
diff --git a/billing-policies/prefixes.tf b/billing-policies/prefixes.tf
new file mode 120000
index 0000000..7e265d5
--- /dev/null
+++ b/billing-policies/prefixes.tf
@@ -0,0 +1 @@
+../common/prefixes.tf
\ No newline at end of file
diff --git a/billing-policies/variables.common.tf b/billing-policies/variables.common.tf
new file mode 120000
index 0000000..7439ed8
--- /dev/null
+++ b/billing-policies/variables.common.tf
@@ -0,0 +1 @@
+../common/variables.common.tf
\ No newline at end of file
diff --git a/billing-policies/version.tf b/billing-policies/version.tf
new file mode 120000
index 0000000..b83c5b7
--- /dev/null
+++ b/billing-policies/version.tf
@@ -0,0 +1 @@
+../common/version.tf
\ No newline at end of file