diff --git a/billing-role/policy.tf b/billing-role/policy.tf
index 4a84560..e94a654 100644
--- a/billing-role/policy.tf
+++ b/billing-role/policy.tf
@@ -5,7 +5,20 @@ data "aws_iam_policy_document" "full_billing" {
 resources = ["*"]
 actions = [
- "aws-portal:*",
+ "aws-portal:View*",
+ "ce:Describe*",
+ "ce:Get*",
+ "ce:List*",
+ "ce:CreateNotificationSubscription",
+ "ce:CreateReport",
+ "ce:DeleteNotificationSubscription",
+ "ce:DeleteReport",
+ "ce:UpdateNotificationSubscription",
+ "ce:UpdateReport",
+ "ce:UpdatePreferences",
+ "budgets:View*",
+ "budgets:Describe*",
+ #"budgets:*",
 # add others, to allow cost explorer and budgets
 ]
 }
@@ -18,6 +31,10 @@ data "aws_iam_policy_document" "limited_billing" {
 resources = ["*"]
 actions = [
+ "aws-portal:View*",
+ "ce:Describe*",
+ "ce:Get*",
+ "ce:List*",
 # put in right set of things for cost explorer and read access to billing
 ]
 }
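Review bot: The commented-out `#"budgets:*",` entry in full_billing is better deleted than kept as a toggle, because uncommenting it would add budget modification and budget-action permissions on top of the read-only `budgets:View*` and `budgets:Describe*` lines above it. The prefix wildcards (`ce:Describe*`, `ce:Get*`, `ce:List*`, `budgets:View*`) also widen on their own whenever AWS adds a matching action, so either list the actions explicitly or add a comment such as `# prefix wildcards accepted: read-only by naming convention, re-review on provider updates`. The document is still called full_billing although `aws-portal:*` is narrowed to `aws-portal:View*`; if dropping the modify actions is intended, a one-line comment saying so would stop a later reader from "restoring" them. The statement header and the start of the data block are outside the hunk.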
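Review bot: `aws-portal:View*` in limited_billing matches every view action in that namespace, including `aws-portal:ViewPaymentMethods` and `aws-portal:ViewAccount`, which is probably more than a role named "limited" should read. Naming the actions, for example `"aws-portal:ViewBilling",` and `"aws-portal:ViewUsage",`, keeps the grant fixed and reviewable. The placeholder comment kept as context ("put in right set of things…") could then be replaced by one stating what the role is meant to see. AWS has been replacing the aws-portal actions with fine-grained billing actions, so depending on when this is applied the `aws-portal:` entries in both documents may need migrating. The statement header is outside the hunk.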