Alternate contacts allows AWS to contact up to three alternate contacts associated with
the account. An alternate contact doesn't have to be a specific person. You could instead
add an email distribution list if you have a team that manages billing, operations and
security related issues. These are in addition to the email address associated with the
root user of the account. The primary account contact will
continue to receive all email communications sent to the root account’s email.
You can specify only one of each of the following contact types associated with an
account.
-
Billing contact
-
Operations contact
-
Security contact
You can add or edit alternate contacts differently, depending
on whether or not the accounts are standalone, or part of an organization:
-
Standalone AWS accounts – For
AWS accounts not associated with an organization, you can update your own
alternate contacts using the AWS Management Console, or via AWS CLI & SDKs.
To learn how to do this, see Update standalone
AWS account alternate contacts.
-
AWS accounts within an organization –
For member accounts that are part of an AWS organization, a user in the management
account or delegated admin account can centrally update any member account in the
organization from the AWS Organizations console, or programmatically via the AWS CLI &
SDKs. To learn how to do this, see Update AWS account
alternate contacts in your organization.
Before you proceed with updating your account's alternate contacts information, we
recommend that you first review the following requirements when entering phone numbers
and email addresses.
-
Phone numbers can only contain numbers, whitespaces and the following
characters:"+-()".
-
Email addresses can be up to 254 characters long and can include the following
special characters in the local portion of the email address in addition to the
standard alphanumeric ones: "+=.#|!&-_".
To add or edit the alternate contacts for a standalone AWS account, perform the
steps in the following procedure. The AWS Management Console procedure below always works
only in the standalone context. You can use the AWS Management Console to
access or change only the alternate contacts in the account you used to call the
operation.
- AWS Management Console
-
To add or edit the alternate contacts for a standalone
AWS account
To perform the following steps, you must have at least the following IAM permissions:
Sign in to
the AWS Management Console as an IAM user or role that has the minimum
permissions.
-
Choose your account name on the top right of the window, and
then choose Account.
-
On the Account page, scroll down
to Alternate contacts, and to the right of
the title, choose Edit.
If you don't see the Edit option, it
is likely that you are not signed in as the root user for your
account or as someone who has the minimum permissions
specified above.
-
Change the values in any of the available fields.
For business AWS accounts, it's a best practice to enter
a company phone number and email address rather than one
belonging to an individual.
-
After you have made all of your changes, choose
Update.
- AWS CLI & SDKs
-
You can retrieve, update, or delete the alternate contact
information by using the following AWS CLI commands or their AWS SDK
equivalent operations:
For each operation, you must have the permission that maps to that
operation:
If you use these individual permissions, you can grant some users
the ability to only read the contact information, and grant others
the ability to both read and write.
The following example retrieves the current Billing alternate
contact for the caller's account.
$ aws account get-alternate-contact \
--alternate-contact-type=BILLING
{
"AlternateContact": {
"AlternateContactType": "BILLING",
"EmailAddress": "saanvi.sarkar@amazon.com",
"Name": "Saanvi Sarkar",
"PhoneNumber": "+1(206)555-0123",
"Title": "CFO"
}
}
The following example sets a new Operations alternate contact for
the caller's account.
$ aws account put-alternate-contact \
--alternate-contact-type=OPERATIONS \
--email-address=mateo_jackson@amazon.com \
--name="Mateo Jackson" \
--phone-number="+1(206)555-1234" \
--title="Operations Manager"
This command produces no output if it's successful.
If you perform multiple PutAlternateContact
operations on the same AWS account and the same contact type,
the first adds the new contact, and all successive calls to the
same AWS account and contact type update the existing
contact.
The following example deletes the Security alternate contact for
the caller's account.
$ aws account delete-alternate-contact \
--alternate-contact-type=SECURITY
This command produces no output if it's successful.
If you try to delete the same contact more than once, the
first succeeds silently. All later attempts generate a
ResourceNotFound exception.
To add or edit the alternate contact details for any AWS account in your
organization, perform the steps in the following procedure.
To update alternate contacts with the AWS Organizations console, you need to do some
preliminary settings:
-
Your organization must enable all features to manage settings on your
member accounts. This allows admin control over the member accounts. This is
set by default when you create your organization. If your organization is
set to consolidated billing only, and you want to enable all features, see
Enabling all features in your organization.
-
You need to enable trusted access for AWS Account Management service. To set this up,
see Enabling
trusted access for AWS Account Management.
The AWS Organizations managed policies AWSOrganizationsReadOnlyAccess or
AWSOrganizationsFullAccess are updated to provide permission to
access the AWS Account Management APIs so you can access account data from the AWS Organizations
console. To view the updated managed policies, see Updates to Organizations AWS managed policies.
- AWS Management Console
-
To add or edit the alternate contacts for any AWS account in
your organization
-
Sign in to the AWS Organizations console with the organization's management
account credentials.
-
From AWS accounts, select
the account that you want to update.
-
Choose Contact info, and
under Alternate contacts,
locate the type of contact: Billing
contact, Security
contact, or Operations
contact.
-
To add a new contact, select Add, or to update an existing contact select
Edit.
-
Change the values in any of the available fields.
For business AWS accounts, it's a best practice to enter
a company phone number and email address rather than one
belonging to an individual.
-
After you have made all of your changes, choose
Update.
- AWS CLI & SDKs
-
You can retrieve, update, or delete the alternate contact
information by using the following AWS CLI commands or their AWS SDK
equivalent operations:
-
To perform these operations from the management account or
a delegated admin account in an organization against member
accounts, you must enable trusted access for the Account
service.
-
You can't access an account in a different organization
from the one you're using to call the operation.
For each operation, you must have the permission that maps to that
operation:
If you use these individual permissions, you can grant some users
the ability to only read the contact information, and grant others
the ability to both read and write.
The following example retrieves the current Billing alternate
contact for the caller's account in an organization. The credentials
used must be from either the organization's management account, or
from the Account Management's delegated admin account.
$ aws account get-alternate-contact \
--alternate-contact-type=BILLING \
--account-id 123456789012
{
"AlternateContact": {
"AlternateContactType": "BILLING",
"EmailAddress": "saanvi.sarkar@amazon.com",
"Name": "Saanvi Sarkar",
"PhoneNumber": "+1(206)555-0123",
"Title": "CFO"
}
}
The following example sets the Operations alternate contact for
the specified member account in an organization. The credentials
used must be from either the organization's management account, or
from the Account Management's delegated admin account.
$ aws account put-alternate-contact \
--account-id 123456789012 \
--alternate-contact-type=OPERATIONS \
--email-address=mateo_jackson@amazon.com \
--name="Mateo Jackson" \
--phone-number="+1(206)555-1234" \
--title="Operations Manager"
This command produces no output if it's successful.
If you perform multiple PutAlternateContact
operations on the same AWS account and the same contact type,
the first adds the new contact, and all successive calls to the
same AWS account and contact type update the existing
contact.
The following example deletes the Security alternate contact for
the specified member account in an organization. The credentials
used must be from either the organization's management account, or
from the Account Management's delegated admin account.
$ aws account delete-alternate-contact \
--account-id 123456789012 \
--alternate-contact-type=SECURITY
This command produces no output if it's successful.
If you try to delete the same contact more than once, the first succeeds silently.
All later attempts generate a ResourceNotFound exception.
account:AlternateContactTypes
context key
You can use the context key account:AlternateContactTypes to specify
which of the three billing types is allowed (or denied) by the IAM policy. For
example, the following example IAM permission policy uses this condition key to allow
the attached principals to retrieve, but not modify, only the BILLING
alternate contact for a specific account in an organization.
Because account:AlternateContactTypes is a multi-valued string type, you
must use the ForAnyValue or ForAllValues multi-value string
operators.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "account:GetAlternateContact",
"Resource": [
"arn:aws:account::123456789012:account/o-aa111bb222/111111111111"
],
"Condition": {
"ForAnyValue:StringEquals": {
"account:AlternateContactTypes": [
"BILLING"
]
}
}
}
]
}
