Alternate contacts allows AWS to contact up to three alternate contacts associated with the account. An alternate contact doesn't have to be a specific person. You could instead add an email distribution list if you have a team that manages billing, operations and security related issues. These are in addition to the email address associated with the root user of the account. The primary account contact will continue to receive all email communications sent to the root account’s email.
You can specify only one of each of the following contact types associated with an account.
-
Billing contact
-
Operations contact
-
Security contact
You can add or edit alternate contacts differently, depending on whether or not the accounts are standalone, or part of an organization:
-
Standalone AWS accounts – For AWS accounts not associated with an organization, you can update your own alternate contacts using the AWS Management Console, or via AWS CLI & SDKs. To learn how to do this, see Update standalone AWS account alternate contacts.
-
AWS accounts within an organization – For member accounts that are part of an AWS organization, a user in the management account or delegated admin account can centrally update any member account in the organization from the AWS Organizations console, or programmatically via the AWS CLI & SDKs. To learn how to do this, see Update AWS account alternate contacts in your organization.
Topics
Phone number and
email address requirements
Before you proceed with updating your account's alternate contacts information, we recommend that you first review the following requirements when entering phone numbers and email addresses.
-
Phone numbers can only contain numbers, whitespaces and the following characters:"
+-()". -
Email addresses can be up to 254 characters long and can include the following special characters in the local portion of the email address in addition to the standard alphanumeric ones: "
+=.#|!&-_".
Update the alternate
contacts for a standalone AWS account
To add or edit the alternate contacts for a standalone AWS account, perform the steps in the following procedure. The AWS Management Console procedure below always works only in the standalone context. You can use the AWS Management Console to access or change only the alternate contacts in the account you used to call the operation.
To add or edit the alternate contacts for a standalone AWS account
Minimum permissions
To perform the following steps, you must have at least the following IAM permissions:
-
account:GetAlternateContact(to see the alternate contact details)
-
account:PutAlternateContact(to set or update an alternate contact)
-
account:DeleteAlternateContact(to delete an alternate contact)
Sign in to the AWS Management Console
as an IAM user or role that has the minimum permissions. -
Choose your account name on the top right of the window, and then choose Account.
-
On the Account page
, scroll down to Alternate contacts, and to the right of the title, choose Edit. Note
If you don't see the Edit option, it is likely that you are not signed in as the root user for your account or as someone who has the minimum permissions specified above.
-
Change the values in any of the available fields.
Important
For business AWS accounts, it's a best practice to enter a company phone number and email address rather than one belonging to an individual.
-
After you have made all of your changes, choose Update.
Update the alternate
contacts for any AWS account in your organization
To add or edit the alternate contact details for any AWS account in your organization, perform the steps in the following procedure.
Requirements
To update alternate contacts with the AWS Organizations console, you need to do some preliminary settings:
-
Your organization must enable all features to manage settings on your member accounts. This allows admin control over the member accounts. This is set by default when you create your organization. If your organization is set to consolidated billing only, and you want to enable all features, see Enabling all features in your organization.
-
You need to enable trusted access for AWS Account Management service. To set this up, see Enabling trusted access for AWS Account Management.
Note
The AWS Organizations managed policies AWSOrganizationsReadOnlyAccess or
AWSOrganizationsFullAccess are updated to provide permission to
access the AWS Account Management APIs so you can access account data from the AWS Organizations
console. To view the updated managed policies, see Updates to Organizations AWS managed policies.
To add or edit the alternate contacts for any AWS account in your organization
-
Sign in to the AWS Organizations console
with the organization's management account credentials. -
From AWS accounts, select the account that you want to update.
-
Choose Contact info, and under Alternate contacts, locate the type of contact: Billing contact, Security contact, or Operations contact.
-
To add a new contact, select Add, or to update an existing contact select Edit.
-
Change the values in any of the available fields.
Important
For business AWS accounts, it's a best practice to enter a company phone number and email address rather than one belonging to an individual.
-
After you have made all of your changes, choose Update.
Note
If you try to delete the same contact more than once, the first succeeds silently.
All later attempts generate a ResourceNotFound exception.
account:AlternateContactTypes
context key
You can use the context key account:AlternateContactTypes to specify
which of the three billing types is allowed (or denied) by the IAM policy. For
example, the following example IAM permission policy uses this condition key to allow
the attached principals to retrieve, but not modify, only the BILLING
alternate contact for a specific account in an organization.
Because account:AlternateContactTypes is a multi-valued string type, you
must use the ForAnyValue or ForAllValues multi-value string
operators.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "account:GetAlternateContact",
"Resource": [
"arn:aws:account::123456789012:account/o-aa111bb222/111111111111"
],
"Condition": {
"ForAnyValue:StringEquals": {
"account:AlternateContactTypes": [
"BILLING"
]
}
}
}
]
}