Update the primary and alternate contact information - AWS Account Management
Primary account contactAlternate account contacts

Update the primary and alternate contact information

You can store contact information about the primary account contact for your AWS account.

You can also add or edit contact information for the following alternate account contacts:

  • Billing – The alternate billing contact will receive billing-related notifications, such as invoice availability notifications.

  • Operations – The alternate operations contact will receive operations-related notifications.

  • Security – The alternate security contact will receive security-related notifications, including notifications from the AWS Abuse Team.

Accessing or updating the primary account contact

To edit your AWS account's primary contact details, perform the steps in the following procedure.

AWS Management Console

To edit your AWS account's primary contact details

Minimum permissions

To perform the following steps, you must have at least the following IAM permissions:

  • aws-portal:ViewAccount (to see the account details page)

  • aws-portal:ModifyAccount

  1. Sign in to the AWS Management Console as an IAM user or role that has the minimum permissions.

  2. Choose your account name on the top right of the window, and then choose My Account.

  3. Scroll down to the section Contact information, and next to it choose Edit.

  4. Change the values in any of the available fields.

    Important

    For professional AWS accounts, it's a best practice to enter a company phone number and email address rather than one belonging to an individual. Configuring the account's Using the AWS account root user with an individual's email address or phone number can make your account difficult to recover if that individual leaves the company.

  5. After you have made all of your changes, choose Update.

AWS CLI & SDKs

You can't currently modify the primary contact information using the AWS CLI or an API operation from one of the AWS SDKs. You can modify the primary contact information only by using the AWS Management Console.

Accessing or updating the alternate contacts

You can update alternate contacts for accounts within your organization from the AWS Organizations console, or programmatically with AWS CLI or AWS SDKs. You can use the organization’s management account to view and edit account settings for any account in your organization. The primary account holder will continue to receive all email communications to the root account’s email.

You can add or edit alternate contacts differently, depending on whether or not the accounts are standalone, or part of an organization:

  • Standalone AWS accounts – For member accounts not associated with an organization, you can update your own alternate contacts using the AWS Management Console, or via AWS CLI & SDKs. To learn how to do this, see Update standalone AWS account alternate contacts.

  • AWS accounts within an organization – The management account user can update any account in the organization from the AWS Organizations console, or programmatically via the AWS CLI & SDKs. To learn how to do this, see Update AWS account alternate contacts in your organization.

Understanding API modes of operation

The API operations that work with an AWS account's alternate contacts always work in one of two modes of operation:

  • Standalone context – this mode is used when a user or role in an account accesses or changes an alternate contact in the same account. The standalone context mode is automatically used when you don't include the AccountId parameter when you call one of the Account Management AWS CLI or AWS SDK operations.

  • Organizations context – this mode is used when a user or role in one account in an organization accesses or changes an alternate contact in a different member account in the same organization. The organizations context mode is automatically used when you doinclude the AccountId parameter when you call one of the Account Management AWS CLI or AWS SDK operation. You can call the operations in this mode from only the management account of the organization, or the delegated admin account for Account Management.

The AWS CLI and AWS SDK operations can work in either standalone or organizations context.

  • If you don't include the AccountId parameter, then the operation runs in the standalone context and automatically applies the request to the account you used to make the request. This is true whether or not the account is a member of an organization.

  • If you do include the AccountId parameter, then the operation runs in the organizations context, and the operation works on the specified Organizations account.

    • If the account calling the operation is the management account or the delegated admin account for the Account Management service, then you can specify any member account of that organization in the AccountId parameter to update the specified account.

    • The only account in an organization that can call one of the alternate contact operations and specify its own account number in the AccountId parameter is the account specified as the delegated admin account for the Account Management service. Any other account, including the management account, receives an AccessDenied exception.

  • If you run an operation in standalone mode, then you must be permitted to run the operation with an IAM policy that includes a Resource element of either "*" to allow all resources, or an ARN that uses the syntax for a standalone account.

  • If you run an operation in organizations mode, then you must be permitted to run the operation with an IAM policy that includes a Resource element of either "*" to allow all resources, or an ARN that uses the syntax for a member account in an organization.

Granting permissions to update alternate contacts

As with most AWS operations, you grant permissions to add, update, or delete alternate contacts for AWS accounts by using IAM permission policies. When you attach an IAM permission policy to an IAM principal (either a user or role), you specify which actions that principal can perform on which resources, and under what conditions.

The following are some Account Management specific considerations for creating a permissions policy.

Amazon Resource Name format for AWS accounts

  • The Amazon Resource Name (ARN) for an AWS account that you can include in the resource element of a policy statement is constructed differently based on whether the account you want to reference is a standalone account or an account that is in an organization. See the previous section on Understanding API modes of operation.

    • An account ARN for a standalone account:

      arn:aws:account::{AccountId}:account

      You must use this format when you run an alternate contacts operation in standalone mode by not including the AccountID parameter.

    • An account ARN for a member account in an organization:

      arn:aws:account::{ManagementAccountId}:account/o-{OrganizationId}/{AccountId}

      You must use this format when you run an alternate contacts operation in organizations mode by including the AccountID parameter.

Context keys for IAM policies

The Account Management service also provides several Account Management service-specific condition keys that provide fine-grained control over the permissions you grant.

account:AlternateContactTypes

The context key account:AlternateContactTypes lets you specify which of the three billing types is allowed (or denied) by the IAM policy.

For example, the following example IAM permission policy uses this condition key to allow the attached principals to retrieve, but not modify, only the BILLING alternate contact for a specific account in an organization.

Because account:AlternateContactTypes is a multi-valued string type, you must use the ForAnyValue or ForAllValues multi-value string operators. 

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "account:GetAlternateContact",
            "Resource": [
                "arn:aws:account::123456789012:account/o-aa111bb222/111111111111"
            ],
            "Condition": {
                "ForAnyValue:StringEquals": {
                    "account:AlternateContactTypes": [
                        "BILLING"
                    ]
                }
            }
        }
    ]
}
account:AccountResourceOrgPaths

The context key account:AccountResourceOrgPaths lets you specify a path through your organization's hierarchy to a specific organizational unit (OU). Only member accounts that are contained by that OU match the condition. The following example snippet restricts the policy to apply to only accounts that are in either of two specified OUs.

Because account:AccountResourceOrgPaths is a multi-valued string type, you must use the ForAnyValue or ForAllValues multi-value string operators. Also, note that the prefix on the condition key is account, even though you're referencing paths to OUs in an organization.

"Condition": {
    "ForAnyValue:StringLike": {
        "account:AccountResourceOrgPaths": [
            "o-aa111bb222/r-a1b2/ou-a1b2-f6g7h111/*", 
            "o-aa111bb222/r-a1b2/ou-a1b2-f6g7h222/*"
        ]
    }
}
account:AccountResourceOrgTags

The context key account:AccountResourceOrgTags lets you reference the tags that can be attached to an account in an organization. A tag is a key/value string pair that you can use to categorize and label the resources in your account. For more information about tagging, see Tag Editor in the AWS Resource Groups User Guide. For information about using tags as part of an attribute-based access control strategy, see What is ABAC for AWS in the IAM User Guide. The following example snippet restricts the policy to apply to only accounts in an organization that have the tag with the key project and a value of either blue or red.

Because account:AccountResourceOrgTags is a multi-valued string type, you must use the ForAnyValue or ForAllValues multi-value string operators. Also, note that the prefix on the condition key is account, even though you're referencing the tags on an organization's member account.

"Condition": {
    "ForAnyValue:StringLike": {
        "account:AccountResourceOrgTags/project": [
            "blue", 
            "red"
        ]
    }
}
Note

You can attach tags to only an account in an organization. You can't attach tags to a standalone AWS account.

Update standalone AWS account alternate contacts

To edit your AWS account's alternate contact details, perform the steps in the following procedure.

The AWS Management Console procedure below always works only in the standalone context. You can use the AWS Management Console to access or change only the alternate contacts in the account you used to call the operation.

AWS Management Console

To edit your standalone AWS account's alternate contact details

Minimum permissions

To perform the following steps, you must have at least the following IAM permissions:

  • aws-portal:ViewAccount (to see the account details page)

You must also have one of the following permission options:

The following permission lets a user perform any or all of the alternate contact commands:

  • aws-portal:ModifyAccount

  1. Sign in to the AWS Management Console as an IAM user or role that has the minimum permissions.

  2. Choose your account name on the top right of the window, and then choose My account.

  3. On the Account Settings page, scroll down to Alternate Contacts, and to the right of the title, choose Edit.

  4. Change the values in any of the available fields.

    Important

    For professional AWS accounts, it's a best practice to enter a company phone number and email address rather than one belonging to an individual.

  5. After you have made all of your changes, choose Update.

AWS CLI & SDKs

You can retrieve, update, or delete the alternate contact information can be by using the following AWS CLI commands or their AWS SDK equivalent operations:

Notes
Minimum permissions

For each operation, you must have the permission that maps to that operation:

  • account:GetAlternateContact

  • account:PutAlternateContact

  • account:DeleteAlternateContact

If you use these individual permissions, you can grant some users the ability to only read the contact information, and grant other the ability to both read and write.

The aws-portal permissions apply to only the AWS Management Console, and can't be used to grant permissions for the AWS CLI or AWS SDK operations.

The following example retrieves the current Billing alternate contact for the caller's account.

$ aws account get-alternate-contact \
    --alternate-contact-type=BILLING
{
    "AlternateContact": {
        "AlternateContactType": "BILLING",
        "EmailAddress": "saanvi.sarkar@amazon.com",
        "Name": "Saanvi Sarkar",
        "PhoneNumber": "+1(206)555-0123",
        "Title": "CFO"
    }
}

The following example sets a new Operations alternate contact for the caller's account.

$ aws account put-alternate-contact \
    --alternate-contact-type=OPERATIONS \
    --email-address=mateo_jackson@amazon.com \
    --name="Mateo Jackson" \
    --phone-number="+1(206)555-1234" \
    --title="Operations Manager"

This command produces no output if it's successful.

Note

If you perform multiple PutAlternateContact operations on the same AWS account and the same contact type, the first adds the new contact, and all successive calls to the same AWS account and contact type update the existing contact.

The following example deletes the Security alternate contact for the caller's account.

$ aws account delete-alternate-contact \
    --alternate-contact-type=SECURITY

This command produces no output if it's successful.

Note

If you try to delete the same contact more than once, the first succeeds silently. All later attempts generate a ResourceNotFound exception.

Update AWS account alternate contacts in your organization

To edit your AWS account's alternate contact details, perform the steps in the following procedure.

Requirements

To update alternate contacts with the AWS Organizations console, you need to do some preliminary settings:

  • Your organization must enable all features to manage settings on your member accounts. This allows admin control over the member accounts. This is set by default when you create your organization. If your organization is set to consolidated billing only, and you want to enable all features,” see Enabling all features in your organization.

  • You need to enable trusted access for AWS Account Management service. To set this up, see Enabling trusted access for AWS Account Management.

Note

The AWS Organizations managed policies AWSOrganizationsReadOnlyAccess or AWSOrganizationsFullAccess are updated to provide permission to access the AWS Account Management APIs so you can access account data from the AWS Organizations console. To view the updated managed policies, see Updates to Organizations AWS managed policies.

AWS Management Console

To edit your AWS account's alternate contact details in an organization

  1. Sign in to the AWS Organizations console with the organization's management account credentials.

  2. From AWS accounts, select the account that you want to update.

  3. Choose Contact info, and under Alternate contacts, locate the type of contact: Billing contact, Security contact, or Operations contact.

  4. To add a new contact, select Add, or to update an existing contact select Edit.

  5. Change the values in any of the available fields.

    Important

    For professional AWS accounts, it's a best practice to enter a company phone number and email address rather than one belonging to an individual.

  6. After you have made all of your changes, choose Update.

AWS CLI & SDKs

You can retrieve, update, or delete the alternate contact information can be by using the following AWS CLI commands or their AWS SDK equivalent operations:

Notes

  • To perform these operations from the management account or a delegated admin account in an organization against member accounts, you must enable trusted access for the Account service.

  • You can't access an account in a different organization from the one you're using to call the operation.

Minimum permissions

For each operation, you must have the permission that maps to that operation:

  • account:GetAlternateContact

  • account:PutAlternateContact

  • account:DeleteAlternateContact

If you use these individual permissions, you can grant some users the ability to only read the contact information, and grant other the ability to both read and write.

The aws-portal permissions apply to only the AWS Management Console, and can't be used to grant permissions for the AWS CLI or AWS SDK operations.

The following example retrieves the current Billing alternate contact for the caller's account in an organization. The credentials used must be from either the organization's management account, or from the Account Management's delegated admin account.

$ aws account get-alternate-contact \
    --alternate-contact-type=BILLING \
    --account-id 123456789012
{
    "AlternateContact": {
        "AlternateContactType": "BILLING",
        "EmailAddress": "saanvi.sarkar@amazon.com",
        "Name": "Saanvi Sarkar",
        "PhoneNumber": "+1(206)555-0123",
        "Title": "CFO"
    }
}

The following example sets the Operations alternate contact for the specified member account in an organization. The credentials used must be from either the organization's management account, or from the Account Management's delegated admin account.

$ aws account put-alternate-contact \
    --account-id 123456789012 \
    --alternate-contact-type=OPERATIONS \
    --email-address=mateo_jackson@amazon.com \
    --name="Mateo Jackson" \
    --phone-number="+1(206)555-1234" \
    --title="Operations Manager"

This command produces no output if it's successful.

Note

If you perform multiple PutAlternateContact operations on the same AWS account and the same contact type, the first adds the new contact, and all successive calls to the same AWS account and contact type update the existing contact.

The following example deletes the Security alternate contact for the specified member account in an organization. The credentials used must be from either the organization's management account, or from the Account Management's delegated admin account.

$ aws account delete-alternate-contact \
    --account-id 123456789012 \
    --alternate-contact-type=SECURITY

This command produces no output if it's successful.
Note

If you try to delete the same contact more than once, the first succeeds silently. All later attempts generate a ResourceNotFound exception.