Adding or updating the primary and alternate contact information - AWS Account Management

Adding or updating the primary and alternate contact information

You can store contact information about the primary account contact for your AWS account.

You can also add contact information for the following alternate account contacts:

  • Billing

  • Operations

  • Security

Accessing or updating the primary account contact

To edit your AWS account's primary contact details, perform the steps in the following procedure.

AWS Management Console

To edit your AWS account's primary contact details

Minimum permissions

To perform the following steps, you must have at least the following IAM permissions:

  • aws-portal:ViewAccount (to see the account details page)

  • aws-portal:ModifyAccount

  1. Sign in to the AWS Management Console as an IAM user or role that has the minimum permissions.

  2. Choose your account name on the top right of the window, and then choose My Account.

  3. Scroll down to the section Contact information, and next to it choose Edit.

    Note

    You might be prompted to approve your access to this information. AWS sends a request to the email address associated with the account and to the primary contact phone number. Choose the link in the request to open it in your browser, and approve the access.

  4. Change the values in any of the available fields.

    Important

    For professional AWS accounts, it's a best practice to enter a company phone number and email address rather than one belonging to an individual. Configuring the account's root user with an individual's email address or phone number can make your account difficult to recover if that individual leaves the company.

  5. After you have made all of your changes, choose Update.

AWS CLI & SDKs

You can't currently modify the primary contact information using the AWS CLI or an API operation from one of the AWS SDKs. You can modify the primary contact information only by using the AWS Management Console.

Accessing or updating the alternate contacts

You can add and delete alternate contacts for an AWS account and update a contact's details.

Modes of operation

The API operations that work with an AWS account's alternate contacts always run in one of two modes of operation:

  • Standalone context – this mode is used when a user or role in an account accesses or changes an alternate contact in the same account. The standalone context mode is automatically used when you don't include the AccountId parameter when you call one of the Account Management AWS CLI or AWS SDK operations.

  • Organizations context – this mode is used when a user or role in one account in an organization accesses or changes an alternate contact in a different member account in the same organization. The organizations context mode is automatically used when you do include the AccountId parameter when you call one of the Account Management AWS CLI or AWS SDK operations. You can call the operations in this mode only from the management account of the organization, or from the delegated admin account for Account Management.

The AWS Management Console procedure below always works only in the standalone context. You can use the AWS Management Console to access or change only the alternate contacts in the account you used to call the operation.

The AWS CLI and AWS SDK operations can work in either context.

  • If you don't include the AccountId parameter, then the operation runs in the standalone context and automatically applies the request to the account you used to make the request. This is true whether or not the account is a member of an organization.

  • If you do include the AccountId parameter, then the operation runs in the organizations context, and the operation works on the specified Organizations account.

    • If the account calling the operation is the management account or the delegated admin account for the Account Management service, then you can specify any member account of that organization in the AccountId parameter to update the specified account.

    • The only account in an organization that can call one of the alternate contact operations and specify its own account number in the AccountId parameter is the account specified as the delegated admin account for the Account Management service. Any other account, including the management account, receives an AccessDenied exception.

  • If you run an operation in standalone mode, then you must be permitted to run the operation with an IAM policy that includes a Resource element of either "*" to allow all resources, or an ARN that uses the syntax for a standalone account.

  • If you run an operation in organizations mode, then you must be permitted to run the operation with an IAM policy that includes a Resource element of either "*" to allow all resources, or an ARN that uses the syntax for a member account in an organization.

Granting permissions to update alternate contacts

As with most AWS operations, you grant permissions to add, update, or delete alternate contacts for AWS accounts by using IAM permission policies. When you attach an IAM permission policy to an IAM principal (either a user or role), you specify which actions that principal can perform on which resources, and under what conditions.

The following are some Account Management specific considerations for creating a permissions policy.

Amazon Resource Name format for AWS accounts

  • The Amazon Resource Name (ARN) for an AWS account that you can include in the resource element of a policy statement is constructed differently based on whether the account you want to reference is a standalone account or an account that is in an organization. See the previous section on Modes of operation.

    • An account ARN for a standalone account:

      arn:aws:account::{AccountId}:account

      You must use this format when you run an alternate contacts operation in standalone mode by not including the AccountId parameter.

    • An account ARN for a member account in an organization:

      arn:aws:account::{ManagementAccountId}:account/o-{OrganizationId}/{AccountId}

      You must use this format when you run an alternate contacts operation in organizations mode by including the AccountId parameter.

Context keys for IAM policies

The Account Management service also provides several Account Management service-specific condition keys that provide fine-grained control over the permissions you grant.

account:AlternateContactTypes

The context key account:AlternateContactTypes lets you specify which of the three alternate contact types (BILLING, OPERATIONS, SECURITY) is allowed (or denied) by the IAM policy.

For example, the following example IAM permission policy uses this condition key to allow the attached principals to retrieve, but not modify, only the BILLING alternate contact for a specific account in an organization.

Because account:AlternateContactTypes is a multi-valued string type, you must use the ForAnyValue or ForAllValues multi-value string operators.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VisualEditor0",
                "Effect": "Allow",
                "Action": "account:GetAlternateContact",
                "Resource": [
                    "arn:aws:account::123456789012:account/o-aa111bb222/111111111111"
                ],
                "Condition": {
                    "ForAnyValue:StringEquals": {
                        "account:AlternateContactTypes": [
                            "BILLING"
                        ]
                    }
                }
            }
        ]
    }

account:AccountResourceOrgPaths

The context key account:AccountResourceOrgPaths lets you specify a path through your organization's hierarchy to a specific organizational unit (OU). Only member accounts that are contained by that OU match the condition. The following example snippet restricts the policy to apply to only accounts that are in either of two specified OUs.

Because account:AccountResourceOrgPaths is a multi-valued string type, you must use the ForAnyValue or ForAllValues multi-value string operators. Also, note that the prefix on the condition key is account, even though you're referencing paths to OUs in an organization.

    "Condition": {
        "ForAnyValue:StringLike": {
            "account:AccountResourceOrgPaths": [
                "o-aa111bb222/r-a1b2/ou-a1b2-f6g7h111/*",
                "o-aa111bb222/r-a1b2/ou-a1b2-f6g7h222/*"
            ]
        }
    }

account:AccountResourceOrgTags

The context key account:AccountResourceOrgTags lets you reference the tags that can be attached to an account in an organization. A tag is a key/value string pair that you can use to categorize and label the resources in your account. For more information about tagging, see Tag Editor in the AWS Resource Groups User Guide. For information about using tags as part of an attribute-based access control strategy, see What is ABAC for AWS in the IAM User Guide. The following example snippet restricts the policy to apply to only accounts in an organization that have the tag with the key project and a value of either blue or red.

Because account:AccountResourceOrgTags is a multi-valued string type, you must use the ForAnyValue or ForAllValues multi-value string operators. Also, note that the prefix on the condition key is account, even though you're referencing the tags on an organization's member account.

    "Condition": {
        "ForAnyValue:StringLike": {
            "account:AccountResourceOrgTags/project": [
                "blue",
                "red"
            ]
        }
    }

Note

You can attach tags to only an account in an organization. You can't attach tags to a standalone AWS account.
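The two ARN formats from Amazon Resource Name format for AWS accounts and the three condition keys above come together when you write a least-privilege policy. The following Python script is an added example, not code from the AWS documentation: it builds the account ARN in the form that matches the mode the API call will run in (standalone when AccountId is omitted, member-account form when it is included), then assembles an Allow statement scoped with account:AlternateContactTypes and, for member accounts only, account:AccountResourceOrgPaths and account:AccountResourceOrgTags. It refuses to attach OU-path or tag conditions to a standalone ARN, since a standalone account is in no OU and cannot be tagged. All account ids, the organization id, OU paths and tag values are constructed placeholders; the helper names (account_arn, alternate_contact_statement, policy_document) are this example's own.

```python
"""Build least-privilege IAM policy statements for the alternate contact
operations, choosing the account ARN form that matches the mode in which the
API call will run (standalone vs. organizations) and scoping the statement
with the account:* condition keys.

Added example; this is not code from the AWS documentation. All account ids,
organization ids, OU paths and tag values are constructed placeholders."""
import json
import re

ACCOUNT_ID_RE = re.compile(r"^\d{12}$")
CONTACT_TYPES = ("BILLING", "OPERATIONS", "SECURITY")
READ_ACTIONS = ["account:GetAlternateContact"]
WRITE_ACTIONS = ["account:PutAlternateContact", "account:DeleteAlternateContact"]


def _check_id(value):
    # "*" is accepted so a member-account ARN can cover every account in the org.
    if value != "*" and not ACCOUNT_ID_RE.match(value):
        raise ValueError(f"not a 12-digit account id: {value!r}")


def account_arn(account_id, management_account_id=None, organization_id=None):
    """Return the ARN the Resource element must carry for this account.

    Without organization details the standalone form is produced, which is the
    form evaluated when the API call omits AccountId. With both a management
    account id and an organization id the member-account form is produced,
    which is evaluated when the call includes AccountId."""
    _check_id(account_id)
    if management_account_id is None and organization_id is None:
        return f"arn:aws:account::{account_id}:account"
    if management_account_id is None or organization_id is None:
        raise ValueError("organizations mode needs both a management account id "
                         "and an organization id")
    _check_id(management_account_id)
    org = organization_id if organization_id.startswith("o-") else f"o-{organization_id}"
    return f"arn:aws:account::{management_account_id}:account/{org}/{account_id}"


def is_member_arn(arn):
    """True for the organizations-mode ARN form (contains /o-<org id>/)."""
    return ":account/o-" in arn


def alternate_contact_statement(sid, resources, contact_types, read_only=True,
                                org_paths=None, org_tags=None):
    """Build one Allow statement for the alternate contact actions.

    account:AlternateContactTypes, account:AccountResourceOrgPaths and
    account:AccountResourceOrgTags/<key> are multi-valued, so each condition
    uses a ForAnyValue set operator. The OU-path and tag keys only make sense
    for member-account ARNs: a standalone account is not in an OU and cannot
    carry tags, so such a statement would never match."""
    unknown = set(contact_types) - set(CONTACT_TYPES)
    if unknown:
        raise ValueError(f"unknown alternate contact types: {sorted(unknown)}")
    if (org_paths or org_tags) and not all(is_member_arn(r) for r in resources):
        raise ValueError("org path/tag conditions require member-account ARNs")

    condition = {"ForAnyValue:StringEquals": {
        "account:AlternateContactTypes": sorted(set(contact_types))}}
    if org_paths:
        condition.setdefault("ForAnyValue:StringLike", {})[
            "account:AccountResourceOrgPaths"] = list(org_paths)
    if org_tags:
        like = condition.setdefault("ForAnyValue:StringLike", {})
        for key, values in org_tags.items():
            like[f"account:AccountResourceOrgTags/{key}"] = list(values)

    actions = list(READ_ACTIONS) if read_only else READ_ACTIONS + WRITE_ACTIONS
    return {"Sid": sid, "Effect": "Allow", "Action": actions,
            "Resource": list(resources), "Condition": condition}


def policy_document(*statements):
    return {"Version": "2012-10-17", "Statement": list(statements)}


if __name__ == "__main__":
    # Read-only access to the BILLING contact of one member account, plus
    # read/write on the SECURITY contact of every member account tagged
    # project=blue or project=red (constructed ids throughout).
    one_member = account_arn("111111111111", "123456789012", "o-aa111bb222")
    all_members = account_arn("*", "123456789012", "o-aa111bb222")
    doc = policy_document(
        alternate_contact_statement("ReadBilling", [one_member], ["BILLING"]),
        alternate_contact_statement("ManageSecurity", [all_members], ["SECURITY"],
                                    read_only=False,
                                    org_tags={"project": ["blue", "red"]}))
    print(json.dumps(doc, indent=4))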

Accessing and updating an account's alternate contact details

To edit your AWS account's alternate contact details, perform the steps in the following procedure.

AWS Management Console

To edit your AWS account's alternate contact details

Minimum permissions

To perform the following steps, you must have at least the following IAM permissions:

  • aws-portal:ViewAccount (to see the account details page)

You must also have one of the following permission options:

The following permission lets a user perform any or all of the alternate contact commands:

  • aws-portal:ModifyAccount

  1. Sign in to the AWS Management Console as an IAM user or role that has the minimum permissions.

  2. Choose your account name on the top right of the window, and then choose My account.

  3. On the Account Settings page, scroll down to Alternate Contacts, and to the right of the title, choose Edit.

    Note

    You might be prompted to approve your access to this information. AWS sends a request to the email address associated with the account and to the primary contact phone number. Choose the link in the request to open it in your browser, and approve the access.

  4. Change the values in any of the available fields.

    Important

    For professional AWS accounts, it's a best practice to enter a company phone number and email address rather than one belonging to an individual.

  5. After you have made all of your changes, choose Update.

AWS CLI & SDKs

You can retrieve, update, or delete the alternate contact information by using the following AWS CLI commands or their AWS SDK equivalent operations:

Notes

  • To perform these operations from the management account or a delegated admin account in an organization against member accounts, you must enable trusted access for the Account service.

  • You can't access an account in a different organization from the one you're using to call the operation.

Minimum permissions

For each operation, you must have the permission that maps to that operation:

  • account:GetAlternateContact

  • account:PutAlternateContact

  • account:DeleteAlternateContact

If you use these individual permissions, you can grant some users the ability to only read the contact information, and grant others the ability to both read and write.

The aws-portal permissions apply to only the AWS Management Console, and can't be used to grant permissions for the AWS CLI or AWS SDK operations.

The following example retrieves the current Billing alternate contact for the caller's account.

    $ aws account get-alternate-contact \
        --alternate-contact-type=BILLING
    {
        "AlternateContact": {
            "AlternateContactType": "BILLING",
            "EmailAddress": "saanvi.sarkar@amazon.com",
            "Name": "Saanvi Sarkar",
            "PhoneNumber": "+1(206)555-0123",
            "Title": "CFO"
        }
    }

The following example also retrieves the current Billing alternate contact, but this time for the specified member account in an organization. The credentials used must be from either the organization's management account or the delegated admin account for Account Management.

    $ aws account get-alternate-contact \
        --alternate-contact-type=BILLING \
        --account-id 123456789012
    {
        "AlternateContact": {
            "AlternateContactType": "BILLING",
            "EmailAddress": "saanvi.sarkar@amazon.com",
            "Name": "Saanvi Sarkar",
            "PhoneNumber": "+1(206)555-0123",
            "Title": "CFO"
        }
    }

The following example sets a new Operations alternate contact for the caller's account.

    $ aws account put-alternate-contact \
        --alternate-contact-type=OPERATIONS \
        --email-address=mateo_jackson@amazon.com \
        --name="Mateo Jackson" \
        --phone-number="+1(206)555-1234" \
        --title="Operations Manager"

This command produces no output if it's successful.

The following example also sets the Operations alternate contact, but this time for the specified member account in an organization. The credentials used must be from either the organization's management account or the delegated admin account for Account Management.

    $ aws account put-alternate-contact \
        --account-id 123456789012 \
        --alternate-contact-type=OPERATIONS \
        --email-address=mateo_jackson@amazon.com \
        --name="Mateo Jackson" \
        --phone-number="+1(206)555-1234" \
        --title="Operations Manager"

This command produces no output if it's successful.

Note

If you perform multiple PutAlternateContact operations on the same AWS account and the same contact type, the first adds the new contact, and all successive calls to the same AWS account and contact type update the existing contact.

The following example deletes the Security alternate contact for the caller's account.

    $ aws account delete-alternate-contact \
        --alternate-contact-type=SECURITY

This command produces no output if it's successful.

Note

If you try to delete the same contact more than once, the first succeeds silently. All later attempts generate a ResourceNotFound exception.

The following example also deletes the Security alternate contact, but this time for the specified member account in an organization. The credentials used must be from either the organization's management account or the delegated admin account for Account Management.

    $ aws account delete-alternate-contact \
        --account-id 123456789012 \
        --alternate-contact-type=SECURITY

This command produces no output if it's successful.
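The get-alternate-contact call in organizations context, the ResourceNotFound behaviour noted above, and the best practice of using a company mailbox rather than an individual's all matter when you check that every member account has a usable Security contact (the address AWS uses for security notifications). The following Python script is an added example, not code from the AWS documentation. It uses the boto3 "account" client's get_alternate_contact with AccountId, so a live run needs credentials from the management account or the delegated admin account for Account Management, with trusted access enabled for the Account service. The audit function takes the client as a parameter, so it runs offline against the constructed stub client and sample contacts included in the script; CORPORATE_DOMAINS, StubAccountClient, SAMPLE_CONTACTS and the account ids are this example's own placeholders.

```python
"""Audit the SECURITY alternate contact of organization member accounts.

Added example; not code from the AWS documentation. A missing contact is
reported when the service raises ResourceNotFoundException; a contact whose
email is outside the corporate domains, or that lacks a phone number, is
reported as a weak contact. The boto3 client is injected so the logic can be
exercised offline with the constructed stub below."""
from dataclasses import dataclass

# Constructed placeholder: the domains your organization's role mailboxes use.
CORPORATE_DOMAINS = ("example.com",)


@dataclass(frozen=True)
class Finding:
    account_id: str
    issue: str


def audit_security_contacts(client, account_ids, corporate_domains=CORPORATE_DOMAINS):
    """Return one Finding per problem found across the given member accounts."""
    findings = []
    for account_id in account_ids:
        try:
            # AccountId present => organizations context (management or
            # delegated admin credentials required, trusted access enabled).
            resp = client.get_alternate_contact(
                AccountId=account_id, AlternateContactType="SECURITY")
        except client.exceptions.ResourceNotFoundException:
            findings.append(Finding(account_id, "no SECURITY alternate contact set"))
            continue
        contact = resp["AlternateContact"]
        email = contact.get("EmailAddress", "")
        domain = email.rpartition("@")[2].lower()
        if domain not in corporate_domains:
            findings.append(Finding(
                account_id, f"SECURITY contact email {email} is not on a corporate domain"))
        if not contact.get("PhoneNumber"):
            findings.append(Finding(account_id, "SECURITY contact has no phone number"))
    return findings


class _StubExceptions:
    class ResourceNotFoundException(Exception):
        pass


class StubAccountClient:
    """Constructed stand-in for boto3.client("account"); only the one
    operation and the one error the audit relies on are modelled."""
    exceptions = _StubExceptions

    def __init__(self, contacts):
        self._contacts = contacts  # {(account_id, contact_type): AlternateContact}

    def get_alternate_contact(self, AccountId, AlternateContactType):
        try:
            return {"AlternateContact": self._contacts[(AccountId, AlternateContactType)]}
        except KeyError:
            raise self.exceptions.ResourceNotFoundException(
                f"no {AlternateContactType} contact for {AccountId}") from None


# Constructed sample data for three member accounts; 333333333333 has none.
SAMPLE_CONTACTS = {
    ("111111111111", "SECURITY"): {
        "AlternateContactType": "SECURITY", "Name": "Security Team",
        "EmailAddress": "security-team@example.com",
        "PhoneNumber": "+1(206)555-0100", "Title": "Security Operations"},
    ("222222222222", "SECURITY"): {
        "AlternateContactType": "SECURITY", "Name": "Someone",
        "EmailAddress": "someone@personal-mail.example",
        "PhoneNumber": "", "Title": "Engineer"},
}


def run_stub_audit():
    client = StubAccountClient(SAMPLE_CONTACTS)
    return audit_security_contacts(
        client, ["111111111111", "222222222222", "333333333333"])


if __name__ == "__main__":
    import sys
    if "--live" in sys.argv:
        import boto3  # live run: management or delegated-admin credentials
        ids = sys.argv[sys.argv.index("--live") + 1:]
        findings = audit_security_contacts(boto3.client("account"), ids)
    else:
        findings = run_stub_audit()
    for f in findings:
        print(f"{f.account_id}: {f.issue}")
```

Run without arguments to see the three findings produced by the stub data; run with `--live 111111111111 222222222222 ...` (your own member account ids) to query the service. Catching client.exceptions.ResourceNotFoundException rather than a generic exception keeps AccessDenied errors visible, which is what you want when a caller that is neither the management account nor the delegated admin tries to read another account's contacts.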