Update the primary and alternate contact information
You can store contact information about the primary account contact for your AWS account.
You can also add or edit contact information for the following alternate account contacts:
- Billing – The alternate billing contact receives billing-related notifications, such as invoice availability notifications.
- Operations – The alternate operations contact receives operations-related notifications.
- Security – The alternate security contact receives security-related notifications, including notifications from the AWS Abuse Team.
Accessing or updating the primary account contact
To edit your AWS account's primary contact details, perform the steps in the following procedure.
Accessing or updating the alternate contacts
You can update alternate contacts for accounts within your organization from the AWS Organizations console, or programmatically with the AWS CLI or AWS SDKs. You can use the organization's management account to view and edit account settings for any account in your organization. The primary account holder continues to receive all email communications sent to the root user's email address.
How you add or edit alternate contacts depends on whether the account is standalone or part of an organization:
- Standalone AWS accounts – For an account that is not a member of an organization, you update its alternate contacts from within that account using the AWS Management Console, the AWS CLI, or the AWS SDKs. To learn how, see Update standalone AWS account alternate contacts.
- AWS accounts within an organization – A user in the management account can update any account in the organization from the AWS Organizations console, or programmatically with the AWS CLI or AWS SDKs. To learn how, see Update AWS account alternate contacts in your organization.
Understanding API modes of operation
The API operations that work with an AWS account's alternate contacts always run in one of two modes of operation:
- Standalone context – used when a user or role in an account accesses or changes an alternate contact in that same account. Standalone context is selected automatically when you omit the AccountId parameter from an Account Management AWS CLI or AWS SDK operation.
- Organizations context – used when a user or role in one account of an organization accesses or changes an alternate contact in a different member account of the same organization. Organizations context is selected automatically when you include the AccountId parameter. You can call operations in this mode only from the organization's management account or from the delegated admin account for Account Management.
The AWS CLI and AWS SDK operations can run in either standalone or organizations context:
- If you don't include the AccountId parameter, the operation runs in standalone context and applies the request to the account you used to make the request. This is true whether or not the account is a member of an organization.
- If you do include the AccountId parameter, the operation runs in organizations context and works on the specified Organizations account.
  - If the calling account is the management account or the delegated admin account for the Account Management service, you can specify any member account of that organization in the AccountId parameter.
  - The only account in an organization that can call an alternate contact operation and specify its own account number in the AccountId parameter is the delegated admin account for the Account Management service. Any other account, including the management account, receives an AccessDenied exception.
- If you run an operation in standalone mode, you must be permitted by an IAM policy whose Resource element is either "*" (all resources) or an ARN in the standalone account format.
- If you run an operation in organizations mode, you must be permitted by an IAM policy whose Resource element is either "*" or an ARN in the format for a member account in an organization.
Granting permissions to update alternate contacts
As with most AWS operations, you grant permissions to add, update, or delete alternate contacts for AWS accounts by using IAM permission policies. When you attach an IAM permission policy to an IAM principal (either a user or role), you specify which actions that principal can perform on which resources, and under what conditions.
The following are some Account Management specific considerations for creating a permissions policy.
Amazon Resource Name format for AWS accounts
- The Amazon Resource Name (ARN) for an AWS account that you can include in the Resource element of a policy statement is constructed differently depending on whether the account you reference is a standalone account or an account in an organization. See the previous section, Understanding API modes of operation.
  - An account ARN for a standalone account: arn:aws:account::{AccountId}:account
    You must use this format when you run an alternate contacts operation in standalone mode, that is, without the AccountId parameter.
  - An account ARN for a member account in an organization: arn:aws:account::{ManagementAccountId}:account/o-{OrganizationId}/{AccountId}
    You must use this format when you run an alternate contacts operation in organizations mode, that is, with the AccountId parameter.
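The following is an added example, not code from the AWS documentation, that ties the two sections above together: it derives the ARN an alternate-contact request is authorized against from whether AccountId is present, encodes the caller rules for organizations context, and runs a deliberately minimal stand-in for IAM (Action and Resource matching only; no conditions, no SCPs) to show that a policy scoped to the organizations-format ARN does not cover a standalone-context call made by that same member account. The account and organization IDs and all function names are constructed for illustration.

```python
"""Which account ARN an alternate-contact request is authorized against.

Added example; not code from the AWS documentation. ``policy_allows`` is a
simplified model of IAM (Action + Resource only) and the IDs are made up.
"""
import fnmatch
from typing import Optional


def request_resource_arn(caller: str, account_id: Optional[str] = None,
                         management_account: Optional[str] = None,
                         org_id: Optional[str] = None) -> str:
    """ARN the request is evaluated against.

    No AccountId -> standalone context:     arn:aws:account::{caller}:account
    AccountId    -> organizations context:  arn:aws:account::{mgmt}:account/{org}/{AccountId}
    """
    if account_id is None:
        return f"arn:aws:account::{caller}:account"
    if not (management_account and org_id):
        raise ValueError("organizations context needs the management account and org IDs")
    return f"arn:aws:account::{management_account}:account/{org_id}/{account_id}"


def service_accepts_caller(caller: str, account_id: Optional[str],
                           management_account: str, delegated_admin: Optional[str]) -> bool:
    """Service-side rule for organizations context, independent of IAM:
    only the management account or the Account Management delegated admin
    may pass AccountId, and only the delegated admin may pass its own ID."""
    if account_id is None:
        return True  # standalone context always acts on the caller's own account
    if caller not in {management_account, delegated_admin}:
        return False
    if account_id == caller:
        return caller == delegated_admin
    return True


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def policy_allows(policy: dict, action: str, resource_arn: str) -> bool:
    """Explicit Deny wins; otherwise some Allow must match both action and resource."""
    allowed = False
    for st in policy["Statement"]:
        act_ok = any(fnmatch.fnmatchcase(action, a) for a in _as_list(st["Action"]))
        res_ok = any(fnmatch.fnmatchcase(resource_arn, r) for r in _as_list(st["Resource"]))
        if act_ok and res_ok:
            if st["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


# Constructed IDs: management account, organization, one member account.
MGMT, ORG, MEMBER = "123456789012", "o-aa111bb222", "111111111111"
ACTION = "account:GetAlternateContact"

# Policy scoped only to the organizations-format ARN of MEMBER.
ORG_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ACTION,
        "Resource": f"arn:aws:account::{MGMT}:account/{ORG}/{MEMBER}",
    }],
}


def org_context_from_mgmt() -> bool:
    """Management account reads MEMBER with AccountId set: the ARN matches."""
    arn = request_resource_arn(MGMT, MEMBER, MGMT, ORG)
    return service_accepts_caller(MGMT, MEMBER, MGMT, None) and policy_allows(ORG_ONLY_POLICY, ACTION, arn)


def standalone_from_member() -> bool:
    """MEMBER reads its own contact without AccountId: different ARN format, no match."""
    return policy_allows(ORG_ONLY_POLICY, ACTION, request_resource_arn(MEMBER))


def standalone_with_both_formats() -> bool:
    """Listing the standalone-format ARN as well (or using "*") fixes the previous case."""
    policy = {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ACTION,
            "Resource": [
                f"arn:aws:account::{MGMT}:account/{ORG}/{MEMBER}",
                f"arn:aws:account::{MEMBER}:account",
            ],
        }],
    }
    return policy_allows(policy, ACTION, request_resource_arn(MEMBER))


if __name__ == "__main__":
    print("mgmt -> member (org context):  ", org_context_from_mgmt())
    print("member on itself (standalone): ", standalone_from_member())
    print("member with both ARN formats:  ", standalone_with_both_formats())
    print("mgmt passing its own AccountId:", service_accepts_caller(MGMT, MGMT, MGMT, None))
```

The middle case is the one that surprises people: the same member account appears in two ARN shapes, and a policy written for the Organizations console path will not authorize an engineer who runs `get-alternate-contact` from inside that account without --account-id. Whether the service even accepts an AccountId from a given caller is a separate check from IAM, which is why the example keeps it in its own function.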
Context keys for IAM policies
The Account Management service also provides several service-specific condition keys that give fine-grained control over the permissions you grant.
account:AlternateContactTypes
The context key account:AlternateContactTypes lets you specify which of the three alternate contact types (BILLING, OPERATIONS, or SECURITY) the IAM policy allows or denies. For example, the following IAM permission policy uses this condition key to allow the attached principals to retrieve, but not modify, only the BILLING alternate contact for a specific account in an organization. Because account:AlternateContactTypes is a multi-valued string type, you must use the ForAnyValue or ForAllValues multi-value string operators.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "account:GetAlternateContact",
            "Resource": [
                "arn:aws:account::123456789012:account/o-aa111bb222/111111111111"
            ],
            "Condition": {
                "ForAnyValue:StringEquals": {
                    "account:AlternateContactTypes": [
                        "BILLING"
                    ]
                }
            }
        }
    ]
}
account:AccountResourceOrgPaths
The context key account:AccountResourceOrgPaths lets you specify a path through your organization's hierarchy to a specific organizational unit (OU). Only member accounts contained by that OU match the condition. The following example snippet restricts the policy to accounts in either of two specified OUs. Because account:AccountResourceOrgPaths is a multi-valued string type, you must use the ForAnyValue or ForAllValues multi-value string operators. Also note that the prefix on the condition key is account, even though you're referencing paths to OUs in an organization.
"Condition": {
    "ForAnyValue:StringLike": {
        "account:AccountResourceOrgPaths": [
            "o-aa111bb222/r-a1b2/ou-a1b2-f6g7h111/*",
            "o-aa111bb222/r-a1b2/ou-a1b2-f6g7h222/*"
        ]
    }
}
account:AccountResourceOrgTags
The context key account:AccountResourceOrgTags lets you reference the tags attached to an account in an organization. A tag is a key/value string pair that you can use to categorize and label the resources in your account. For more information about tagging, see Tag Editor in the AWS Resource Groups User Guide. For information about using tags as part of an attribute-based access control strategy, see What is ABAC for AWS in the IAM User Guide. The following example snippet restricts the policy to accounts in an organization that have the tag key project with a value of either blue or red. Because account:AccountResourceOrgTags is a multi-valued string type, you must use the ForAnyValue or ForAllValues multi-value string operators. Also note that the prefix on the condition key is account, even though you're referencing the tags on an organization's member account.
"Condition": {
    "ForAnyValue:StringLike": {
        "account:AccountResourceOrgTags/project": [
            "blue",
            "red"
        ]
    }
}
You can attach tags only to an account in an organization. You can't attach tags to a standalone AWS account.
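The following is an added example, not code from the AWS documentation, covering the three condition keys described above. It evaluates the page's three Condition snippets against a constructed request context (the member account's OU path and tags, which IAM fills in from Organizations on a real call), using a small model of the ForAnyValue/ForAllValues set operators with StringEquals and StringLike. The OU path value format with a trailing slash, the account and OU identifiers, and the function names are assumptions made for illustration; the ForAllValues behaviour on an absent key is an IAM rule the page does not state.

```python
"""Evaluate the Account Management condition keys against a request context.

Added example; not code from the AWS documentation. Request contexts and
identifiers are constructed; only ForAnyValue/ForAllValues with
StringEquals/StringLike are modelled.
"""
import fnmatch


def _match(operator: str, pattern: str, value: str) -> bool:
    """StringEquals is exact; StringLike accepts * and ? wildcards."""
    if operator == "StringEquals":
        return pattern == value
    if operator == "StringLike":
        return fnmatch.fnmatchcase(value, pattern)
    raise ValueError(f"unsupported operator {operator}")


def condition_matches(condition: dict, context: dict) -> bool:
    """Return True when every clause of an IAM Condition block matches.

    context maps a condition key to the list of values present in the request.
    ForAnyValue: some request value matches some pattern (absent key -> False).
    ForAllValues: every request value matches some pattern; an absent key
    matches vacuously (IAM rule, not from this page), which is why ForAllValues
    belongs in Deny statements or next to a Null check rather than in an Allow.
    """
    for qualified, key_map in condition.items():
        set_op, _, op = qualified.partition(":")
        if set_op not in ("ForAnyValue", "ForAllValues"):
            raise ValueError("these keys are multi-valued; use a set operator")
        for key, patterns in key_map.items():
            pats = [patterns] if isinstance(patterns, str) else patterns
            values = context.get(key, [])
            if set_op == "ForAnyValue":
                ok = any(_match(op, p, v) for v in values for p in pats)
            else:
                ok = all(any(_match(op, p, v) for p in pats) for v in values)
            if not ok:
                return False
    return True


# The three conditions from the page, as written there.
BILLING_ONLY = {"ForAnyValue:StringEquals": {"account:AlternateContactTypes": ["BILLING"]}}
TWO_OUS = {"ForAnyValue:StringLike": {"account:AccountResourceOrgPaths": [
    "o-aa111bb222/r-a1b2/ou-a1b2-f6g7h111/*",
    "o-aa111bb222/r-a1b2/ou-a1b2-f6g7h222/*"]}}
PROJECT_TAG = {"ForAnyValue:StringLike": {"account:AccountResourceOrgTags/project": ["blue", "red"]}}


def context_for(contact_type: str, org_path: str, tags: dict) -> dict:
    """Constructed request context for an organizations-context call."""
    ctx = {"account:AlternateContactTypes": [contact_type],
           "account:AccountResourceOrgPaths": [org_path]}
    for key, value in tags.items():
        ctx[f"account:AccountResourceOrgTags/{key}"] = [value]
    return ctx


# Constructed: member account in a child OU below ou-a1b2-f6g7h111 (trailing-slash path format assumed).
NESTED = "o-aa111bb222/r-a1b2/ou-a1b2-f6g7h111/ou-a1b2-f6g7h333/"
ROOT_LEVEL = "o-aa111bb222/r-a1b2/"


def billing_read_allowed() -> bool:
    return condition_matches(BILLING_ONLY, context_for("BILLING", NESTED, {"project": "blue"}))


def security_read_allowed() -> bool:
    """Same policy, SECURITY contact requested: condition fails."""
    return condition_matches(BILLING_ONLY, context_for("SECURITY", NESTED, {"project": "blue"}))


def nested_ou_matches() -> bool:
    """The trailing * covers accounts in OUs nested below the named OU."""
    return condition_matches(TWO_OUS, context_for("BILLING", NESTED, {}))


def root_level_account_matches() -> bool:
    """An account directly under the root is outside both OUs."""
    return condition_matches(TWO_OUS, context_for("BILLING", ROOT_LEVEL, {}))


def untagged_account_matches() -> bool:
    """ForAnyValue with no project tag on the account: no match."""
    return condition_matches(PROJECT_TAG, context_for("BILLING", NESTED, {}))


def for_all_values_untagged() -> bool:
    """The same tag condition under ForAllValues matches an untagged account vacuously."""
    cond = {"ForAllValues:StringLike": PROJECT_TAG["ForAnyValue:StringLike"]}
    return condition_matches(cond, context_for("BILLING", NESTED, {}))
```

The last two functions are the practical check: ForAnyValue is the right operator for an Allow statement keyed on tags or OU paths, because an untagged account (or one moved out of every matching OU) then simply fails to match, whereas ForAllValues would quietly grant access.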
Update standalone AWS account alternate contacts
To edit your AWS account's alternate contact details, perform the steps in the following procedure.
The AWS Management Console procedure below always works in the standalone context only. From the AWS Management Console you can access or change only the alternate contacts of the account you signed in to.
Update AWS account alternate contacts in your organization
To edit the alternate contact details of an account in your organization, perform the steps in the following procedure.
Requirements
To update alternate contacts with the AWS Organizations console, complete the following prerequisites:
- Your organization must have all features enabled so that you can manage settings on member accounts. This gives the management account administrative control over the member accounts. All features is the default when you create an organization. If your organization supports only consolidated billing and you want to enable all features, see Enabling all features in your organization.
- You must enable trusted access for the AWS Account Management service. To set this up, see Enabling trusted access for AWS Account Management.
The AWS Organizations managed policies AWSOrganizationsReadOnlyAccess and AWSOrganizationsFullAccess have been updated to grant permission to call the AWS Account Management APIs, so that you can access account data from the AWS Organizations console. To view the updated managed policies, see Updates to Organizations AWS managed policies.
If you try to delete the same contact more than once, the first attempt succeeds silently. All later attempts generate a ResourceNotFound exception.