Updating the root user email address for a member account - AWS Organizations

Updating the root user email address for a member account

For increased security and administrative resilience, IAM principals in the management account (that have the necessary IAM permissions) can centrally update a root user email address (also referred to as the primary email address) for any of their member accounts without having to sign into each account individually. This gives administrators in the management account (or in a delegated administrator account) more control over their member accounts. It also ensures that root user email addresses from any member accounts across your AWS Organizations can be kept up to date, even when you may have lost access to the original root user email address or administrative credentials.

When the root user email address is changed centrally by a management account administrator, both the password and MFA configuration will remain the same as they were before the change. Note that MFA can be bypassed by a user with control of an account’s root user email address and primary contact phone number.

To update the root user email address of a member account in your organization, your organization must have previously enabled all features mode. Organizations in consolidated billing mode, and accounts that are not part of an organization, cannot update their root user email address centrally. Users who want to change the root user email address for accounts that are unsupported by the API should continue to use the Billing Console to manage their root user email address.

How to centrally update the root user email address for a member account

Use the following procedure to update the root user email address.

AWS Management Console
Notes
  • To perform this procedure from the management account or a delegated admin account in an organization against member accounts, you must enable trusted access for the Account Management service.

  • You can't use this procedure to access an account in a different organization from the one you're using to call the operation.

To update the root user email address for a member account using the AWS Organizations console
  1. Sign in to the AWS Organizations console as the root user of the management account in your organization (or as an IAM principal with equivalent permissions).

  2. On the AWS accounts page, choose the member account for which you want to update the root user email address.

  3. In the Account details section, choose the Actions button, and then choose Update email address.

  4. Under Email, enter the new email address for the root user, and then choose Save. This sends a one-time password (OTP) to the new email address.

    Note

    If you need to close this page in the Organizations console while you wait for the code, you can return and finish the OTP process within 24 hours from when the code was sent. To do this, while on the Account details page, choose the Actions button, and then choose Complete email update.

  5. Under Verification code, enter the code that was sent to the new email address in the previous step, and then choose Confirm. This commits the update to the root user email address for the account.

AWS CLI & AWS SDKs

You can retrieve or update the root user email address (also referred to as the primary email address) by using the following AWS CLI commands or their AWS SDK equivalent operations:

Notes
  • To perform these operations from the management account or a delegated admin account in an organization against member accounts, you must enable trusted access for the Account Management service.

  • You can't access an account in a different organization from the one you're using to call the operation.

Minimum permissions

For each operation, you must have the permission that maps to that operation:

  • account:GetPrimaryEmail

  • account:StartPrimaryEmailUpdate

  • account:AcceptPrimaryEmailUpdate

If you use these individual permissions, you can grant some users the ability to only read the root user email address information, and grant others the ability to both read and write.

To complete the root user email update process, you must use the primary email APIs together in the order they are shown in the examples below.

Example GetPrimaryEmail

The following example retrieves the root user email address from the specified member account in an organization. The credentials used must be from either the organization's management account or the delegated administrator account for Account Management.

$ aws account get-primary-email --account-id 123456789012

Example StartPrimaryEmailUpdate

The following example starts the root user email address update process, identifies the new email address, and sends a one-time password (OTP) to the new email address for the specified member account in an organization. The credentials used must be from either the organization's management account or the delegated administrator account for Account Management.

$ aws account start-primary-email-update --account-id 123456789012 --primary-email john@examplecorp.com

Example AcceptPrimaryEmailUpdate

The following example accepts the OTP code and sets the new email address on the specified member account in an organization. The credentials used must be from either the organization's management account or the delegated administrator account for Account Management.

$ aws account accept-primary-email-update --account-id 123456789012 --otp 12345678 --primary-email john@examplecorp.com
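The three commands above (and the two console steps that mirror them) only do what you want when run in order, against the right account, with the OTP that was actually delivered. The following script is an added example, not code from the AWS documentation or the AWS CLI project: it wraps the GetPrimaryEmail, StartPrimaryEmailUpdate and AcceptPrimaryEmailUpdate calls into a two-step flow that refuses a malformed or unchanged address, reports the previous address for the change record, and reads the address back after acceptance so the run only claims success when the member account really shows the new root user email. It assumes the `aws` CLI is on PATH and configured with management-account or Account Management delegated-administrator credentials, that trusted access for Account Management is enabled, and that GetPrimaryEmail returns its value in a `PrimaryEmail` response field (selected with `--query`). The member account ID 123456789012 is the one used on this page; the address newadmin@examplecorp.com in the usage line is a constructed sample.

```shell
#!/bin/sh
# Added example, not AWS's own code: drive the GetPrimaryEmail ->
# StartPrimaryEmailUpdate -> AcceptPrimaryEmailUpdate sequence for one member
# account, with the checks an operator wants around it.
# Assumptions: `aws` is configured with credentials from the organization's
# management account or the Account Management delegated administrator
# account; trusted access for Account Management is enabled; GetPrimaryEmail
# returns the address in a `PrimaryEmail` field (assumed name, used by --query).
set -eu

# Read the current root user email address of the member account as plain text.
current_root_email() {
  aws account get-primary-email \
    --account-id "$1" \
    --query PrimaryEmail --output text
}

# Step 1: sanity-check the new address, compare it with the current one, and
# ask AWS to send the OTP to the new address. Nothing changes on the account
# until the OTP is accepted.
start_root_email_update() {
  account_id=$1
  new_email=$2
  case $new_email in
    *@*.*) ;;
    *) echo "refusing: '$new_email' does not look like an email address" >&2
       return 2 ;;
  esac
  current=$(current_root_email "$account_id")
  if [ "$current" = "$new_email" ]; then
    echo "no change: root email of $account_id is already $new_email" >&2
    return 3
  fi
  aws account start-primary-email-update \
    --account-id "$account_id" \
    --primary-email "$new_email" >/dev/null || {
      echo "StartPrimaryEmailUpdate failed for $account_id" >&2
      return 4
    }
  echo "OTP sent to $new_email (previous root email: $current); complete within 24 hours"
}

# Step 2: submit the OTP, then read the address back so the run only reports
# success when the account really shows the new root user email.
accept_root_email_update() {
  account_id=$1
  new_email=$2
  otp=$3
  aws account accept-primary-email-update \
    --account-id "$account_id" \
    --primary-email "$new_email" \
    --otp "$otp" >/dev/null || {
      echo "AcceptPrimaryEmailUpdate rejected for $account_id (wrong or expired OTP?)" >&2
      return 5
    }
  after=$(current_root_email "$account_id")
  if [ "$after" != "$new_email" ]; then
    echo "verification failed: $account_id reads back $after, expected $new_email" >&2
    return 6
  fi
  echo "root user email of $account_id is now $after"
}

# Interactive driver: run both steps, prompting for the OTP in between.
# Usage: sh update-root-email.sh 123456789012 newadmin@examplecorp.com
main() {
  start_root_email_update "$1" "$2"
  printf 'Enter the OTP delivered to %s: ' "$2"
  read -r otp
  accept_root_email_update "$1" "$2" "$otp"
}

if [ "$#" -ge 2 ]; then
  main "$@"
fi
```

Because the OTP is only valid for 24 hours, the two steps are separate functions: if the person who receives the code is not the person running the script, `accept_root_email_update` can be run later on its own with the same account ID and address. The read-back after acceptance is deliberate; the CLI reporting a successful call and the account actually carrying the new address are two different facts.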