Maintain Current AWS Account Contact Details

Overview

This check verifies that your AWS account has up-to-date contact information for the primary contact and all three alternate contact types: Security, Billing, and Operations. AWS uses these contacts to communicate important account-related information, security alerts, and billing notifications.

Risk

If your account contact details are outdated or missing:

  • Delayed incident response: You may miss critical security notifications from AWS, slowing your ability to respond to threats.
  • Account recovery difficulties: Outdated contact information can complicate account recovery if access is lost.
  • Service interruptions: AWS may throttle services during abuse mitigation if they cannot reach you.
  • Missed billing alerts: You might not receive important billing notifications, leading to unexpected charges.

Remediation Steps

Prerequisites

You need access to the AWS Console with permissions to view and edit account settings. Specifically, you need:

  • account:GetContactInformation and account:PutContactInformation for the primary contact
  • account:GetAlternateContact and account:PutAlternateContact for the alternate contacts

AWS Console Method

Update Primary Contact Information

  1. Sign in to the AWS Management Console.
  2. Click your account name in the top-right corner, then select Account.
  3. Scroll down to the Contact information section.
  4. Click Edit next to "Contact information".
  5. Update the following fields with current information:
    • Full name
    • Company name (if applicable)
    • Address
    • Phone number (must be able to receive SMS)
    • Website URL (optional)
  6. Click Update to save your changes.

Update Alternate Contacts

  1. On the same Account page, scroll down to Alternate contacts.

  2. Click Edit next to "Alternate contacts".

  3. Fill in details for all three contact types:

    Contact Type    Purpose
    Billing         Receives billing-related notifications and invoices
    Operations      Receives operational issues and maintenance notifications
    Security        Receives security alerts and vulnerability notifications

  4. For each contact, provide:

    • Name
    • Title
    • Email address
    • Phone number
  5. Click Update to save your changes.

Best Practice: Use team email distribution lists (e.g., security-team@example.com) instead of individual email addresses. This ensures notifications reach the right people even when team members change.

AWS CLI (optional)

Update Primary Contact

aws account put-contact-information \
  --region us-east-1 \
  --contact-information '{
    "FullName": "<Your Name>",
    "CompanyName": "<Your Company>",
    "AddressLine1": "<Street Address>",
    "City": "<City>",
    "StateOrRegion": "<State>",
    "PostalCode": "<ZIP Code>",
    "CountryCode": "US",
    "PhoneNumber": "+1<PhoneNumber>",
    "WebsiteUrl": "https://www.example.com"
  }'

Update Alternate Contacts

Security Contact:

aws account put-alternate-contact \
  --region us-east-1 \
  --alternate-contact-type SECURITY \
  --name "<Security Contact Name>" \
  --title "Security Lead" \
  --email-address "security-team@example.com" \
  --phone-number "+12025550100"

Billing Contact:

aws account put-alternate-contact \
  --region us-east-1 \
  --alternate-contact-type BILLING \
  --name "<Billing Contact Name>" \
  --title "Finance Manager" \
  --email-address "billing@example.com" \
  --phone-number "+12025550101"

Operations Contact:

aws account put-alternate-contact \
  --region us-east-1 \
  --alternate-contact-type OPERATIONS \
  --name "<Operations Contact Name>" \
  --title "Operations Manager" \
  --email-address "ops-team@example.com" \
  --phone-number "+12025550102"

Verify Current Contact Information

# View primary contact
aws account get-contact-information --region us-east-1

# View alternate contacts
aws account get-alternate-contact --region us-east-1 --alternate-contact-type SECURITY
aws account get-alternate-contact --region us-east-1 --alternate-contact-type BILLING
aws account get-alternate-contact --region us-east-1 --alternate-contact-type OPERATIONS

Terraform (optional)

Primary Contact Resource

resource "aws_account_primary_contact" "main" {
  full_name       = "Your Name"
  company_name    = "Your Company"
  address_line_1  = "123 Any Street"
  city            = "Seattle"
  state_or_region = "WA"
  postal_code     = "98101"
  country_code    = "US"
  phone_number    = "+12025550100"
  website_url     = "https://www.example.com"
}

Alternate Contact Resources

resource "aws_account_alternate_contact" "security" {
  alternate_contact_type = "SECURITY"
  name                   = "Security Team"
  title                  = "Security Lead"
  email_address          = "security-team@example.com"
  phone_number           = "+12025550100"
}

resource "aws_account_alternate_contact" "billing" {
  alternate_contact_type = "BILLING"
  name                   = "Finance Team"
  title                  = "Finance Manager"
  email_address          = "billing@example.com"
  phone_number           = "+12025550101"
}

resource "aws_account_alternate_contact" "operations" {
  alternate_contact_type = "OPERATIONS"
  name                   = "Operations Team"
  title                  = "Operations Manager"
  email_address          = "ops-team@example.com"
  phone_number           = "+12025550102"
}

For AWS Organizations (Member Accounts)

To manage contacts for member accounts from the management account:

resource "aws_account_alternate_contact" "member_security" {
  account_id             = "123456789012" # Member account ID
  alternate_contact_type = "SECURITY"
  name                   = "Security Team"
  title                  = "Security Lead"
  email_address          = "security-team@example.com"
  phone_number           = "+12025550100"
}

CloudFormation (optional)

AWS CloudFormation does not currently have native resources for managing account contact information. Use one of the following alternatives:

  1. AWS CLI in a custom resource or script
  2. Terraform with the AWS provider
  3. AWS SDK in a Lambda-backed custom resource

Example Lambda-backed custom resource approach:

AWSTemplateFormatVersion: '2010-09-09'
Description: Custom resource to manage account contacts

Resources:
  ContactManagerRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
      Policies:
        - PolicyName: AccountContactManagement
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - account:PutAlternateContact
                  - account:GetAlternateContact
                  - account:PutContactInformation
                  - account:GetContactInformation
                Resource: '*'

  # Note: You would need to implement a Lambda function that uses
  # the AWS SDK to call put-alternate-contact and put-contact-information

Verification

After updating your contact information:

  1. Return to the Account page in the AWS Console.
  2. Verify that Contact information shows your current details.
  3. Verify that Alternate contacts shows valid entries for Security, Billing, and Operations.
  4. Send a test email to each alternate contact address to confirm they are monitored.

CLI Verification

# Verify primary contact
aws account get-contact-information --region us-east-1

# Verify all alternate contacts exist
aws account get-alternate-contact --region us-east-1 --alternate-contact-type SECURITY
aws account get-alternate-contact --region us-east-1 --alternate-contact-type BILLING
aws account get-alternate-contact --region us-east-1 --alternate-contact-type OPERATIONS
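
The three alternate-contact lookups above, wrapped into one pass/fail audit that separates "contact not set" from other lookup failures. This is an added example, not part of the original page or of Prowler; the function name, output format and return codes are assumptions, and the optional second argument passes the CLI's --account-id option, which only works when called from the organization's management account.

```bash
#!/usr/bin/env bash
# Added example, not from the original page.
# Usage: audit_alternate_contacts [region] [member-account-id]
# Returns 0 if all three contacts are set, 1 if any is missing,
# 2 if a lookup failed for another reason (e.g. access denied).
audit_alternate_contacts() {
  local region="${1:-us-east-1}" account_id="${2:-}"
  local rc=0 type email errfile
  errfile=$(mktemp)

  # Common arguments; --account-id is added only for member-account audits.
  set -- --region "$region"
  if [ -n "$account_id" ]; then
    set -- "$@" --account-id "$account_id"
  fi

  for type in SECURITY BILLING OPERATIONS; do
    if email=$(aws account get-alternate-contact "$@" \
        --alternate-contact-type "$type" \
        --query 'AlternateContact.EmailAddress' \
        --output text 2>"$errfile"); then
      echo "PASS $type: $email"
    elif grep -q 'ResourceNotFoundException' "$errfile"; then
      # The API reports an unset contact as an error, not an empty result.
      echo "FAIL $type: not configured"
      [ "$rc" -eq 2 ] || rc=1
    else
      # Anything else (permissions, throttling) means the state is unknown.
      echo "ERROR $type: $(tr '\n' ' ' <"$errfile")"
      rc=2
    fi
  done

  rm -f "$errfile"
  return "$rc"
}
```

Call audit_alternate_contacts from a scheduled job and alert on any non-zero return; a return of 2 means the check itself could not run and should not be read as a pass or a fail.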

Re-run the Prowler check to confirm remediation:

prowler aws --checks account_maintain_current_contact_details

Notes

  • Phone number format: Primary contact phone numbers must be able to receive SMS and should not include hyphens or spaces (e.g., +12025550100). Alternate contact phone numbers can include formatting characters like +, -, (, ), and spaces.
  • Email distribution lists: AWS strongly recommends using team distribution lists rather than individual email addresses to avoid single points of failure.
  • AWS Organizations: If your account is part of an AWS Organization, the management account can centrally manage contact information for all member accounts. This requires enabling trusted access for the Account Management service.
  • Regular reviews: Schedule periodic reviews (quarterly recommended) to ensure contact information remains current, especially after organizational changes.
  • Protect contact information: Treat contact details as sensitive data since they can be used in account recovery processes.