Maintain Different Contact Details for Security, Billing, and Operations

Overview

This check verifies that your AWS account has three distinct alternate contacts configured: Billing, Operations, and Security. Each contact must have unique details (name, email, and phone number) that differ from the other contacts and from your root account contact.

Alternate contacts allow AWS to reach the right people for specific issues. For example, AWS sends security alerts to the Security contact and billing notifications to the Billing contact.

Risk

If your AWS account lacks separate alternate contacts, or if contacts share the same details:

  • Delayed incident response: AWS security alerts may not reach your security team promptly
  • Missed billing issues: Billing anomalies or payment problems may go unnoticed
  • Operational blind spots: Infrastructure issues reported by AWS may not reach the right people
  • Single point of failure: If one person handles all contacts and becomes unavailable, critical communications are missed

Remediation Steps

Prerequisites

You need access to the AWS Console with permissions to manage account settings. Specifically, you need the account:PutAlternateContact permission.

Required IAM permissions (for administrators)

To manage alternate contacts, the IAM user or role needs these permissions:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "account:GetAlternateContact",
        "account:PutAlternateContact",
        "account:DeleteAlternateContact"
      ],
      "Resource": "*"
    }
  ]
}

AWS Console Method

  1. Sign in to the AWS Management Console

  2. Click your account name in the top-right corner, then select Account

  3. Scroll down to the Alternate contacts section

  4. Click Edit next to "Alternate contacts"

  5. Fill in the details for each contact type:

    Billing contact

    • Name: Enter a unique name or team name (e.g., "Finance Team")
    • Title: Job title (e.g., "Finance Manager")
    • Email: A unique email address (preferably a distribution list)
    • Phone: A unique phone number

    Operations contact

    • Name: Enter a different name or team name (e.g., "Operations Team")
    • Title: Job title (e.g., "Operations Manager")
    • Email: A different email address
    • Phone: A different phone number

    Security contact

    • Name: Enter a different name or team name (e.g., "Security Team")
    • Title: Job title (e.g., "Security Manager")
    • Email: A different email address
    • Phone: A different phone number

  6. Click Update to save your changes

Important: Use email distribution lists rather than individual email addresses. This ensures notifications continue even if team members change.

AWS CLI (optional)

You can set alternate contacts using the AWS CLI. Run these three commands, replacing the placeholder values with your actual contact information.

Set Billing contact:

aws account put-alternate-contact \
  --region us-east-1 \
  --alternate-contact-type BILLING \
  --name "Billing Team" \
  --title "Finance Manager" \
  --email-address "billing@example.com" \
  --phone-number "+1234567890"

Set Operations contact:

aws account put-alternate-contact \
  --region us-east-1 \
  --alternate-contact-type OPERATIONS \
  --name "Operations Team" \
  --title "Operations Manager" \
  --email-address "operations@example.com" \
  --phone-number "+1234567891"

Set Security contact:

aws account put-alternate-contact \
  --region us-east-1 \
  --alternate-contact-type SECURITY \
  --name "Security Team" \
  --title "Security Manager" \
  --email-address "security@example.com" \
  --phone-number "+1234567892"

Verify your contacts:

aws account get-alternate-contact --region us-east-1 --alternate-contact-type BILLING
aws account get-alternate-contact --region us-east-1 --alternate-contact-type OPERATIONS
aws account get-alternate-contact --region us-east-1 --alternate-contact-type SECURITY

CloudFormation (optional)

AWS CloudFormation has no native equivalent of Terraform's aws_account_alternate_contact resource type. To manage alternate contacts as infrastructure as code, use Terraform (see below) or create a CloudFormation custom resource backed by a Lambda function that uses the AWS SDK to call the Account Management API.

Terraform (optional)

Create a Terraform configuration to manage all three alternate contacts:

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }
}

provider "aws" {
  region = "us-east-1"
}

resource "aws_account_alternate_contact" "billing" {
  alternate_contact_type = "BILLING"
  name                   = "Billing Team"
  title                  = "Finance Manager"
  email_address          = "billing@example.com"
  phone_number           = "+1234567890"
}

resource "aws_account_alternate_contact" "operations" {
  alternate_contact_type = "OPERATIONS"
  name                   = "Operations Team"
  title                  = "Operations Manager"
  email_address          = "operations@example.com"
  phone_number           = "+1234567891"
}

resource "aws_account_alternate_contact" "security" {
  alternate_contact_type = "SECURITY"
  name                   = "Security Team"
  title                  = "Security Manager"
  email_address          = "security@example.com"
  phone_number           = "+1234567892"
}

Deploy the configuration:

terraform init
terraform plan
terraform apply

For AWS Organizations: If managing contacts for member accounts from a management account, add the account_id argument:

resource "aws_account_alternate_contact" "member_security" {
  account_id             = "123456789012"
  alternate_contact_type = "SECURITY"
  name                   = "Security Team"
  title                  = "Security Manager"
  email_address          = "security@example.com"
  phone_number           = "+1234567892"
}

Verification

After making changes, verify all three contacts are configured correctly:

  1. In the AWS Console, navigate to Account settings
  2. Scroll to the Alternate contacts section
  3. Confirm that Billing, Operations, and Security contacts all show different information

Re-run the Prowler check to confirm remediation:

prowler aws --check account_maintain_different_contact_details_to_security_billing_and_operations

Verify using AWS CLI

Run these commands to retrieve and display all alternate contacts:

echo "=== Billing Contact ===" && \
aws account get-alternate-contact --region us-east-1 --alternate-contact-type BILLING

echo "=== Operations Contact ===" && \
aws account get-alternate-contact --region us-east-1 --alternate-contact-type OPERATIONS

echo "=== Security Contact ===" && \
aws account get-alternate-contact --region us-east-1 --alternate-contact-type SECURITY

Verify that:

  • All three contacts return successfully (no ResourceNotFoundException)
  • Each contact has a unique email address
  • Each contact has a unique phone number
  • Names and titles are appropriate for each role
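
The checklist above can be automated. The following is an added example, not part of the original page or of Prowler's own code: it audits the parsed JSON returned by the three get-alternate-contact calls for missing contacts, reused names, emails or phone numbers, and the phone and email limits listed in the Notes. The function name, the finding strings and the sample data are assumptions made for illustration, and it does not compare against the root account contact.

```python
import re

REQUIRED_TYPES = ("BILLING", "OPERATIONS", "SECURITY")
# Limits taken from the Notes section of this page.
PHONE_RE = re.compile(r"[0-9\s+\-()]+")  # digits, whitespace, + - ( )
MAX_EMAIL_LEN = 254


def audit_alternate_contacts(responses):
    """responses maps contact type -> parsed get-alternate-contact JSON, or
    None when the call failed with ResourceNotFoundException.
    Returns a list of findings; an empty list means the check passes."""
    findings = []
    seen = {"Name": {}, "EmailAddress": {}, "PhoneNumber": {}}
    for ctype in REQUIRED_TYPES:
        resp = responses.get(ctype)
        if not resp or "AlternateContact" not in resp:
            findings.append(f"{ctype}: contact not configured")
            continue
        contact = resp["AlternateContact"]
        email = contact.get("EmailAddress", "")
        phone = contact.get("PhoneNumber", "")
        if len(email) > MAX_EMAIL_LEN:
            findings.append(f"{ctype}: email exceeds {MAX_EMAIL_LEN} characters")
        if not PHONE_RE.fullmatch(phone):
            findings.append(f"{ctype}: phone has invalid characters")
        # Compare case-insensitively; compare phones by digits only so that
        # "+1 (234) 567-890" and "+1234567890" count as the same number.
        keys = {
            "Name": contact.get("Name", "").strip().lower(),
            "EmailAddress": email.strip().lower(),
            "PhoneNumber": re.sub(r"\D", "", phone),
        }
        for field, key in keys.items():
            if key in seen[field]:
                findings.append(f"{ctype}: {field} duplicates {seen[field][key]}")
            else:
                seen[field][key] = ctype
    return findings


# Constructed sample: OPERATIONS reuses the billing phone in another format,
# and SECURITY was never set.
SAMPLE = {
    "BILLING": {"AlternateContact": {"Name": "Billing Team", "EmailAddress": "billing@example.com", "PhoneNumber": "+1234567890"}},
    "OPERATIONS": {"AlternateContact": {"Name": "Operations Team", "EmailAddress": "operations@example.com", "PhoneNumber": "+1 (234) 567-890"}},
    "SECURITY": None,
}

if __name__ == "__main__":
    print("\n".join(audit_alternate_contacts(SAMPLE)) or "PASS")
```

To run it against a real account, save each CLI response with `--output json`, load it with `json.load`, and pass `None` for any type whose call returned ResourceNotFoundException.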

Notes

  • Use distribution lists: AWS recommends using email distribution lists (e.g., security-team@company.com) rather than individual email addresses. This ensures continuity when team members change.

  • Phone number format: Phone numbers can contain only digits, whitespace, and these characters: + - ( ). Include the country code.

  • Email address limits: Email addresses can be up to 254 characters and may include these special characters in the local portion: + = . # | ! & - _

  • AWS Organizations: If your account is part of AWS Organizations, the management account can centrally manage alternate contacts for all member accounts. This requires enabling trusted access for AWS Account Management.

  • No service disruption: Adding or updating alternate contacts has no impact on running services or workloads.