Register Security Alternate Contact
Overview
This check verifies that your AWS account has a Security alternate contact registered. AWS uses this contact to send important security notifications, advisories, and alerts directly to your security team.
Risk
Without a registered security contact:
- Missed security alerts: Critical AWS security advisories may not reach the right people
- Delayed incident response: Your team may not learn about compromises or vulnerabilities in time
- Undetected threats: Unauthorized access, data exfiltration, or resource abuse (like cryptomining) could go unnoticed longer
AWS sends security-related communications to this contact, so keeping it current is essential for protecting your account.
Remediation Steps
Prerequisites
You need permission to update account settings. Specifically, you need the account:PutAlternateContact permission.
IAM permissions details
The following IAM permissions are required:
- account:GetAlternateContact - to view current contact details
- account:PutAlternateContact - to add or update a contact
- account:DeleteAlternateContact - to remove a contact
Example IAM policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "account:GetAlternateContact",
        "account:PutAlternateContact",
        "account:DeleteAlternateContact"
      ],
      "Resource": "*"
    }
  ]
}
AWS Console Method
- Sign in to the AWS Management Console
- Click your account name in the top-right corner, then select Account
- Scroll down to the Alternate contacts section
- Click Edit next to the section title
- In the Security section, fill in:
  - Name: Your security team or contact person (e.g., "Security Operations Team")
  - Title: Role or department (e.g., "Security Operations")
  - Email: A monitored email address (e.g., security@yourcompany.com)
  - Phone: A team phone number (e.g., +1-202-555-1234)
- Click Update to save
Tip: Use a team email distribution list and shared phone number rather than an individual's contact info. This ensures continuity when team members change.
AWS CLI (optional)
Use the put-alternate-contact command to register or update your security contact:
aws account put-alternate-contact \
  --alternate-contact-type SECURITY \
  --name "Security Operations Team" \
  --title "Security Operations" \
  --email-address "security@yourcompany.com" \
  --phone-number "+12025551234" \
  --region us-east-1
Replace the placeholder values with your actual contact information.
Phone number format: Use only numbers, spaces, and these characters: + - ( )
Email requirements: Up to 254 characters. Special characters allowed: + = . # | ! & - _
To verify the contact was set:
aws account get-alternate-contact \
  --alternate-contact-type SECURITY \
  --region us-east-1
Expected output:
{
  "AlternateContact": {
    "AlternateContactType": "SECURITY",
    "EmailAddress": "security@yourcompany.com",
    "Name": "Security Operations Team",
    "PhoneNumber": "+12025551234",
    "Title": "Security Operations"
  }
}
CloudFormation (optional)
Note: AWS CloudFormation does not currently have a native resource type for alternate contacts. Use one of these alternatives:
- AWS CLI or SDK during stack deployment via a custom resource
- Terraform (see the Terraform section below)
- AWS Organizations with service control policies to enforce contact requirements
Terraform (optional)
Use the aws_account_alternate_contact resource to manage your security contact:
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }
}

provider "aws" {
  region = "us-east-1"
}

resource "aws_account_alternate_contact" "security" {
  alternate_contact_type = "SECURITY"
  name                   = "Security Operations Team"
  title                  = "Security Operations"
  email_address          = "security@yourcompany.com"
  phone_number           = "+12025551234"
}
For AWS Organizations member accounts, specify the account ID:
resource "aws_account_alternate_contact" "security" {
  account_id             = "123456789012"
  alternate_contact_type = "SECURITY"
  name                   = "Security Operations Team"
  title                  = "Security Operations"
  email_address          = "security@yourcompany.com"
  phone_number           = "+12025551234"
}
Apply the configuration:
terraform init
terraform plan
terraform apply
Verification
After updating your security contact, verify it's properly registered:
- Go to your Account settings page
- Scroll to Alternate contacts
- Confirm the Security section shows your updated contact information
Verify with AWS CLI
aws account get-alternate-contact \
  --alternate-contact-type SECURITY \
  --region us-east-1
You should see your security contact details in the response. If you get a ResourceNotFoundException, the contact is not registered.
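One way to script this verification so that "not registered" is kept apart from "could not check" (an added example, not part of the original page). The function names and exit codes are this example's own; the optional account ID argument is for AWS Organizations member accounts.

```shell
# Added example. Exit codes are this example's own convention:
# 0 = registered, 1 = not registered, 2 = could not determine.
check_security_contact() {
    account_id="${1:-}"   # optional member account ID (AWS Organizations)
    set -- account get-alternate-contact \
        --alternate-contact-type SECURITY \
        --region us-east-1 \
        --query 'AlternateContact.EmailAddress' \
        --output text
    if [ -n "$account_id" ]; then
        set -- "$@" --account-id "$account_id"
    fi

    # Running the call inside `if` keeps a failure from aborting under `set -e`.
    if out=$(aws "$@" 2>&1); then
        case "$out" in
            ''|None)   # --output text prints "None" for a null query result
                echo "FAIL: security contact has no email address"
                return 1 ;;
            *)
                echo "PASS: security contact email is $out"
                return 0 ;;
        esac
    fi

    case "$out" in
        *ResourceNotFoundException*)
            echo "FAIL: no security alternate contact registered"
            return 1 ;;
        *)
            # e.g. missing account:GetAlternateContact permission or expired credentials
            echo "ERROR: could not read contact: $out" >&2
            return 2 ;;
    esac
}

# Check several accounts; returns non-zero if any account is not a clean PASS.
audit_accounts() {
    bad=0
    for acct in "$@"; do
        printf '%s: ' "$acct"
        check_security_contact "$acct" || bad=1
    done
    return "$bad"
}
```

Call `check_security_contact` with no argument for the current account, or `audit_accounts` with a list of member account IDs from the management or delegated admin account. Treat exit code 2 as an unknown state to investigate rather than as a pass.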
Additional Resources
- Update alternate contacts for your AWS account - AWS documentation
- PutAlternateContact API Reference - API documentation
- Terraform aws_account_alternate_contact - Terraform provider documentation
Notes
- Use team contacts: Prefer email distribution lists and team phone numbers over individual contacts. This prevents gaps when employees leave or change roles.
- Keep contacts current: Review and update your alternate contacts after organizational changes, personnel changes, or at least annually.
- Test delivery: After setting up the contact, consider verifying that emails reach the intended recipients by checking your spam filters.
- AWS Organizations: If your account is part of an AWS Organization, the management account or delegated admin can centrally manage alternate contacts for all member accounts. This requires enabling trusted access for AWS Account Management.
- All three contact types: Consider also registering Billing and Operations contacts for complete coverage of AWS communications.