Update the alternate contacts for your Amazon Web Services account - Amazon Account Management
Phone number and email address requirementsUpdate the alternate contacts for a standalone Amazon Web Services accountUpdate the alternate contacts for any Amazon Web Services account in your organizationaccount:AlternateContactTypes context key
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Update the alternate contacts for your Amazon Web Services account

Alternate contacts allows Amazon to contact up to three alternate contacts associated with the account. An alternate contact doesn't have to be a specific person. You could instead add an email distribution list if you have a team that manages billing, operations and security related issues. These are in addition to the email address associated with the root user of the account. The primary account contact will continue to receive all email communications sent to the root account’s email.

You can specify only one of each of the following contact types associated with an account.

  • Billing contact

  • Operations contact

  • Security contact

You can add or edit alternate contacts differently, depending on whether or not the accounts are standalone, or part of an organization:

Phone number and email address requirements

Before you proceed with updating your account's alternate contacts information, we recommend that you first review the following requirements when entering phone numbers and email addresses.

  • Phone numbers can only contain numbers, whitespaces and the following characters:"+-()".

  • Email addresses can be up to 254 characters long and can include the following special characters in the local portion of the email address in addition to the standard alphanumeric ones: "+=.#|!&-_".

Update the alternate contacts for a standalone Amazon Web Services account

To add or edit the alternate contacts for a standalone Amazon Web Services account, perform the steps in the following procedure. The Amazon Web Services Management Console procedure below always works only in the standalone context. You can use the Amazon Web Services Management Console to access or change only the alternate contacts in the account you used to call the operation.

Amazon Web Services Management Console
To add or edit the alternate contacts for a standalone Amazon Web Services account
Minimum permissions

To perform the following steps, you must have at least the following IAM permissions:

  • account:GetAlternateContact (to see the alternate contact details)

  • account:PutAlternateContact (to set or update an alternate contact)

  • account:DeleteAlternateContact (to delete an alternate contact)

  1. Sign in to the Amazon Web Services Management Console as an IAM user or role that has the minimum permissions.

  2. Choose your account name on the top right of the window, and then choose Account.

  3. On the Account page, scroll down to Alternate contacts, and to the right of the title, choose Edit.

    Note

    If you don't see the Edit option, it is likely that you are not signed in as the root user for your account or as someone who has the minimum permissions specified above.

  4. Change the values in any of the available fields.

    Important

    For business Amazon Web Services accounts, it's a best practice to enter a company phone number and email address rather than one belonging to an individual.

  5. After you have made all of your changes, choose Update.

Amazon CLI & SDKs

You can retrieve, update, or delete the alternate contact information by using the following Amazon CLI commands or their Amazon SDK equivalent operations:

Notes
Minimum permissions

For each operation, you must have the permission that maps to that operation:

  • GetAlternateContact (to see the alternate contact details)

  • PutAlternateContact (to set or update an alternate contact)

  • DeleteAlternateContact (to delete an alternate contact)

If you use these individual permissions, you can grant some users the ability to only read the contact information, and grant others the ability to both read and write.

The following example retrieves the current Billing alternate contact for the caller's account.

$ aws account get-alternate-contact \
    --alternate-contact-type=BILLING
{
    "AlternateContact": {
        "AlternateContactType": "BILLING",
        "EmailAddress": "saanvi.sarkar@amazon.com",
        "Name": "Saanvi Sarkar",
        "PhoneNumber": "+1(206)555-0123",
        "Title": "CFO"
    }
}

The following example sets a new Operations alternate contact for the caller's account.

$ aws account put-alternate-contact \
    --alternate-contact-type=OPERATIONS \
    --email-address=mateo_jackson@amazon.com \
    --name="Mateo Jackson" \
    --phone-number="+1(206)555-1234" \
    --title="Operations Manager"

This command produces no output if it's successful.

Note

If you perform multiple PutAlternateContact operations on the same Amazon Web Services account and the same contact type, the first adds the new contact, and all successive calls to the same Amazon Web Services account and contact type update the existing contact.

The following example deletes the Security alternate contact for the caller's account.

$ aws account delete-alternate-contact \
    --alternate-contact-type=SECURITY

This command produces no output if it's successful.

Note

If you try to delete the same contact more than once, the first succeeds silently. All later attempts generate a ResourceNotFound exception.

Update the alternate contacts for any Amazon Web Services account in your organization

To add or edit the alternate contact details for any Amazon Web Services account in your organization, perform the steps in the following procedure.

Requirements

To update alternate contacts with the Amazon Organizations console, you need to do some preliminary settings:

  • Your organization must enable all features to manage settings on your member accounts. This allows admin control over the member accounts. This is set by default when you create your organization. If your organization is set to consolidated billing only, and you want to enable all features, see Enabling all features in your organization.

  • You need to enable trusted access for Amazon Account Management service. To set this up, see Enabling trusted access for Amazon Account Management.

Note

The Amazon Organizations managed policies AWSOrganizationsReadOnlyAccess or AWSOrganizationsFullAccess are updated to provide permission to access the Amazon Account Management APIs so you can access account data from the Amazon Organizations console. To view the updated managed policies, see Updates to Organizations Amazon managed policies.

Amazon Web Services Management Console
To add or edit the alternate contacts for any Amazon Web Services account in your organization

  1. Sign in to the Amazon Organizations console with the organization's management account credentials.

  2. From Amazon Web Services accounts, select the account that you want to update.

  3. Choose Contact info, and under Alternate contacts, locate the type of contact: Billing contact, Security contact, or Operations contact.

  4. To add a new contact, select Add, or to update an existing contact select Edit.

  5. Change the values in any of the available fields.

    Important

    For business Amazon Web Services accounts, it's a best practice to enter a company phone number and email address rather than one belonging to an individual.

  6. After you have made all of your changes, choose Update.

Amazon CLI & SDKs

You can retrieve, update, or delete the alternate contact information by using the following Amazon CLI commands or their Amazon SDK equivalent operations:

Notes

  • To perform these operations from the management account or a delegated admin account in an organization against member accounts, you must enable trusted access for the Account service.

  • You can't access an account in a different organization from the one you're using to call the operation.

Minimum permissions

For each operation, you must have the permission that maps to that operation:

  • GetAlternateContact (to see the alternate contact details)

  • PutAlternateContact (to set or update an alternate contact)

  • DeleteAlternateContact (to delete an alternate contact)

If you use these individual permissions, you can grant some users the ability to only read the contact information, and grant others the ability to both read and write.

The following example retrieves the current Billing alternate contact for the caller's account in an organization. The credentials used must be from either the organization's management account, or from the Account Management's delegated admin account.

$ aws account get-alternate-contact \
    --alternate-contact-type=BILLING \
    --account-id 123456789012
{
    "AlternateContact": {
        "AlternateContactType": "BILLING",
        "EmailAddress": "saanvi.sarkar@amazon.com",
        "Name": "Saanvi Sarkar",
        "PhoneNumber": "+1(206)555-0123",
        "Title": "CFO"
    }
}

The following example sets the Operations alternate contact for the specified member account in an organization. The credentials used must be from either the organization's management account, or from the Account Management's delegated admin account.

$ aws account put-alternate-contact \
    --account-id 123456789012 \
    --alternate-contact-type=OPERATIONS \
    --email-address=mateo_jackson@amazon.com \
    --name="Mateo Jackson" \
    --phone-number="+1(206)555-1234" \
    --title="Operations Manager"

This command produces no output if it's successful.

Note

If you perform multiple PutAlternateContact operations on the same Amazon Web Services account and the same contact type, the first adds the new contact, and all successive calls to the same Amazon Web Services account and contact type update the existing contact.

The following example deletes the Security alternate contact for the specified member account in an organization. The credentials used must be from either the organization's management account, or from the Account Management's delegated admin account.

$ aws account delete-alternate-contact \
    --account-id 123456789012 \
    --alternate-contact-type=SECURITY

This command produces no output if it's successful.
Note

If you try to delete the same contact more than once, the first succeeds silently. All later attempts generate a ResourceNotFound exception.

account:AlternateContactTypes context key

You can use the context key account:AlternateContactTypes to specify which of the three billing types is allowed (or denied) by the IAM policy. For example, the following example IAM permission policy uses this condition key to allow the attached principals to retrieve, but not modify, only the BILLING alternate contact for a specific account in an organization.

Because account:AlternateContactTypes is a multi-valued string type, you must use the ForAnyValue or ForAllValues multi-value string operators. 

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "account:GetAlternateContact",
            "Resource": [
                "arn:aws-cn:account::123456789012:account/o-aa111bb222/111111111111"
            ],
            "Condition": {
                "ForAnyValue:StringEquals": {
                    "account:AlternateContactTypes": [
                        "BILLING"
                    ]
                }
            }
        }
    ]
}