Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions,
see Getting Started with Amazon Web Services in China
(PDF).
Alternate contacts allows Amazon to contact up to three alternate contacts associated with
the account. An alternate contact doesn't have to be a specific person. You could instead
add an email distribution list if you have a team that manages billing, operations and
security related issues. These are in addition to the email address associated with the
root user of the account. The primary account contact will continue to receive all
email communications sent to the root account’s email.
You can specify only one of each of the following contact types associated with an
account.
-
Billing contact
-
Operations contact
-
Security contact
You can add or edit alternate contacts differently, depending
on whether or not the accounts are standalone, or part of an organization:
-
Standalone Amazon Web Services accounts – For
Amazon Web Services accounts not associated with an organization, you can update your own
alternate contacts using the Amazon Management Console, or via Amazon CLI & SDKs.
To learn how to do this, see Update standalone
Amazon Web Services account alternate contacts.
-
Amazon Web Services accounts within an organization –
For member accounts that are part of an Amazon organization, a user in the management
account or delegated admin account can centrally update any member account in the
organization from the Amazon Organizations console, or programmatically via the Amazon CLI &
SDKs. To learn how to do this, see Update Amazon Web Services account
alternate contacts in your organization.
Before you proceed with updating your account's alternate contacts information, we
recommend that you first review the following requirements when entering phone numbers
and email addresses.
-
Phone numbers can only contain numbers, whitespaces and the following
characters:"+-()
".
-
Email addresses can be up to 254 characters long and can include the following
special characters in the local portion of the email address in addition to the
standard alphanumeric ones: "+=.#|!&-_
".
To add or edit the alternate contacts for a standalone Amazon Web Services account, perform the
steps in the following procedure. The Amazon Web Services Management Console procedure below always works
only in the standalone context. You can use the Amazon Web Services Management Console to
access or change only the alternate contacts in the account you used to call the
operation.
- Amazon Web Services Management Console
-
To add or edit the alternate contacts for a standalone
Amazon Web Services account
To perform the following steps, you must have at least the following IAM permissions:
Sign in to
the Amazon Web Services Management Console as an IAM user or role that has the minimum
permissions.
-
Choose your account name on the top right of the window, and
then choose Account.
-
On the Account page, scroll down to
Alternate contacts, and to the right of
the title, choose Edit.
If you don't see the Edit option, it
is likely that you are not signed in as the root user for your
account or as someone who has the minimum permissions
specified above.
-
Change the values in any of the available fields.
For business Amazon Web Services accounts, it's a best practice to enter
a company phone number and email address rather than one
belonging to an individual.
-
After you have made all of your changes, choose
Update.
- Amazon CLI & SDKs
-
You can retrieve, update, or delete the alternate contact
information by using the following Amazon CLI commands or their Amazon
SDK equivalent operations:
For each operation, you must have the permission that maps to that
operation:
If you use these individual permissions, you can grant some users
the ability to only read the contact information, and grant others
the ability to both read and write.
The following example retrieves the current Billing alternate
contact for the caller's account.
$
aws account get-alternate-contact \
--alternate-contact-type=BILLING
{
"AlternateContact": {
"AlternateContactType": "BILLING",
"EmailAddress": "saanvi.sarkar@amazon.com",
"Name": "Saanvi Sarkar",
"PhoneNumber": "+1(206)555-0123",
"Title": "CFO"
}
}
The following example sets a new Operations alternate contact for
the caller's account.
$
aws account put-alternate-contact \
--alternate-contact-type=OPERATIONS \
--email-address=mateo_jackson@amazon.com \
--name="Mateo Jackson" \
--phone-number="+1(206)555-1234" \
--title="Operations Manager"
This command produces no output if it's successful.
If you perform multiple PutAlternateContact
operations on the same Amazon Web Services account and the same contact type,
the first adds the new contact, and all successive calls to the
same Amazon Web Services account and contact type update the existing
contact.
The following example deletes the Security alternate contact for
the caller's account.
$
aws account delete-alternate-contact \
--alternate-contact-type=SECURITY
This command produces no output if it's successful.
If you try to delete the same contact more than once, the
first succeeds silently. All later attempts generate a
ResourceNotFound
exception.
To add or edit the alternate contact details for any Amazon Web Services account in your
organization, perform the steps in the following procedure.
To update alternate contacts with the Amazon Organizations console, you need to do some
preliminary settings:
-
Your organization must enable all features to manage settings on your
member accounts. This allows admin control over the member accounts. This is
set by default when you create your organization. If your organization is
set to consolidated billing only, and you want to enable all features, see
Enabling all features in your organization.
-
You need to enable trusted access for Amazon Account Management service. To set this up,
see Enabling
trusted access for Amazon Account Management.
The Amazon Organizations managed policies AWSOrganizationsReadOnlyAccess
or
AWSOrganizationsFullAccess
are updated to provide permission to
access the Amazon Account Management APIs so you can access account data from the Amazon Organizations
console. To view the updated managed policies, see Updates to Organizations Amazon managed policies.
- Amazon Web Services Management Console
-
To add or edit the alternate contacts for any Amazon Web Services account in
your organization
-
Sign in to the Amazon Organizations console with the organization's management
account credentials.
-
From Amazon Web Services accounts, select
the account that you want to update.
-
Choose Contact info, and
under Alternate contacts,
locate the type of contact: Billing
contact, Security
contact, or Operations
contact.
-
To add a new contact, select Add, or to update an existing contact select
Edit.
-
Change the values in any of the available fields.
For business Amazon Web Services accounts, it's a best practice to enter
a company phone number and email address rather than one
belonging to an individual.
-
After you have made all of your changes, choose
Update.
- Amazon CLI & SDKs
-
You can retrieve, update, or delete the alternate contact
information by using the following Amazon CLI commands or their Amazon SDK
equivalent operations:
-
To perform these operations from the management account or
a delegated admin account in an organization against member
accounts, you must enable trusted access for the Account
service.
-
You can't access an account in a different organization
from the one you're using to call the operation.
For each operation, you must have the permission that maps to that
operation:
If you use these individual permissions, you can grant some users
the ability to only read the contact information, and grant others
the ability to both read and write.
The following example retrieves the current Billing alternate
contact for the caller's account in an organization. The credentials
used must be from either the organization's management account, or
from the Account Management's delegated admin account.
$
aws account get-alternate-contact \
--alternate-contact-type=BILLING \
--account-id 123456789012
{
"AlternateContact": {
"AlternateContactType": "BILLING",
"EmailAddress": "saanvi.sarkar@amazon.com",
"Name": "Saanvi Sarkar",
"PhoneNumber": "+1(206)555-0123",
"Title": "CFO"
}
}
The following example sets the Operations alternate contact for
the specified member account in an organization. The credentials
used must be from either the organization's management account, or
from the Account Management's delegated admin account.
$
aws account put-alternate-contact \
--account-id 123456789012 \
--alternate-contact-type=OPERATIONS \
--email-address=mateo_jackson@amazon.com \
--name="Mateo Jackson" \
--phone-number="+1(206)555-1234" \
--title="Operations Manager"
This command produces no output if it's successful.
If you perform multiple PutAlternateContact
operations on the same Amazon Web Services account and the same contact type,
the first adds the new contact, and all successive calls to the
same Amazon Web Services account and contact type update the existing
contact.
The following example deletes the Security alternate contact for
the specified member account in an organization. The credentials
used must be from either the organization's management account, or
from the Account Management's delegated admin account.
$
aws account delete-alternate-contact \
--account-id 123456789012 \
--alternate-contact-type=SECURITY
This command produces no output if it's successful.
If you try to delete the same contact more than once, the first succeeds silently.
All later attempts generate a ResourceNotFound
exception.
account:AlternateContactTypes
context key
You can use the context key account:AlternateContactTypes
to specify
which of the three billing types is allowed (or denied) by the IAM policy. For
example, the following example IAM permission policy uses this condition key to allow
the attached principals to retrieve, but not modify, only the BILLING
alternate contact for a specific account in an organization.
Because account:AlternateContactTypes
is a multi-valued string type, you
must use the ForAnyValue
or ForAllValues
multi-value string
operators.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "account:GetAlternateContact",
"Resource": [
"arn:aws-cn:account::123456789012:account/o-aa111bb222/111111111111"
],
"Condition": {
"ForAnyValue:StringEquals": {
"account:AlternateContactTypes": [
"BILLING"
]
}
}
}
]
}