Update the root user email address - Amazon Account Management
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Update the root user email address

There are various business reasons why you might need to update the root user email address of your Amazon Web Services account, for example, to improve security and administrative resilience. This topic walks you through the process of updating your root user email address for both standalone and member accounts.

Note

Changes to an Amazon Web Services account can take up to four hours to propagate everywhere.

The procedure for updating the root user email differs depending on whether the account is standalone or part of an organization:

Update the root user email for a standalone Amazon Web Services account

To edit the root user email address for a standalone Amazon Web Services account, perform the steps in the following procedure.

Amazon Web Services Management Console
Note

You must sign in as the Amazon Web Services account root user, which requires no additional IAM permissions. You can't perform these steps as an IAM user or role.

  1. Use your Amazon Web Services account's email address and password to sign in to the Amazon Web Services Management Console as your Amazon Web Services account root user.

  2. In the upper right corner of the console, choose your account name or number and then choose Account.

  3. On the Account page, next to Account settings, choose Edit.

    Note

    If you don't see the Edit option, it is likely that you are not signed in as the root user for your account. You can't modify account settings while signed in as an IAM user or role.

  4. On the Account Details page, next to Email address choose Edit.

  5. On the Edit Account Email page, fill out the fields for New email address, Confirm new email address, and confirm your current Password. Then, choose Save and continue. A verification code is sent to your new email address from no-reply@verify.signin.aws.

  6. On the Edit Account Email page, under Verification code, enter the code you received from your email, and then choose Confirm updates.

    Note

    It can take up to 5 minutes for the verification code to arrive. If you don’t see the email in your inbox, check your spam and junk folders.

Amazon CLI & SDKs

This task isn't supported in the Amazon CLI or by an API operation from one of the Amazon SDKs. You can perform this task only by using the Amazon Web Services Management Console.

Update the root user email for any Amazon Web Services account in your organization

To edit the root user email address for any member account in your organization using the Amazon Organizations console, perform the steps in the following procedure.

Note

Before you update the root user email address for a member account, we recommend that you understand the impact of this operation. For more information, see Updating the root user email address for a member account with Amazon Organizations in the Amazon Organizations User Guide.

You can also update the root user email address for a member account directly from the Account page in the Amazon Web Services Management Console after signing in as the root user. For step-by-step instructions, follow the steps provided in Update the root user email for a standalone Amazon Web Services account.

Amazon Management Console
Notes
  • To perform this procedure from the management account or a delegated admin account in an organization against member accounts, you must enable trusted access for the Account Management service.

  • You can't use this procedure to access an account in a different organization from the one you're using to call the operation.

To update the Amazon Web Services email address for a member account using the Amazon Organizations console
  1. Sign in as a user or role that has the required minimum permissions of portal:ModifyAccount in the management account that you want to close.

  2. On the Amazon Web Services accounts page, choose the member account for which you want to update the Amazon Web Services email address.

  3. In the Account details section, choose the Actions button, and then choose Update email address.

  4. Under Email, enter the new email address for the member account, and then choose Save. This sends a one-time password (OTP) to the new email address.

    Note

    If you need to close this page in the Organizations console while you wait for the code, you can return and finish the OTP process within 24 hours from when the code was sent. To do this, while on the Account details page, choose the Actions button, and then choose Complete email update.

  5. Under Verification code, enter the code that was sent to the new email address in the previous step, and then choose Confirm. This commits the update to the Amazon Web Services email address for the account.

Amazon CLI & SDKs

You can retrieve or update the Amazon Web Services email address by using the following Amazon CLI commands or their Amazon SDK equivalent operations:

Notes
  • To perform these operations from the management account or a delegated admin account in an organization against member accounts, you must enable trusted access for the Account Management service.

  • You can't access an account in a different organization from the one you're using to call the operation.

Minimum permissions

For each operation, you must have the permission that maps to that operation:

  • account:GetPrimaryEmail

  • account:StartPrimaryEmailUpdate

  • account:AcceptPrimaryEmailUpdate

If you use these individual permissions, you can grant some users the ability to only read the Amazon Web Services email address information, and grant others the ability to both read and write.

To complete the Amazon Web Services email update process, you must use the primary email APIs together in the order they are shown in the examples below.

Example GetPrimaryEmail

The following example retrieves the Amazon Web Services email address from the specified member account in an organization. The credentials used must be from either the organization's management account, or from the Account Management's delegated admin account.

$ aws account get-primary-email --account-id 123456789012

Example StartPrimaryEmailUpdate

The following example starts the Amazon Web Services email address update process, identifies the new email address, and sends a one-time password (OTP) to the new email address for the specified member account in an organization. The credentials used must be from either the organization's management account, or from the Account Management's delegated admin account.

$ aws account start-primary-email-update --account-id 123456789012 --primary-email john@examplecorp.com

Example AcceptPrimaryEmailUpdate

The following example accepts the OTP code and sets the new email address to the specified member account in an organization. The credentials used must be from either the organization's management account, or from the Account Management's delegated admin account.

$ aws account accept-primary-email-update --account-id 123456789012 --otp 12345678 --primary-email john@examplecorp.com
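
The three operations above chained in the required order, as an added example that is not part of the original documentation. The function names, the input checks, and the use of the CLI's global --query and --output options to read the PrimaryEmail field of the GetPrimaryEmail response are assumptions of this example; the account ID and address are the page's sample values.

```shell
#!/bin/sh
# Added example: runs the three primary-email operations in the documented order.
# Use credentials from the management account or the delegated admin account.

# An account ID is exactly 12 digits.
valid_account_id() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "${#1}" -eq 12 ]
}

# Coarse sanity check: no spaces, exactly one "@", a dot in the domain part.
valid_email() {
  case "$1" in
    *' '*|*@*@*) return 1 ;;
    ?*@?*.?*)    return 0 ;;
    *)           return 1 ;;
  esac
}

update_primary_email() {
  account_id=$1
  new_email=$2
  valid_account_id "$account_id" || { echo "invalid account ID" >&2; return 2; }
  valid_email "$new_email" || { echo "invalid email address" >&2; return 2; }

  # 1. GetPrimaryEmail: read the current address and skip a no-op change.
  current=$(aws account get-primary-email --account-id "$account_id" \
    --query PrimaryEmail --output text) || return 1
  if [ "$current" = "$new_email" ]; then echo "unchanged"; return 0; fi

  # 2. StartPrimaryEmailUpdate: sends the OTP to the new address.
  aws account start-primary-email-update --account-id "$account_id" \
    --primary-email "$new_email" >/dev/null || return 1

  # 3. AcceptPrimaryEmailUpdate: pass the same address again with the OTP.
  printf 'OTP sent to %s: ' "$new_email" >&2
  IFS= read -r otp || true
  [ -n "$otp" ] || { echo "no OTP entered" >&2; return 2; }
  aws account accept-primary-email-update --account-id "$account_id" \
    --otp "$otp" --primary-email "$new_email" >/dev/null || return 1
  echo "updated"
}

# Usage: ./update-email.sh 123456789012 john@examplecorp.com
if [ "$#" -eq 2 ]; then update_primary_email "$1" "$2"; fi
```

The caller needs all three account: permissions listed under Minimum permissions; a principal granted only account:GetPrimaryEmail fails at step 2.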