

# Security Hub CSPM controls for Amazon Web Services accounts
<a name="account-controls"></a>

These Security Hub CSPM controls evaluate Amazon Web Services accounts.

These controls may not be available in all Amazon Web Services Regions. For more information, see [Availability of controls by Region](securityhub-regions.md#securityhub-regions-control-support).

## [Account.1] Security contact information should be provided for an Amazon Web Services account
<a name="account-1"></a>

**Related requirements:** CIS Amazon Foundations Benchmark v5.0.0/1.2, NIST.800-53.r5 CM-2, NIST.800-53.r5 CM-2(2)

**Category:** Identify > Resource Configuration

**Severity:** Medium

**Resource type:** `AWS::::Account`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/security-account-information-provided.html](https://docs.amazonaws.cn/config/latest/developerguide/security-account-information-provided.html)

**Schedule type:** Periodic

**Parameters:** None

This control checks if an Amazon Web Services account has security contact information. The control fails if security contact information is not provided for the account.

Alternate security contacts let Amazon reach another person about issues with your account when you're unavailable. These notifications can come from Amazon Web Services Support or from other Amazon Web Services service teams, and concern security-related topics associated with your Amazon Web Services account usage.

### Remediation
<a name="account-1-remediation"></a>

To add an alternate contact as a security contact to your Amazon Web Services account, see [Update the alternate contacts for your Amazon Web Services account](https://docs.amazonaws.cn/accounts/latest/reference/manage-acct-update-contact-alternate.html) in the *Amazon Account Management Reference Guide*.

## [Account.2] Amazon Web Services accounts should be part of an Amazon Organizations organization
<a name="account-2"></a>

**Category:** Protect > Secure access management > Access control

**Related requirements:** NIST.800-53.r5 CA-9(1), NIST.800-53.r5 CM-2

**Severity:** High

**Resource type:** `AWS::::Account`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/account-part-of-organizations.html](https://docs.amazonaws.cn/config/latest/developerguide/account-part-of-organizations.html)

**Schedule type:** Periodic

**Parameters:** None

This control checks if an Amazon Web Services account is part of an organization managed through Amazon Organizations. The control fails if the account is not part of an organization.

Organizations helps you centrally manage your environment as you scale your workloads on Amazon. You can use multiple Amazon Web Services accounts to isolate workloads that have specific security requirements, or to comply with frameworks such as HIPAA or PCI. By creating an organization, you can administer multiple accounts as a single unit and centrally manage their access to Amazon Web Services services, resources, and Regions.

### Remediation
<a name="account-2-remediation"></a>

To create a new organization and automatically add Amazon Web Services accounts to it, see [Creating an organization](https://docs.amazonaws.cn/organizations/latest/userguide/orgs_manage_org_create.html) in the *Amazon Organizations User Guide*. To add accounts to an existing organization, see [Inviting an Amazon Web Services account to join your organization](https://docs.amazonaws.cn/organizations/latest/userguide/orgs_manage_accounts_invites.html) in the *Amazon Organizations User Guide*.
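As an added example (not part of this guide), here is an offline evaluator that mirrors the two checks above: a registered SECURITY alternate contact (Account Management API `GetAlternateContact`) counts as a pass for Account.1, and a successful Organizations `DescribeOrganization` counts as a pass for Account.2. The stub clients and the sample contact are constructed; the two error codes are the ones the real APIs return in the failing cases.

```python
from typing import Any, Dict

def _error_code(exc: Exception) -> str:
    """Service error code as carried by botocore's ClientError in .response."""
    return getattr(exc, "response", {}).get("Error", {}).get("Code", "")

def check_security_contact(account_client: Any) -> str:
    """Account.1: PASSED when a SECURITY alternate contact is registered."""
    try:
        account_client.get_alternate_contact(AlternateContactType="SECURITY")
    except Exception as exc:
        # The Account API raises ResourceNotFoundException when no contact is set.
        if _error_code(exc) == "ResourceNotFoundException":
            return "FAILED"
        raise
    return "PASSED"

def check_in_organization(org_client: Any) -> str:
    """Account.2: PASSED when the account is a member of an Organizations organization."""
    try:
        org_client.describe_organization()
    except Exception as exc:
        # Organizations raises AWSOrganizationsNotInUseException for a standalone account.
        if _error_code(exc) == "AWSOrganizationsNotInUseException":
            return "FAILED"
        raise
    return "PASSED"

# Constructed stubs so the checks run offline; use boto3.client("account") and
# boto3.client("organizations") against a real account instead.
class _StubError(Exception):
    def __init__(self, code: str):
        super().__init__(code)
        self.response = {"Error": {"Code": code}}  # same layout as botocore ClientError

class StubAccountClient:
    def __init__(self, contact):  # None models "no security contact provided"
        self._contact = contact
    def get_alternate_contact(self, AlternateContactType: str) -> Dict[str, Any]:
        if self._contact is None:
            raise _StubError("ResourceNotFoundException")
        return {"AlternateContact": dict(self._contact, AlternateContactType=AlternateContactType)}

class StubOrgClient:
    def __init__(self, in_org: bool):
        self._in_org = in_org
    def describe_organization(self) -> Dict[str, Any]:
        if not self._in_org:
            raise _StubError("AWSOrganizationsNotInUseException")
        return {"Organization": {"Id": "o-exampleorgid"}}  # constructed ID
```

Any other error code (for example an access-denied response from a role lacking `account:GetAlternateContact`) is re-raised rather than reported as a failed control, so a permissions problem is not mistaken for a missing contact.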