Help Center
Go back to application
Help Center
Go back to application
Platform Terms Glossary
Task Management
Task Management explained Creating Tasks Setting up Task NotificationsGiving permissions to team members
Organization
Working together in KertosInviting UsersCreating rolesAssigning System AccessCreating Departments and Assigning Users
Integrations
Discovery
Tasks
Device Management
Human Resource Information Systems
Inventory
Inventorization of vendorsInventorization of systemsInventorization of assetsEU AI Act: Inventorization of AI use cases
Risks
Managing risksApplying controls to risks
Trust Center
Setting up your trust center
Incidents
Reporting incidents
KAIA
KAIA explainedPrinciples of AI at Kertos
Interacting with KAIA
Compliance
Frameworks explainedManaging & implementing controlsCreating & managing policiesCompleting & assigning trainings
Privacy Management
Creating a RoPACreating TOMsCreating DPIAs
Data Subject Requests
API Reference
Ingress API Docs for DSRs Webhook API Docs for DSRs
Auto Checks
Auto Checks explainedAuto Checks: AWS Auto Checks: GCPAuto Checks: AzureEnabling Auto Checks by Reconfiguring the Azure IntegrationEnabling Auto Checks by Reconfiguring the GCP IntegrationEnabling Auto Checks by Reconfiguring the AWS Integration
AWS Auto Checks Detailed Explanations
Enforce MFA on the AWS Root AccountVerify CloudTrail is logging management events across all AWS regionsEnsure no IAM AWS-managed policies grant full administrative accessConfirm that Amazon GuardDuty is enabled for threat detectionEnsure the root account does not have any active access keysConfirm IAM Access Analyzer is enabled to monitor access permissionsConfigure a log metric filter and alarm for unauthorized API callsConfigure a log metric filter and alarm for root account usageEnsure customer-managed IAM policies do not grant full administrative accessPrevent IAM identities from having inline policies with unrestricted accessMaintain accurate and up-to-date AWS account contact informationRegister a valid security contact in the AWS account settingsBlock IAM Inline Policies That Enable Privilege EscalationPrevent IAM Inline Policies from Granting Full CloudTrail AccessAvoid Full KMS Access in Inline IAM PoliciesPrevent Overly Permissive Role Assumption in Custom IAM PoliciesPrevent Privilege Escalation via Customer-Managed IAM PoliciesAvoid IAM Policies Granting Full CloudTrail AccessAvoid IAM Policies Granting Unrestricted KMS AccessPrevent IAM Roles from Assigning ReadOnlyAccess Permissions to External AWS AccountsProtect IAM Service Roles from Confused Deputy Attacks Using Proper Trust PoliciesAvoid Provisioning Access Keys During Initial IAM User Creation When Console Login is EnabledDetect IAM Users with Multiple Active Access Keys and Enforce Key Rotation

Register a valid security contact in the AWS account settings

Framework Reference: A.5.24 (Contact with authorities) Integration: AWS – Account Settings

Why this matters

AWS uses the security contact information in your account settings to notify your organization about security incidents, vulnerabilities, or misuse alerts. If no contact is provided—or if it's outdated—your security team may miss urgent messages from AWS. This can delay incident response or even lead to automated throttling of services.

What this check does

This check verifies whether your AWS account has a security contact registered in the Alternate Contacts section of the account settings. It checks that the required fields (email, phone number, and name) are filled out.

If the security contact is not configured, the check will fail.

How to fix it

From the AWS Console

Sign in to the AWS Console

Click your account name in the top-right corner and select My Account

Scroll down to the Alternate Contacts section

Click Edit next to the Security Contact

Provide the following:

Name (person or team)

Email address (ideally a monitored alias, e.g., security@yourdomain.com)

Phone number (optional, but recommended)

Click Update to save changes

From the AWS CLI

aws account put-alternate-contact \  --alternate-contact-type SECURITY \  --email-address security@yourdomain.com \  --name "Security Team" \  --phone-number "+491234567890" 

We recommend using distribution lists or shared mailboxes so alerts don’t rely on one individual being available.

Exceptions

There are no accepted exceptions to this requirement. Every AWS account should have a valid security contact, regardless of whether it’s used for production or testing.

Best Practices

Use email aliases like security@yourdomain.com

Review contact data quarterly

Routinely test that your security alias forwards to the right people

Further Resources

Managing AWS Account Alternate Contacts

Was this article helpful?

Powered by Product Fruits