Register a valid security contact in the AWS account settings

Framework Reference: A.5.24 (Contact with authorities)
Integration: AWS – Account Settings

Why this matters

AWS uses the security contact information in your account settings to notify your organization about security incidents, vulnerabilities, or misuse alerts. If no contact is provided, or the one on file is outdated, your security team may miss urgent messages from AWS. This can delay incident response or even lead to automated throttling of services.


What this check does

This check verifies whether your AWS account has a security contact registered in the Alternate Contacts section of the account settings. It checks that the required fields (email, phone number, and name) are filled out.

If the security contact is not configured, the check will fail.
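The check logic described above, as an added Python example that is not part of this article or the integration's own code: it evaluates an account:GetAlternateContact response, treating a missing contact and a blank field as failures. The helper `fetch_security_contact`, the `Finding` type and the sample responses are constructed for illustration; a live run assumes boto3 with credentials allowed to call account:GetAlternateContact.

```python
from dataclasses import dataclass, field

# Fields the account:GetAlternateContact response carries for a registered contact
REQUIRED_FIELDS = ("EmailAddress", "Name", "PhoneNumber", "Title")

@dataclass
class Finding:
    passed: bool
    missing: list = field(default_factory=list)
    reason: str = ""

def evaluate_security_contact(response):
    """Decide pass/fail for the SECURITY alternate contact.
    `response` is the dict returned by account:GetAlternateContact, or None when
    the API raised ResourceNotFoundException (no contact registered at all)."""
    if response is None:
        return Finding(False, list(REQUIRED_FIELDS), "no SECURITY contact registered")
    contact = response.get("AlternateContact") or {}
    if contact.get("AlternateContactType") != "SECURITY":
        return Finding(False, list(REQUIRED_FIELDS), "response is not the SECURITY contact")
    # Treat blank or whitespace-only values as missing, not only absent keys
    missing = [f for f in REQUIRED_FIELDS if not str(contact.get(f) or "").strip()]
    if missing:
        return Finding(False, missing, "SECURITY contact is incomplete")
    return Finding(True, [], "SECURITY contact registered")

def fetch_security_contact(account_id=None):
    """Live lookup with boto3 (assumed available); needs account:GetAlternateContact.
    account_id is only accepted from the organization's management or delegated admin account."""
    import boto3  # imported here so the evaluator above runs without boto3 installed
    client = boto3.client("account")
    params = {"AlternateContactType": "SECURITY"}
    if account_id:
        params["AccountId"] = account_id
    try:
        return client.get_alternate_contact(**params)
    except client.exceptions.ResourceNotFoundException:
        return None

# Constructed sample responses (not real account data) for an offline run
SAMPLE_COMPLETE = {"AlternateContact": {
    "AlternateContactType": "SECURITY", "EmailAddress": "security@example.com",
    "Name": "Security Team", "PhoneNumber": "+491234567890", "Title": "Security Team"}}
SAMPLE_MISSING_PHONE = {"AlternateContact": {
    "AlternateContactType": "SECURITY", "EmailAddress": "security@example.com",
    "Name": "Security Team", "PhoneNumber": " ", "Title": "Security Team"}}

if __name__ == "__main__":
    print(evaluate_security_contact(fetch_security_contact()))
```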


How to fix it

From the AWS Console

Sign in to the AWS Console

Click your account name in the top-right corner and select My Account

Scroll down to the Alternate Contacts section

Click Edit next to the Security Contact

Provide the following:

Name (person or team)

Email address (ideally a monitored alias, e.g., security@yourdomain.com)

Phone number (optional, but recommended)

Click Update to save changes

From the AWS CLI

aws account put-alternate-contact \
  --alternate-contact-type SECURITY \
  --email-address security@yourdomain.com \
  --name "Security Team" \
  --title "Security Team" \
  --phone-number "+491234567890"

The PutAlternateContact API requires all four fields (name, title, email address and phone number); the title can be a role rather than a person.

We recommend using distribution lists or shared mailboxes so alerts do not depend on one individual being available.


Exceptions

There are no accepted exceptions to this requirement. Every AWS account should have a valid security contact, regardless of whether it’s used for production or testing.


Best Practices

Use email aliases like security@yourdomain.com

Review contact data quarterly

Routinely test that your security alias forwards to the right people


Further Resources

Managing AWS Account Alternate Contacts
