AWS Cloud Operations Blog

Programmatically managing alternate contacts on member accounts with AWS Organizations

Today, we are making it easier for you to manage the alternate contacts (billing, operations, and security) on your member accounts in AWS Organizations. You can now programmatically manage your account alternate contact information in addition to the existing experience in the AWS console.

This launch ensures that the right individuals receive important AWS notifications and can respond. For example, you can now easily set the same security alternate contact on all of your accounts so your Cloud Center of Excellence (CCoE) team can receive important security notifications about your AWS accounts. Managing alternate contacts becomes even more important as your organization scales to hundreds or thousands of accounts, saving you time and reducing operational burden.

You can programmatically set the same alternate contacts across all of your accounts including new accounts that you create or add to your organization. Additionally, you can use a delegated administrator account to manage alternate contacts for your organization from a member account. Programmatically managing alternate contacts is just our first step, and you can expect to see support for additional account settings in future releases.

In this blog post, we’ll show you how to set up and update the alternate contacts on all accounts in your organization.

Prerequisites

To get started, you’ll first need to make sure that the AWS Identity and Access Management (IAM) user or role you want to manage alternate contacts with has the following permissions:

  • account:GetAlternateContact – allows the user to view the current alternate contact
  • account:PutAlternateContact – allows the user to set a new alternate contact
  • account:DeleteAlternateContact – allows the user to delete an alternate contact

You can easily grant the requisite permissions to manage alternate contacts by attaching the AWSAccountManagementFullAccess managed policy to your IAM user or role.

Next, you’ll need to enable the AWS Account Management service for your organization so you can centrally manage alternate contacts. You can do this by using this CLI command from the management account:

aws organizations enable-aws-service-access --service-principal account.amazonaws.com

Finally, you can register a delegated administrator so users don’t need access to the management account to manage alternate contacts. You can do this by using this CLI command:

aws organizations register-delegated-administrator --account-id <YOUR-CHOSEN-ACCOUNT-ID> --service-principal account.amazonaws.com

For more information about managing alternate contacts in your organization, see Using AWS Account Management in your organization.

Automating your alternate contacts

This example shows how you can set the same security alternate contact on all of your organization accounts so your CCoE team can receive security notifications across all accounts in your organization. We’re going to use AWS CloudShell, a browser-based shell that is automatically authenticated with your AWS console credentials and accessible via the upper navigation bar of the AWS console. We’re also going to be operating out of a delegated administrator account that we’ve already set up. Before proceeding with the CLI actions, you will need to ensure that the CLI version that AWS CloudShell is running is 2.2.34 or later. To update your CloudShell CLI to the latest version, see this documentation.

loop-through-accounts.sh – This script gathers a list of all accounts in your organization and then executes the put-security-contact.sh script.

cat << 'EOF' > loop-through-accounts.sh
#!/bin/bash
# The heredoc delimiter is quoted ('EOF') so the script is written verbatim and
# no escaping of $ or backticks is needed when pasting it into CloudShell.

# The management account's alternate contacts cannot be set through the
# organization context, so it is skipped in the loop below.
managementaccount=$(aws organizations describe-organization --query Organization.MasterAccountId --output text)

for account in $(aws organizations list-accounts --query 'Accounts[].Id' --output text); do
    # Account IDs are 12-digit identifiers: compare them as strings, not integers.
    if [ "$managementaccount" = "$account" ]; then
        echo 'Skipping management account.'
        continue
    fi
    ./put-security-contact.sh -a "$account"
    # Short pause between calls to stay clear of API request-rate limits.
    sleep 0.2
done
EOF
chmod 755 loop-through-accounts.sh

Note: You’ll notice that the management account is explicitly excluded from the account list. This is because alternate contacts for the management account can only be modified using the standalone context, not the organization context. Additionally, if you expect more than 1,000 entries to be returned from the list-accounts call, you will have to add pagination support to this script to retrieve all accounts in your organization.

put-security-contact.sh – This script sets the security alternate contact onto the member account in your organization.

cat << 'EOF' > put-security-contact.sh
#!/bin/bash
# Usage: ./put-security-contact.sh -a <member-account-id>
while getopts a: flag
do
    case "${flag}" in
        a) account_id=${OPTARG};;
    esac
done

# Refuse to run without a target account rather than calling the API with an empty ID.
if [ -z "${account_id:-}" ]; then
    echo 'Usage: put-security-contact.sh -a <member-account-id>' >&2
    exit 1
fi

echo 'Put security contact for account '$account_id'...'
# Replace the contact details below with your CCoE team's actual contact information.
aws account put-alternate-contact \
  --account-id "$account_id" \
  --alternate-contact-type=SECURITY \
  --email-address=security-contact@example.com \
  --phone-number="+1(555)555-5555" \
  --title="Security Contact" \
  --name="Mary Major"
echo 'Done putting security contact for account '$account_id'.'
EOF
chmod 755 put-security-contact.sh

Note: When you use this script to update alternate contacts on your organization, make sure to replace the contact details with your actual contact information.

First, we are going to load the two scripts into the CLI. We can do this by copying the loop-through-accounts.sh script into the CLI and hitting the “Enter” key. Then, we’ll do the same thing with the put-security-contact.sh script.

Snapshot showing the loading of the CLI scripts into the AWS Cloudshell

Finally, we’ll go ahead and execute the script to update the security alternate contact on your organization with the following:

./loop-through-accounts.sh

AWS CloudShell snapshot of the scripts listing all accounts in the organization and updating alternate contacts

From the CLI output, it first pulls the list of accounts in your organization and then iterates through and applies the specified security alternate contact to each account. We can verify that the security alternate contact has been applied by getting the security alternate contact for one of the accounts in your organization:

aws account get-alternate-contact --account-id XXXXXXXXXXXX --alternate-contact-type=SECURITY

CloudShell snapshot verifying if the alternate contact has been updated
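Checking one account by hand, as above, does not tell you whether every member account ended up with the expected contact, or whether one later drifted. The script below is an added example (not part of the original post or of any AWS tooling) that generalizes the verification step: it lists the member accounts, fetches each one's SECURITY contact with get-alternate-contact, and prints every account whose e-mail differs from the expected address or that has no contact set at all (the API call fails when no contact exists, which the script reports as MISSING). The AWS_CLI variable, the function names and the sample account IDs are assumptions made for this example; the CLI commands and query paths are the ones used elsewhere in this post.

```shell
#!/bin/bash
# audit-security-contacts.sh (example, not from the original post)
# Report member accounts whose SECURITY alternate contact does not match the
# e-mail the CCoE team expects. AWS_CLI can be overridden with a stub for testing.
AWS_CLI="${AWS_CLI:-aws}"

# Print the SECURITY contact e-mail for one account, or MISSING when the call
# fails (get-alternate-contact returns an error when no contact is set).
get_security_email() {
    account_id="$1"
    email=$("$AWS_CLI" account get-alternate-contact \
        --account-id "$account_id" \
        --alternate-contact-type SECURITY \
        --query 'AlternateContact.EmailAddress' \
        --output text 2>/dev/null) || email="MISSING"
    [ -n "$email" ] || email="MISSING"
    printf '%s\n' "$email"
}

# Read account IDs from stdin (one per line) and print "<account> <actual>" for
# every account whose contact differs from the expected e-mail.
# Returns 0 when all accounts comply and 1 otherwise.
audit_security_contacts() {
    expected="$1"
    status=0
    while read -r account_id; do
        [ -n "$account_id" ] || continue
        actual=$(get_security_email "$account_id")
        if [ "$actual" != "$expected" ]; then
            printf '%s %s\n' "$account_id" "$actual"
            status=1
        fi
    done
    return "$status"
}

# List member account IDs, one per line, excluding the management account
# (its contacts are managed in the standalone context, as the post notes).
list_member_accounts() {
    mgmt=$("$AWS_CLI" organizations describe-organization \
        --query Organization.MasterAccountId --output text)
    "$AWS_CLI" organizations list-accounts --query 'Accounts[].Id' --output text \
        | tr '\t' '\n' | grep -v "^${mgmt}\$"
}

# Usage: ./audit-security-contacts.sh security-contact@example.com
if [ $# -gt 0 ]; then
    list_member_accounts | audit_security_contacts "$1"
fi
```

Run it from the delegated administrator account with the expected e-mail as the only argument; a non-zero exit status means at least one account is out of line, which makes the script easy to schedule as a recurring compliance check. Because all AWS calls go through $AWS_CLI, the audit logic can be exercised against a stub without touching a real organization.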

Summary

Today, we are taking the first step and enabling you to programmatically manage the alternate contacts on accounts in your AWS organization. This makes it easier for the right individuals to get important notifications about all of your AWS accounts, saving time and operational burden. We walked through an example that easily updates the security alternate contact for all accounts in your organization. For more information and to get started, see Using AWS Account Management in your organization.

If you have comments about this post, submit them in the “Comments” section below. If you have questions about or issues implementing this solution, start a new thread on the Account Management forum.

About the authors

Raymond Ma

Raymond is a Principal Product Manager on the AWS Identity team where he manages AWS Organizations and Accounts. Outside of work, he enjoys taking care of his dog, Merlin, climbing, and volunteering with King County Search and Rescue.

Baisakhi Nishibanya

Baisakhi is a Product Manager on the AWS Identity team where she works on AWS Organizations. She is a social person and enjoys exploring new places with friends.

Nitin Kulkarni

Nitin is a Solutions Architect on the AWS Identity Solutions team. He helps customers build secure and scalable solutions on the AWS platform. He also enjoys hiking, baseball and linguistics.