Account Alternate Contacts

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (not tolerated)
Rule ID: IAM-031

Ensure that your AWS account is configured with alternate contact details for security communications, so that notifications still reach someone when you are not available. Once an alternate contact is provided, security notifications (e.g. abuse report notifications) will be sent only to the email address specified as the substitute contact. Cloud Conformity strongly recommends using an internal email distribution list instead of a single personal/work email address, in order to avoid a single point of failure.

This rule can help you with the following compliance standards:

  • CISAWSF
  • APRA
  • MAS
  • NIST4

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

Once specified, the alternate contacts will enable Amazon to contact another designated person about the security issues found within your account, even if you are unavailable.

Note: Amazon does not currently provide an API for working with the account alternate contacts. You therefore need to verify and configure the feature manually using the AWS Management Console, and acknowledge this action within the “Security Alternate Contacts” rule settings available on the Cloud Conformity console.


Audit

To determine if the alternate contact information is already set to receive security notifications, perform the following:

Note: Verifying the security alternate contact details using the AWS Command Line Interface (CLI) or AWS API is not currently supported; the feature details need to be checked manually through the AWS Management Console.

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to your AWS account settings page at https://console.aws.amazon.com/billing/home?#/account/.

03 In the Alternate Contacts section, under the Security category, verify the contact details available. If no alternate contact details are provided and the Contact status is set to None, the feature is not currently enabled, so security notifications will not be sent to another person or third-party support service if you are unavailable.

Remediation / Resolution

To improve your AWS account security by providing alternate contact information for security notifications, perform the following:

Note: Defining security alternate contacts using the AWS Command Line Interface (CLI) or AWS API is not currently supported; the required contact details need to be set manually through the AWS Management Console.

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to your AWS account settings page at https://console.aws.amazon.com/billing/home?#/account/.

03 Scroll down to the Alternate Contacts section and click the Edit link to display the alternate contacts form.

04 In the Security category, provide the following information:

  1. In the Full Name box enter the name of the person or third-party service that will receive all the security notifications sent for your AWS account.
  2. In the Title box enter the title of the person or third-party service specified above (e.g., AWS Account Security Administrator).
  3. In the Email Address box enter the email address where the security notifications will be sent.
  4. In the Phone Number box enter the contact number of the person or third-party service that will manage the security notifications for you.

05 Click the Update button to save the changes.

Publication date May 24, 2016