Account settings contain a Security alternate contact in Alternate Contacts (name, EmailAddress, PhoneNumber) for targeted AWS security notifications.
Risk
A missing or outdated security contact can delay or prevent AWS advisories from reaching responders, increasing risk to:
- Confidentiality: data exfiltration from undetected compromise
- Integrity: unauthorized changes persist longer
- Availability: resource abuse (e.g., cryptomining) and outages
Run this check with Prowler CLI
prowler aws --checks account_security_contact_information_is_registered
Recommendation
Define and maintain a Security alternate contact:
- Use a monitored alias (e.g., security@domain) and team phone
- Apply to every account (prefer Org-wide automation)
- Review after org/personnel changes and test delivery
- Document ownership and escalation paths

Align with incident response and least privilege principles.
Remediation
CLI
aws account put-alternate-contact --alternate-contact-type SECURITY --email-address <EMAIL_ADDRESS> --name <CONTACT_NAME> --phone-number <PHONE_NUMBER> --title <TITLE>
Terraform
Other
- Sign in to the AWS Management Console as the root user or an admin with account:PutAlternateContact
- Click your account name (top-right) and select My Account (or Account)
- Scroll to Alternate Contacts and click Edit in the Security section
- Enter Security Email, Name, and Phone Number
- Click Update (or Save changes)
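To cover the "apply to every account" recommendation, the following added example (not part of Prowler or the original page) audits the Security alternate contact across an AWS Organization with boto3. It assumes it runs from the Organizations management account with trusted access for AWS Account Management enabled and permissions for `organizations:ListAccounts` and `account:GetAlternateContact`; the function names and the expected-email argument are illustrative.

```python
import sys

SECURITY = "SECURITY"

def _error_code(exc):
    # botocore's ClientError carries the AWS error code in exc.response
    return getattr(exc, "response", {}).get("Error", {}).get("Code")

def get_security_contact(account_client, account_id=None):
    """Return the SECURITY alternate contact dict, or None if none is set."""
    kwargs = {"AlternateContactType": SECURITY}
    if account_id:  # AccountId must be omitted for the calling account itself
        kwargs["AccountId"] = account_id
    try:
        return account_client.get_alternate_contact(**kwargs)["AlternateContact"]
    except Exception as exc:
        if _error_code(exc) == "ResourceNotFoundException":
            return None  # no Security contact registered
        raise  # access denied, throttling, etc. must not look like "missing"

def audit(account_client, account_ids, caller_id, expected_email):
    """Map account id -> 'ok' | 'missing' | 'mismatch' against expected_email."""
    report = {}
    for acct in account_ids:
        target = None if acct == caller_id else acct
        contact = get_security_contact(account_client, target)
        if contact is None:
            report[acct] = "missing"
        elif contact.get("EmailAddress", "").lower() != expected_email.lower():
            report[acct] = "mismatch"  # outdated or non-standard address
        else:
            report[acct] = "ok"
    return report

def main(expected_email):
    import boto3  # imported here so the functions above work without AWS access
    caller_id = boto3.client("sts").get_caller_identity()["Account"]
    pages = boto3.client("organizations").get_paginator("list_accounts").paginate()
    ids = [a["Id"] for p in pages for a in p["Accounts"] if a["Status"] == "ACTIVE"]
    report = audit(boto3.client("account"), ids, caller_id, expected_email)
    for acct, state in sorted(report.items()):
        print(acct, state)
    return 1 if any(s != "ok" for s in report.values()) else 0

if __name__ == "__main__":
    sys.exit(main(sys.argv[1]))
```

Run it with the monitored alias as the only argument; a non-zero exit status means at least one account is missing the contact or points at a different address.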
Resource Type
Other
References
- https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/account_alternate_contact
- https://support.icompaas.com/support/solutions/articles/62000234161-1-2-ensure-security-contact-information-is-registered-manual-
- https://www.plerion.com/cloud-knowledge-base/ensure-security-contact-information-is-registered
- https://repost.aws/articles/ARDFbpt-bvQ8iuErnqVVcCXQ/managing-aws-organization-alternate-contacts-via-csv