AWS Cloud Operations Blog
Programmatically managing alternate contacts on member accounts with AWS Organizations
Today, we are making it easier for you to manage the alternate contacts (billing, operations, and security) on your member accounts in AWS Organizations. You can now programmatically manage your account alternate contact information in addition to the existing experience in the AWS console.
This launch ensures that the right individuals receive important AWS notifications and can respond. For example, you can now easily set the same security alternate contact on all of your accounts so your Cloud Center of Excellence (CCoE) team can receive important security notifications about your AWS accounts. Managing alternate contacts becomes even more important as your organization scales to hundreds or thousands of accounts, and doing it programmatically saves you time and reduces operational burden.
You can programmatically set the same alternate contacts across all of your accounts including new accounts that you create or add to your organization. Additionally, you can use a delegated administrator account to manage alternate contacts for your organization from a member account. Programmatically managing alternate contacts is just our first step, and you can expect to see support for additional account settings in future releases.
In this blog post, we’ll show you how to set up and update the alternate contacts on all accounts in your organization.
Prerequisites
To get started, you’ll first need to make sure that the AWS Identity and Access Management (IAM) user or role you want to manage alternate contacts with has the following permissions:
- account:GetAlternateContact – allows the user to view the current alternate contact
- account:PutAlternateContact – allows the user to set a new alternate contact
- account:DeleteAlternateContact – allows the user to delete an alternate contact
You can easily grant the requisite permissions to manage alternate contacts by attaching the AWSAccountManagementFullAccess managed policy to your IAM user or role.
Next, you’ll need to enable the AWS Account Management service for your organization so you can centrally manage alternate contacts. You can do this by using this CLI command from the management account:
aws organizations enable-aws-service-access --service-principal account.amazonaws.com
Finally, you can register a delegated administrator so users don’t need access to the management account to manage alternate contacts. You can do this by using this CLI command:
aws organizations register-delegated-administrator --account-id <YOUR-CHOSEN-ACCOUNT-ID> --service-principal account.amazonaws.com
For more information about managing alternate contacts in your organization, see Using AWS Account Management in your organization.
Automating your alternate contacts
This example shows how you can set the same security alternate contact on all of your organization accounts so your CCoE team can receive security notifications across all accounts in your organization. We’re going to use AWS CloudShell, a browser-based shell that is automatically authenticated with your AWS console credentials and accessible via the upper navigation bar of the AWS console. We’re also going to be operating out of a delegated administrator account that we’ve already set up. Before proceeding with the CLI actions, you will need to ensure that the CLI version that AWS CloudShell is running is 2.2.34 or later. To update your CloudShell CLI to the latest version, see this documentation.
loop-through-accounts.sh – This script gathers a list of all accounts in your organization and then executes the put-security-contact.sh script.
cat << EOF > loop-through-accounts.sh
#!/bin/bash
# The management account's alternate contacts cannot be set through the
# organization context, so it is looked up here and skipped in the loop.
managementaccount=\$(aws organizations describe-organization --query Organization.MasterAccountId --output text)
for account in \$(aws organizations list-accounts --query 'Accounts[].Id' --output text); do
  # Account IDs are 12-digit strings; compare them as strings, not integers.
  if [ "\$managementaccount" = "\$account" ]
  then
    echo 'Skipping management account.'
    continue
  fi
  ./put-security-contact.sh -a "\$account"
  # Short pause between calls to stay within the Account Management API request rate.
  sleep 0.2
done
EOF
chmod 755 loop-through-accounts.sh
Note: You’ll notice that the management account is explicitly excluded from the account list. This is because alternate contacts for the management account can only be modified using the standalone context, not the organization context. Additionally, if you expect more than 1,000 entries to be returned from the list-accounts call, you will have to add pagination support to this script to retrieve all accounts in your organization.
put-security-contact.sh – This script sets the security alternate contact onto the member account in your organization.
cat << EOF > put-security-contact.sh
#!/bin/bash
# Usage: ./put-security-contact.sh -a <ACCOUNT-ID>
while getopts a: flag
do
  case "\${flag}" in
    a) account_id=\${OPTARG};;
  esac
done
# Refuse to run without an account ID rather than calling the API with an empty value.
if [ -z "\${account_id:-}" ]; then
  echo 'Usage: ./put-security-contact.sh -a <ACCOUNT-ID>' >&2
  exit 1
fi
echo 'Put security contact for account '\$account_id'...'
# Replace the contact details below with your organization's actual security contact.
aws account put-alternate-contact \
  --account-id "\$account_id" \
  --alternate-contact-type=SECURITY \
  --email-address=security-contact@example.com \
  --phone-number="+1(555)555-5555" \
  --title="Security Contact" \
  --name="Mary Major"
echo 'Done putting security contact for account '\$account_id'.'
EOF
chmod 755 put-security-contact.sh
Note: When you use this script to update alternate contacts on your organization, make sure to replace the contact details with your actual contact information.
First, we are going to load the two scripts into the CLI. We can do this by copying the loop-through-accounts.sh script into the CLI and hitting the “Enter” key. Then, we’ll do the same thing with the put-security-contact.sh script.
Finally, we’ll go ahead and execute the script to update the security alternate contact on your organization with the following:
./loop-through-accounts.sh
The CLI output shows the script first pulling the list of accounts in your organization and then iterating through them, applying the specified security alternate contact to each account. We can verify that the security alternate contact has been applied by getting the security alternate contact for one of the accounts in your organization:
aws account get-alternate-contact --account-id XXXXXXXXXXXX --alternate-contact-type=SECURITY
Summary
Today, we are taking the first step and enabling you to programmatically manage the alternate contacts on accounts in your AWS organization. This makes it easier for the right individuals to get important notifications about all of your AWS accounts, saving time and operational burden. We walked through an example that easily updates the security alternate contact for all accounts in your organization. For more information and to get started, see Using AWS Account Management in your organization.
If you have comments about this post, submit them in the “Comments” section below. If you have questions about or issues implementing this solution, start a new thread on the Account Management forum.