Noise

Update the alternate security contact across your AWS accounts for timely security notifications

2021-10-07 Steven Bedeker

Post Syndicated from Steven Bedeker original https://aws.amazon.com/blogs/security/update-the-alternate-security-contact-across-your-aws-accounts-for-timely-security-notifications/

Amazon Web Services (AWS) will, from time to time, send you important security notifications about your account. Whether you have one AWS account or thousands, AWS Security needs to be able to reach you quickly. These notifications can include alerts from AWS Security about potentially fraudulent activity on your account, or messages from AWS Support and service teams on security-related topics connected to how the account is used. This is why we added the alternate security contact—an additional contact field within AWS accounts that you can use to ensure that the right people are notified at the right time.

Make sure you receive these notifications promptly by confirming that the contact details on your accounts—especially the security contact—are accurate and route to an email account that is regularly monitored. If you have multiple accounts, several teams might need to be notified of a security issue: the account owner, platform teams, and security teams, who must work together to investigate it. Contacting only the primary account holder’s email isn’t always sufficient, particularly in time-sensitive situations.

In larger organizations with decentralized development teams but a centralized security or governance function, the primary account holder is often a non-technical business owner with little insight into the workloads running in the account. For this reason, the typical best practice is a single centralized security contact address, pointing to a shared inbox or a distribution list, set on every account. Providing these additional contact details lets AWS alert more than one party, gives centralized teams a better view of decentralized environments, and reduces the risk that communications from AWS stall on one person.

Note: Although AWS Organizations lets you manage many aspects of account administration centrally, contact details are stored, and notifications sent, per account. To update contact details across many accounts, use the new AWS Account Management API, which can set alternate contacts on member accounts of an AWS Organizations organization programmatically.

Consider the challenges faced by a central security team at a large, diversified corporation, or at a large government agency with a wide range of sub-agencies, contractors, or resellers running workloads on its behalf. The primary account holder might be several steps removed from the central security team. In these cases, and particularly with contractors or resellers, the accounts involved might not belong to the same organization in AWS Organizations. Setting a single security contact email address in all the relevant AWS accounts gives the central security team a way to be notified of issues in those accounts regardless of who owns them.

To improve security communications with our customers, AWS has modified its internal systems and practices to send security-related email notifications to both the primary account holder and the alternate security contact (if one is provided). In some cases, the value you entered in the alternate security contact full name field is also included in this outreach. You can use the full name field to provide useful context about the account (for example, which business unit or environment it belongs to) to help a central security team expedite investigation and remediation. Because that field may be echoed in outbound email, don’t put sensitive information in it.

Conclusion

Make sure that the primary and alternate account contact details are set for the workload owners and for any additional teams that need to see security notifications. Pay special attention to the accuracy of the security contact, because AWS uses that email address for security-related outbound notifications. Centralize those notifications where appropriate by using a common shared inbox or distribution list across multiple AWS accounts. Account management information can be found at Managing an AWS account. You can use the newly launched Account Management API to programmatically monitor and, where needed, update the alternate contacts on individual accounts or on member accounts of an AWS Organizations organization.
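The note above and this conclusion both point at the Account Management API for auditing and updating alternate contacts across an organization. The following is an added example, not code from the original post or from AWS: it audits every account's SECURITY contact against a centralized distribution list, reports which accounts are missing a contact or have one routed elsewhere, and (outside dry-run) overwrites them. It assumes the boto3 `account` client's `get_alternate_contact` / `put_alternate_contact` calls and the Organizations `list_accounts` paginator; the management account must be addressed without an `AccountId`, which the code handles. `FakeAccountClient`, the account IDs and the contact values are constructed so the logic runs offline.

```python
"""Audit and enforce the alternate SECURITY contact across an AWS Organization.

Added example (not from the original post or AWS). Assumes the Account
Management API as exposed by boto3: client('account') with
get_alternate_contact / put_alternate_contact. FakeAccountClient is a
constructed in-memory stand-in so the audit logic runs offline.
"""

# Centralized contact every account should carry (constructed values).
# Keep Name free of sensitive detail: AWS may echo it in outbound email.
DESIRED_SECURITY_CONTACT = {
    "Name": "Central Security Team (shared inbox)",
    "Title": "Security Operations",
    "EmailAddress": "aws-security@example.com",   # assumed distribution list
    "PhoneNumber": "+1-555-0100",
}


class ContactNotSet(Exception):
    """Fake's equivalent of client.exceptions.ResourceNotFoundException,
    which the real API raises when no contact of that type exists."""


class FakeAccountClient:
    """Offline stand-in for boto3.client('account'); contacts are keyed by
    (AccountId, or None for the caller's own account; contact type)."""

    def __init__(self, existing):
        self._contacts = {k: dict(v) for k, v in existing.items()}
        self.puts = []  # (AccountId, contact type) for every write

    def get_alternate_contact(self, AlternateContactType, AccountId=None):
        key = (AccountId, AlternateContactType)
        if key not in self._contacts:
            raise ContactNotSet(key)
        return {"AlternateContact": dict(self._contacts[key])}

    def put_alternate_contact(self, AlternateContactType, AccountId=None, **fields):
        self.puts.append((AccountId, AlternateContactType))
        self._contacts[(AccountId, AlternateContactType)] = dict(fields)
        return {}


def current_security_contact(client, account_id, not_found_exc):
    """Return the SECURITY contact for account_id, or None when unset.
    account_id=None targets the calling account itself; the management
    account must be read this way because it cannot pass its own ID."""
    kwargs = {"AlternateContactType": "SECURITY"}
    if account_id is not None:
        kwargs["AccountId"] = account_id
    try:
        return client.get_alternate_contact(**kwargs)["AlternateContact"]
    except not_found_exc:
        return None


def classify(current, desired):
    """'missing' if no contact, 'drift' if mail goes anywhere but the shared
    inbox (addresses compared case-insensitively), else 'ok'."""
    if current is None:
        return "missing"
    if current.get("EmailAddress", "").lower() != desired["EmailAddress"].lower():
        return "drift"
    return "ok"


def enforce_security_contact(client, account_ids, management_account_id,
                             desired, not_found_exc, dry_run=True):
    """Audit every account; unless dry_run, overwrite non-'ok' contacts.
    Returns {account_id: status} as observed before any write."""
    report = {}
    for acct in account_ids:
        target = None if acct == management_account_id else acct
        status = classify(current_security_contact(client, target, not_found_exc), desired)
        report[acct] = status
        if status != "ok" and not dry_run:
            kwargs = {"AlternateContactType": "SECURITY", **desired}
            if target is not None:
                kwargs["AccountId"] = target
            client.put_alternate_contact(**kwargs)
    return report


def active_account_ids(org_client):
    """All ACTIVE accounts in the organization (real Organizations client)."""
    ids = []
    for page in org_client.get_paginator("list_accounts").paginate():
        ids.extend(a["Id"] for a in page["Accounts"] if a["Status"] == "ACTIVE")
    return ids


def run_demo():
    """Offline walk-through on constructed data: management account correct,
    one account unset, one routed to an individual, one correct but cased differently."""
    mgmt = "111111111111"
    accounts = [mgmt, "222222222222", "333333333333", "444444444444"]
    personal = dict(DESIRED_SECURITY_CONTACT, EmailAddress="bob@example.com",
                    Name="Bob (former account owner)")
    upper = dict(DESIRED_SECURITY_CONTACT, EmailAddress="AWS-Security@Example.com")
    fake = FakeAccountClient({
        (None, "SECURITY"): DESIRED_SECURITY_CONTACT,  # management account reads itself
        ("333333333333", "SECURITY"): personal,
        ("444444444444", "SECURITY"): upper,
    })
    args = (fake, accounts, mgmt, DESIRED_SECURITY_CONTACT, ContactNotSet)
    before = enforce_security_contact(*args, dry_run=True)
    enforce_security_contact(*args, dry_run=False)
    after = enforce_security_contact(*args, dry_run=True)
    return before, after, list(fake.puts)


if __name__ == "__main__":
    print(run_demo())
    # Against a real organization (credentials in the management or a delegated
    # administrator account, trusted access enabled for account.amazonaws.com):
    # import boto3
    # acct, org = boto3.client("account"), boto3.client("organizations")
    # mgmt_id = org.describe_organization()["Organization"]["MasterAccountId"]
    # print(enforce_security_contact(acct, active_account_ids(org), mgmt_id,
    #       DESIRED_SECURITY_CONTACT, acct.exceptions.ResourceNotFoundException))
```

Run it in dry-run mode first and review the report; accounts marked `drift` are the ones whose security notifications currently go to an individual rather than the shared inbox, which is exactly the failure mode the post warns about. Cross-organization accounts (contractors, resellers) are not reachable through the `AccountId` parameter and still need the contact set from within each account.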


Author

Steven Bedeker

Steven is a Security Technical Program Manager at AWS. Prior to AWS, he focused on distributed compute/virtualization and security capabilities with a Fortune 50 enterprise for 20+ years.

Tags: Account management, Alternate contacts, Alternate security contact, announcements, Foundational (100), Full name field, Security Blog, Security, Identity & Compliance
