
Add alternate contacts to AWS Organization member accounts programmatically

Managing the alternate contacts (billing, operations, and security) on your member accounts in AWS Organizations can be daunting, especially when the Organization has a large number of member accounts. Entering them one account at a time is tedious, so I will show how to set the same alternate contacts across all of the accounts in your Organization programmatically.

#### Why Alternate Contacts?

Usually you want the right people to receive AWS notifications about billing, operations and security for all of your accounts, so that your Cloud Center of Excellence (CCoE) team receives important notifications about your AWS accounts and can act on them.
Managing alternate contacts centrally becomes even more important as your organization scales to hundreds or thousands of accounts, saving time and reducing operational burden.
We're going to use AWS CloudShell, a browser-based shell that is automatically authenticated with your AWS console credentials and accessible from the upper navigation bar of the AWS console.

First, make sure that the AWS Identity and Access Management (IAM) user or role you want to manage alternate contacts with has the following permissions:

  • account:GetAlternateContact – allows the user to view the current alternate contact
  • account:PutAlternateContact – allows the user to set a new alternate contact
  • account:DeleteAlternateContact – allows the user to delete an alternate contact

Alternatively, grant the requisite permissions to manage alternate contacts by attaching the AWSAccountManagementFullAccess managed policy to your IAM user or role.

Next, you’ll need to enable the AWS Account Management service for your organization so you can centrally manage alternate contacts. You can do this by using this CLI command from the management account:

aws organizations enable-aws-service-access --service-principal account.amazonaws.com

Finally, you can register a delegated administrator so users don't need access to the management account to manage alternate contacts.

aws organizations register-delegated-administrator --account-id <YOUR-CHOSEN-ACCOUNT-ID> --service-principal account.amazonaws.com

#### Automating the alternate contacts

The first script gathers a list of all accounts in your organization and runs the contact script against each one. Paste it into your CloudShell:

cat << 'EOF' > update-alternate-contacts.sh
#!/bin/bash
# Filenames are placeholders; the post does not preserve the original script names.
# The quoted 'EOF' keeps the $ expansions literal until the script itself runs.
managementaccount=$(aws organizations describe-organization --query Organization.MasterAccountId --output text)

for account in $(aws organizations list-accounts --query 'Accounts[].Id' --output text); do
    # Compare account IDs as strings so a leading zero is never dropped.
    if [ "$managementaccount" = "$account" ]; then
        echo 'Skipping management account.'
        continue
    fi
    ./put-security-contact.sh -a "$account"
    sleep 0.2
done
EOF
chmod 755 update-alternate-contacts.sh

Note: The management account is explicitly excluded from the account list. This is because alternate contacts for the management account can only be modified using the standalone context, not the organization context.

The second script sets the security alternate contact on a member account in the AWS Organization. Paste it into your CloudShell:

cat << 'EOF' > put-security-contact.sh
#!/bin/bash
# Filename is a placeholder; the post does not preserve the original script name.
while getopts a: flag; do
    case "${flag}" in
        a) account_id=${OPTARG};;
    esac
done

if [ -z "$account_id" ]; then
    echo "Usage: $0 -a <ACCOUNT-ID>" >&2
    exit 1
fi

echo "Put security contact for account ${account_id}..."
# --email-address is required by the API; replace every value below with your real contact details.
aws account put-alternate-contact \
  --account-id "$account_id" \
  --alternate-contact-type=SECURITY \
  --email-address="security@example.com" \
  --phone-number="+1(111)222-3333" \
  --title="Security Contact" \
  --name="My Name"
echo "Done putting security contact for account ${account_id}."
EOF
chmod 755 put-security-contact.sh

FYI: make sure to replace the contact details with your actual contact information.
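Setting the contacts is only half of the job; once the scripts above have run, you also want to confirm that every member account actually carries the expected contact and to catch accounts that have drifted (for example an account that was created after the rollout). The following audit script is an added example, not code from the original post. It reads the contacts back with `get-alternate-contact` and reports drift; the `AWS_CLI` variable is an assumption of this example that lets a stub stand in for the real CLI during a dry run, the expected email is a constructed placeholder, and the account list is limited to `ACTIVE` accounts because suspended accounts reject contact operations.

```shell
#!/bin/bash
# Added example (not from the original post): audit the alternate contacts of
# every ACTIVE member account and report accounts whose contact email differs
# from the expected value. Needs the same IAM permissions described above.
# AWS_CLI is an assumption of this example: point it at a stub for a dry run.
set -u
AWS_CLI="${AWS_CLI:-aws}"

# Returns 0 if the argument looks like a 12-digit AWS account id.
valid_account_id() {
    case "$1" in
        ????????????) case "$1" in *[!0-9]*) return 1;; *) return 0;; esac;;
        *) return 1;;
    esac
}

# Returns 0 if the argument is one of the three supported contact types.
valid_contact_type() {
    case "$1" in
        BILLING|OPERATIONS|SECURITY) return 0;;
        *) return 1;;
    esac
}

# Prints the email address currently set for a contact type on an account.
# When the contact is not set the API returns an error, which is treated as
# "unset" (empty output).
current_contact_email() {
    account_id="$1"; contact_type="$2"
    "$AWS_CLI" account get-alternate-contact \
        --account-id "$account_id" \
        --alternate-contact-type "$contact_type" \
        --query AlternateContact.EmailAddress --output text 2>/dev/null
}

# Compares the configured email with the expected one; prints one status line
# and returns 0 on match, 1 on drift, on a missing contact or on bad input.
check_contact() {
    account_id="$1"; contact_type="$2"; expected_email="$3"
    valid_account_id "$account_id" || { echo "INVALID account id $account_id"; return 1; }
    valid_contact_type "$contact_type" || { echo "INVALID contact type $contact_type"; return 1; }
    actual=$(current_contact_email "$account_id" "$contact_type")
    if [ "$actual" = "$expected_email" ]; then
        echo "OK    $account_id $contact_type $actual"
        return 0
    fi
    echo "DRIFT $account_id $contact_type expected=$expected_email actual=${actual:-<unset>}"
    return 1
}

# Audits all ACTIVE accounts except the management account (whose contacts
# live in the standalone context). The exit status is the number of accounts
# with drift, so 0 means every member account matches.
audit_all() {
    contact_type="$1"; expected_email="$2"
    mgmt=$("$AWS_CLI" organizations describe-organization \
        --query Organization.MasterAccountId --output text)
    drift=0
    for account in $("$AWS_CLI" organizations list-accounts \
            --query 'Accounts[?Status==`ACTIVE`].Id' --output text); do
        [ "$account" = "$mgmt" ] && continue
        check_contact "$account" "$contact_type" "$expected_email" || drift=$((drift + 1))
    done
    return "$drift"
}

# Run in CloudShell as: ./audit-contacts.sh SECURITY security@example.com
# (the email is a constructed placeholder; use your real contact address).
if [ "$#" -ge 2 ]; then
    audit_all "$1" "$2"
fi
```

Because the exit status equals the number of drifted accounts, the script drops straight into a scheduled job or a pipeline step that fails when any member account is missing the expected contact; re-running the `put-security-contact.sh` loop above then closes the gap.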
