Compliance · Medium severity

AWS Security Hub · Account

Account.1: No security contact is set for AWS to reach you

Written and reviewed by Emnode · Last reviewed

What does AWS Security Hub Account.1 check?

Account.1 reads the account's alternate-contact configuration and fails whenever no Security contact is registered. AWS lets you set alternate contacts for Operations, Billing, and Security alongside the root email; this control cares specifically about the Security one.

Why does Account.1 matter?

When AWS Trust & Safety detects compromised credentials — for example an access key leaked on GitHub and scraped by their secret-scanner — they email the registered Security contact. With none on file, that notification effectively goes nowhere, adding hours or days of response latency to a live compromise. SOC 2, ISO 27001, PCI DSS, and HIPAA also expect a documented, reachable incident-response contact.

How do I fix Account.1?

  1. Set a Security alternate contact on the account, using a monitored distribution list rather than one person's inbox.
  2. Provide a phone number alongside the email address.
  3. Apply this across every account, ideally automated through AWS Organizations.
  4. Review the contact periodically so it doesn't go stale as the team changes.

Remediation script · bash

# Single-account fix — run with the account's own credentials.
aws account put-alternate-contact \
  --alternate-contact-type SECURITY \
  --name "Security Operations" \
  --title "Security Team" \
  --email-address [email protected] \
  --phone-number "+1-555-0142-7700"

# Organisation-wide fix — run from the management account, loop across member IDs.
# Prerequisite (once per organisation): trusted access for AWS Account Management,
# without which the --account-id calls below are rejected.
aws organizations enable-aws-service-access --service-principal account.amazonaws.com

# PutAlternateContact does not accept --account-id for the management account
# itself; set that one with the single-account form above and skip it here.
mgmt_id=$(aws organizations describe-organization \
  --query 'Organization.MasterAccountId' --output text)

for account_id in $(aws organizations list-accounts --query 'Accounts[?Status==`ACTIVE`].Id' --output text); do
  [ "$account_id" = "$mgmt_id" ] && continue
  aws account put-alternate-contact \
    --account-id "$account_id" \
    --alternate-contact-type SECURITY \
    --name "Security Operations" \
    --title "Security Team" \
    --email-address [email protected] \
    --phone-number "+1-555-0142-7700"
done

# Verify after rollout. The call fails with ResourceNotFoundException when no
# Security contact is registered, which is exactly the state Account.1 flags.
aws account get-alternate-contact --alternate-contact-type SECURITY

for account_id in $(aws organizations list-accounts --query 'Accounts[?Status==`ACTIVE`].Id' --output text); do
  [ "$account_id" = "$mgmt_id" ] && continue
  aws account get-alternate-contact --account-id "$account_id" --alternate-contact-type SECURITY \
    --query 'AlternateContact.EmailAddress' --output text || echo "MISSING: $account_id"
done

Full walkthrough (console steps, edge cases and verification) in the lesson Set AWS account security contact information.

Is Account.1 a false positive?

A real person's individual email satisfies the check but defeats the purpose — point the Security contact at a monitored shared mailbox so a single absence doesn't mean AWS's breach notice is missed.
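To turn the verification step and the shared-mailbox point above into an audit you can run across an organisation, here is an added example (not Emnode's code) that evaluates the JSON returned by `aws account get-alternate-contact --alternate-contact-type SECURITY` per account: it reproduces the Account.1 verdict (contact present or not) and separately reports the stricter issues this page recommends checking. The approved-mailbox set and the sample accounts are constructed assumptions.

```python
"""Offline evaluator for Security Hub Account.1 plus the stricter checks this
page recommends. In practice, feed it the parsed JSON of
`aws account get-alternate-contact --alternate-contact-type SECURITY`."""
import re

# Assumption: distribution lists your org has approved for the Security
# contact. A personal inbox passes Account.1 but fails this extra check.
APPROVED_SECURITY_MAILBOXES = {"security-ops@example.com", "soc@example.com"}
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def evaluate_security_contact(contact):
    """contact: dict from get-alternate-contact, or None when the call raised
    ResourceNotFoundException (nothing registered). Returns the Account.1
    verdict plus any further issues found."""
    ac = (contact or {}).get("AlternateContact")
    if not ac:  # the only condition Account.1 itself fails on
        return {"account1": "FAILED", "issues": ["no Security contact registered"]}
    issues = []
    if ac.get("AlternateContactType") != "SECURITY":
        issues.append("returned contact is not the SECURITY type")
    email = (ac.get("EmailAddress") or "").strip().lower()
    if not EMAIL_RE.match(email):
        issues.append("email address missing or malformed")
    elif email not in APPROVED_SECURITY_MAILBOXES:
        issues.append(f"{email} is not an approved shared security mailbox")
    if not (ac.get("PhoneNumber") or "").strip():
        issues.append("no phone number on file")
    return {"account1": "PASSED", "issues": issues}


def accounts_needing_action(results):
    """results: {account_id: contact-or-None}. Returns only accounts whose
    control failed or that have an open issue, ready for a ticket or alert."""
    report = {}
    for account_id, contact in results.items():
        verdict = evaluate_security_contact(contact)
        if verdict["account1"] == "FAILED" or verdict["issues"]:
            report[account_id] = verdict
    return report


# Constructed sample: compliant account, personal inbox with no phone, no contact.
SAMPLE_RESULTS = {
    "111111111111": {"AlternateContact": {"AlternateContactType": "SECURITY",
        "EmailAddress": "security-ops@example.com", "PhoneNumber": "+1-555-0142-7700"}},
    "222222222222": {"AlternateContact": {"AlternateContactType": "SECURITY",
        "EmailAddress": "jane.doe@example.com"}},
    "333333333333": None,
}
```

Running `accounts_needing_action(SAMPLE_RESULTS)` flags the second account (personal inbox, no phone) even though Account.1 itself passes it, and the third account as a genuine Account.1 failure.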