Compliance

Set AWS account security contact information

Security Hub Account.1 — when AWS Trust & Safety needs to reach you about a compromise, they need a real address on file. Set it once per account.

9 min·10 sections·AWS

Last reviewed 27 May 2026

Remediates AWS Security Hub: Account.1

Account security contact: the basics

What does Security Hub Account.1 actually check?

Every AWS account has a primary root email address, set when the account was created. AWS also lets you register up to three alternate contacts for distinct purposes: Operations (for outage and maintenance notices), Billing (for invoice and payment issues), and Security (for compromise notifications, abuse reports, and incident response). These are configured per-account via the Account API.

Security Hub control Account.1 ("Security contact information should be provided for an AWS account") fails whenever an account has no alternate Security contact registered. The control is straightforward: it reads the account's alternate-contact metadata and passes only if the SECURITY type is populated with a name, title, email, and phone number.

The misconfiguration is almost always benign neglect rather than malice — the account was created in a hurry, the root email points at one person's inbox, and nobody ever circled back to fill in the alternate contacts. Account.1 fires because that single-inbox setup is fragile in exactly the moments you need it most.

In this lesson you'll learn what AWS actually does with the Security contact, why the root-email-only setup quietly fails during real incidents, and how to register a security contact that survives staff turnover and weekends. You'll see the real CLI calls to read, set, and verify the contact across both a single account and an AWS Organization.

Fun fact

60 seconds, $0, fixes one of the most-flagged controls

Account.1 is consistently in the top ten most-failed Security Hub findings across the AWS estate — not because it's hard, but because it's invisible. The remediation is one API call per account, costs nothing, and survives forever. AWS's own Trust & Safety team has published incident write-ups where the difference between a 4-hour and a 4-day breach response was whether the Security contact was reachable on a Saturday. The whole fix takes less time than reading this paragraph.

Setting the security contact in action

Marco runs the platform team at a fintech. A Security Hub scan flags Account.1 across 14 of their 23 member accounts in the organisation. Severity: MEDIUM. He pulls up the management account first to see what's currently registered.

He's not just going to put his own email in — the whole point is that whoever is paged at 3am should reach the same inbox as whoever happens to be on duty during business hours. The company already runs a security@ distribution list backed by their PagerDuty rotation; that's the address that goes in.

He starts by checking what's currently set on the management account.

First, read the current Security alternate contact. A null result is exactly what triggers the Account.1 finding.

$ aws account get-alternate-contact --alternate-contact-type SECURITY

An error occurred (ResourceNotFoundException) when calling the GetAlternateContact operation:

No contact of type SECURITY is registered for this account.

# Empty contact slot — this is exactly what Account.1 flags.

The management account has no Security contact registered.

Now register a contact pointing at the security distribution list and the on-call rotation pager number.

$ aws account put-alternate-contact --alternate-contact-type SECURITY --name "Security Operations" --title "Security Team" --email-address [email protected] --phone-number "+1-555-0142-7700"

# Command returned successfully — no output on success.

$ aws account get-alternate-contact --alternate-contact-type SECURITY

{

"AlternateContact": {

"AlternateContactType": "SECURITY",

"EmailAddress": "[email protected]",

"Name": "Security Operations",

"PhoneNumber": "+1-555-0142-7700",

"Title": "Security Team"

}

# Distribution list + pager rotation — survives staff turnover and weekends.

Contact registered. Account.1 will pass on the next Security Hub evaluation.

Alternate contacts under the hooddeep dive

Alternate contacts live on the account itself, not in IAM, not in Organizations, not in any of the data-plane services. They're managed via the AWS Account Management API (the account namespace introduced in 2022), which exposes PutAlternateContact, GetAlternateContact, and DeleteAlternateContact. There are exactly three slots — OPERATIONS, BILLING, SECURITY — and each is independent. Setting Security has no effect on the other two.

AWS uses the Security contact for a specific, narrow set of communications: notifications when their internal monitoring spots credentials leaked on public GitHub repos, abuse reports filed by third parties against your resources, AWS Inspector and GuardDuty escalations that Trust & Safety chooses to action manually, takedown notices, and direct outreach when their Fraud team detects compromised account behaviour. The address is also used by the AWS Security team during coordinated vulnerability disclosure on services you're using.

Security Hub control Account.1 evaluates every 24 hours by default. The check is binary — populated or not — so a placeholder address technically passes the control while still failing the spirit of it. AWS Config also exposes the same data via the account-contact-details-configured rule for organisations that prefer Config to Security Hub for compliance reporting.

# How AWS evaluates the Account.1 check — a populated Security slot is the only pass condition.
aws account get-alternate-contact \
  --alternate-contact-type SECURITY \
  --query 'AlternateContact.{Email:EmailAddress,Phone:PhoneNumber,Name:Name}'

# Returns a populated object on PASS, or ResourceNotFoundException on FAIL.

What is the impact of running with no Security contact?

The most direct impact is incident response latency. When AWS Trust & Safety detects compromised credentials — for example, an access key leaked on GitHub being scraped by their continuous secret-scanner — they email the Security contact within minutes. With no Security contact set, the notification falls back to the root email. Root email lives in your IT admin's inbox, often unmonitored on evenings and weekends, and has no documented SLA. By the time someone sees it on Monday morning, an attacker has had 60+ hours of unsupervised access.

The second-order impact is regulatory. SOC 2, ISO 27001, PCI DSS, and HIPAA all expect a documented incident-response process with a clearly identified point of contact reachable 24/7. "AWS sent the notification to nobody in particular" is not a defensible answer in front of an auditor — and the Security Hub finding sitting open is the audit evidence that the control was missing.

The third-order impact is the breach itself. AWS's leaked-credential scanner finds keys faster than most organisations' own monitoring; the Security contact is your one direct line into that signal. Customers who've shipped a credential and recovered cleanly typically did so because AWS reached them within minutes; the ones who made the news were usually unreachable.

The fix costs zero dollars. There's no service charge, no usage cost, no per-account fee. The only "cost" is the engineering minute it takes to register the contact — measured against the engineering hours and potential breach cost of leaving it empty, the ROI is roughly infinite.

How do you set a security contact that actually works?

Setting the contact is a four-step loop: inventory existing contacts, set a durable address, propagate across the organisation, and verify the finding clears. Skipping any of them leaves accounts behind.

1. Inventory which accounts are missing the Security contact

Loop across every account in the organisation and call account get-alternate-contact --alternate-contact-type SECURITY. Anything that returns ResourceNotFoundException is failing Account.1 right now. Capture the account IDs into a list — this is your fix-it backlog. Do not skip dormant or sandbox accounts; AWS sends Trust & Safety notifications to them just as much as production accounts.

2. Use a distribution list and a rotation pager, never a person

The Security contact must outlive any individual. Register a group address — [email protected], aws-security@, or similar — backed by a real on-call rotation in PagerDuty/Opsgenie/your incident tool. The phone number should be the rotation pager, not a personal mobile. The single biggest failure mode of this control is "we set it to Marco when he was here in 2022 and he left in 2024" — a distribution list never resigns.

3. Propagate across the organisation from the management account

AWS Organizations lets the management account write alternate contacts on behalf of member accounts via --account-id <member-id>. Run a script: for every account ID in the org, call aws account put-alternate-contact --account-id <id> --alternate-contact-type SECURITY ... with the same payload. This is a one-time bulk fix; new accounts created by Control Tower or Account Factory can have the same call wired into their provisioning pipeline so the contact is registered automatically.

4. Verify the Security Hub finding clears

Security Hub re-evaluates Account.1 within 24 hours. After applying the contact, refresh the finding via aws securityhub get-findings --filters '{"GeneratorId":[{"Value":"security-control/Account.1","Comparison":"EQUALS"}]}'. Status should flip from FAILED to PASSED. If it doesn't, double-check that the contact populated all four fields — Security Hub is strict about complete data.

# Single-account fix — run as the account's own credentials.
aws account put-alternate-contact \
  --alternate-contact-type SECURITY \
  --name "Security Operations" \
  --title "Security Team" \
  --email-address [email protected] \
  --phone-number "+1-555-0142-7700"

# Organisation-wide fix — run from the management account, loop across member IDs.
for account_id in $(aws organizations list-accounts --query 'Accounts[?Status==`ACTIVE`].Id' --output text); do
  aws account put-alternate-contact \
    --account-id "$account_id" \
    --alternate-contact-type SECURITY \
    --name "Security Operations" \
    --title "Security Team" \
    --email-address [email protected] \
    --phone-number "+1-555-0142-7700"
done

# Verify after rollout.
aws account get-alternate-contact --alternate-contact-type SECURITY

Quick quiz

Question 1 of 5

Security Hub fires Account.1 on 14 of your member accounts. What's the most durable fix?

Keep learning

Dig deeper into account-level hygiene and Security Hub's account controls.

You've completed Set AWS account security contact information. You now know what AWS uses the Security contact for, why a distribution list and a pager rotation are the only durable answer, and how to roll the fix across an entire AWS Organization in a single loop. The next time Account.1 fires — or, more importantly, the next time AWS Trust & Safety needs to reach you about a compromise — your four-step loop has already done the work.

Back to the library

Account.1 security contact: what it means for audit exposure and zero-dollar compliance

A one-time registration that closes a recurring audit gap at no cost

Every AWS account has a root email address set at creation. AWS also supports three alternate contact slots — Operations, Billing, and Security — that route specific notifications to the right team. Security Hub control Account.1 fails whenever the Security slot is empty. The cost to fix it is literally zero: one API call per account, no recurring charge.

From a finance and FinOps standpoint, this control is notable because it is one of the few compliance findings where the cost-benefit math requires no analysis at all. There is no spend to approve, no trade-off to model. What there is, however, is audit exposure: SOC 2, ISO 27001, and PCI DSS all expect a documented, reachable incident-response contact. An open Account.1 finding is audit evidence that the control was absent — and the downstream cost of a delayed breach response because nobody saw AWS's notification lands in the security-incident budget, not the cloud budget.

The finance angle on Account.1 is governance, not cost. It belongs on the compliance checklist precisely because it costs nothing and has no excuse for being open. Accounts still failing it at quarter-end are an organisational process gap, not a resource-constraint problem.

This lesson is for the finance or FinOps partner who wants to understand why Account.1 keeps appearing on the compliance report and what it would take to permanently close it. You'll get the cost picture (zero dollars), the audit exposure it creates when open, and the one governance habit — a distribution list with a quarterly review — that keeps it from recurring. No CLI commands required.

Fun fact

60 seconds, $0, fixes one of the most-flagged controls

How a finance partner frames the Account.1 remediation backlog

Dana is the FinOps lead reviewing the quarterly compliance dashboard. Account.1 is FAILED across 14 member accounts. Her first question isn't technical — it's: why have these 14 been open for multiple quarters if the fix costs nothing and takes a minute per account?

She traces it back quickly: the accounts were created through a self-service vending pipeline that never wired in the security contact step. There's no budget blocker, no architectural decision, just a missing step in a provisioning script. Dana flags it as a process gap in the FinOps review: zero-cost compliance controls that remain open are an audit risk with no offsetting rationale.

Her ask to the platform team is two things: run the org-wide remediation script this sprint, and add the contact-registration step to the account-vending pipeline so new accounts arrive pre-compliant. She notes in the finance pack that Account.1 will be green next quarter, at no additional spend. The value isn't in the dollar saving — it's in closing an audit gap that has no business being open.

Why Account.1 belongs on the risk register despite costing nothing to fix

Account.1 is unusual among compliance findings because the cost to remediate is zero and the cost to ignore is potentially very large. The direct impact of a missing security contact is incident response latency: AWS notifies you in minutes when they detect a leaked credential; without a reachable contact, that notification disappears into an unmonitored inbox and the clock runs unchecked. The downstream cost of a multi-day undetected breach shows up as incident response hours, legal review, customer notification, and potential regulatory fine — none of which appear on the cloud bill until it's too late.

From a risk-register perspective, this is a pure probability-times-impact finding. The probability of AWS needing to reach you about a credential or abuse event is not negligible — credential leaks are common, and AWS's scanner finds them fast. The impact of a delayed response scales with how long the attacker has before anyone knows. A reachable Security contact compresses that window from days to minutes at zero marginal cost.

The finance contribution here is to track Account.1 open findings as an audit liability, not just a security metric. SOC 2 and ISO 27001 auditors will ask for evidence of a documented incident-response contact. An open finding at audit time is a control failure with no cost justification — unlike a finding that involves a genuine spend trade-off, this one has no defence. Zero-cost controls that remain open are process failures, and process failures have their own cost in audit remediation time and findings.

The four things finance can do to permanently close Account.1

The remediation is a one-time engineering action, but the ownership question — who ensures it stays clean — is a governance one that finance can anchor.

1. Classify Account.1 as a zero-cost mandatory control

In the compliance backlog, Account.1 has no cost trade-off. Mark it as a mandatory-remediation finding that doesn't qualify for deferral or risk-acceptance on cost grounds. Any open Account.1 at quarter-end is a process failure, not a resource-constraint decision, and should be reported as such.

2. Require a distribution list, not a personal address, as the standard

The finance governance point is that a personal email in this slot is nearly as fragile as an empty one — staff turn over, people go on leave, inboxes go unmonitored. The approved standard should be a group address backed by an on-call rotation. This is an HR and process decision that finance can help standardise in the vendor-management and IT-procurement policies.

3. Wire it into account provisioning costs and chargeback

If teams are charged back for account provisioning, compliance hygiene at launch — including security contact registration — can be a provisioning gate. An account that vends without a security contact is an incomplete provisioning job. Linking account vending sign-off to the contact check makes compliance a delivery requirement, not an afterthought.

4. Track open findings as audit liability at review

Put the count of accounts failing Account.1 on the quarterly compliance dashboard alongside the audit-exposure note: SOC 2 and ISO 27001 auditors treat this as a documented control requirement. Every account still open at audit time is a finding with no cost justification — and the remediation cost is a single API call, so the justification for leaving it open doesn't exist.

Quick quiz

Question 1 of 5

Account.1 is open across 22 accounts at quarter-end. Engineering says the fix is a one-time script that takes an afternoon. As the finance partner, how do you categorise this in the compliance review?

Keep learning

Dig deeper into account-level hygiene and Security Hub's account controls.

You've finished the finance view of Account.1. The key numbers to carry forward: the remediation cost is zero dollars, the audit exposure of leaving it open is real across SOC 2 and ISO 27001, and the risk-register framing is that a missing security contact compresses an hours-long response window into a multi-day one at no offsetting saving. Zero-cost controls that stay open are process failures — and now you know how to say that clearly in a compliance review.

Back to the library

Account.1: making sure AWS can reach you when it matters

A contact registration that determines whether you learn about a breach in minutes or days

AWS actively monitors the internet for leaked credentials tied to your accounts. When they find one, they email the Security contact immediately. If that slot is empty, the notification falls back to the root account email — typically an IT admin inbox that goes unmonitored on evenings and weekends. By the time someone reads it, an attacker may have had days of unsupervised access. Security Hub Account.1 exists to ensure that channel is always open.

This is a governance and accountability control. The fix is a single API call and costs nothing. What it represents is whether the organisation has done the minimal work to stay reachable during an incident. A company that fails Account.1 across dozens of accounts hasn't made a cost trade-off — it has simply not gotten around to it, which is the wrong answer in a post-incident review.

The executive posture here is straightforward: every account should have a security contact that reaches a monitored group inbox backed by an on-call rotation, not an individual's personal address. That's a process decision, not a technical one, and it should be set once and verified quarterly.

A brief read for the executive who wants to understand what Account.1 protects and why it's still open across so many accounts. You'll learn what AWS actually does with the Security contact, why a personal email in that slot is as risky as an empty one, and what the healthy end state looks like: a group inbox, an on-call pager, and a verified fix across every account in the organisation. No technical depth needed.

Fun fact

60 seconds, $0, fixes one of the most-flagged controls

What it looks like when the org treats this as a process, not a one-time fix

At one company the CISO, Amara, discovered during a tabletop exercise that AWS had tried to reach them six weeks earlier about a suspected credential leak. The notification had gone to a deactivated root email. Nobody had seen it. The account had been sitting quietly compromised for weeks.

The finding wasn't a failure of technology — it was a failure of governance. No one owned the security contact registration as a step in the account-creation process. After the exercise, Amara made two changes: all accounts got the contact registered from the management account in a single afternoon, and account vending was updated to include registration as a required step before an account was handed to a team.

The executive takeaway is that Account.1 is a process maturity indicator. A company with it consistently open isn't making a difficult trade-off — it hasn't built the habit of treating account hygiene as a first-class provisioning requirement. The fix is a policy decision, not an engineering project.

The single most cost-effective item on the security dashboard

This control has an unusual profile: the remediation costs nothing and the risk of ignoring it is material. When AWS detects a credential leak or account compromise, they contact the Security alternate address immediately. With no contact set, that notification reaches no one who can act on it. The difference in breach impact between a four-hour response and a four-day response is often the difference between a non-event and a customer-facing incident.

The leadership question is not whether to fix it — there is no cost argument against it. The question is why it's open, and whether the provisioning process for new accounts has been updated so it never opens again. A consistently clean Account.1 posture is evidence of process maturity: the organisation treats account hygiene as a first-class step in account creation, not an afterthought.

The leadership posture on Account.1

This isn't a resource-allocation decision. It's a question of whether the organisation has operationalised the basics. Three moves close it permanently.

1. Make the security contact a provisioning requirement

Account.1 stays open because it was never a required step when accounts were created. The executive fix is a policy decision: no account is considered provisioned — and therefore not eligible for production workloads — until the security contact is registered. That converts a reactive remediation into a preventive gate.

2. Mandate a group inbox, not a person

A personal email in the security contact slot defeats its own purpose. The policy should specify a monitored group address with a named on-call rotation. This is an accountability decision: who owns the security notification channel for the organisation, and is that ownership documented and durable across staff changes?

3. Review the count at the leadership cadence, not the engineering cadence

Accounts still failing Account.1 aren't a technical problem requiring engineering attention — they're a governance indicator that the provisioning process is incomplete. The one leadership question is: 'Is this count trending to zero, and has the vending pipeline been updated to prevent new gaps?' That's a yes or no answer, not a dashboard deep-dive.

Quick quiz

Question 1 of 5

Your organisation has 40 AWS accounts. Account.1 is consistently green — every account has a security contact pointing at the security@ distribution list tied to the on-call rotation, and new accounts get it registered automatically during vending. What does this tell you?

Keep learning

Dig deeper into account-level hygiene and Security Hub's account controls.

That's the lesson. Account.1 is the simplest governance indicator on the security dashboard: it costs nothing, it takes an afternoon to fix organisation-wide, and a company that leaves it open for multiple quarters hasn't made a cost trade-off — it has a provisioning process gap. The healthy state is a group inbox, a rotation pager, and a vending pipeline that registers the contact before the account ships. That's a policy decision, and it's yours to make.

Back to the library

Set AWS account security contact information

Account security contact: the basics

60 seconds, $0, fixes one of the most-flagged controls

Setting the security contact in action

Alternate contacts under the hooddeep dive

What is the impact of running with no Security contact?

How do you set a security contact that actually works?

1. Inventory which accounts are missing the Security contact

2. Use a distribution list and a rotation pager, never a person

3. Propagate across the organisation from the management account

4. Verify the Security Hub finding clears

Quick quiz

Keep learning

Account.1 security contact: what it means for audit exposure and zero-dollar compliance

60 seconds, $0, fixes one of the most-flagged controls

How a finance partner frames the Account.1 remediation backlog

Why Account.1 belongs on the risk register despite costing nothing to fix

The four things finance can do to permanently close Account.1

1. Classify Account.1 as a zero-cost mandatory control

2. Require a distribution list, not a personal address, as the standard

3. Wire it into account provisioning costs and chargeback

4. Track open findings as audit liability at review

Quick quiz

Keep learning

Account.1: making sure AWS can reach you when it matters

60 seconds, $0, fixes one of the most-flagged controls

What it looks like when the org treats this as a process, not a one-time fix

The single most cost-effective item on the security dashboard

The leadership posture on Account.1

1. Make the security contact a provisioning requirement

2. Mandate a group inbox, not a person

3. Review the count at the leadership cadence, not the engineering cadence

Quick quiz

Keep learning

Related compliance lessons