MEDIUM Account · CIS 1.2

Security contact registered

Check ID: aws-account-001

AWS-ACCOUNT-001 is an AWS security check performed by cloud-audit, an open-source AWS security scanner. It checks whether a SECURITY alternate contact is registered for the AWS account. AWS sends security-related notifications to this contact in addition to the root (primary) email address, so it is the one place you can point security alerts at a mailbox your security team actually watches.

Why it matters

Without a registered security contact, AWS notifications about exposed credentials, misconfigured resources, or abuse originating from the account go only to the root email address, which is often an unmonitored shared mailbox or a former employee's address. AWS Trust & Safety sends abuse notices when your resources are observed taking part in cryptocurrency mining, DDoS attacks, or malware hosting, and expects a timely response; if notices go unanswered, AWS can restrict or suspend the account, an outage that is frequently worse than the original security issue. The same applies to notifications about access keys found in public repositories: with a monitored security contact, the warning reaches the people who can rotate the key and contain the incident before it turns into data loss.

Common causes

The security contact field sits in the account settings and is not part of the account creation flow. Accounts created through AWS Organizations never see an alternate contact prompt either, because setting contacts is a separate Account Management API call, not part of CreateAccount; contacts for member accounts can be set centrally from the management account (or a delegated administrator) once trusted access is enabled for the Account Management service, but nothing does this by default. Teams also assume the root email address is sufficient for all notifications and forget that it may route to an individual who has since left the company.

Detection

Run cloud-audit to detect this issue:

pip install cloud-audit
cloud-audit scan -R

The -R flag includes remediation details for every finding, including this one.
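For readers who want to see what the check does without running the scanner, here is an added standalone script. It is example code written for this page, not cloud-audit's own implementation, and the placeholder-domain list and the optional root-email comparison are this example's heuristics, not AWS or CIS requirements. It assumes boto3 and permission to call account:GetAlternateContact (plus organizations:ListAccounts and sts:GetCallerIdentity for the --org mode); the grading logic itself runs offline against a constructed contact object.

```python
"""Check whether a SECURITY alternate contact is registered for one or more AWS accounts.

Added example for this page, not cloud-audit's own code. The grading function is
pure so it can be exercised offline; only main() touches AWS.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Domains that indicate a copy-pasted placeholder rather than a real mailbox (example heuristic).
PLACEHOLDER_DOMAINS = {"example.com", "example.org", "example.net"}
EMAIL_RE = re.compile(r"^[^@\s]+@([^@\s]+\.[^@\s]+)$")


@dataclass
class Finding:
    account_id: str
    status: str  # "PASS" or "FAIL"
    detail: str


def evaluate_security_contact(account_id: str, contact: Optional[dict],
                              root_email: Optional[str] = None) -> Finding:
    """Grade the AlternateContact object returned by account:GetAlternateContact.

    contact is None when the API raised ResourceNotFoundException, i.e. no
    SECURITY contact is registered. root_email is optional; when given, a
    security contact that merely repeats the root address is failed because it
    does not add a second, independently monitored mailbox.
    """
    if contact is None:
        return Finding(account_id, "FAIL", "no SECURITY alternate contact registered")
    if contact.get("AlternateContactType") != "SECURITY":
        return Finding(account_id, "FAIL",
                       f"unexpected contact type {contact.get('AlternateContactType')!r}")
    email = (contact.get("EmailAddress") or "").strip().lower()
    match = EMAIL_RE.match(email)
    if not match:
        return Finding(account_id, "FAIL", "security contact has no valid email address")
    if match.group(1) in PLACEHOLDER_DOMAINS:
        return Finding(account_id, "FAIL", f"security contact email {email} is a placeholder")
    if root_email and email == root_email.strip().lower():
        return Finding(account_id, "FAIL",
                       "security contact email equals the root email; no independent mailbox")
    return Finding(account_id, "PASS", f"security contact {contact.get('Name')} <{email}>")


def fetch_security_contact(client, account_id: Optional[str] = None) -> Optional[dict]:
    """Read the SECURITY contact via the Account API; None means it is not registered.

    Omit account_id for the calling account. From the management account (or a
    delegated administrator) pass a member account ID; this needs trusted access
    enabled for the Account Management service in AWS Organizations.
    """
    params = {"AlternateContactType": "SECURITY"}
    if account_id:
        params["AccountId"] = account_id
    try:
        return client.get_alternate_contact(**params)["AlternateContact"]
    except client.exceptions.ResourceNotFoundException:
        return None


def main(argv):
    import boto3  # imported here so the pure functions above stay importable offline
    client = boto3.client("account")
    me = boto3.client("sts").get_caller_identity()["Account"]
    if argv and argv[0] == "--org":
        # Walk every active account in the organization (management account only).
        pages = boto3.client("organizations").get_paginator("list_accounts").paginate()
        targets = [a["Id"] for page in pages for a in page["Accounts"] if a["Status"] == "ACTIVE"]
    else:
        targets = argv or [me]
    failures = 0
    for acct in targets:
        # The API rejects AccountId for the caller's own account, so omit it there.
        contact = fetch_security_contact(client, None if acct == me else acct)
        finding = evaluate_security_contact(acct, contact)
        failures += finding.status == "FAIL"
        print(f"{finding.status} {finding.account_id}: {finding.detail}")
    return 1 if failures else 0


if __name__ == "__main__":
    import sys
    sys.exit(main(sys.argv[1:]))
```

Run it with no arguments for the current account, with member account IDs as arguments from the management account, or with --org to sweep every active account. The CLI equivalent of fetch_security_contact is `aws account get-alternate-contact --alternate-contact-type SECURITY`, which returns a ResourceNotFoundException when no contact is set; that exception, not an empty result, is what "unregistered" looks like.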

Remediation: AWS CLI

aws account put-alternate-contact \
  --alternate-contact-type SECURITY \
  --name "Security Team" \
  --title Security \
  --email-address security@example.com \
  --phone-number "+1-555-0100"

Use a monitored distribution list for --email-address, not an individual's mailbox. From the management account or a delegated administrator, add --account-id <member-account-id> to set the contact on a member account; this requires trusted access for the Account Management service to be enabled in AWS Organizations.

Remediation: Terraform

resource "aws_account_alternate_contact" "security" {
  alternate_contact_type = "SECURITY"
  name                   = "Security Team"
  title                  = "Security"
  email_address          = "security@example.com"
  phone_number           = "+1-555-0100"
}

Compliance mapping

This check maps to CIS 1.2 in the CIS AWS Foundations Benchmark. The CIS Benchmark provides prescriptive guidance for configuring security options for a subset of AWS services.

This check is part of cloud-audit - install with pip install cloud-audit