Profile Applicability:

Level 1

Description:

AWS allows customers to register security-specific contact information in their AWS account settings. It is recommended that this information be specified to ensure AWS can directly communicate with the security team in case of security advisories, breaches, or incidents.

Rationale:

Security advisories and notifications sent by AWS should reach the appropriate team in your organization without delays. Registering a security contact ensures that:

  • AWS can contact the right personnel during a security event.

  • AWS security alerts are not missed by general IT or billing teams.

  • Multiple security personnel can monitor the emails and take immediate action.

Impact:

  • Failure to register a security contact may result in delayed responses to AWS security incidents.

  • Missed AWS security advisories could expose the organization to risks due to unaddressed vulnerabilities.

  • Compliance issues if security contacts are not periodically reviewed and updated.

Default Value:

By default, AWS does not require security contact information to be specified. If left blank, AWS security advisories may be sent to the default account owner contact instead of the security team.

Pre-Requisites:

  1. AWS Account Access:

    • IAM user with Billing permissions (aws-portal:*Billing).

    • IAM user with account management permissions (account:GetAlternateContact, account:PutAlternateContact).

  2. Security Team Contact Details:

    • Email: Preferably a security group email (e.g., [email protected]).

    • Phone: Use a PABX hunt group or security team call-forwarding system.

  3. Organization Approval:

    • Confirm who will be the designated security contact.

Remediation:

Test Plan:

Using AWS Console

  1. Click on your account name at the top-right corner of the AWS Console.

                       

  1. From the dropdown menu, click My Account.

                           

  1. Scroll down to the Alternate Contacts section.                

  2. Verify that Security Contact information is specified

Using AWS CLI

  • Run the following command to check the registered security contact:
     aws account get-alternate-contact --alternate-contact-type SECURITY
  • Ensure that the command output contains valid security contact details.

Implementation Steps:

Using Console:

  1. Click on your account name at the top-right corner of the AWS Console.

               

  1. From the dropdown menu, click My Account.

                         

  1. Scroll down to the Alternate Contacts section.    

  2. Locate the Security Contact section.

                   

  1. Click Edit and enter the following details:

    • Security Contact Name

    • Security Email Address (Use a security alias, e.g., [email protected]).

    • Security Phone Number (Ensure multiple security personnel can answer calls).

                   

  1. Click Save Changes.

                         

Using AWS CLI

Run the following command to register security contact information:

aws account put-alternate-contact --alternate-contact-type SECURITY \
--email-address "[email protected]" \
--name "Security Team" \
--phone-number "+1-800-555-1234"
  • Replace the email, name, and phone number with the actual security contact details.

Backout Plan:

If incorrect security contact details are saved:

  1. Return to My Account in the AWS Console.

  2. Navigate to Alternate Contacts and re-enter the correct details.

  3. Save changes and revalidate the contact details.

References:


CIS Controls Mapping:

CIS Control Version

Control ID

Control Description

CIS v8

17.2

Establish and maintain contact information for reporting security incidents. Verify contacts annually.

CIS v8

17.6

Define mechanisms for communicating during incident response. Regularly review and update these mechanisms.

CIS v7

19.2

Assign job titles and duties for incident response, ensuring incident tracking and resolution.