Profile Applicability

  • Level 1

Description:

Ensure that security contact information is registered and kept up to date in your AWS account settings. The security contact is one of the account's alternate contacts (alongside the billing and operations contacts): a designated name, title, email address and phone number to which AWS sends security notifications about the account, such as reports of suspicious activity involving your resources or potential misconfigurations.


Rationale:

Registering a valid, actively monitored security contact ensures that your organization is promptly informed of security incidents, configuration risks, compliance concerns and other critical notices issued by AWS. Without a correct and monitored security contact, these communications go to the primary account email (the root user address) or are missed entirely, delaying the response to potential threats.


Impact:

Not providing or updating the security contact information can result in:

  • Missed or delayed notification of security breaches or misconfigurations

  • Regulatory non-compliance due to a lack of timely awareness of incidents

  • Increased risk of data loss or unauthorized access


Default Value:

By default, AWS does not require a security contact to be configured. If none is set, AWS sends all correspondence, security notices included, to the primary account contact, i.e. the root user's email address, which is often an individual's mailbox or one that is not monitored effectively.

Pre-Requisites:

  • Root user access, or an IAM principal allowed the account:GetAlternateContact and account:PutAlternateContact actions

  • Email address for the designated security contact: a monitored distribution list or shared mailbox on the organization's own domain, not an individual's mailbox and not a public webmail address (Gmail, Yahoo, etc.)

  • Access to the AWS Management Console or the AWS CLI

Remediation:

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console as the root user, or as an IAM principal permitted account:GetAlternateContact

  2. Open the account menu (top right) and click Account

  3. In the Alternate Contacts section, confirm that a Security Contact is listed with a valid, organization-owned email address

  4. Confirm that the address is actively monitored by the security team and differs from the root user's email address

Implementation Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console as the root user, or as an IAM principal permitted account:PutAlternateContact

  2. Open the account menu (top right) and click Account

  3. Scroll to Alternate Contacts

  4. Click Edit next to the Security contact

  5. Enter the full name, title, email address and phone number (all four fields are required)

  6. Click Update
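The Test Plan and Implementation Plan above are console procedures. The following is an added example, not AWS or CIS code, that performs the same audit and remediation through the AWS Account Management API as exposed by boto3's "account" client (GetAlternateContact and PutAlternateContact). The client is passed in, so the checks run offline against the constructed FakeAccountClient below; the PUBLIC_MAIL_DOMAINS list and the root-email comparison are assumptions that encode the pre-requisites above.

```python
"""Audit and set the AWS account's SECURITY alternate contact.

Added example for this benchmark page; not AWS or CIS code. Assumes the
AWS Account Management API as exposed by boto3's "account" client
(GetAlternateContact / PutAlternateContact). The client is passed in so the
checks can run offline against the constructed FakeAccountClient below.
"""
from __future__ import annotations

from dataclasses import dataclass

# Consumer webmail domains that should not be the account's security contact.
# Illustrative list (an assumption); extend it to match your own policy.
PUBLIC_MAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}


@dataclass
class Finding:
    compliant: bool
    reason: str
    email: str | None = None


def _is_not_found(exc: Exception) -> bool:
    # botocore surfaces "no such contact" as a ClientError whose
    # response["Error"]["Code"] is ResourceNotFoundException.
    code = getattr(exc, "response", {}).get("Error", {}).get("Code")
    return code == "ResourceNotFoundException"


def audit_security_contact(client, root_email: str | None = None) -> Finding:
    """Test Plan steps 3-4 as code: is a usable security contact registered?"""
    try:
        resp = client.get_alternate_contact(AlternateContactType="SECURITY")
    except Exception as exc:
        if _is_not_found(exc):
            return Finding(False, "no SECURITY alternate contact registered")
        raise
    email = (resp.get("AlternateContact", {}).get("EmailAddress") or "").strip().lower()
    if "@" not in email:
        return Finding(False, "security contact has no valid email address", email or None)
    domain = email.rsplit("@", 1)[1]
    if domain in PUBLIC_MAIL_DOMAINS:
        return Finding(False, f"security contact uses public webmail domain {domain}", email)
    if root_email and email == root_email.strip().lower():
        return Finding(False, "security contact is the root user email; use a separate monitored mailbox", email)
    return Finding(True, "security contact registered", email)


def set_security_contact(client, name: str, email: str, phone: str, title: str) -> Finding:
    """Implementation Plan steps 4-6 as code. All four fields are required by the API."""
    client.put_alternate_contact(
        AlternateContactType="SECURITY",
        Name=name,
        EmailAddress=email,
        PhoneNumber=phone,
        Title=title,
    )
    return audit_security_contact(client)


class _NotFound(Exception):
    # Same shape botocore's ClientError exposes, so _is_not_found() matches it.
    response = {"Error": {"Code": "ResourceNotFoundException"}}


class FakeAccountClient:
    """Constructed offline stand-in for boto3.client("account")."""

    def __init__(self, contacts: dict | None = None):
        self.contacts = dict(contacts or {})

    def get_alternate_contact(self, AlternateContactType: str) -> dict:
        if AlternateContactType not in self.contacts:
            raise _NotFound()
        contact = dict(self.contacts[AlternateContactType], AlternateContactType=AlternateContactType)
        return {"AlternateContact": contact}

    def put_alternate_contact(self, AlternateContactType: str, Name: str, EmailAddress: str,
                              PhoneNumber: str, Title: str) -> dict:
        self.contacts[AlternateContactType] = {
            "Name": Name, "EmailAddress": EmailAddress, "PhoneNumber": PhoneNumber, "Title": Title,
        }
        return {}


if __name__ == "__main__":
    import boto3  # real run: needs credentials allowed account:GetAlternateContact / PutAlternateContact

    print(audit_security_contact(boto3.client("account")))
```

The AWS CLI equivalents are `aws account get-alternate-contact --alternate-contact-type SECURITY` and `aws account put-alternate-contact --alternate-contact-type SECURITY --name ... --title ... --email-address ... --phone-number ...`; from the Organizations management account or a delegated administrator, add `--account-id` (AccountId in boto3) to audit or set the contact on member accounts without signing in to each one.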

Backout Plan:

Changing this setting only affects where AWS sends security notifications; it has no effect on running workloads. If the wrong information is entered:

  1. Return to the Account Settings page

  2. Re-edit the Security Contact details

  3. Save the corrected information

References:

CIS Controls Mapping:

CIS Control Version | Control ID | Control Description
CIS v8              | 10.5       | Configure Trusted Communications Channels
CIS v7              | 16.13      | Conduct Periodic Review of Information System Accounts