Managing the alternate contacts (billing, operations, and security) on your member accounts in AWS Organizations can be daunting, especially when the organization has a large number of member accounts. Entering them one account at a time is tedious, so I will show how to set the same alternate contacts across all of your accounts programmatically, organization-wide.
#### Why Alternate Contacts?
Mostly we want the right people to receive AWS notifications regarding billing, operations and security on all of your accounts, so that your Cloud Center of Excellence (CCoE) team receives important notifications about your AWS accounts and can take due action.
Managing alternate contacts becomes even more important as your organization scales to hundreds or thousands of accounts; doing it centrally saves you time and reduces operational burden.
We’re going to use AWS CloudShell, a browser-based shell that is automatically authenticated with your AWS console credentials and accessible via the upper navigation bar of the AWS console.
Note: first, make sure that the AWS Identity and Access Management (IAM) user or role you will manage alternate contacts with has the following permissions:
- `account:GetAlternateContact` – allows the user to view the current alternate contact
- `account:PutAlternateContact` – allows the user to set a new alternate contact
- `account:DeleteAlternateContact` – allows the user to delete an alternate contact
Alternatively, grant the requisite permissions by attaching the AWSAccountManagementFullAccess managed policy to your IAM user or role; note that this policy is broader than the three actions above, which are the least-privilege choice.
Next, you’ll need to enable trusted access for the AWS Account Management service in your organization so you can centrally manage alternate contacts. Run this CLI command from the management account:

```bash
aws organizations enable-aws-service-access --service-principal account.amazonaws.com
```

Finally, you can register a delegated administrator so that users don’t need access to the management account to manage alternate contacts:

```bash
aws organizations register-delegated-administrator --account-id <YOUR-CHOSEN-ACCOUNT-ID> --service-principal account.amazonaws.com
```
#### Automating the Alternate Contacts
loop-accounts.sh – This script gathers a list of all active accounts in your organization and then executes the security-contact.sh script for each of them. Paste the script into your CloudShell:

```bash
cat << 'EOF' > loop-accounts.sh
#!/bin/bash

# The management account's contacts cannot be set through the organization
# context, so look it up first and skip it inside the loop.
managementaccount=$(aws organizations describe-organization \
  --query Organization.MasterAccountId --output text)

# Only ACTIVE accounts: put-alternate-contact fails for suspended ones.
for account in $(aws organizations list-accounts \
  --query "Accounts[?Status=='ACTIVE'].Id" --output text); do
  if [ "$managementaccount" = "$account" ]; then
    echo 'Skipping management account.'
    continue
  fi
  ./security-contact.sh -a "$account"
  sleep 0.2   # small pause to stay well under the Account API rate limit
done
EOF
chmod 755 loop-accounts.sh
```
Note: The management account is explicitly excluded from the account list. This is because alternate contacts for the management account can only be modified using the standalone context, not the organization context.
security-contact.sh – This script sets the security alternate contact on one member account in the AWS Organization. Paste the script into your CloudShell:

```bash
cat << 'EOF' > security-contact.sh
#!/bin/bash
set -euo pipefail

account_id=""
while getopts a: flag; do
  case "${flag}" in
    a) account_id=${OPTARG};;
    *) echo "Usage: $0 -a <account-id>" >&2; exit 1;;
  esac
done
if [ -z "$account_id" ]; then
  echo "Usage: $0 -a <account-id>" >&2
  exit 1
fi

echo "Put security contact for account ${account_id}..."
# Replace the placeholder contact details below with your own.
aws account put-alternate-contact \
  --account-id "$account_id" \
  --alternate-contact-type=SECURITY \
  --email-address="security@example.com" \
  --phone-number="+1(111)222-3333" \
  --title="Security Contact" \
  --name="My Name"
echo "Done putting security contact for account ${account_id}."
EOF
chmod 755 security-contact.sh
```
FYI: make sure to replace the contact details (name, title, email address and phone number) with your actual contact information before running the scripts.
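As an added check that is not part of the original post, the following Python script (using boto3, which CloudShell ships with) audits the SECURITY contact on every member account and reports which ones are missing it or have drifted from the desired values, so you can confirm the run above succeeded or re-run it only where needed. The contact values are constructed placeholders; the `ACTIVE` filter and the management-account skip mirror the loop script above.

```python
from typing import Callable, Iterable, Optional

# Desired SECURITY contact; constructed placeholders, replace with your own values.
DESIRED = {"Name": "My Name", "Title": "Security Contact",
           "EmailAddress": "security@example.com", "PhoneNumber": "+1(111)222-3333"}
FIELDS = tuple(DESIRED)

Fetch = Callable[[str], Optional[dict]]  # account_id -> current contact, or None if unset


def diff_contact(desired: dict, actual: dict) -> list:
    """Names of the fields whose current value differs from the desired one."""
    return [f for f in FIELDS if desired.get(f) != actual.get(f)]


def audit_account(account_id: str, fetch: Fetch, desired: dict = DESIRED) -> dict:
    """Classify one account as MISSING (no contact set), DRIFT or OK."""
    actual = fetch(account_id)
    if actual is None:
        return {"AccountId": account_id, "Status": "MISSING", "Fields": list(FIELDS)}
    drift = diff_contact(desired, actual)
    return {"AccountId": account_id, "Status": "DRIFT" if drift else "OK", "Fields": drift}


def audit_organization(account_ids: Iterable[str], management_account_id: str,
                       fetch: Fetch, desired: dict = DESIRED) -> list:
    """Audit every member account; the management account is skipped because its
    contacts can only be changed in the standalone context."""
    return [audit_account(a, fetch, desired) for a in account_ids if a != management_account_id]


def boto_fetch(account_client) -> Fetch:
    """Wrap boto3's Account client; get_alternate_contact raises
    ResourceNotFoundException when no SECURITY contact has been set."""
    def fetch(account_id: str) -> Optional[dict]:
        try:
            resp = account_client.get_alternate_contact(
                AccountId=account_id, AlternateContactType="SECURITY")
            return resp["AlternateContact"]
        except account_client.exceptions.ResourceNotFoundException:
            return None
    return fetch


if __name__ == "__main__":
    import boto3  # imported here so the pure functions above run without it
    org = boto3.client("organizations")
    mgmt = org.describe_organization()["Organization"]["MasterAccountId"]
    ids = [a["Id"] for page in org.get_paginator("list_accounts").paginate()
           for a in page["Accounts"] if a["Status"] == "ACTIVE"]
    for row in audit_organization(ids, mgmt, boto_fetch(boto3.client("account"))):
        print(row["AccountId"], row["Status"], ",".join(row["Fields"]))
```

Run it from the same delegated administrator (or management account) session used for the scripts; each line reports the account ID, its status, and the fields that need correcting.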