Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. SPDX-License-Identifier: CC-BY-SA-4.0
The Account Alternate Contacts solution sets alternate contacts for all existing and future AWS Organization accounts.
Key solution features:
- Sets different alternate contacts for:
  - Billing: The alternate billing contact will receive billing-related notifications, such as invoice availability notifications.
  - Operations: The alternate operations contact will receive operations-related notifications.
  - Security: The alternate security contact will receive security-related notifications, including notifications from the AWS Abuse Team.
- Assumes a role in the management and member accounts to set the alternate contacts.
- Sets alternate contacts for all existing accounts, including the management account, and future accounts.
- Ability to delete alternate contacts via a parameter and CloudFormation update event.
- All resources are deployed via AWS CloudFormation as a StackSet and Stack Instance within the management account or a CloudFormation Stack within a specific account.
- The Customizations for AWS Control Tower solution deploys all templates as a CloudFormation StackSet.
- For parameter details, review the AWS CloudFormation templates.
- The Lambda IAM Role is used by the Lambda function to identify existing and future accounts that need Account Alternate Contacts configured.
- The Configuration IAM Role is assumed by the Lambda function to set alternate contacts for the management account and the member accounts.
- The Event Rule IAM Role is assumed by EventBridge to forward Global events to the Home Region default Event Bus.
- The AWS Control Tower Lifecycle Event Rule triggers the AWS Lambda Function when a new AWS Account is provisioned through AWS Control Tower.
- The Organization Compliance Scheduled Event Rule triggers the AWS Lambda Function to capture AWS Account status updates (e.g. suspended to active).
  - A parameter is provided to set the schedule frequency.
  - See the Instructions to Manually Run the Lambda Function for triggering the AWS Lambda Function before the next scheduled run time.
- The AWS Organizations Event Rule triggers the AWS Lambda Function when updates are made to accounts within the organization:
  - When AWS Accounts are added to the AWS Organization outside of the AWS Control Tower Account Factory (e.g. account created via the AWS Organizations console, account invited from another AWS Organization).
  - When tags are added or updated on AWS Accounts.
- If the Home Region is different from the Global Region (e.g. us-east-1), then global event rules are created within the Global Region to forward events to the Home Region default Event Bus.
  - The AWS Organizations Event Rule forwards AWS Organization account update events.
- SQS dead letter queue used for retaining any failed Lambda events.
- The Lambda function includes logic to set Account Alternate Contacts.
- All the AWS Lambda Function logs are sent to a CloudWatch Log Group (`/aws/lambda/<LambdaFunctionName>`) to help with debugging and traceability of the actions performed.
- By default the AWS Lambda Function will create the CloudWatch Log Group and logs are encrypted with a CloudWatch Logs service managed encryption key.
- Parameters are provided for changing the default log group retention and encryption KMS key.
- SNS Topic used to notify subscribers when messages hit the Dead Letter Queue (DLQ).
- SNS Topic used to fan out the Lambda function for setting the Account Alternate Contacts.
- Account Alternate Contacts (Billing, Operations, Security) are configured for all accounts.
- Account Alternate Contacts can be updated as necessary via CloudFormation parameters.
- Deleting the CloudFormation stack will not remove the existing Account Alternate Contacts (see the Solution Delete Instructions for details on deleting alternate contacts).
- Note: If a value is provided to the Exclude Alternate Contact Account Tags optional CloudFormation parameter, AWS accounts matching those tags are excluded and no account alternate contacts are applied to them.
- See 1.2 IAM Role.
- Download and Stage the SRA Solutions. Note: This only needs to be done once for all the solutions.
- Verify that the SRA Prerequisites Solution has been deployed.
Choose a Deployment Method:
- In the management account (home region), launch the sra-account-alternate-contacts-main-ssm.yaml template. This uses an approach where some of the CloudFormation parameters are populated from SSM parameters created by the SRA Prerequisites Solution.

```bash
aws cloudformation deploy \
  --template-file $HOME/aws-sra-examples/aws_sra_examples/solutions/account/account_alternate_contacts/templates/sra-account-alternate-contacts-main-ssm.yaml \
  --stack-name sra-account-alternate-contacts-main-ssm \
  --capabilities CAPABILITY_NAMED_IAM \
  --parameter-overrides \
    pBillingContactAction=add pBillingName=<BILLING_NAME> pBillingTitle=<BILLING_TITLE> pBillingEmail=<BILLING_EMAIL> pBillingPhone=<BILLING_PHONE> \
    pOperationsContactAction=add pOperationsName=<OPERATIONS_NAME> pOperationsTitle=<OPERATIONS_TITLE> pOperationsEmail=<OPERATIONS_EMAIL> pOperationsPhone=<OPERATIONS_PHONE> \
    pSecurityContactAction=add pSecurityName=<SECURITY_NAME> pSecurityTitle=<SECURITY_TITLE> pSecurityEmail=<SECURITY_EMAIL> pSecurityPhone=<SECURITY_PHONE> \
    pSRAAlarmEmail=<SRA_ALARM_EMAIL> \
    pExcludeAlternateContactAccountTags='<EXCLUDE_ALTERNATE_CONTACT_ACCOUNT_TAGS>'
```
- Log into the management account and navigate to the Account page.
  - Verify that the Alternate Contacts are set correctly.
- Log into a member account and verify the Alternate Contacts are set correctly.
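Checking contacts in the console one account at a time does not scale, and it does not catch later drift (a contact removed by an account owner, or a new account the scheduled rule has not reached yet). The following script, added here as an example and not part of the SRA solution's own code, audits every account against the values the stack was deployed with; it assumes management-account credentials, the `account:GetAlternateContact` permission, and that you pass the account IDs and the excluded accounts yourself (the exclusion tag format and the helper names are assumptions of this example).

```python
# Added example (not SRA code): report which org accounts drift from the deployed alternate contacts.
from typing import Callable, Dict, Iterable, Optional

CONTACT_TYPES = ("BILLING", "OPERATIONS", "SECURITY")
FIELDS = ("Name", "Title", "EmailAddress", "PhoneNumber")
# A fetcher returns the contact fields for (account_id, contact_type), or None if none is set.
Fetcher = Callable[[str, str], Optional[Dict[str, str]]]


def boto3_fetcher() -> Fetcher:
    """Fetcher over the AWS Account API; run with management-account credentials (assumed)."""
    import boto3  # lazy import keeps audit_alternate_contacts usable without boto3 installed

    account = boto3.client("account")
    self_id = boto3.client("sts").get_caller_identity()["Account"]

    def fetch(account_id: str, contact_type: str) -> Optional[Dict[str, str]]:
        # GetAlternateContact rejects AccountId for the caller's own account, so omit it there.
        params = {"AlternateContactType": contact_type}
        if account_id != self_id:
            params["AccountId"] = account_id
        try:
            return account.get_alternate_contact(**params)["AlternateContact"]
        except account.exceptions.ResourceNotFoundException:
            return None  # no contact of this type has been set on the account

    return fetch


def audit_alternate_contacts(account_ids: Iterable[str], expected: Dict[str, Dict[str, str]],
                             fetch: Fetcher, excluded: Iterable[str] = ()) -> Dict[str, Dict[str, str]]:
    """Return {account_id: {contact_type: 'MISSING' or 'MISMATCH:<fields>'}} for drifted accounts.

    `expected` maps each contact type to the values the stack parameters were deployed with;
    `excluded` lists accounts skipped via the Exclude Alternate Contact Account Tags parameter.
    """
    findings: Dict[str, Dict[str, str]] = {}
    skip = set(excluded)
    for acct in account_ids:
        if acct in skip:
            continue  # intentionally excluded accounts are not drift
        for ctype in CONTACT_TYPES:
            actual = fetch(acct, ctype)
            if actual is None:
                findings.setdefault(acct, {})[ctype] = "MISSING"
                continue
            drift = [f for f in FIELDS if actual.get(f) != expected[ctype].get(f)]
            if drift:
                findings.setdefault(acct, {})[ctype] = "MISMATCH:" + ",".join(drift)
    return findings
```

Feed it the ACTIVE account IDs from `organizations:ListAccounts` and `boto3_fetcher()`; an empty result means every non-excluded account matches, and any `MISSING` entry for an account created outside Account Factory is a sign to run the Lambda function manually rather than wait for the next scheduled run.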
Note: Deleting the solution will not delete the existing Account Alternate Contacts. If needed, update the CloudFormation stack to provide new alternate contacts.
- (Optional) In the management account (home region), to delete the alternate contacts, change the Billing Alternate Contact Action, Operations Alternate Contact Action, and Security Alternate Contact Action parameters to `delete` and update the AWS CloudFormation Stack (sra-account-alternate-contacts-main-ssm or sra-account-alternate-contacts-main).
- In the management account (home region), delete the AWS CloudFormation Stack (sra-account-alternate-contacts-main-ssm or sra-account-alternate-contacts-main).
- In the management account (home region), delete the AWS CloudWatch Log Group (e.g. /aws/lambda/<solution_name>) for the Lambda function deployed.
- In the management account (home region), navigate to the AWS Lambda Functions page.
- Select the checkbox next to the Lambda Function and select Test from the Actions menu.
- Scroll down to view the Test event.
- Click the Test button to trigger the Lambda Function with the default values.
- Verify that the updates were successful within the expected account(s).