Updating the root user email address for a member account with AWS Organizations
For increased security and administrative resilience, IAM principals in the management
account that have the necessary IAM permissions can centrally update the root user email
address (also referred to as the primary email address) of any member account without
signing in to each account individually. This gives administrators in the management
account (or in a delegated administrator account) more control over their member
accounts. It also ensures that the root user email addresses of member accounts across
your organization can be kept up to date, even after access to the original root user
email address or to the account's administrative credentials has been lost.
When the root user email address is changed centrally by a management account
administrator, the root user's password and MFA configuration remain as they were
before the change. Note, however, that MFA can be bypassed by a user who controls an
account's root user email address and primary contact phone number, so the ability to
change this address is effectively the ability to take over the member account's root
user; grant it as narrowly as you would grant root access itself.
To update the root user email address of a member account in your organization, the
organization must have all features enabled. Organizations in consolidated billing mode,
and accounts that are not part of an organization, can't update the root user email
address centrally. For accounts that the API doesn't support, continue to manage the
root user email address in the Billing Console.
Update the root user email address for a member account
Use the following procedure to update the root user email address.
- AWS Management Console
- To perform this procedure from the management account or a delegated admin account in an organization against member accounts, you must enable trusted access for the Account Management service.
- You can't use this procedure to access an account in a different organization from the one you're using to call the operation.
To update the root user email address for a member account using the AWS Organizations console
- Sign in to the AWS Organizations console with a principal in the management account (or the delegated administrator account) that has the necessary IAM permissions. Signing in as the management account's root user also works, but is not recommended for routine administration.
- On the AWS accounts page, choose the member account for which you want to update the root user email address.
- In the Account details section, choose the Actions button, and then choose Update email address.
- Under Email, enter the new email address for the root user, and then choose Save. This sends a one-time password (OTP) to the new email address. If you need to close this page in the Organizations console while you wait for the code, you can return and finish the OTP process within 24 hours from when the code was sent. To do this, on the Account details page, choose the Actions button, and then choose Complete email update.
- Under Verification code, enter the code that was sent to the new email address in the previous step, and then choose Confirm. This commits the update to the root user for the account.
- AWS CLI & AWS SDKs
You can retrieve or update the root user email address (also referred to as the primary email address) by using the following AWS CLI commands or their AWS SDK equivalent operations:
- To perform these operations from the management account or a delegated admin account in an organization against member accounts, you must enable trusted access for the Account Management service.
- You can't access an account in a different organization from the one you're using to call the operation.
For each operation, you must have the permission that maps to that operation:
- GetPrimaryEmail requires account:GetPrimaryEmail
- StartPrimaryEmailUpdate requires account:StartPrimaryEmailUpdate
- AcceptPrimaryEmailUpdate requires account:AcceptPrimaryEmailUpdate
Because the permissions are separate, you can grant some users only the ability to read the root user email address (account:GetPrimaryEmail), and grant others the ability to both read and change it (all three actions).
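The read-only versus read-and-write split above, as an added example that is not part of the AWS documentation: a POSIX shell script that emits the two IAM policy documents (one carrying only account:GetPrimaryEmail, one carrying all three actions) and creates them with aws iam create-policy. The policy names, the DRY_RUN switch and the run wrapper are this example's own conventions. The optional Resource ARN uses the Account Management resource format for a member account in an organization (management account ID, organization ID, member account ID); the IDs shown are placeholders, and you should confirm the format against the service authorization reference before relying on it.

```shell
#!/bin/sh
# Added example (not from the AWS documentation): emit and create the two
# IAM policies implied by the read/write split. Policy names, the DRY_RUN
# switch and the run wrapper are this example's own conventions.
set -eu

# DRY_RUN=1 prints the aws command instead of running it.
run() {
  if [ -n "${DRY_RUN:-}" ]; then
    echo "aws $*"
  else
    aws "$@"
  fi
}

# policy_document MODE [RESOURCE]
#   MODE is "read" (GetPrimaryEmail only) or "write" (all three actions).
#   RESOURCE defaults to "*"; to limit a policy to one member account, pass
#   the Account Management ARN for an account in an organization, assumed
#   here to have the form
#   arn:aws:account::<management-account-id>:account/<organization-id>/<member-account-id>
policy_document() {
  mode=$1
  resource="${2:-*}"
  case "$mode" in
    read)  actions='"account:GetPrimaryEmail"' ;;
    write) actions='"account:GetPrimaryEmail", "account:StartPrimaryEmailUpdate", "account:AcceptPrimaryEmailUpdate"' ;;
    *)     echo "policy_document: MODE must be read or write" >&2; return 1 ;;
  esac
  printf '{"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": [%s], "Resource": "%s"}]}\n' \
    "$actions" "$resource"
}

# create_email_policy MODE POLICY_NAME [RESOURCE]: create the managed policy.
create_email_policy() {
  doc=$(policy_document "$1" "${3:-*}") || return 1
  run iam create-policy --policy-name "$2" --policy-document "$doc"
}

# Usage (with no arguments the script only defines the functions):
#   sh email_policies.sh read  RootEmailReadOnly
#   sh email_policies.sh write RootEmailRotate arn:aws:account::111111111111:account/o-exampleorgid/222222222222
if [ $# -ge 2 ]; then
  create_email_policy "$@"
fi
```

Attach the read-only policy to the auditors who need to know which mailbox holds root for each account, and the write policy only to the small group that is allowed to take over a member account's root user; the write policy is the one to alert on when it is attached to anything new.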
To complete the root user email update process, you must call the primary email APIs together, in the order shown in the examples below: StartPrimaryEmailUpdate sends the OTP to the new address, and AcceptPrimaryEmailUpdate commits the change.
Example GetPrimaryEmail
The following example retrieves the root user email address from the
specified member account in an organization. The credentials used must
be from either the organization's management account, or from the
Account Management's delegated admin account.
$ aws account get-primary-email --account-id 123456789012
Example StartPrimaryEmailUpdate
The following example starts the root user email address update
process, identifies the new email address, and sends a one-time password
(OTP) to the new email address for the specified member account in an
organization. The credentials used must be from either the
organization's management account, or from the Account Management's
delegated admin account.
$ aws account start-primary-email-update --account-id 123456789012 --primary-email john@examplecorp.com
Example AcceptPrimaryEmailUpdate
The following example accepts the OTP code and sets the new email
address to the specified member account in an organization. The
credentials used must be from either the organization's management
account, or from the Account Management's delegated admin
account.
$ aws account accept-primary-email-update --account-id 123456789012 --otp 12345678 --primary-email john@examplecorp.com
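The three calls above as one procedure, as an added example that is not part of the AWS documentation: a POSIX shell script that validates the account ID and address, runs StartPrimaryEmailUpdate, prompts for the OTP (or takes it as a third argument), runs AcceptPrimaryEmailUpdate, and then reads the address back with GetPrimaryEmail instead of trusting the accept call's exit status. The DRY_RUN switch, the run wrapper and the function names are this example's own; it assumes AWS CLI credentials for the management account or the delegated administrator account are already configured (for example via AWS_PROFILE), and it reads the PrimaryEmail field of the GetPrimaryEmail response.

```shell
#!/bin/sh
# Added example (not from the AWS documentation): rotate a member account's
# root user email from the management or delegated admin account, with input
# checks and a read-back verification. Assumes AWS CLI credentials for that
# account are already configured.
set -eu

# DRY_RUN=1 prints each aws command to stderr instead of running it, so the
# flow can be rehearsed without credentials. (This example's own switch.)
run() {
  if [ -n "${DRY_RUN:-}" ]; then
    echo "aws $*" >&2
  else
    aws "$@"
  fi
}

# AWS account IDs are exactly 12 digits.
valid_account_id() {
  case "$1" in
    [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) return 0 ;;
    *) return 1 ;;
  esac
}

# Cheap sanity check so a typo is caught before an OTP goes to a wrong address.
valid_email() {
  case "$1" in
    *" "*|*@*@*|@*|*@|*@.*) return 1 ;;
    *@*.*) return 0 ;;
    *) return 1 ;;
  esac
}

# GetPrimaryEmail: the address currently on the member account.
current_email() {
  run account get-primary-email --account-id "$1" \
      --query PrimaryEmail --output text
}

# StartPrimaryEmailUpdate: AWS mails a one-time password to the new address.
start_update() {
  run account start-primary-email-update --account-id "$1" --primary-email "$2"
}

# AcceptPrimaryEmailUpdate: commit with the OTP (within 24 hours of the start).
accept_update() {
  run account accept-primary-email-update --account-id "$1" \
      --otp "$3" --primary-email "$2"
}

# rotate_root_email ACCOUNT_ID NEW_EMAIL [OTP]; prompts for the OTP if omitted.
rotate_root_email() {
  account=$1; new_email=$2; otp=${3:-}
  valid_account_id "$account" || { echo "invalid account ID: $account" >&2; return 2; }
  valid_email "$new_email"    || { echo "invalid email: $new_email" >&2; return 2; }

  old_email=$(current_email "$account")
  if [ "$old_email" = "$new_email" ]; then
    echo "root email for $account is already $new_email"
    return 0
  fi
  echo "current root email for $account: ${old_email:-(unknown)}"

  start_update "$account" "$new_email"
  if [ -z "$otp" ]; then
    printf 'Enter the OTP sent to %s: ' "$new_email"
    read -r otp
  fi
  [ -n "$otp" ] || { echo "empty OTP" >&2; return 2; }
  accept_update "$account" "$new_email" "$otp"

  # Do not trust the call's status alone: read the address back and compare.
  if [ -z "${DRY_RUN:-}" ]; then
    final_email=$(current_email "$account")
    if [ "$final_email" != "$new_email" ]; then
      echo "verification failed: root email is still $final_email" >&2
      return 1
    fi
  fi
  echo "root email for $account is now $new_email"
}

# Usage: sh rotate_root_email.sh 123456789012 new-root@example.com
if [ $# -ge 2 ]; then
  rotate_root_email "$@"
fi
```

Run it once with DRY_RUN=1 to see the exact commands it will issue, then without. The read-back at the end is the check worth keeping even if you script this differently: the address that GetPrimaryEmail returns afterwards is the address that will receive the next root password reset, so that is what you record in your inventory.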