Ensure that the security contacts are up to date, and that the mail address is monitored regularly, so that we can communicate with you to alert you about abuse or potential security incidents in your infrastructure that AWS detected.
If AWS detects an access key unintended disclosure on the web (such as a public code repository) we will notify you using the Security contacts.
Ensure that you are configuring a secure mail server as the mail address can be used to restore the root password using the “Forgot my password” process.
Restrict access to the phone configured as with the mail and the phone MFA can be bypassed through the “Sign In Using Alternative Factors of Authentication”. Learn more on this subject here: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_lost-or-broken.html
The update of the security contacts can now be done through AWS Organizations ( Announcement ) and you can also Programmatically manage alternate contacts on member accounts with AWS Organizations .