Quickstart
This guide walks through connecting your first AWS Organization and running a control scan. The process takes about 15 minutes and requires only read-only IAM permissions.
Step 1: Connect your AWS Organization
Create a read-only IAM role in your AWS management account that Native Security will assume to read your organization's policy structure.
Create a file named ns-readonly-policy.json:
```json
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": [
      "organizations:ListPolicies",
      "organizations:DescribePolicy",
      "organizations:ListTargetsForPolicy",
      "organizations:ListRoots",
      "organizations:ListOrganizationalUnitsForParent",
      "organizations:ListAccountsForParent",
      "organizations:DescribeOrganization"
    ],
    "Resource": "*"
  }]
}
```
Create the IAM policy and role, then attach the policy to the role:
```bash
# Create the managed policy from the document above
aws iam create-policy \
  --policy-name NativeSecurityReadOnly \
  --policy-document file://ns-readonly-policy.json

# Create the role; replace NATIVE_SECURITY_ACCOUNT with the account ID Native Security provides
aws iam create-role \
  --role-name NativeSecurityReader \
  --assume-role-policy-document '{
    "Version":"2012-10-17",
    "Statement":[{
      "Effect":"Allow",
      "Principal":{"AWS":"arn:aws:iam::NATIVE_SECURITY_ACCOUNT:root"},
      "Action":"sts:AssumeRole"
    }]
  }'

# Attach the read-only policy; YOUR_ACCOUNT_ID is your management account ID
aws iam attach-role-policy \
  --role-name NativeSecurityReader \
  --policy-arn arn:aws:iam::YOUR_ACCOUNT_ID:policy/NativeSecurityReadOnly
```
The trust policy as written lets any principal in the NATIVE_SECURITY_ACCOUNT account assume the role and carries no `sts:ExternalId` condition, which AWS recommends for roles granted to third parties; verify the account ID before applying it.
Step 2: (Optional) Connect Azure
Register an App in Azure Active Directory with the Reader role at Management Group scope:
```bash
az ad app create --display-name "NativeSecurityReader"
# A role can only be assigned to a service principal, so create one for the
# app registration (APP_CLIENT_ID is the appId returned by the command above)
az ad sp create --id APP_CLIENT_ID
az role assignment create \
  --assignee APP_CLIENT_ID \
  --role "Reader" \
  --scope "/providers/Microsoft.Management/managementGroups/YOUR_ROOT_MG"
```
Step 3: (Optional) Connect GCP
Create a Service Account with the Organization Policy Viewer role:
```bash
# The service account is created in your current default gcloud project
# (YOUR_PROJECT_ID below); the role binding is made on the organization
gcloud iam service-accounts create native-security-reader \
  --display-name "Native Security Reader"
gcloud organizations add-iam-policy-binding YOUR_ORG_ID \
  --member="serviceAccount:native-security-reader@YOUR_PROJECT_ID.iam.gserviceaccount.com" \
  --role="roles/orgpolicy.policyViewer"
```
Step 4: View the Control Map
After connecting, Native Security reads your org structure and builds the control map. The initial scan typically completes within 2 minutes for organizations with up to 100 accounts.
The control map shows:
- Every SCP, Policy, and Org Constraint in your organization
- Which accounts, OUs, or management groups each policy covers
- Coverage gaps — policies defined but not attached to all relevant targets
- Automatic mapping to NIST CSF and SOC 2 control families
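The coverage logic behind the control map can be reproduced from the read-only API calls granted in Step 1. The example below is added here and is not Native Security's code; the org tree and the policy attachments are constructed fixtures standing in for the ListRoots, ListOrganizationalUnitsForParent, ListAccountsForParent and ListTargetsForPolicy responses, and the policy and account ids are made up.

```python
"""Build a control map from AWS Organizations data and report coverage gaps.

Added example, not Native Security's code. The Organizations API responses
are replaced by constructed in-memory fixtures so the logic runs offline;
swap in boto3 calls made with the read-only role to use it for real.
"""

# Constructed org tree. Keys are containers (the root and OUs); values are
# their direct children. Any id that never appears as a key is an account.
CHILDREN = {
    "r-1": ["ou-prod", "ou-dev", "111111111111"],  # one account directly under the root
    "ou-prod": ["222222222222", "333333333333"],
    "ou-dev": ["444444444444"],
}

# Constructed ListTargetsForPolicy results: policy id -> ids it is attached to.
POLICY_TARGETS = {
    "p-DenyIMDSv1": ["ou-prod"],                   # only the prod OU
    "p-DenyLeaveOrg": ["r-1"],                     # root attachment: whole org
    "p-DenyRootUser": ["222222222222", "ou-dev"],  # mix of direct and OU attachments
}


def accounts_under(node, children=CHILDREN):
    """Return the set of account ids beneath node (node itself if it is an account).

    An SCP attached to a root or OU applies to every account below it, so
    effective coverage is the union over each attachment point's subtree.
    """
    if node not in children:
        return {node}
    covered = set()
    for child in children[node]:
        covered |= accounts_under(child, children)
    return covered


def build_control_map(policy_targets=POLICY_TARGETS, children=CHILDREN):
    """Return {policy_id: set of account ids the policy effectively covers}."""
    control_map = {}
    for policy_id, targets in policy_targets.items():
        covered = set()
        for target in targets:
            covered |= accounts_under(target, children)
        control_map[policy_id] = covered
    return control_map


def coverage_gaps(control_map, children=CHILDREN, root="r-1"):
    """Return {policy_id: accounts NOT covered}; fully covered policies are omitted."""
    all_accounts = accounts_under(root, children)
    gaps = {}
    for policy_id, covered in control_map.items():
        missing = all_accounts - covered
        if missing:
            gaps[policy_id] = missing
    return gaps


def policies_per_account(control_map, children=CHILDREN, root="r-1"):
    """Inverse view: {account_id: sorted policy ids reaching it}.

    An account with an empty list has no guardrail applied at all.
    """
    view = {acct: [] for acct in accounts_under(root, children)}
    for policy_id, covered in control_map.items():
        for acct in covered:
            view[acct].append(policy_id)
    return {acct: sorted(ids) for acct, ids in view.items()}


if __name__ == "__main__":
    cmap = build_control_map()
    for policy_id, missing in coverage_gaps(cmap).items():
        print(f"{policy_id}: not attached for accounts {sorted(missing)}")
```

One caveat the tree walk does not encode: SCPs never restrict the management account itself, so its row in the inverse view should be read as "policies attached above it", not as controls actually in force there.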
Step 5: Configure Guardrail Gates
After reviewing your control map, configure which gaps become enforcement gates. Each control can be set to one of three levels:
- BLOCK — Deploys violating this control are halted with a FAIL result
- WARN — Deploys proceed but violations are logged and alerted
- AUDIT — Violations logged only, no alerts
Use simulation mode before setting a control to BLOCK to see what it would have blocked over the last 30 days:
```bash
ns simulate --days 30 --account YOUR_ACCOUNT_ID --control SCP-DenyIMDSv1
```
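The gate semantics and the simulation lookback, written out as an added example. This is not Native Security's code nor the implementation of `ns simulate`: the three levels and the FAIL result come from the list above, while the `Violation` and `DeployEvent` shapes, the gate configuration, the control names other than SCP-DenyIMDSv1 and the deploy history are constructed for the example.

```python
"""Evaluate a deploy against guardrail gates and replay past deploys.

Added example, not Native Security's code. Gate levels (BLOCK, WARN, AUDIT)
and the FAIL result follow the quickstart; data shapes and history are
constructed assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta

BLOCK, WARN, AUDIT = "BLOCK", "WARN", "AUDIT"

# Constructed gate configuration. A control absent from this map is treated
# as AUDIT (logged only), so a mistyped control name can never silently block.
GATES = {
    "SCP-DenyIMDSv1": BLOCK,
    "SCP-DenyRootUser": WARN,
    "SCP-RequireTags": AUDIT,
}


@dataclass(frozen=True)
class Violation:
    control: str
    account: str
    resource: str


@dataclass
class DeployEvent:
    day: date
    account: str
    violations: list


def evaluate_deploy(violations, gates=GATES):
    """Apply gate levels to one deploy's violations.

    Returns {"result": "FAIL"|"PASS", "blocked": [...], "alerts": [...], "audit": [...]}.
    A single BLOCK-level violation fails the deploy; WARN-level ones let it
    proceed but are surfaced as alerts; AUDIT-level ones are only recorded.
    """
    buckets = {BLOCK: [], WARN: [], AUDIT: []}
    for v in violations:
        buckets[gates.get(v.control, AUDIT)].append(v)
    return {
        "result": "FAIL" if buckets[BLOCK] else "PASS",
        "blocked": buckets[BLOCK],
        "alerts": buckets[WARN],
        "audit": buckets[AUDIT],
    }


def simulate(history, control, account, days, today):
    """Replay history: deploys into `account` within the last `days` days that
    would have been halted had `control` been set to BLOCK."""
    cutoff = today - timedelta(days=days)
    return [
        ev for ev in history
        if ev.account == account
        and cutoff <= ev.day <= today
        and any(v.control == control for v in ev.violations)
    ]


TODAY = date(2024, 6, 30)  # fixed so the replay is deterministic
ACCT = "222222222222"      # constructed account id
OTHER = "444444444444"

# Constructed deploy history for the replay.
HISTORY = [
    DeployEvent(date(2024, 6, 29), ACCT, [Violation("SCP-DenyIMDSv1", ACCT, "i-0abc")]),
    DeployEvent(date(2024, 6, 25), ACCT, [Violation("SCP-RequireTags", ACCT, "sg-0def")]),
    DeployEvent(date(2024, 6, 20), OTHER, [Violation("SCP-DenyIMDSv1", OTHER, "i-0123")]),
    DeployEvent(date(2024, 6, 10), ACCT, [Violation("SCP-DenyIMDSv1", ACCT, "lt-0456"),
                                          Violation("SCP-DenyRootUser", ACCT, "root")]),
    DeployEvent(date(2024, 5, 15), ACCT, [Violation("SCP-DenyIMDSv1", ACCT, "i-0789")]),  # outside window
]


if __name__ == "__main__":
    hits = simulate(HISTORY, "SCP-DenyIMDSv1", ACCT, 30, TODAY)
    print(f"{len(hits)} deploy(s) in the last 30 days would have been blocked")
    for ev in hits:
        print("  ", ev.day, evaluate_deploy(ev.violations)["result"])
```

Running the replay before flipping a control to BLOCK answers the question the `ns simulate` step asks: here two of the four deploys into the account fall inside the 30-day window and touch the control, while the May deploy and the other account's deploy are excluded.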
Next Steps
Once your gates are configured, add the enforcement step to your CI/CD pipeline. See the Integrations guide for GitHub Actions, GitLab CI, and Terraform Cloud setup.