Quickstart

This guide walks through connecting your first AWS Organization and running a control scan. The process takes about 15 minutes and requires only read-only IAM permissions.

Step 1: Connect your AWS Organization

Create a read-only IAM role in your AWS management account that Native Security will assume to read your organization's policy structure.

Create a file named ns-readonly-policy.json:

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": [
      "organizations:ListPolicies",
      "organizations:DescribePolicy",
      "organizations:ListTargetsForPolicy",
      "organizations:ListRoots",
      "organizations:ListOrganizationalUnitsForParent",
      "organizations:ListAccountsForParent",
      "organizations:DescribeOrganization"
    ],
    "Resource": "*"
  }]
}

Create the IAM policy and role:

aws iam create-policy \
  --policy-name NativeSecurityReadOnly \
  --policy-document file://ns-readonly-policy.json

aws iam create-role \
  --role-name NativeSecurityReader \
  --assume-role-policy-document '{
    "Version":"2012-10-17",
    "Statement":[{
      "Effect":"Allow",
      "Principal":{"AWS":"arn:aws:iam::NATIVE_SECURITY_ACCOUNT:root"},
      "Action":"sts:AssumeRole"
    }]
  }'

aws iam attach-role-policy \
  --role-name NativeSecurityReader \
  --policy-arn arn:aws:iam::YOUR_ACCOUNT_ID:policy/NativeSecurityReadOnly
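Before applying the two documents above, it is worth a pre-flight check that they grant nothing broader than the read-only, single-principal access this guide describes. The following is an added example and not Native Security's own tooling: it flags any permissions-policy action outside organizations:List*/Describe*/Get*, any trust-policy principal outside the vendor account, and a cross-account AssumeRole with no sts:ExternalId condition (a standard hardening for third-party roles; whether Native Security supplies an external ID is not covered by this guide, so treat that finding as something to confirm with them).

```python
import json
import re

# Constructed copy of the guide's ns-readonly-policy.json.
PERMISSIONS_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [{
  "Effect": "Allow", "Resource": "*", "Action": [
    "organizations:ListPolicies", "organizations:DescribePolicy",
    "organizations:ListTargetsForPolicy", "organizations:ListRoots",
    "organizations:ListOrganizationalUnitsForParent",
    "organizations:ListAccountsForParent", "organizations:DescribeOrganization"]}]}""")

# Constructed copy of the guide's assume-role document; the account id is the guide's placeholder.
TRUST_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [{
  "Effect": "Allow", "Action": "sts:AssumeRole",
  "Principal": {"AWS": "arn:aws:iam::NATIVE_SECURITY_ACCOUNT:root"}}]}""")

# Organizations API calls that only read state: List*, Describe*, Get*.
READ_ONLY = re.compile(r"^organizations:(List|Describe|Get)[A-Za-z]+$")

def as_list(value):
    """IAM accepts a string or a list in Action/Principal fields; normalise to a list."""
    return value if isinstance(value, list) else [value]

def check_permissions(doc):
    """Findings for Allow statements that grant more than read-only Organizations access."""
    findings = []
    for stmt in as_list(doc["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        for action in as_list(stmt.get("Action", [])):
            if not READ_ONLY.match(action):
                findings.append(f"not read-only Organizations access: {action}")
    return findings

def check_trust(doc, vendor_account):
    """Findings for the cross-account trust: open principal, wrong account, or no ExternalId."""
    findings = []
    for stmt in as_list(doc["Statement"]):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in as_list(stmt.get("Action", [])):
            continue
        principal = stmt.get("Principal", "*")
        arns = ["*"] if principal == "*" else as_list(principal.get("AWS", []))
        for arn in arns:
            if arn == "*":
                findings.append("any AWS principal may assume the role")
            elif f":{vendor_account}:" not in arn:
                findings.append(f"principal outside the vendor account: {arn}")
        if "sts:ExternalId" not in stmt.get("Condition", {}).get("StringEquals", {}):
            findings.append("no sts:ExternalId condition on the cross-account AssumeRole")
    return findings
```

Run both checks against the documents you are about to apply and resolve every finding before `aws iam create-role`; an empty list from each means the role is as narrow as the guide intends.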

Step 2: (Optional) Connect Azure

Register an App in Azure Active Directory with Reader role at Management Group scope:

az ad app create --display-name "NativeSecurityReader"

az role assignment create \
  --assignee APP_CLIENT_ID \
  --role "Reader" \
  --scope "/providers/Microsoft.Management/managementGroups/YOUR_ROOT_MG"

Step 3: (Optional) Connect GCP

Create a Service Account with Organization Policy Viewer role:

gcloud iam service-accounts create native-security-reader \
  --display-name "Native Security Reader"

gcloud organizations add-iam-policy-binding YOUR_ORG_ID \
  --member="serviceAccount:native-security-reader@YOUR_PROJECT_ID.iam.gserviceaccount.com" \
  --role="roles/orgpolicy.policyViewer"

Step 4: View the Control Map

After connecting, Native Security reads your org structure and builds the control map. The initial scan typically completes within 2 minutes for organizations with up to 100 accounts.

The control map shows:

  • Every AWS SCP, Azure Policy, and GCP Org Policy constraint in your organization
  • Which accounts, OUs, or management groups each policy covers
  • Coverage gaps — policies defined but not attached to all relevant targets
  • Automatic mapping to NIST CSF and SOC 2 control families

Step 5: Configure Guardrail Gates

After reviewing your control map, configure which gaps become enforcement gates. Each control can be set to one of three levels:

  • BLOCK — Deploys violating this control are halted with a FAIL result
  • WARN — Deploys proceed but violations are logged and alerted
  • AUDIT — Violations logged only, no alerts

Use Simulation mode before setting BLOCK level to see what would have been blocked in the last 30 days:

ns simulate --days 30 --account YOUR_ACCOUNT_ID --control SCP-DenyIMDSv1

Next Steps

Once your gates are configured, add the enforcement step to your CI/CD pipeline. See the Integrations guide for GitHub Actions, GitLab CI, and Terraform Cloud setup.