Map your controls. Enforce them at deploy.
4 steps from connection to working guardrails. No infrastructure to deploy. No rules to write from scratch.
Connect your cloud account.
Native Security requires only read-only credentials to your cloud organization. No deployment, no agents, no elevated permissions. We publish exactly what we read — nothing else.
- AWS: IAM role with read-only Organizations API policy (4 permissions)
- Azure: App Registration with Reader role at Management Group scope
- GCP: Service Account with Organization Policy Viewer role
- No data plane access. No EC2/VM/GCE read. No storage bucket contents.
```json
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": [
      "organizations:ListPolicies",
      "organizations:DescribePolicy",
      "organizations:ListTargetsForPolicy",
      "organizations:ListRoots"
    ],
    "Resource": "*"
  }]
}
```
Map every control you already own.
Within minutes of connecting, Native Security builds a complete control inventory. Every SCP, every Policy assignment, every Org Constraint — mapped to the accounts and resources they cover. Coverage gaps highlighted automatically.
- Policy graph: which controls cover which accounts and OUs
- Gap detection: policies defined but not attached, conditions missing
- NIST CSF and SOC 2 control family mapping built automatically
| Cloud | Policy | Status | Coverage |
|---|---|---|---|
| AWS | SCP-DenyPublicS3 | ATTACHED | 94 accts |
| AWS | SCP-DenyIMDSv1 | PARTIAL | 62 / 94 |
| Azure | Policy-DenyHTTP | ATTACHED | 3 groups |
| GCP | storage.uniform | UNATTACHED | 0 / 12 |
Configure which gaps to enforce.
Not every gap is worth a blocked deploy on day one. Native Security lets you promote each control gap to BLOCK, WARN, or AUDIT independently. Simulation mode replays the last 30 days against your proposed configuration — so you know the false-positive rate before you wire anything into production.
- Set enforcement level per control family: BLOCK / WARN / AUDIT
- Simulation mode: run against last 30 days of deploy history
- Preview expected false-positive rate before going live
- Override list for specific accounts or resource tags
```
$ ns simulate --days 30 --account 123456789
Replaying 847 deploy events...
  Would have blocked:  14 deploys
  Would have warned:   31 deploys
  Clean deploys:      802 deploys
Top block reasons:
  SCP-DenyIMDSv1            9 events
  SCP-RequirePermBoundary   5 events
Estimated false-positive rate: 0.3%
```
Add one step. Every deploy checked.
The enforcement step is a single addition to your existing pipeline. It evaluates every proposed resource change against your org's policy graph before apply. Violations fail the build with an explanation. Clean deploys proceed without friction.
- Average evaluation time under 2 seconds for 100 resources
- Violation message includes the SCP condition that triggered it
- Works in parallel — does not add to deploy wall-clock time
```yaml
name: Deploy
on: [push]
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Terraform plan
        # `-out` writes a binary plan file; `terraform show -json` renders it
        # as the JSON document the policy gate reads.
        run: |
          terraform init -input=false
          terraform plan -input=false -out=tfplan
          terraform show -json tfplan > tfplan.json
      - name: Native Security policy gate
        uses: native-security/enforce-action@v1
        with:
          api-key: ${{ secrets.NS_API_KEY }}
          plan-file: tfplan.json
      - name: Terraform apply
        run: terraform apply -input=false tfplan
```
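As an added example (not Native Security's code), the kind of check a policy gate performs over a Terraform plan: two rules modelled on the SCP names in the coverage table above, run against a constructed plan whose shape follows the `resource_changes[].change.after` structure that `terraform show -json` emits. The rule functions and the sample addresses are assumptions for illustration.

```python
import json

# Constructed sample in the shape `terraform show -json tfplan` emits:
# resource_changes[].change.after holds each resource's proposed attributes.
SAMPLE_PLAN = json.dumps({"format_version": "1.2", "resource_changes": [
    {"address": "aws_instance.web", "type": "aws_instance", "change": {
        "actions": ["create"], "after": {"metadata_options": [{"http_tokens": "required"}]}}},
    {"address": "aws_instance.legacy", "type": "aws_instance", "change": {
        "actions": ["create"], "after": {"metadata_options": [{"http_tokens": "optional"}]}}},
    {"address": "aws_s3_bucket_acl.logs", "type": "aws_s3_bucket_acl", "change": {
        "actions": ["update"], "after": {"acl": "public-read"}}},
    {"address": "aws_instance.retired", "type": "aws_instance", "change": {
        "actions": ["delete"], "after": None}},
]})

def check_imdsv1(res, after):
    """SCP-DenyIMDSv1 analogue: every instance must require IMDSv2 tokens."""
    if res["type"] != "aws_instance":
        return None
    opts = after.get("metadata_options") or [{}]  # block absent -> treated as non-compliant
    if opts[0].get("http_tokens") != "required":
        return "SCP-DenyIMDSv1: metadata_options.http_tokens must be 'required'"
    return None

def check_public_s3(res, after):
    """SCP-DenyPublicS3 analogue: reject public canned ACLs on buckets."""
    if res["type"] != "aws_s3_bucket_acl":
        return None
    if after.get("acl") in ("public-read", "public-read-write"):
        return f"SCP-DenyPublicS3: acl '{after['acl']}' makes the bucket public"
    return None

CHECKS = [check_imdsv1, check_public_s3]

def evaluate_plan(plan_json):
    """Return [(address, reason), ...]; an empty list means the gate passes."""
    violations = []
    for res in json.loads(plan_json).get("resource_changes", []):
        change = res["change"]
        if change["after"] is None:
            continue  # destroy-only changes carry no proposed state to evaluate
        for check in CHECKS:
            reason = check(res, change["after"])
            if reason:
                violations.append((res["address"], reason))
    return violations

if __name__ == "__main__":
    for address, reason in evaluate_plan(SAMPLE_PLAN):
        print(f"BLOCK {address}: {reason}")
```

A gate built this way fails the build when `evaluate_plan` returns a non-empty list, and the reason string carries the control name and the attribute that triggered it, matching the violation message described above.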
Connect your first account. See the gaps.
The Explore tier connects one cloud account and builds a full control inventory — which policies are attached, which aren't, what coverage looks like. No credit card required.