How It Works

Map your controls. Enforce them at deploy.

4 steps from connection to working guardrails. No infrastructure to deploy. No rules to write from scratch.

Connect your cloud account.

Native Security requires only read-only credentials to your cloud organization. No deployment, no agents, no elevated permissions. We publish exactly what we read — nothing else.

  • AWS: IAM role with read-only Organizations API policy (4 permissions)
  • Azure: App Registration with Reader role at Management Group scope
  • GCP: Service Account with Organization Policy Viewer role
  • No data plane access. No EC2/VM/GCE read. No storage bucket contents.
AWS IAM role policy (read-only)
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": [
      "organizations:ListPolicies",
      "organizations:DescribePolicy",
      "organizations:ListTargetsForPolicy",
      "organizations:ListRoots"
    ],
    "Resource": "*"
  }]
}
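Before granting any vendor role, it is worth confirming that the policy really is read-only rather than taking the label on trust. The Python audit below is an added example, not Native Security's tooling: it takes the IAM permission policy shown above (embedded as constructed input) and reports any action outside the four listed Organizations reads, any wildcard, any non-Organizations service, and any verb that is not List, Describe or Get.

```python
"""Audit an IAM permission policy before attaching it to a vendor's read-only role.

Added example, not Native Security code. The allowlist is the four Organizations
actions the page lists; ROLE_POLICY is the policy document shown above.
"""
import json

# The four read-only Organizations actions the role is documented to need.
ALLOWED_ACTIONS = {
    "organizations:ListPolicies",
    "organizations:DescribePolicy",
    "organizations:ListTargetsForPolicy",
    "organizations:ListRoots",
}

# Action verbs that only read state (an IAM naming convention, not enforced by AWS).
READ_ONLY_VERBS = ("List", "Describe", "Get")

# Constructed input: the policy document shown above, verbatim.
ROLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": [
      "organizations:ListPolicies",
      "organizations:DescribePolicy",
      "organizations:ListTargetsForPolicy",
      "organizations:ListRoots"
    ],
    "Resource": "*"
  }]
}
""")


def _as_list(value):
    """IAM allows Statement, Action and Resource to be a bare string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def audit_read_only_policy(policy, allowed=ALLOWED_ACTIONS):
    """Return findings as strings; an empty list means the policy grants exactly
    the allowlisted read actions and nothing broader."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements can only narrow what is granted
        if "NotAction" in stmt:
            # NotAction grants everything except the listed actions: open-ended by design.
            findings.append(f"statement {idx}: uses NotAction, an open-ended grant")
        for action in _as_list(stmt.get("Action")):
            if "*" in action or "?" in action:
                # A wildcard can expand to actions that do not exist yet; never accept one here.
                findings.append(f"statement {idx}: wildcard action {action!r} is not pinned to the allowlist")
                continue
            service, _, verb = action.partition(":")
            if action not in allowed:
                findings.append(f"statement {idx}: action {action!r} is outside the allowlist")
            if service != "organizations":
                findings.append(f"statement {idx}: action {action!r} touches {service!r}, not Organizations")
            if not verb.startswith(READ_ONLY_VERBS):
                findings.append(f"statement {idx}: action {action!r} is not a read-only verb")
    return findings


if __name__ == "__main__":
    for finding in audit_read_only_policy(ROLE_POLICY) or ["policy is read-only and pinned to the allowlist"]:
        print(finding)
```

Run it against the role's policy document as exported from IAM; a non-empty result is the list of things to take back to the vendor before the role is created.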

Map every control you already own.

Within minutes of connecting, Native Security builds a complete control inventory. Every SCP, every Policy assignment, every Org Constraint — mapped to the accounts and resources they cover. Coverage gaps highlighted automatically.

  • Policy graph: which controls cover which accounts and OUs
  • Gap detection: policies defined but not attached, conditions missing
  • NIST CSF and SOC 2 control family mapping built automatically
control-inventory: scan complete, 847 policies mapped

Cloud   Policy              Status       Coverage
AWS     SCP-DenyPublicS3    ATTACHED     94 accts
AWS     SCP-DenyIMDSv1      PARTIAL      62 / 94
Azure   Policy-DenyHTTP     ATTACHED     3 groups
GCP     storage.uniform     UNATTACHED   0 / 12
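How a status such as PARTIAL 62 / 94 can be derived: the Python below is an added example, not Native Security's engine. It assumes the org tree (root, OUs, accounts) and each SCP's attachment targets have already been fetched, in a simplified constructed shape rather than the raw Organizations API output, and resolves inheritance so that an SCP attached to an OU counts as covering every account beneath it. The accounts left uncovered are returned by name, which is what a gap report needs.

```python
"""Compute effective SCP coverage across an AWS organization.

Added example, not Native Security's engine. The org tree and the policy target
lists are constructed inline in a simplified shape, not raw Organizations API output.
"""
from dataclasses import dataclass, field


@dataclass
class Node:
    """A root or organizational unit; accounts are the leaf ids it holds directly."""
    id: str
    children: list = field(default_factory=list)
    accounts: list = field(default_factory=list)


# Constructed org: one root, an OU per environment, one nested sandbox OU, six accounts.
ORG = Node("r-1", children=[
    Node("ou-prod", accounts=["111", "222", "333"]),
    Node("ou-dev", accounts=["444"], children=[
        Node("ou-dev-sandbox", accounts=["555", "666"]),
    ]),
])

# Constructed attachment targets per policy (what ListTargetsForPolicy reports).
POLICY_TARGETS = {
    "SCP-DenyPublicS3": ["r-1"],                       # root attachment reaches every account
    "SCP-DenyIMDSv1": ["ou-prod", "ou-dev-sandbox"],   # ou-dev's own account is left out
    "SCP-RequirePermBoundary": [],                      # defined but never attached
}


def index_subtrees(node, index=None):
    """Map each node id to the set of accounts beneath it. SCPs attached to a
    parent apply to every descendant, so coverage follows the subtree."""
    if index is None:
        index = {}
    accts = set(node.accounts)
    for child in node.children:
        index_subtrees(child, index)
        accts |= index[child.id]
    index[node.id] = accts
    return index


def coverage(org, policy_targets):
    """Return {policy: {status, covered, total, gaps}} using the page's three
    statuses: ATTACHED (all accounts), PARTIAL (some), UNATTACHED (none)."""
    subtrees = index_subtrees(org)
    all_accounts = subtrees[org.id]
    # A policy may also be attached straight to an account; that account is its own subtree.
    for acct in all_accounts:
        subtrees.setdefault(acct, {acct})

    report = {}
    for policy, targets in policy_targets.items():
        covered = set()
        for target in targets:
            if target not in subtrees:
                raise KeyError(f"{policy}: target {target!r} is not in this organization")
            covered |= subtrees[target]
        if not covered:
            status = "UNATTACHED"
        elif covered == all_accounts:
            status = "ATTACHED"
        else:
            status = "PARTIAL"
        report[policy] = {
            "status": status,
            "covered": len(covered),
            "total": len(all_accounts),
            "gaps": sorted(all_accounts - covered),  # the accounts a gap report should name
        }
    return report


if __name__ == "__main__":
    for name, row in coverage(ORG, POLICY_TARGETS).items():
        print(f"{name:<26}{row['status']:<12}{row['covered']} / {row['total']}  gaps={row['gaps']}")
```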

Configure which gaps to enforce.

Not every gap is worth a blocked deploy on day one. Native Security lets you promote each control gap to BLOCK, WARN, or AUDIT independently. Simulation mode replays the last 30 days against your proposed configuration — so you know the false-positive rate before you wire anything into production.

  • Set enforcement level per control family: BLOCK / WARN / AUDIT
  • Simulation mode: run against last 30 days of deploy history
  • Preview expected false-positive rate before going live
  • Override list for specific accounts or resource tags
Simulation mode — last 30 days
$ ns simulate --days 30 --account 123456789

Replaying 847 deploy events...

Would have blocked:     14 deploys
Would have warned:      31 deploys
Clean deploys:         802 deploys

Top block reasons:
  SCP-DenyIMDSv1            9 events
  SCP-RequirePermBoundary    5 events

Estimated false-positive rate: 0.3%
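The replay logic behind a run like the one above, as an added example rather than the ns CLI: an enforcement level per control, an override list keyed by account id and resource tag, and a constructed deploy history. The approved_exception field on each event is an assumption used to estimate the false-positive rate: a deploy that would be blocked under the proposed configuration but was reviewed and approved at the time counts as a false positive.

```python
"""Replay past deploy events against a proposed enforcement configuration.

Added example, not the ns CLI. Events, levels and overrides are constructed.
approved_exception is an assumed per-event field: the change trips today's rules
but a reviewer approved it at the time, so blocking it now would be a false positive.
"""
from collections import Counter

# Proposed enforcement level per control (the page's BLOCK / WARN / AUDIT).
ENFORCEMENT = {
    "SCP-DenyIMDSv1": "BLOCK",
    "SCP-RequirePermBoundary": "BLOCK",
    "SCP-DenyPublicS3": "WARN",
    "Tag-CostCenter": "AUDIT",
}

# Override list: a control is skipped for these account ids or resource tags.
OVERRIDES = {
    "SCP-DenyIMDSv1": {"accounts": {"999"}, "tags": {"legacy-imds"}},
}

# Constructed deploy history; `violations` names the controls the change tripped.
EVENTS = [
    {"id": 1, "account": "111", "tags": set(),           "violations": ["SCP-DenyIMDSv1"], "approved_exception": False},
    {"id": 2, "account": "999", "tags": set(),           "violations": ["SCP-DenyIMDSv1"], "approved_exception": False},
    {"id": 3, "account": "222", "tags": {"legacy-imds"}, "violations": ["SCP-DenyIMDSv1"], "approved_exception": False},
    {"id": 4, "account": "222", "tags": set(),           "violations": ["SCP-DenyPublicS3"], "approved_exception": False},
    {"id": 5, "account": "333", "tags": set(),           "violations": ["SCP-RequirePermBoundary"], "approved_exception": True},
    {"id": 6, "account": "333", "tags": set(),           "violations": ["Tag-CostCenter"], "approved_exception": False},
    {"id": 7, "account": "444", "tags": set(),           "violations": [], "approved_exception": False},
    {"id": 8, "account": "444", "tags": set(),           "violations": ["SCP-DenyPublicS3", "SCP-DenyIMDSv1"], "approved_exception": False},
]

RANK = {"CLEAN": 0, "AUDIT": 0, "WARN": 1, "BLOCK": 2}


def is_overridden(control, event, overrides):
    """True if the event's account or any of its tags is on the control's override list."""
    ov = overrides.get(control)
    if not ov:
        return False
    return event["account"] in ov.get("accounts", set()) or bool(event["tags"] & ov.get("tags", set()))


def evaluate(event, enforcement, overrides):
    """Return (outcome, hits). Outcome is the strongest non-overridden level,
    BLOCK > WARN > CLEAN; AUDIT hits are recorded but never change the outcome."""
    outcome = "CLEAN"
    hits = []
    for control in event["violations"]:
        if is_overridden(control, event, overrides):
            continue
        level = enforcement.get(control, "AUDIT")  # unknown controls are audit-only
        hits.append((control, level))
        if RANK[level] > RANK[outcome]:
            outcome = level
    return outcome, hits


def simulate(events, enforcement, overrides):
    """Aggregate a replay the way the simulation report above does."""
    outcomes = Counter()
    block_reasons = Counter()
    false_positives = 0
    for ev in events:
        outcome, hits = evaluate(ev, enforcement, overrides)
        outcomes[outcome] += 1
        if outcome == "BLOCK":
            block_reasons.update(c for c, level in hits if level == "BLOCK")
            false_positives += int(ev["approved_exception"])
    return {
        "blocked": outcomes["BLOCK"],
        "warned": outcomes["WARN"],
        "clean": outcomes["CLEAN"],
        "top_block_reasons": block_reasons.most_common(),
        # Assumed definition: reviewer-approved deploys that would now be blocked, over all deploys.
        "false_positive_rate": false_positives / len(events) if events else 0.0,
    }


if __name__ == "__main__":
    r = simulate(EVENTS, ENFORCEMENT, OVERRIDES)
    print(f"Would have blocked: {r['blocked']:>4}\nWould have warned:  {r['warned']:>4}\nClean deploys:      {r['clean']:>4}")
    for control, n in r["top_block_reasons"]:
        print(f"  {control:<26}{n} events")
    print(f"Estimated false-positive rate: {r['false_positive_rate']:.1%}")
```

Changing one entry in ENFORCEMENT (say, promoting SCP-DenyPublicS3 to BLOCK) and re-running is the day-one workflow the section describes: the counts move before any pipeline is touched.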

Add one step. Every deploy checked.

The enforcement step is a single addition to your existing pipeline. It evaluates every proposed resource change against your org's policy graph before apply. Violations fail the build with an explanation. Clean deploys proceed without friction.

  • Average evaluation time under 2 seconds for 100 resources
  • Violation message includes the SCP condition that triggered it
  • Works in parallel — does not add to deploy wall-clock time
GitHub Actions — .github/workflows/deploy.yml
name: Deploy
on: [push]

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Terraform init
        run: terraform init -input=false
      - name: Terraform plan
        # -out writes a binary plan file; the gate reads the JSON rendering of it
        run: |
          terraform plan -input=false -out=tfplan
          terraform show -json tfplan > tfplan.json
      - name: Native Security policy gate
        uses: native-security/enforce-action@v1
        with:
          api-key: ${{ secrets.NS_API_KEY }}
          plan-file: tfplan.json
      - name: Terraform apply
        # apply the saved plan, so exactly what was gated is what ships
        run: terraform apply -input=false tfplan
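What a policy gate does with the plan file, as an added Python example rather than the enforce-action implementation: it parses a constructed plan in the shape terraform show -json produces, checks two controls named on this page, and returns the SCP condition that would have denied the API call, so the failed build explains itself. The condition keys (ec2:MetadataHttpTokens, s3:x-amz-acl) are real AWS keys; the mapping from control name to check is illustrative, and the exit code follows the usual CI convention of non-zero failing the step.

```python
"""Evaluate a Terraform plan (JSON form) against org controls before apply.

Added example, not the enforce-action implementation. PLAN_JSON is a constructed
document in the `terraform show -json` shape; the control-to-check mapping is
illustrative. A non-zero exit fails the CI step.
"""
import json
import sys

# Constructed plan: one instance still allowing IMDSv1, one compliant instance,
# a bucket ACL being made public, and a deletion (nothing to evaluate).
PLAN_JSON = """{
  "format_version": "1.2",
  "resource_changes": [
    {"address": "aws_instance.web", "type": "aws_instance",
     "change": {"actions": ["create"],
                "after": {"instance_type": "t3.micro",
                          "metadata_options": [{"http_tokens": "optional", "http_endpoint": "enabled"}]}}},
    {"address": "aws_instance.worker", "type": "aws_instance",
     "change": {"actions": ["create"],
                "after": {"instance_type": "t3.micro",
                          "metadata_options": [{"http_tokens": "required", "http_endpoint": "enabled"}]}}},
    {"address": "aws_s3_bucket_acl.logs", "type": "aws_s3_bucket_acl",
     "change": {"actions": ["create"], "after": {"bucket": "logs", "acl": "public-read"}}},
    {"address": "aws_s3_bucket.old", "type": "aws_s3_bucket",
     "change": {"actions": ["delete"], "after": null}}
  ]
}"""


def check_imdsv1(after):
    """SCP-DenyIMDSv1: instances must require IMDSv2 tokens. A missing block means
    the value is unknown at plan time, which is treated as a violation (fail closed)."""
    opts = (after.get("metadata_options") or [{}])[0]
    tokens = opts.get("http_tokens")
    if tokens != "required":
        return (f"ec2:MetadataHttpTokens is {tokens!r}; SCP condition "
                f"StringNotEquals 'required' on ec2:RunInstances would deny this")
    return None


def check_public_s3(after):
    """SCP-DenyPublicS3: no public canned ACL on buckets."""
    acl = after.get("acl")
    if acl in ("public-read", "public-read-write"):
        return (f"s3:x-amz-acl is {acl!r}; SCP condition StringEquals "
                f"public-read/public-read-write on s3:PutBucketAcl would deny this")
    return None


# control name -> (resource types it applies to, check, enforcement level)
CONTROLS = {
    "SCP-DenyIMDSv1": ({"aws_instance"}, check_imdsv1, "BLOCK"),
    "SCP-DenyPublicS3": ({"aws_s3_bucket", "aws_s3_bucket_acl"}, check_public_s3, "BLOCK"),
}


def evaluate_plan(plan):
    """Return one violation record per (resource, control) pair that fails."""
    violations = []
    for rc in plan.get("resource_changes", []):
        change = rc["change"]
        after = change.get("after")
        if after is None or change["actions"] in (["delete"], ["no-op"]):
            continue  # nothing is being created or modified
        for control, (types, check, level) in CONTROLS.items():
            if rc["type"] not in types:
                continue
            reason = check(after)
            if reason:
                violations.append({"address": rc["address"], "control": control,
                                   "level": level, "reason": reason})
    return violations


def gate(plan_text):
    """Return (exit_code, violations); exit 1 when any BLOCK-level violation exists."""
    violations = evaluate_plan(json.loads(plan_text))
    code = 1 if any(v["level"] == "BLOCK" for v in violations) else 0
    return code, violations


if __name__ == "__main__":
    code, found = gate(PLAN_JSON)
    for v in found:
        print(f"[{v['level']}] {v['address']}: {v['control']} ({v['reason']})")
    sys.exit(code)
```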

Connect your first account. See the gaps.

The Explore tier connects one cloud account and builds a full control inventory — which policies are attached, which aren't, what coverage looks like. No credit card required.