Integrations

Connecting SecureSlate & AWS Organization

Connecting an AWS Organization to SecureSlate lets you monitor all accounts in your organization from one integration — including accounts you add later when you use StackSet automatic deployment. SecureSlate uses read-only IAM roles and does not modify your AWS resources.

After connecting, findings appear on the Checks tab of the Cloud overview page, filtered by AWS.

If you only need one AWS account, use the single-account connect guide instead.

AWS Account vs AWS Organization

Account Organization
Scope One AWS account All accounts in the org (with optional OU / exclude filters)
Setup One policy + role in that account Management account role + member roles (StackSet or manual)
Best for Small teams, one account Multi-account environments, AWS Control Tower

Prerequisites

Before you start:

  • SecureSlate permissions — access to create integrations (typically Admin).
  • AWS management account — permission to create IAM policies and roles, and to create CloudFormation StackSets with organization deployment (recommended).
  • CloudFormation StackSets trusted access — enabled in AWS Organizations (Organizations → Services → CloudFormation StackSets).
  • Time — plan about 15–20 minutes for the Console wizard (management account + StackSet).

Wizard overview

The Organization + Console flow has five sidebar steps (plus Account & method at the start):

Step What you do
Select products Choose AWS services to monitor (Control Tower is organization-only)
Management account Create IAM policy + role in the management account and link the Role ARN
Member accounts Define org scope, then deploy member roles (StackSet or manual IAM)
Select regions Choose which regions to scan
Check connection Save the integration and start the initial sync
Management account (Part 1)
  └── SecureSlateManagementAccountPermissions + secureslate-auditor role
      └── Role ARN pasted in SecureSlate + Test Connection

Member accounts (Part 2)
  └── StackSet (recommended) or manual IAM per account
      └── SecureSlateAdditionalPermissions + secureslate-auditor in each member

Connect an AWS Organization (Console)

Step 1: Start the AWS integration setup

  1. In SecureSlate, go to Integrations.
  2. Open the Available tab.
  3. Search for AWS.
  4. Click Connect on the AWS card.

 
Integrations → Available → AWS → Connect

 
AWS integration overview → Connect

Step 2: Choose Organization + Console

  1. Select Organization.
  2. Under Select your preferred method, choose Console.
  3. Click Next.

 
Select Organization + Console

Step 3: Select products to monitor

Toggle on the products you want SecureSlate to monitor. Your selection determines what permissions appear in the IAM policies SecureSlate generates.

  • Amazon Web Services — core cloud configuration monitoring (enabled by default)
  • AWS CodeCommit — repository and change-review checks (optional)
  • AWS IAM Identity Center — SSO / Identity Center monitoring (optional)
  • Amazon Inspector / Basic scanning — vulnerability import (optional)
  • AWS Control Tower — landing zone, guardrails, and enrollment checks from the management account only (connect guide)

Click Next when you are done.

 
Select products (Organization flow)

Optional: AWS Control Tower

If you use AWS Control Tower, enable the AWS Control Tower product on this step. SecureSlate adds read-only Control Tower APIs to the management account policy only — member StackSet templates stay unchanged.

See Connecting AWS Control Tower with SecureSlate for what checks run after sync.

 
Select products with AWS Control Tower enabled

Step 4: Management account — create the IAM policy

SecureSlate shows a banner: Organization flow — Part 1 of 2: Management account only. Complete these steps only in your AWS Organization management (root) account.

  1. In the SecureSlate wizard, copy the management account policy JSON.
  2. In the management account, go to IAMPoliciesCreate policy.

 
IAM → Policies → Create policy

  1. Open the JSON tab, delete any prefilled text, and paste the policy from SecureSlate.

 
Create policy → JSON tab

 
Paste policy JSON

  1. Click Next, name the policy SecureSlateManagementAccountPermissions, and click Create policy.

 
Review and create (policy name)

 
Organization flow - management account policy

Note: Member accounts use a different policy name — SecureSlateAdditionalPermissions — in a later step. Do not create the member policy in the management account unless you also scan that account as a member.

Step 5: Management account — create the IAM role

  1. In the management account, go to IAMRolesCreate role.

 
IAM → Roles → Create role

  1. Select Custom trust policy.

 
Select trusted entity → Custom trust policy

  1. Paste the trust policy from SecureSlate (includes your External ID).

 
Paste trust policy JSON

  1. Click Next and attach both policies:
    • AWS managed SecurityAudit
    • Customer-managed SecureSlateManagementAccountPermissions

 
Attach SecurityAudit policy

  1. Name the role secureslate-auditor and click Create role.

 
Organization flow - management account role creation

  1. In the management account, open IAMRolessecureslate-auditor.
  2. Copy the Role ARN from the role summary (starts with arn:aws:iam::).
  3. Paste it into SecureSlate. Use the IAM Role ARN, not an Organizations account ARN.
  4. Click Test Connection to verify SecureSlate can assume the role.
  5. Click Next.

 
Link Role ARN + Test connection

Step 7: Member accounts — define organization scope

SecureSlate shows: Organization flow — Part 2 of 2: Member accounts.

Optionally narrow which accounts to scan:

  • Root / OU IDs to include — e.g. r-ab12 for the whole org, or comma-separated OU IDs. Leave blank to scan every active account.
  • Account IDs to exclude — optional comma-separated list (sandbox, break-glass, etc.).
  • Member account role name — defaults to secureslate-auditor. Change only if you used a different name in member accounts.

Click Next to deploy member roles.

 
Member accounts - organization scope

Step 8: Member accounts — deploy roles (StackSet or manual)

Member accounts need the secureslate-auditor role with SecurityAudit and SecureSlateAdditionalPermissions. Choose one method:

From the management account:

  1. Enable trusted access for CloudFormation StackSets (Organizations → Services → CloudFormation StackSets).
  2. Copy the CloudFormation template from SecureSlate.
  3. Open CloudFormation → StackSets → Create StackSet (not Stacks → Create stack).
  4. Select Service-managed permissions and Upload a template file with the JSON from SecureSlate.
  5. Set StackSet name to secureslate-member-accounts.
  6. Under Deployment targets, choose Deploy to organization (or the OUs from Step 7).
  7. Under Automatic deployment, choose Activated so new accounts receive the role automatically.
  8. Select the regions you plan to monitor, then submit.
  9. Wait until stack instances reach SUCCEEDED (typically 2–5 minutes).

 
Member accounts - CloudFormation StackSet deploy

Control Tower permissions are not included in the member StackSet — they are management-account only.

Option B: Manual IAM (per member account)

If StackSet is blocked in your org (some Control Tower environments), sign in to each member account and repeat the single-account policy + role flow:

  1. Create customer-managed policy SecureSlateAdditionalPermissions from the member policy JSON in SecureSlate.

 
Organization flow - member account policy creation

  1. Create role secureslate-auditor with the trust policy from SecureSlate; attach SecurityAudit and SecureSlateAdditionalPermissions.

 
Organization flow - member account role creation

  1. Repeat for every member account in scope. Accounts that already have secureslate-auditor need no changes.

If you enabled AWS Control Tower, try StackSet first; use manual IAM if StackSet deployment fails.

Step 9: Select regions

Select which AWS regions SecureSlate should monitor. Remove regions you do not want scanned.

Click Next.

 
Select regions

Step 10: Complete connection

Finish the wizard to save the integration and start the initial sync.

 
Complete connection

Larger organizations can take one to two hours for the first full sync. Use Sync now on the integration page to refresh data anytime.

Verify the integration

  • Open Cloud overview and confirm the AWS organization connection appears.
  • Open Checks and filter to AWS to see results populate.
  • Open Inventory (User Access) to see accounts discovered across the org after the first sync completes.

Troubleshooting

Test Connection fails on the management Role ARN

  • Confirm the role is in the management account, not a member account.
  • Confirm SecurityAudit and SecureSlateManagementAccountPermissions are attached.
  • Confirm the trust policy External ID matches SecureSlate.
  • Re-copy the Role ARN from IAM → Roles → secureslate-auditor.

Member account not syncing

  • Confirm the StackSet instance for that account is SUCCEEDED, or that the account has secureslate-auditor with both policies (manual path).
  • Check whether the account is in your excluded list or outside selected OUs.

StackSet wizard has no “Deploy to organization”

  • You may have opened Stacks → Create stack instead of StackSets → Create StackSet. Use StackSets from the management account.

Control Tower checks show no data

Last updated: June 30, 2026

Jamie
Virtual Agent

Hi! I'm Jamie. Curious about your current compliance challenges and how automation might help your team?