Connecting SecureSlate & AWS Organization

Connecting an AWS Organization to SecureSlate lets you continuously monitor all AWS accounts in your organization (including new accounts you add later). SecureSlate connects with read-only permissions and does not modify your AWS resources.

After connecting, findings appear on the Checks tab of the Cloud overview page, filtered by AWS.

AWS Account vs AWS Organization (what’s different?)

  • Scope
    • AWS account: connects one AWS account at a time.
    • AWS organization: connects all accounts in your AWS Organization and automatically picks up newly created accounts.
  • Setup effort
    • AWS account: create one policy + role in a single account, then link the Role ARN.
    • AWS organization: you typically repeat the policy + role creation for each member account (and may also need additional setup in the management account).
  • When to choose
    • Account: best for small environments or a single AWS account.
    • Organization: best when you want centralized visibility across multiple AWS accounts.

Prerequisites

Before you start, make sure you have:

  • SecureSlate permissions: access to create/manage integrations (typically Admin).
  • AWS permissions:
    • Ability to create customer-managed IAM policies and IAM roles in the AWS accounts you want to scan
    • Access to your AWS Organization management account, if additional org-level configuration is required

Connect an AWS Organization (Console)

SecureSlate currently supports connecting an AWS Organization via the AWS Console (manual setup).

Step 1: Start the AWS integration setup

  1. In SecureSlate, go to Integrations.
  2. Open the Available tab.
  3. Search for AWS.
  4. Click Connect on the AWS card.

 
Integrations → Available → AWS → Connect

 
AWS integration overview → Connect

Step 2: Choose Organization + Console

  1. Select Organization.
  2. Under Select your preferred method, choose Console.
  3. Click Next.

 
Select Organization + Console

Step 3: Select products to monitor

Toggle on any additional products you want SecureSlate to monitor. Your selection determines what permissions SecureSlate will include in the IAM policy you create.

 
Select products (Organization flow)

Organization flow overview

When connecting an AWS Organization, SecureSlate guides you through two parts:

  1. Member accounts: create the required policy + role in each member account you want to scan.
  2. Management account: apply additional permissions in the management (root) account so SecureSlate can discover accounts in the organization.

The AWS Console steps for policy/role creation are the same as the individual account setup, so this guide reuses those screenshots where they match.

Step 4: Member accounts: Create the IAM policy (repeat for each member account)

In the SecureSlate wizard, you’ll see a banner reminding you this step is for member accounts only.

 
Organization flow - member account policy creation

For each member account you want SecureSlate to scan:

  1. In the SecureSlate wizard, copy the policy JSON.

  2. In the AWS Management Console, go to IAM → Policies → Create policy.

     
    IAM → Policies → Create policy

  3. Open the JSON editor, delete any prefilled text, and paste the policy JSON from SecureSlate.

     
    Create policy → JSON tab

     
    Paste policy JSON

  4. Click Next, then name the policy SecureSlateAdditionalPermissions.

     
    Review and create (policy name)

  5. Click Create policy.

Step 5: Member accounts: Create the IAM role (repeat for each member account)

In the wizard, you’ll also see a banner reminding you to create the role in member accounts only.

 
Organization flow - member account role creation

For each member account you want SecureSlate to scan:

  1. In AWS, go to IAM → Roles → Create role.

     
    IAM → Roles → Create role

  2. Select Custom trust policy.

     
    Select trusted entity → Custom trust policy

  3. Paste the trust policy shown in SecureSlate (it includes a required External ID).

     
    Paste trust policy JSON

  4. Click Next.

  5. Attach both required permission policies:

    • AWS managed policy: SecurityAudit
    • Customer-managed policy: SecureSlateAdditionalPermissions

     
    Attach SecurityAudit policy

     
    Attach SecureSlateAdditionalPermissions policy

  6. Finish role creation with the name secureslate-auditor.

Step 6: Management account: Create the organization policy

After member accounts are configured, SecureSlate will prompt you to configure the management (root) account. This step uses a different policy than member accounts (it includes AWS Organizations permissions so SecureSlate can discover accounts).

 
Organization flow - management account policy

In your management account:

  1. In the SecureSlate wizard, copy the management account policy JSON.
  2. In AWS, go to IAM → Policies → Create policy.
  3. Paste the JSON and create a customer-managed policy named SecureSlateManagementAccountPermissions.

Step 7: Link Role ARN + Test connection

  1. In each AWS account (member accounts, and management account if prompted), open IAM → Roles → secureslate-auditor.
  2. Copy the Role ARN.
  3. Paste the Role ARN(s) into SecureSlate and click Test Connection.

 
Link Role ARN + Test connection

Step 8: Select regions (scope) and complete connection

  1. Select which AWS regions you want SecureSlate to monitor.
  2. Click Next to complete linking.

 
Select regions

 
Complete connection

SecureSlate will begin fetching and scanning resources. Larger organizations can take longer for the initial sync.

Troubleshooting

  • If a member account fails to connect, confirm that account has:
    • The secureslate-auditor role
    • Both permission policies attached (SecurityAudit + SecureSlateAdditionalPermissions)
    • The correct trust policy (including the External ID from SecureSlate)
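
The checklist above can be run against what a member account actually contains. This is an added example, not SecureSlate's own tooling: it assumes you feed it the JSON printed by `aws iam get-role --role-name secureslate-auditor` and `aws iam list-attached-role-policies --role-name secureslate-auditor`, and the account ID and External ID in the sample are constructed placeholders.

```python
import json

ROLE_NAME = "secureslate-auditor"
REQUIRED_POLICIES = {"SecurityAudit", "SecureSlateAdditionalPermissions"}

def as_list(value):
    """IAM JSON allows a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def check_member_role(get_role_json, attached_json, expected_external_id):
    """Return a list of problems; an empty list means the role matches the guide."""
    problems = []
    role = json.loads(get_role_json)["Role"]
    if role["RoleName"] != ROLE_NAME:
        problems.append(f"role is named {role['RoleName']!r}, expected {ROLE_NAME!r}")
    attached = {p["PolicyName"] for p in json.loads(attached_json)["AttachedPolicies"]}
    for missing in sorted(REQUIRED_POLICIES - attached):
        problems.append(f"policy not attached: {missing}")
    # Every Allow statement for sts:AssumeRole must be bound to the External ID.
    trusted = False
    for stmt in as_list(role["AssumeRolePolicyDocument"]["Statement"]):
        actions = as_list(stmt.get("Action", []))
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in actions:
            continue
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        ext_ids = as_list(cond.get("sts:ExternalId", []))
        if expected_external_id in ext_ids:
            trusted = True
        elif not ext_ids:
            problems.append("trust statement allows sts:AssumeRole without an External ID")
        else:
            problems.append("trust statement has a different External ID")
    if not trusted and not any("External ID" in p for p in problems):
        problems.append("no Allow statement for sts:AssumeRole in the trust policy")
    return problems

# Constructed sample data: the account ID and External ID are placeholders.
SAMPLE_ROLE = json.dumps({"Role": {"RoleName": "secureslate-auditor", "AssumeRolePolicyDocument": {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
                   "Action": "sts:AssumeRole",
                   "Condition": {"StringEquals": {"sts:ExternalId": "EXAMPLE-EXTERNAL-ID"}}}]}}})
SAMPLE_ATTACHED = json.dumps({"AttachedPolicies": [
    {"PolicyName": "SecurityAudit", "PolicyArn": "arn:aws:iam::aws:policy/SecurityAudit"}]})

if __name__ == "__main__":
    for problem in check_member_role(SAMPLE_ROLE, SAMPLE_ATTACHED, "EXAMPLE-EXTERNAL-ID"):
        print("FAIL:", problem)
```

A trust statement with no External ID condition is reported as a problem even though the connection might succeed, because the External ID is what ties the role to your SecureSlate workspace.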

Last updated: May 6, 2026