Configuration

Overview

Configure Nullify's AWS integration to specify which accounts and regions to monitor for security findings.

Configuration Parameters

integrations:
  aws:
    enable: true
    role_name_to_assume: nullify-role    # IAM role created by CloudFormation/Terraform
    # Organization-wide scanning
    primary_account_id: "123456789012"   # AWS Organization's management account
    primary_region: "ap-southeast-2"     # Primary region for API calls
    
    # Optional: Selective scanning
    target_regions: ["ap-southeast-2", "us-east-2"]     # Specific regions to scan
    target_accounts: ["123456789012", "123456789013"]   # Specific accounts to scan

Configuration Modes

Organization-wide Scanning

When deployed across your AWS Organization, simply specify:

primary_account_id: Your AWS Organization's management account
primary_region: Primary region for API operations
role_name_to_assume: IAM role name created during deployment

Important Note: Organization-wide scanning requires the IAM role to be deployed in the management account (formerly known as master account) as well as member accounts. Nullify will automatically discover and scan all accounts in your organization.

Selective Scanning

To limit scanning to specific accounts or regions:

target_regions: List of AWS regions to scan
target_accounts: List of AWS account IDs to scan
role_name_to_assume: IAM role name created during deployment

Note: When using selective scanning, primary_account_id and primary_region are not required.

Validation

All account IDs must be valid 12-digit AWS account numbers
Regions must be valid AWS region identifiers
The specified role must exist in all target accounts

Need help with configuration? Reach out to your Nullify support contact.

PreviousPrerequisites NextNullify API

Last updated 26 days ago

Was this helpful?