Configuration

AWS Integration Setup Guide

Requirements

• An active Nullify account

• AWS account with permissions to create IAM roles

• Access to AWS CloudFormation or Terraform

Setup Overview

Nullify's AWS integration follows a secure cross-account access pattern that requires specific configuration parameters. You'll need to provide certain information to complete the integration setup entirely through the Nullify dashboard interface.

Required Information

When setting up the AWS integration, you'll need to provide the following information in your Nullify dashboard:

From Your AWS Deployment

• IAM Role Name: The name of the IAM role created by the CloudFormation/Terraform template

• Target Accounts: List of AWS account IDs where the integration should scan for resources

From Nullify (Provided During Setup)

Your deployment template will need the following parameters from Nullify:

• Nullify Role ARN: The ARN of Nullify's cross-account role (provided in dashboard)

• Bucket Name: S3 bucket name for secure data transfer (if applicable)

• External ID: Unique identifier for secure cross-account access

Note: All account IDs, role ARNs, and bucket names shown in examples use placeholder values. Replace with your actual values during deployment.

Setup Process

1. Access Integration Setup

   • Log in to your Nullify dashboard

   • Navigate to Configure > Integrations

   • Select AWS integration to begin setup

2. Configure Integration Parameters

   • Provide your IAM role name (e.g., nullify-cross-account-role)

   • Specify target AWS account IDs (e.g., 123456789012, 987654321098)

   • Note the provided Nullify role ARN, bucket name, and external ID

3. Deploy the Template

   • Download the customized CloudFormation or Terraform template

   • Deploy using your preferred method:

     • CloudFormation:

       • Single account: Deploy through AWS Console, AWS CLI, or IaC

       • Multi-account: Deploy using AWS CloudFormation StackSets

     • Terraform: Apply using your existing Terraform workflow

Configuration Modes

Single Account

For single AWS account deployments, deploy the template directly to your target account with the provided parameters.

Multi-Account Setup

For organizations managing multiple AWS accounts:

• Use CloudFormation StackSets to deploy consistently across accounts

• Ensure the same IAM role name is used across all accounts

• Currently, the integration uses a single role name across all accounts

Organization-wide Scanning

For AWS Organizations, we recommend using CloudFormation StackSets to deploy the integration across your organization. This ensures consistent deployment and easier management of the Nullify integration across your AWS landscape.

Important: Organization-wide scanning requires the IAM role to be deployed in the management account (formerly master account) as well as all member accounts.

Role Configuration Limitations

Current Limitation: The integration currently supports a single IAM role name across all target accounts. The same role name must be used in all AWS accounts.

Need Different Role Names? Submit a feature request through our GitHub Issues if you need support for different role names per account.

Validation Requirements

• All account IDs must be valid 12-digit AWS account numbers

• The specified IAM role must exist in all target accounts

• Role must have the required permissions as defined in the CloudFormation/Terraform template

Troubleshooting

Common Issues

• Role Not Found: Ensure the IAM role exists in all specified accounts

• Access Denied: Verify the role has correct permissions and trust policy

Security Note

The deployed templates create IAM roles with minimal required permissions that allow Nullify to securely collect only the necessary information for vulnerability analysis. All access follows the principle of least privilege.

Need Help?

• For deployment issues: contact [email protected]

• For feature requests: submit through our GitHub Issues

Kubernetes Integration

Nullify's Kubernetes integration enables security scanning of your Kubernetes clusters to identify vulnerabilities. The integration deploys a collector that gathers cluster information and securely transmits it to Nullify for analysis.

Prerequisites

• Kubernetes cluster (EKS, GKE, AKS, or self-managed)

• Helm v3 installed

• AWS account with Nullify integration configured(IAM role)

Installation

For complete installation instructions, configuration options, and troubleshooting, please refer to our public GitHub repository:

Nullify Kubernetes Collector

The repository contains:

• Detailed Helm installation instructions

• Configuration examples and customization options

• Troubleshooting guides

• Latest releases and updates

Support

• For Kubernetes integration issues: See the GitHub repository for documentation and issues

• For general support: contact [email protected]