Nsasoft US LLC has released NSAuditor AI Enterprise Edition 0.15.3, an audit-accuracy calibration patch that closes the fourth and final AWS S3 public-exposure vector — object-level ACLs — and introduces a BucketOwnerEnforced upstream short-circuit that reduces scan time on modern AWS estates. Plugin count is UNCHANGED at 28, and all six framework coverage matrices are UNCHANGED.
Closing the fourth S3 public-exposure vector
EE 0.15.2 closed three of four S3 public-exposure vectors: bucket policy, bucket ACL, and Public Access Block. The fourth — object-level ACLs — was carried as a documented residual. EE 0.15.3 closes it.
Plugin 1020 (the AWS S3 auditor) now samples object-level ACLs: it lists the first page of keys with ListObjectsV2, takes up to AWS_S3_AUDIT_OBJECT_SAMPLE_CAP of them (default 10, clamped to [1, 1000]) and calls GetObjectAcl on each. A Group grantee of AllUsers or AuthenticatedUsers on any sampled object emits CRITICAL with the locked emission “Object ACL grants public access (groups) on N of M sampled objects – objects publicly accessible”. That string routes through the existing "publicly accessible" framework anchor to SOC 2 C1.1, HIPAA §164.312(a)(2)(iv), ISO/IEC 27001:2022 A.5.23 / A.8.3 / A.8.12 and CIS Controls v8 3.3, so no framework JSON gains a new mapping. If the bucket's Public Access Block (PAB) has IgnorePublicAcls enabled, S3 ignores those grants and the finding is downgraded to LOW informational.
The sampling bias is stated in the emission itself. Taking the lexicographically first keys is fast and deterministic but biased toward early keys, so when the listing was truncated that context is carried on the CRITICAL finding: the evidence trail says the exposure could be wider than the sample rather than presenting N of M as exhaustive.
BucketOwnerEnforced upstream short-circuit + intentional matrix delta
A new GetBucketOwnershipControls call is now made once per bucket. When the bucket reports ObjectOwnership = BucketOwnerEnforced (the default for every bucket created since April 2023, when AWS began disabling ACLs on new buckets), the auditor emits a single informational finding and skips both the bucket-ACL and object-ACL dimensions, since S3 does not honour ACL grants on such a bucket. The short-circuit saves 11 or more API calls per BOE bucket.
This produces an intentional matrix delta from EE 0.15.2: BOE buckets that previously surfaced as CRITICAL on legacy stored ACL grants now surface as informational. S3 structurally ignores ACL grants under BucketOwnerEnforced, so the prior CRITICAL was a false-positive class. The underlying objects are not publicly exposed, and the auditor’s BOE detection now closes that audit-accuracy gap. Operators comparing 0.15.2 → 0.15.3 scans on the same estate should expect this downgrade on any pre-BOE bucket subsequently retrofitted with BOE. The short-circuit is unconditional — by design, since under BOE the ACL findings are structurally false.
The scan-time benefit is real on modern estates: at the default sample cap of 10, a BOE bucket now costs one API call (GetBucketOwnershipControls) instead of twelve (GetBucketAcl, ListObjectsV2 and ten GetObjectAcl calls).
Shared helper and evidence-gap discipline
A new module-scoped extractPublicGroups helper is used by both the bucket-ACL and object-ACL dimensions, with AuthenticatedUsers treated equivalently to AllUsers because PAB IgnorePublicAcls blocks both per AWS documentation.
Four new LOW evidence-gap emissions route via a new "S3 object-ACL evidence-gap" substring anchor to SOC 2 CC7.1 and HIPAA §164.312(b) Audit Controls. The four flavors are: ListObjectsV2 returned AccessDenied because the scanner role lacks s3:ListBucket; the listing was truncated (IsTruncated), so the sample does not cover the bucket; GetObjectAcl returned AccessDenied on more than the partial threshold of sampled objects; and GetObjectAcl failed for other reasons on more than that threshold. Each is a gap, not a clean result, following the conservative-classifier principle: unverifiable ≠ clean.
All six matrices UNCHANGED + tunable configuration
SOC 2 10/4/33 · HIPAA 7/3/45 · NIST CSF 2.0 13/10/83 · PCI DSS 20/8/39 · ISO/IEC 27001:2022 17/14/62 · CIS Controls v8 17/22/114 — verified unchanged. CC7.1 + §164.312(b) gain substrate-depth via the new evidence-gap anchor (both controls were already covered before this cycle).
Three environment variables are exposed for operators: AWS_S3_AUDIT_OBJECT_SAMPLE_CAP (default 10, clamped to [1, 1000]), AWS_S3_AUDIT_OBJECT_RATE_MS (default 50ms between GetObjectAcl calls, separate from the bucket-level rate limit), and AWS_S3_AUDIT_OBJECT_ACL_PARTIAL_THRESHOLD (default 0.5, the fraction of sampled objects whose GetObjectAcl call must fail before an evidence-gap finding is emitted).
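As an added example (not NSAuditor code, and not the project's plugin 1020), the following JavaScript reimplements the decision logic described in the three sections above: the BucketOwnerEnforced short-circuit, first-page object-ACL sampling with the locked CRITICAL emission and the PAB IgnorePublicAcls downgrade, the shared extractPublicGroups helper, the four evidence-gap emissions, and the three tunables with their defaults. It runs against a constructed in-memory S3 fake that returns AWS-shaped responses, so it needs no credentials. The function names (auditBucketAcls, loadConfig, fakeS3), the fake, the sample estate, the wording of every message other than the locked emission, and the reading of "above threshold" as strictly greater are all assumptions.

```javascript
// Added example (not NSAuditor code): a hypothetical, synchronous reimplementation of the S3 ACL
// audit logic this page describes, run against a constructed in-memory S3 fake that returns
// AWS-shaped responses. All function, fake and bucket names are assumptions.
const ALL_USERS = 'http://acs.amazonaws.com/groups/global/AllUsers';
const AUTH_USERS = 'http://acs.amazonaws.com/groups/global/AuthenticatedUsers';

// The three operator tunables with the documented defaults and the [1, 1000] cap clamp.
function loadConfig(env = process.env) {
  const num = (v, d) => (v === undefined || v === '' || !Number.isFinite(Number(v)) ? d : Number(v));
  return {
    sampleCap: Math.min(1000, Math.max(1, Math.floor(num(env.AWS_S3_AUDIT_OBJECT_SAMPLE_CAP, 10)))),
    rateMs: num(env.AWS_S3_AUDIT_OBJECT_RATE_MS, 50),
    partialThreshold: num(env.AWS_S3_AUDIT_OBJECT_ACL_PARTIAL_THRESHOLD, 0.5),
  };
}

// Shared helper for both ACL dimensions: names of public group grantees. AuthenticatedUsers
// counts as public because PAB IgnorePublicAcls blocks both groups.
function extractPublicGroups(grants = []) {
  return grants
    .filter((g) => g.Grantee?.Type === 'Group' && [ALL_USERS, AUTH_USERS].includes(g.Grantee.URI))
    .map((g) => g.Grantee.URI.split('/').pop());
}

function auditBucketAcls(s3, bucket, cfg = loadConfig()) {
  const findings = [];
  const emit = (severity, message) => findings.push({ severity, message });
  const gap = (what) => emit('LOW', `S3 object-ACL evidence-gap: ${what}`);
  // BOE short-circuit: S3 ignores ACL grants under BucketOwnerEnforced, so both ACL dimensions are skipped.
  const own = s3.getBucketOwnershipControls({ Bucket: bucket });
  if (own.OwnershipControls?.Rules?.[0]?.ObjectOwnership === 'BucketOwnerEnforced') {
    emit('INFO', 'ObjectOwnership=BucketOwnerEnforced: ACLs disabled, bucket-ACL and object-ACL checks skipped');
    return findings;
  }
  // PAB IgnorePublicAcls neutralises any public ACL grant found below (CRITICAL becomes LOW).
  let ignorePublicAcls = false;
  try { ignorePublicAcls = s3.getPublicAccessBlock({ Bucket: bucket }).PublicAccessBlockConfiguration?.IgnorePublicAcls === true; }
  catch (e) { if (e.name !== 'NoSuchPublicAccessBlockConfiguration') throw e; }
  const aclSeverity = ignorePublicAcls ? 'LOW' : 'CRITICAL';
  const note = ignorePublicAcls ? ' [neutralised by PAB IgnorePublicAcls]' : '';
  // Bucket-ACL dimension, using the same helper as the object-ACL dimension below.
  const bucketGroups = extractPublicGroups(s3.getBucketAcl({ Bucket: bucket }).Grants);
  if (bucketGroups.length) emit(aclSeverity, `Bucket ACL grants public access to ${bucketGroups.join(', ')}${note}`);
  // Object-ACL dimension: lexicographic first page only (fast and deterministic, biased to early keys).
  let page;
  try { page = s3.listObjectsV2({ Bucket: bucket, MaxKeys: cfg.sampleCap }); }
  catch (e) {
    if (e.name !== 'AccessDenied') throw e;
    gap('ListObjectsV2 AccessDenied (scanner role lacks s3:ListBucket)');
    return findings;
  }
  const keys = (page.Contents ?? []).map((o) => o.Key).slice(0, cfg.sampleCap);
  if (page.IsTruncated) gap(`listing truncated; the ${keys.length} sampled keys are not exhaustive`);
  let publicCount = 0, denied = 0, otherErrors = 0;
  for (const key of keys) {
    try { if (extractPublicGroups(s3.getObjectAcl({ Bucket: bucket, Key: key }).Grants).length) publicCount++; }
    catch (e) { if (e.name === 'AccessDenied') denied++; else otherErrors++; }
    // Per-object throttle (Atomics.wait is a synchronous sleep permitted on Node's main thread).
    if (cfg.rateMs > 0) Atomics.wait(new Int32Array(new SharedArrayBuffer(4)), 0, 0, cfg.rateMs);
  }
  const m = keys.length;
  if (publicCount > 0) {
    // Locked emission: the separator is U+2013 (UTF-8 e2 80 93), not an ASCII hyphen.
    emit(aclSeverity, `Object ACL grants public access (groups) on ${publicCount} of ${m} sampled objects \u2013 objects publicly accessible`
      + (page.IsTruncated ? ' (sample truncated; exposure could be wider)' : '') + note);
  }
  // Unverifiable is not clean: GetObjectAcl failures above the partial threshold become LOW gaps.
  if (m > 0 && denied / m > cfg.partialThreshold) gap(`GetObjectAcl AccessDenied on ${denied} of ${m} sampled objects`);
  if (m > 0 && otherErrors / m > cfg.partialThreshold) gap(`GetObjectAcl failed (non-AccessDenied) on ${otherErrors} of ${m} sampled objects`);
  return findings;
}

// Constructed in-memory S3 fake; `calls` counts operations so the short-circuit is observable.
function fakeS3(buckets) {
  const calls = {};
  const count = (op) => { calls[op] = (calls[op] ?? 0) + 1; };
  const fail = (name) => { const e = new Error(name); e.name = name; throw e; };
  const grant = (uri) => ({ Grantee: { Type: 'Group', URI: uri }, Permission: 'READ' });
  return {
    calls,
    getBucketOwnershipControls: ({ Bucket }) => (count('GetBucketOwnershipControls'),
      { OwnershipControls: { Rules: [{ ObjectOwnership: buckets[Bucket].ownership }] } }),
    getPublicAccessBlock: ({ Bucket }) => (count('GetPublicAccessBlock'),
      { PublicAccessBlockConfiguration: { IgnorePublicAcls: !!buckets[Bucket].ignorePublicAcls } }),
    getBucketAcl: ({ Bucket }) => (count('GetBucketAcl'), { Grants: (buckets[Bucket].bucketGroups ?? []).map(grant) }),
    listObjectsV2: ({ Bucket, MaxKeys }) => {
      count('ListObjectsV2');
      if (buckets[Bucket].denyList) fail('AccessDenied');
      const all = Object.keys(buckets[Bucket].objects).sort();
      return { Contents: all.slice(0, MaxKeys).map((Key) => ({ Key })), IsTruncated: all.length > MaxKeys };
    },
    getObjectAcl: ({ Bucket, Key }) => {
      count('GetObjectAcl');
      const o = buckets[Bucket].objects[Key];
      if (o.error) fail(o.error);
      return { Grants: (o.groups ?? []).map(grant) };
    },
  };
}

// Constructed estate covering the cases the page describes (ObjectWriter = ACLs still honoured).
const ESTATE = {
  'boe-bucket': { ownership: 'BucketOwnerEnforced', bucketGroups: [ALL_USERS], objects: { 'a.txt': { groups: [ALL_USERS] } } },
  'legacy-bucket': { ownership: 'ObjectWriter', objects: { 'a.txt': { groups: [ALL_USERS] },
    'b.txt': { groups: [AUTH_USERS] }, 'c.txt': {}, 'd.txt': { error: 'AccessDenied' } } },
  'pab-bucket': { ownership: 'ObjectWriter', ignorePublicAcls: true, bucketGroups: [AUTH_USERS], objects: { 'x.txt': { groups: [ALL_USERS] } } },
  'opaque-bucket': { ownership: 'ObjectWriter', objects: { p: { error: 'AccessDenied' }, q: { error: 'AccessDenied' }, r: { error: 'AccessDenied' }, s: {} } },
  'unlisted-bucket': { ownership: 'ObjectWriter', denyList: true, objects: {} },
};

const demo = fakeS3(ESTATE);
for (const bucket of Object.keys(ESTATE)) console.log(bucket, auditBucketAcls(demo, bucket));
console.log('API calls by operation:', demo.calls);
```

Running it prints each bucket's findings and a per-operation call count. The BOE bucket shows exactly one GetBucketOwnershipControls call and no GetBucketAcl, ListObjectsV2 or GetObjectAcl calls, which is the short-circuit the page describes; the legacy bucket shows the locked CRITICAL emission, and the bucket whose listing is denied shows only the evidence-gap finding. With a real client, fakeS3 would be replaced by the corresponding AWS SDK commands; the response field names used here are the ones the S3 API documents.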
Live AWS smoke and release
Verified live against a real AWS account in us-east-1: BOE detection (informational finding only, zero ACL-tier API calls), preservation of the en-dash in the CRITICAL emission (U+2013, UTF-8 bytes 0xE2 0x80 0x93, intact end-to-end in a scan against the real API), the sampling cap being respected, and the per-object throttle being observable.
EE 0.15.3 ships as the forty-first consecutive trio-publish alongside CE 0.1.84 and agent-skill 0.1.51. Install:
npm install -g nsauditor-ai@latest @nsasoft/nsauditor-ai-ee@latest nsauditor-ai-agent-skill@latest
The hexa-framework one-scan workflow remains: --compliance soc2,hipaa,nist-csf,pci-dss,iso-27001,cis-v8 produces six separate auditor-ready evidence packs from a single scan. Zero data exfiltration — all evidence stays inside your infrastructure.
Full release notes: NSAuditor AI Enterprise Edition.