The cardinal sin of a compliance scanner is the silent false-clean: blessing an exposed resource as compliant. NSAuditor AI Enterprise 0.31.3 hunts down an entire class of them — the false-clean that hides not in a misread field, but in a failed enumeration.
When the scanner can’t even list the resources
Every cloud audit starts by enumerating a population — list the buckets, the keys, the snapshots — and then inspecting each one. But what happens when the listing itself fails? A least-privilege audit role is denied the List* call. A region throttles after every retry. An API has a transient outage. If the scanner treats “I couldn’t list anything” the same as “there’s nothing wrong here,” it reports a clean bill of health over a population it never actually looked at — the most dangerous false-clean there is, because it is invisible by construction.
EE 0.31.3 closes this across 12 AWS plugins — CloudTrail, DynamoDB, KMS, Secrets Manager, Backup, IAM effective-decrypt, S3 lifecycle, SQS/SNS, VPC endpoints, EC2 security groups, SES, and GCS — in three distinct shapes the audit surfaced:
- The whole plugin went clean. An enumeration call wasn’t wrapped, so a generic (non-permission) error escaped the plugin entirely, and every dimension and every region recorded clean. The call is now guarded, and both the permission-denied and the generic-failure paths route a fail-closed evidence-gap.
- A region went clean. The failure was caught inside the per-region loop, but the routed gap only fired on a permission-denied error — so a persistent throttle or a network blip dropped to a silent warning and that region’s whole resource population read clean. The generic-failure path now routes too. (One SES case was subtler: it was emitting a finding, but the finding matched no compliance anchor and routed to zero controls — a phantom false-clean now re-pointed onto the correct anchored evidence-gap.)
- A least-privilege role went clean. An enumerator caught a permission-denied and returned quietly without throwing, while the gap that should have fired was gated on a condition that path never set. The result: an audit role deliberately denied the primary List* read its entire region clean. This is the most field-common shape of all — a misscoped read-only role is routine — and it now fails closed to exactly the controls the real violation would.
In every case the new evidence-gap fails closed to exactly the producing source’s own controls — no more, no less — so an unverifiable population can never read clean, and the compliance verdict is precise rather than borrowed.
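As an added illustration (not NSAuditor's code), the per-region audit shape described above in Python: the naive enumerator swallows a permission-denied as an empty population and lets a generic failure escape, while the hardened one turns any enumeration failure into an evidence-gap routed to the same controls a real violation would hit. The control anchors, region names, error classes and snapshot inventory are all constructed for the example.

```python
from collections import namedtuple

class AccessDenied(Exception):
    """Stand-in for the cloud API's permission-denied error."""

# region, resource id (or "*" for the whole population), kind, routed controls
Finding = namedtuple("Finding", "region resource kind controls")

# Hypothetical control anchors for a "snapshot must not be public" check.
PUBLIC_SNAPSHOT_CONTROLS = ("CC6.1", "A.8.12")

def violations(region, snapshots):
    """Inspect each enumerated snapshot; a public one is a violation."""
    return [Finding(region, s["id"], "violation", PUBLIC_SNAPSHOT_CONTROLS)
            for s in snapshots if s["public"]]

def audit_region_naive(region, list_snapshots):
    """False-clean shapes: AccessDenied is swallowed without routing a gap, so
    a denied region reads clean; any other error is uncaught and escapes."""
    try:
        snapshots = list_snapshots(region)
    except AccessDenied:
        snapshots = []  # an empty population reads exactly like "no violations"
    return violations(region, snapshots)

def audit_region_fail_closed(region, list_snapshots):
    """Hardened shape: any enumeration failure becomes an evidence-gap routed
    to exactly the controls a real violation in this population would hit."""
    try:
        snapshots = list_snapshots(region)
    except Exception:  # permission-denied and generic (throttle, outage) alike
        return [Finding(region, "*", "evidence-gap", PUBLIC_SNAPSHOT_CONTROLS)]
    return violations(region, snapshots)

# Constructed inventory: one readable region, one denied, one throttled.
INVENTORY = {
    "us-east-1": [{"id": "snap-1", "public": False},
                  {"id": "snap-2", "public": True}],
    "eu-west-1": AccessDenied("not authorized to list snapshots"),
    "ap-south-1": RuntimeError("rate exceeded"),
}

def fake_list_snapshots(region):
    """Constructed stand-in for the real List/Describe call."""
    result = INVENTORY[region]
    if isinstance(result, Exception):
        raise result
    return result
```

Run both auditors over the three regions: only the fail-closed version reports anything for the denied and throttled regions, and what it reports routes to the same controls as the genuine public-snapshot violation in us-east-1.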
The Aurora cluster snapshot the instance scan never sees
The release also adds a genuinely new detection surface. Amazon Aurora stores its snapshots at the cluster level (DescribeDBClusterSnapshots) — a separate API from the per-instance snapshot list. An Aurora Serverless v1 cluster has no member instances at all, so an instance-by-instance scanner is structurally blind to it. A cluster snapshot shared with restore=all is public: any AWS account on earth can restore it and read every row, regardless of at-rest encryption.
Plugin 1140 now reads that surface directly: a public cluster snapshot is CRITICAL, a cross-account share is HIGH, and an unencrypted cluster snapshot is HIGH — routing identically to the existing instance-snapshot findings across all seven frameworks. A non-Aurora Multi-AZ DB cluster, whose cluster snapshots are likewise invisible to its instance-audited members, now fails closed to a routed residual gap rather than reading clean.
A hardening release, by design
EE 0.31.3 is a false-negative-hardening release: no new framework, plugin count unchanged at 28, and all seven coverage matrices unchanged — SOC 2, HIPAA, NIST CSF 2.0, PCI DSS, ISO/IEC 27001, CIS Controls v8, and GDPR Article 32. Fleet-wide read-only (Zero Data Exfiltration) enforcement holds across all 28 plugins; the new code adds only Describe/List reads. For GDPR, the engine evidences GDPR Article 32 infrastructure substrate only — not GDPR compliance — and sits in the Article 83(4) lower fine tier.
EE 0.31.3 pairs with Community Edition 0.2.15 (MIT-licensed) and agent-skill 0.2.15, and requires CE 0.2.8 or later. Upgrade in place — no configuration change, no new dependency. Learn more at nsauditor.com/ai/enterprise.