What’s new: NSAuditor AI EE 0.4.9 extends the ElastiCache Redis Auditor (plugin 1180) on dimensions 2 and 6, adding kms:DescribeKey cross-reference promotion for at-rest encryption and a subnet route-table verifier that walks each cache subnet’s RT associations to detect internet-gateway routes. The release closes both v1 deferred items (R-MEDIUM-3 KMS promotion + R-LOW-2 subnet RT verifier) and is the fifth consecutive EE + CE + agent-skill trio-publish.
The headline fold — default-VPC main-RT-inheritance false-NEGATIVE closure
Pre-fold, the plugin emitted INFO on cache subnets without explicit RT associations. Such subnets inherit the VPC main route table, and default-VPC main route tables typically carry 0.0.0.0/0 → igw-*, so those subnets are a real false-NEGATIVE hazard. v2 escalates the emission to LOW + evidenceGap. A real-AWS smoke test against the leaky-cache fixture confirms that the fold fires in production.
What gets verified
- Dim 2 KMS promotion: UNVERIFIABLE :key/UUID ARN shapes promoted via KeyMetadata.KeyManager → deterministic PASS (CUSTOMER) / MEDIUM (AWS). Mirrors plugin 1140 v2 pattern.
- Dim 6 subnet verifier: ec2:DescribeRouteTables --filter association.subnet-id per cache subnet; per-subnet IGW-route detection via /^igw-[a-f0-9]+$/i; HIGH on any IGW-routed subnet with per-subnet IGW destination CIDR evidence.
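The Dim 6 decision logic described above, sketched as an added example (not NSAuditor source code). The function names, the PASS label for a non-IGW subnet, and the sample IDs are assumptions; the input mirrors the shape of ec2:DescribeRouteTables responses, merged into one list here instead of one query per subnet.

```javascript
// Added illustration, not NSAuditor source. Input mirrors the shape of an
// ec2:DescribeRouteTables response filtered on association.subnet-id.
const IGW_RE = /^igw-[a-f0-9]+$/i; // pattern quoted in the release note

function classifySubnet(subnetId, routeTables) {
  // Keep only tables explicitly associated with this subnet.
  const explicit = routeTables.filter((rt) =>
    (rt.Associations || []).some((a) => a.SubnetId === subnetId));

  if (explicit.length === 0) {
    // No explicit association: the subnet inherits the VPC main route table,
    // which this query did not return, so the result is an evidence gap.
    return { subnetId, severity: 'LOW', evidenceGap: true, igwCidrs: [] };
  }

  // Collect destination CIDRs of every route whose target is an internet gateway.
  const igwCidrs = explicit.flatMap((rt) => (rt.Routes || [])
    .filter((r) => IGW_RE.test(r.GatewayId || ''))
    .map((r) => r.DestinationCidrBlock || r.DestinationIpv6CidrBlock));

  return igwCidrs.length > 0
    ? { subnetId, severity: 'HIGH', evidenceGap: false, igwCidrs }
    : { subnetId, severity: 'PASS', evidenceGap: false, igwCidrs }; // PASS label assumed
}

// Constructed sample data (all IDs are made up).
const sampleTables = [
  { RouteTableId: 'rtb-0aaa', Associations: [{ SubnetId: 'subnet-public', Main: false }],
    Routes: [{ DestinationCidrBlock: '10.0.0.0/16', GatewayId: 'local' },
             { DestinationCidrBlock: '0.0.0.0/0', GatewayId: 'igw-0abc123' }] },
  { RouteTableId: 'rtb-0bbb', Associations: [{ SubnetId: 'subnet-private', Main: false }],
    Routes: [{ DestinationCidrBlock: '10.0.0.0/16', GatewayId: 'local' },
             { DestinationCidrBlock: '0.0.0.0/0', NatGatewayId: 'nat-0def456' }] },
];

function auditCacheSubnets(subnetIds, routeTables) {
  return subnetIds.map((id) => classifySubnet(id, routeTables));
}

// 'subnet-default' has no explicit association, so it takes the LOW + evidenceGap path.
const results = auditCacheSubnets(
  ['subnet-public', 'subnet-private', 'subnet-default'], sampleTables);
console.log(JSON.stringify(results, null, 2));
```

Closing the evidence gap for the LOW case means fetching the VPC's main route table and running the same IGW check against it.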
Numbers
- Plugin count UNCHANGED at 20 (existing 1180 grew in scope)
- +29 new tests; EE full regression 4696/4696
- 45-session 100% green streak preserved
- 7 same-session reviewer folds
- Coverage matrix unchanged at 10/4/33 (substrate depth, not new tile claims)
Install
npm install -g nsauditor-ai@0.1.48 @nsasoft/nsauditor-ai-ee@0.4.9
npm install nsauditor-ai-agent-skill@0.1.15




