What’s new: NSAuditor AI EE 0.5.1 — a patch-level extension in the v0.5.x line — grows the SQS/SNS Auditor (plugin 1150) from 5 to 7 dimensions with CloudWatch alarm coverage. It’s the first plugin-1150 dimension to cross an SDK boundary (SQS+SNS → CloudWatch), closing the “messaging monitoring” SOC 2 dimension.
The headline fold — empty-AlarmActions silent-PASS closure
A CloudWatch alarm with {ActionsEnabled: true, AlarmActions: []} will never page anyone — no SNS topic, no PagerDuty, no Lambda fires on threshold breach. But pre-fold the auditor emitted PASS-tier evidence for it. v2 requires BOTH ActionsEnabled=true AND a non-empty AlarmActions[] array to qualify as actionable. Real production pattern from incomplete IaC modules — a Terraform/CloudFormation template that creates the alarm shell but leaves alarm_actions empty.
What gets verified
- Dim 6 — SQS ApproximateAgeOfOldestMessage alarm coverage. Catches consumer-backlog growth that would otherwise produce no operator paging.
- Dim 7 — SNS NumberOfNotificationsFailed alarm coverage. Catches subscription delivery failures (HTTPS timeouts, Lambda errors, mobile push errors) that would otherwise be silent.
- Four-tier severity ladder on both: PASS / MEDIUM missing / LOW actions-disabled / LOW + evidenceGap unverifiable.
- Dual-mapped to CC7.2 (operational monitoring) + A1.2 (availability) — one substrate check, two control objectives.
Numbers
- Plugin count UNCHANGED at 20 (existing 1150 grew in scope)
- +52 new tests; EE full regression 4860/4860 across 760 suites
- 47-session 100% green streak preserved
- 7 same-session reviewer folds (1 CRITICAL + 1 HIGH + others)
- Seventh consecutive EE + CE + agent-skill trio-publish
Install
npm install -g nsauditor-ai@0.1.50 @nsasoft/nsauditor-ai-ee@0.5.1
npm install nsauditor-ai-agent-skill@0.1.17
