NSAuditor AI EE 0.6.0 — NEW Plugin Audits AWS PrivateLink Endpoints for the Silent-Bypass Misconfig Most Teams Don’t Catch

What’s new: NSAuditor AI EE 0.6.0 ships as a minor-version milestone, opening the v0.6.x line with NEW plugin 1160 AWS VPC Endpoints / PrivateLink Auditor. Plugin count grows 20 → 21 — the first plugin growth in this product line in a while.

Why this plugin matters

AWS PrivateLink (VPC Endpoints) is the canonical primitive that lets VPC traffic reach managed services — SQS, SNS, SES, KMS, S3, DynamoDB — without ever touching the public internet. The catch: the most common misconfig is invisible from the AWS console. With the endpoint deployed but Private DNS disabled, clients still resolve the service's public hostname, so traffic goes over the public internet anyway. The endpoint costs money for nothing.

The four dimensions plugin 1160 catches

  • CRITICAL — wildcard breaks isolation: Endpoint resource policy with an unconditional wildcard on a sensitive action (s3:*, kms:*, sns:*, sqs:*). Any AWS principal in any account can route through the endpoint. PrivateLink isolation gone.
  • MEDIUM — PrivateDNS silent-bypass: Endpoint exists, PrivateDnsEnabled=false. Traffic actually goes over the public internet.
  • HIGH — failed-state silent-failure: Endpoint stuck in failed state. Clients hit timeouts OR fall through to public-internet routing.
  • INFO — substrate disclosure: Type / VPC ID / subnet IDs / route-table IDs recorded for the auditor evidence pack.
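As an added example (not code from the NSAuditor project), the following Python implements the four checks listed above as plain audit logic. The endpoint records are constructed to mirror the shape of the EC2 DescribeVpcEndpoints response (VpcEndpointId, VpcEndpointType, State, PrivateDnsEnabled, PolicyDocument as a JSON string); the endpoint IDs, VPC IDs, subnet IDs, account ID and policies are made up, and no AWS API is called, so it runs offline.

```python
"""Audit VPC endpoint records for the four PrivateLink findings described above.

Records are constructed to mirror EC2 DescribeVpcEndpoints output; all IDs
and policies are made up for the example. No AWS API is called.
"""
import json

# Services whose "<service>:*" actions the CRITICAL check treats as sensitive.
SENSITIVE_PREFIXES = ("s3:", "kms:", "sns:", "sqs:")


def _as_list(value):
    """IAM policy fields may be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def wildcard_policy_findings(policy_json):
    """Return the wildcard actions granted to any principal without a Condition.

    A statement counts when Effect is Allow, no Condition is attached,
    Principal is "*" or {"AWS": "*"}, and an Action is "*" or "<service>:*"
    for one of the sensitive services.
    """
    if not policy_json:
        return []
    policy = json.loads(policy_json)
    hits = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue
        principal = stmt.get("Principal")
        if isinstance(principal, dict):
            principal_open = "*" in _as_list(principal.get("AWS", []))
        else:
            principal_open = principal == "*"
        if not principal_open:
            continue
        for action in _as_list(stmt.get("Action", [])):
            if action == "*" or (action.endswith(":*") and action.startswith(SENSITIVE_PREFIXES)):
                hits.append(action)
    return hits


def audit_endpoint(ep):
    """Classify one endpoint record into a list of (severity, message) findings."""
    findings = []
    eid = ep["VpcEndpointId"]
    wild = wildcard_policy_findings(ep.get("PolicyDocument"))
    if wild:
        findings.append(("CRITICAL", f"{eid}: unconditional wildcard for any principal on {', '.join(wild)}"))
    if ep.get("State") == "failed":
        findings.append(("HIGH", f"{eid}: endpoint is in failed state; clients time out or fall back to public routing"))
    # PrivateDnsEnabled only applies to interface endpoints; gateway endpoints
    # (S3, DynamoDB) are reached via route-table entries instead.
    if ep.get("VpcEndpointType") == "Interface" and ep.get("PrivateDnsEnabled") is False:
        findings.append(("MEDIUM", f"{eid}: PrivateDnsEnabled=false, clients resolve the public hostname"))
    findings.append(("INFO", f"{eid}: type={ep.get('VpcEndpointType')} vpc={ep.get('VpcId')} "
                             f"subnets={ep.get('SubnetIds', [])} route_tables={ep.get('RouteTableIds', [])}"))
    return findings


def audit_all(endpoints):
    """Run audit_endpoint over every record and flatten the findings."""
    return [f for ep in endpoints for f in audit_endpoint(ep)]


def _policy(statements):
    return json.dumps({"Version": "2012-10-17", "Statement": statements})


# Constructed sample records (made-up IDs and policies).
SAMPLE_ENDPOINTS = [
    {   # Interface endpoint with Private DNS off: the silent bypass.
        "VpcEndpointId": "vpce-0a1", "VpcEndpointType": "Interface", "VpcId": "vpc-aaa",
        "ServiceName": "com.amazonaws.us-east-1.sqs", "State": "available",
        "SubnetIds": ["subnet-1"], "PrivateDnsEnabled": False,
        "PolicyDocument": _policy([{"Effect": "Allow", "Principal": "*", "Action": "sqs:SendMessage", "Resource": "*"}]),
    },
    {   # Interface endpoint whose policy grants kms:* to any principal.
        "VpcEndpointId": "vpce-0b2", "VpcEndpointType": "Interface", "VpcId": "vpc-aaa",
        "ServiceName": "com.amazonaws.us-east-1.kms", "State": "available",
        "SubnetIds": ["subnet-1", "subnet-2"], "PrivateDnsEnabled": True,
        "PolicyDocument": _policy([{"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "kms:*", "Resource": "*"}]),
    },
    {   # Failed endpoint; wildcard is scoped by a Condition, so not CRITICAL.
        "VpcEndpointId": "vpce-0c3", "VpcEndpointType": "Interface", "VpcId": "vpc-bbb",
        "ServiceName": "com.amazonaws.us-east-1.sns", "State": "failed",
        "SubnetIds": ["subnet-3"], "PrivateDnsEnabled": True,
        "PolicyDocument": _policy([{"Effect": "Allow", "Principal": "*", "Action": "*", "Resource": "*",
                                    "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-example"}}}]),
    },
    {   # Gateway endpoint scoped to one account: INFO evidence only.
        "VpcEndpointId": "vpce-0d4", "VpcEndpointType": "Gateway", "VpcId": "vpc-bbb",
        "ServiceName": "com.amazonaws.us-east-1.s3", "State": "available",
        "RouteTableIds": ["rtb-1"],
        "PolicyDocument": _policy([{"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
                                    "Action": "s3:*", "Resource": "*"}]),
    },
]

if __name__ == "__main__":
    for severity, message in audit_all(SAMPLE_ENDPOINTS):
        print(f"[{severity}] {message}")
```

To run this against a real account, replace SAMPLE_ENDPOINTS with the VpcEndpoints list from boto3's ec2.describe_vpc_endpoints(); the audit functions take the same record shape. Note that the MEDIUM check is deliberately limited to interface endpoints, since Private DNS is not a property of gateway endpoints.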

Numbers

  • Plugin count 20 → 21 (first growth since EE 0.4.7)
  • +59 new tests; EE full regression 5044/5044 across 792 suites
  • 51-session 100% green streak preserved
  • 11th consecutive trio-publish (EE + CE + agent-skill)
  • Clean reviewer pass — 0 R-CRITICAL + 0 R-HIGH

Install

npm install -g nsauditor-ai@0.1.54 @nsasoft/nsauditor-ai-ee@0.6.0
npm install nsauditor-ai-agent-skill@0.1.21

Sources