NSAuditor AI EE 0.6.4: EventBridge Target Verification — Confirm Your AWS Alerting Sinks Actually Exist

Nsasoft US LLC released NSAuditor AI Enterprise Edition v0.6.4 today — an evidence-depth upgrade to plugin 1200 (AWS GuardDuty / Inspector2 Enablement Auditor) that closes a routing-sink false-PASS class at the EventBridge rule level.

Why EventBridge rules alone aren’t enough

When AWS teams set up GuardDuty or Inspector2 alerting, the typical path is: enable the service → create an EventBridge rule that matches the service’s event source → add targets (Lambda, SNS topic, SQS queue) to route findings somewhere useful.

EE 0.6.3 confirmed the first two steps: rule exists, rule is ENABLED, rule matches the right event source. What it didn’t check was whether the rule actually had any targets. AWS allows ENABLED rules with zero targets — the rule fires, the event is produced, and it routes nowhere. Operationally, no one gets paged.

EE 0.6.4 closes this: for each matched EventBridge rule, events:ListTargetsByRule is called to verify that routing sinks exist.

What’s new in the scanner

EventBridge target verification: PASS when at least one matched rule has verified targets. MEDIUM when all matched rules are target-less (routing sinks missing at the rule level). LOW when target verification can’t run — AccessDenied, SDK unavailable, or cap-exceeded. A configurable per-rule cap (default 10, max 100) bounds API cost, and an opt-out is available for cost-sensitive scheduled runs.

Cap-skew fix: If the first N rules are target-less and rules N+1 onward fall beyond the verification cap, the old classifier incorrectly emitted MEDIUM TARGETLESS. The corrected classifier emits LOW UNVERIFIABLE: rule N+1 could be the actual sink, so the posture is unverifiable, not confirmed-empty.

Multi-failedAccount surface: Delegated-admin Inspector2 scans now surface all failed accounts from BatchGetAccountStatus, not just the first. Each failed account gets its own LOW finding with account ID, error code, and error message. Per-region output is capped at 10 individual LOWs plus a rollup for the remainder.

Trigger uniformity: Both GuardDuty and Inspector2 alerting-destination checks now gate on service-enabled status, ensuring suspended or disabled services don’t trigger alerting checks on inactive substrates.
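
The severity rules for target verification and the cap-skew fix described above, as an added example (not NSAuditor AI source code). The function names, record shape and sample rule names are assumptions; each record stands for the outcome of one events:ListTargetsByRule call on a matched rule.

```javascript
// Added illustration, not NSAuditor AI source. Names and record shape are hypothetical.
// Record per matched rule: { name, targetCount } on success, { name, error } on failure.
// Assumes at least one matched rule; rule presence is a separate, earlier check.
const DEFAULT_CAP = 10; // release notes: default 10, max 100
const MAX_CAP = 100;

function classifyTargets(matchedRules, cap = DEFAULT_CAP) {
  const limit = Math.min(Math.max(1, cap), MAX_CAP);
  const checked = matchedRules.slice(0, limit);          // rules actually verified
  const skipped = matchedRules.length - checked.length;  // rules beyond the cap

  // One verified sink is enough for PASS.
  const routed = checked.find((r) => !r.error && r.targetCount > 0);
  if (routed) return { severity: 'PASS', rule: routed.name };

  // Rules that errored or were never fetched could still hold the sink,
  // so the posture is unknown rather than confirmed-empty.
  const errored = checked.filter((r) => r.error).length;
  if (errored > 0 || skipped > 0) {
    return { severity: 'LOW', status: 'UNVERIFIABLE', errored, skipped };
  }
  // Every matched rule was verified and none has a target.
  return { severity: 'MEDIUM', status: 'TARGETLESS' };
}

// Pre-fix behaviour as described above, reconstructed for comparison:
// rules beyond the cap are ignored when deciding TARGETLESS.
function classifyTargetsCapSkewed(matchedRules, cap = DEFAULT_CAP) {
  const checked = matchedRules.slice(0, cap);
  if (checked.some((r) => r.targetCount > 0)) return { severity: 'PASS' };
  if (checked.some((r) => r.error)) return { severity: 'LOW', status: 'UNVERIFIABLE' };
  return { severity: 'MEDIUM', status: 'TARGETLESS' };
}

// Constructed sample: two empty rules are verified, a third sits beyond a cap of 2.
const sample = [
  { name: 'gd-findings-a', targetCount: 0 },
  { name: 'gd-findings-b', targetCount: 0 },
  { name: 'gd-findings-c', targetCount: 1 }, // never fetched when cap = 2
];
console.log(classifyTargetsCapSkewed(sample, 2)); // MEDIUM TARGETLESS
console.log(classifyTargets(sample, 2));          // LOW UNVERIFIABLE
```
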

Install

npm install -g nsauditor-ai@0.1.58 @nsasoft/nsauditor-ai-ee@0.6.4

Plugin count remains 49 (27 CE + 22 EE). The SOC 2 coverage matrix is unchanged at 10 covered / 4 partial / 33 out-of-scope. More at nsauditor.com/ai/enterprise/.