Nsasoft US LLC released NSAuditor AI Enterprise Edition v0.6.5 today — two practical fixes for common cross-account audit failure modes.

Fix 1: AssumeRole credentials now work across all 18 EE plugins

When using aws sts assume-role for cross-account audits, AWS returns a temporary credential triple: access key, secret key, and a sessionToken. Pre-0.6.5, every EE plugin that constructed AWS SDK v3 clients silently dropped the sessionToken field. The result: all API calls failed signing with InvalidSignature or ExpiredTokenException — and no clear error message pointed to the missing token.

EE 0.6.5 fixes all 18 affected plugins with a conditional spread that threads sessionToken through every SDK client constructor. A new regression test pins the contract so future plugins don’t regress.

Fix 2: Dead EventBridge targets now surface as companion-LOW findings

EE 0.6.4 verified that EventBridge rules had targets — events:ListTargetsByRule confirmed Targets.length > 0. EE 0.6.5 goes further: it checks whether those targets are actually alive.

For each target, the plugin now calls the appropriate liveness probe:

• Lambda: lambda:GetFunction (full ARN, so alias-to-version correctness is verified)
• SNS: sns:GetTopicAttributes
• SQS: sqs:GetQueueUrl + sqs:GetQueueAttributes (partition-aware for GovCloud and China regions)

When any target is dead, a companion LOW finding is emitted alongside the rule’s PASS verdict — the PASS stands (routing path exists at the rule level), but the LOW surfaces the specific dead ARNs for operator action.

To avoid false-positives on freshly-created resources, there’s a one-retry with 750ms backoff on NotFound responses. Probes run in parallel with a 2-second per-target timeout so large accounts don’t stall.

Install

npm install -g nsauditor-ai@0.1.59 @nsasoft/nsauditor-ai-ee@0.6.5

Plugin count: 49 (27 CE + 22 EE). SOC 2 coverage matrix: 10/4/33. More at nsauditor.com/ai/enterprise/.