NSAuditor AI EE 0.30.1 Enhances AWS Security by Closing Critical Vulnerabilities in RDS and API Gateway

In an era where data security is paramount, NSAuditor AI has made significant strides in enhancing its AWS auditing capabilities with the release of version 0.30.1 of its Enterprise Edition. This update specifically addresses vulnerabilities tied to Amazon Web Services (AWS) sources, ensuring tighter security and compliance across various frameworks.

Closing Vulnerabilities in AWS Sources

The latest update notably closes the last two AWS sources—RDS (Relational Database Service) and API Gateway—where real exposure could occur. With the introduction of a dedicated false-negative pass for every AWS source, users can now be more confident in their security posture. The RDS auditor has been upgraded to flag any manual DB snapshot shared with a restore option set to “all” as a critical public exposure. This change is crucial because it indicates that even encrypted snapshots can pose risks if the share grants are not properly managed.

Moreover, a named-account share now receives a HIGH flag, indicating a significant risk level. The update also changes how a denied DescribeDBInstances call is handled: a region the scanner was not permitted to read is no longer reported as clean, a vital adjustment for organizations striving to maintain robust security protocols.
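The two RDS behaviours described above, written out as an added example (this is not NSAuditor's code and does not use its plugin API): a share-grant classifier over the shape returned by rds:DescribeDBSnapshotAttributes, and a region listing that refuses to report a denied DescribeDBInstances call as an empty, clean region. The sample responses and the stand-in callables are constructed for the example.

```python
"""Added example, not NSAuditor's code. Classifies the restore grants on a
manual RDS DB snapshot and treats a denied listing call as an evidence gap.
Input dict shapes follow the AWS API responses; all sample data is constructed."""

from dataclasses import dataclass

PUBLIC_SHARE = "all"  # AWS sentinel: any AWS account may restore the snapshot


@dataclass(frozen=True)
class Finding:
    snapshot_id: str
    severity: str  # CRITICAL | HIGH | INFO
    detail: str


def classify_snapshot(snapshot_id: str, attributes_result: dict) -> Finding:
    """attributes_result is the DBSnapshotAttributesResult dict from
    rds:DescribeDBSnapshotAttributes. Only the 'restore' attribute carries
    share grants. Encryption status is deliberately not consulted: a grant
    is exposure regardless of whether the snapshot is encrypted."""
    grants = []
    for attr in attributes_result.get("DBSnapshotAttributes", []):
        if attr.get("AttributeName") == "restore":
            grants.extend(attr.get("AttributeValues", []))
    if PUBLIC_SHARE in grants:
        return Finding(snapshot_id, "CRITICAL", "restore grant 'all': public exposure")
    if grants:
        accounts = ", ".join(sorted(grants))
        return Finding(snapshot_id, "HIGH", f"restore grant to account(s): {accounts}")
    return Finding(snapshot_id, "INFO", "no share grants")


def audit_region(describe_instances):
    """describe_instances stands in for rds:DescribeDBInstances. Returns
    ('ok', [ids]) when the region was actually read, or ('evidence_gap', reason)
    when the call was denied. A denied call must never look like 'no instances'."""
    try:
        page = describe_instances()
    except PermissionError as exc:  # stands in for an AccessDenied error
        return ("evidence_gap", f"DescribeDBInstances denied: {exc}")
    return ("ok", [db["DBInstanceIdentifier"] for db in page.get("DBInstances", [])])


# Constructed stand-ins for the listing call, used by the demo below.
def listing_allowed():
    return {"DBInstances": [{"DBInstanceIdentifier": "orders-db"}]}


def listing_denied():
    raise PermissionError("AccessDenied")


if __name__ == "__main__":
    public = {"DBSnapshotAttributes": [{"AttributeName": "restore", "AttributeValues": ["all"]}]}
    shared = {"DBSnapshotAttributes": [{"AttributeName": "restore", "AttributeValues": ["111122223333"]}]}
    print(classify_snapshot("snap-public", public))
    print(classify_snapshot("snap-shared", shared))
    print(audit_region(listing_allowed))
    print(audit_region(listing_denied))
```

The point of the tuple-returning `audit_region` is that the caller cannot accidentally fold a denied region into a "no findings" result; the evidence gap is a distinct value that downstream reporting has to handle.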

Enhancements to API Gateway Auditing

The API Gateway auditor has also received vital updates, effectively closing a previously existing gap in WAF (Web Application Firewall) deep-audit capabilities. The new version ensures that any stage referencing a Web ACL (Access Control List) that the scanner cannot verify, whether because it was deleted, access was denied, it lives in another region, or its configuration is malformed, now fails the boundary-control check. This measure is aligned with real WAF findings, enhancing the reliability of security audits.

Specifically, the update introduces six evidence-gap classes that fail closed, mirroring actual WAF findings. For instance, a deleted Web ACL that returns a 403 status for every request is now correctly flagged. Additionally, the auditor can now identify unknown authorization schemes, silently-skipped WebSocket APIs, and unencrypted response caches, all of which are now routed correctly for analysis.
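A fail-closed WAF boundary check for an API Gateway stage, as an added example that is not NSAuditor's code. It covers the four evidence-gap states the text names (deleted, denied, cross-region, malformed) and the unencrypted-cache check; the other gap classes are not described on the page and are not modelled. The stage dict follows the shape of apigateway:GetStage (`webAclArn`, `methodSettings`), and `web_acl_lookup` is an assumed callable standing in for wafv2:GetWebACL. Sample stages and lookups are constructed.

```python
"""Added example, not NSAuditor's code. A WAF boundary check that fails
whenever the scanner cannot prove the referenced Web ACL is live, plus the
unencrypted-response-cache check. All sample data is constructed."""

import re

# WAFv2 regional web ACL ARN: arn:aws:wafv2:<region>:<account>:regional/webacl/<name>/<id>
WEB_ACL_ARN = re.compile(
    r"^arn:aws:wafv2:(?P<region>[a-z0-9-]+):(?P<account>\d{12}):regional/webacl/[^/]+/[^/]+$"
)


class WebAclNotFound(Exception):
    """Stand-in for the WAFv2 'not found' error (ACL deleted)."""


class WebAclAccessDenied(Exception):
    """Stand-in for an AccessDenied error on the WAF lookup."""


def check_waf_boundary(stage: dict, stage_region: str, web_acl_lookup):
    """Return (status, reason). Every state in which the ACL cannot be verified
    is FAIL, never PASS or 'skipped'. A stage with no ACL at all is an ordinary
    WAF finding rather than an evidence gap, so it is reported separately."""
    arn = stage.get("webAclArn")
    if not arn:
        return ("FAIL", "no-web-acl")
    match = WEB_ACL_ARN.match(arn)
    if not match:
        return ("FAIL", "evidence-gap:malformed-arn")
    if match.group("region") != stage_region:
        # A regional ACL must live in the API's own region; anything else cannot be attached.
        return ("FAIL", "evidence-gap:cross-region")
    try:
        web_acl_lookup(arn)
    except WebAclNotFound:
        # The text describes a deleted ACL as one that 403s every request; the
        # scanner still cannot verify a control, so the check fails closed.
        return ("FAIL", "evidence-gap:deleted")
    except WebAclAccessDenied:
        return ("FAIL", "evidence-gap:denied")
    return ("PASS", "web-acl-verified")


def check_cache_encryption(stage: dict):
    """Return the method-setting keys where caching is on but the cache is not encrypted."""
    return [
        key
        for key, ms in stage.get("methodSettings", {}).items()
        if ms.get("cachingEnabled") and not ms.get("cacheDataEncrypted", False)
    ]


# Constructed lookups standing in for wafv2:GetWebACL outcomes.
def lookup_live(arn):
    return {"Name": "api-acl", "ARN": arn}


def lookup_deleted(arn):
    raise WebAclNotFound(arn)


def lookup_denied(arn):
    raise WebAclAccessDenied(arn)


# Constructed sample stage (the ACL id is a placeholder, not a real resource).
SAMPLE_STAGE = {
    "stageName": "prod",
    "webAclArn": "arn:aws:wafv2:us-east-1:111122223333:regional/webacl/api-acl/00000000-0000-0000-0000-000000000000",
    "methodSettings": {
        "*/*": {"cachingEnabled": True, "cacheDataEncrypted": False},
        "/orders/GET": {"cachingEnabled": True, "cacheDataEncrypted": True},
    },
}

if __name__ == "__main__":
    for lookup in (lookup_live, lookup_deleted, lookup_denied):
        print(lookup.__name__, check_waf_boundary(SAMPLE_STAGE, "us-east-1", lookup))
    print("cross-region", check_waf_boundary(SAMPLE_STAGE, "eu-west-1", lookup_live))
    print("unencrypted caches:", check_cache_encryption(SAMPLE_STAGE))
```

The design choice to note is that the only path to `PASS` runs through a successful lookup of a well-formed, same-region ARN; every exception and every parse failure lands on an explicit `FAIL` reason, so a missing permission or a stale reference can never masquerade as a protected stage.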

Compliance Across Frameworks

One of the most significant advantages of the NSAuditor AI EE 0.30.1 updates is that all changes are matrix-neutral across the seven frameworks. For example, an anonymous API Gateway resource policy now maps to PCI DSS 7.2.1 and GDPR Article 32. Conversely, a broken Web ACL fails PCI 6.4.1 / ISO A.8.21, while an unencrypted cache fails ISO A.8.24.

However, it’s essential to note that the routing related to GDPR is structured only as Article 32 infrastructure substrate and does not equate to full GDPR compliance. Users will need to ensure they meet additional requirements to achieve complete compliance.

Integration and Availability

NSAuditor AI EE 0.30.1 has been developed in tandem with CE 0.2.13 and agent-skill 0.2.13, ensuring that users receive a comprehensive suite of tools for auditing and compliance. The software continues to be available through npm, with the Community version under the MIT license and the Enterprise version available via @nsasoft/nsauditor-ai-ee.

With no new frameworks introduced and the plugin count remaining unchanged at 28, users can be assured that the integrity of the existing coverage matrices remains intact. This update represents a notable step forward in the ongoing battle against data exposure and compliance challenges faced by organizations utilizing AWS services.
