NSAuditor AI EE 0.6.2 Ships Multi-Region AWS Security Auditing and Fixes Silent GovCloud Region Skip

Nsasoft US LLC has released NSAuditor AI Enterprise Edition 0.6.2, delivering multi-region AWS threat-detection auditing and closing a structural false-PASS gap that affected GovCloud, ISO, and ISO-B operators running earlier versions of the tool.

Multi-Region Enumeration for GuardDuty and Inspector2

Prior to this release, plugin 1200 — the AWS Inspector2/GuardDuty Enablement Auditor — audited threat detection in only the single AWS region configured on the client. An operator whose credentials defaulted to us-east-1 while GuardDuty was actually deployed in us-west-2 would see a false-HIGH finding against the wrong region, or miss coverage gaps in regions that weren’t audited at all.

EE 0.6.2 resolves this by enumerating all opted-in regions via ec2:DescribeRegions, dispatching audits across each region in parallel, and tagging every finding with the region it came from. Operators can supply an explicit region allowlist, set a safety cap (default 64 regions, configurable to 256), or skip multi-region entirely for cost-sensitive scheduled runs using skipMultiRegion: true.

GovCloud, ISO, and ISO-B Region Bug Fixed

The release also addresses a silent false-CLEAN issue affecting federal and classified-cloud operators. A region ID validation regex in earlier versions rejected four-part region identifiers — the format AWS uses for GovCloud (us-gov-east-1), ISO (us-iso-east-1), ISO-B (us-isob-east-1), and ISO-F (us-isof-south-1) regions. When one of these region IDs was passed explicitly, the plugin silently skipped it and reported a clean result.

Auditors running FedRAMP, StateRAMP, IL5, or higher-classification evidence packs on earlier versions of EE would have received clean results without the regions being audited. The regex has been updated in 0.6.2 to accept both three-part and four-part region identifier forms.
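The failure mode described above, as an added example that is not NSAuditor's own code: a validator that accepts only three-part region IDs drops a GovCloud ID and the run still reports PASS, while a widened pattern or a fail-closed rejection path surfaces the gap. Both regexes, the function names, and the sample state are assumptions, since the release does not publish the actual pattern.

```javascript
// Added illustration. Both patterns are assumptions: the page does not
// publish the regex NSAuditor used before or after 0.6.2.
const THREE_PART_ONLY = /^[a-z]{2}-[a-z]+-\d+$/;              // us-east-1
const THREE_OR_FOUR_PART = /^[a-z]{2}(?:-[a-z]+){1,2}-\d+$/;  // + us-gov-east-1

// Constructed sample state: is GuardDuty enabled in each region?
const SAMPLE_STATE = { 'us-east-1': true, 'us-gov-east-1': false };

// Hypothetical stand-in for the per-region check; returns a list of findings.
function checkRegion(region) {
  return SAMPLE_STATE[region]
    ? []
    : [{ severity: 'HIGH', title: 'GuardDuty not enabled' }];
}

// Split an explicit allowlist into IDs the validator accepts and rejects.
function planRegions(requested, pattern) {
  const audit = [];
  const rejected = [];
  for (const id of requested) (pattern.test(id) ? audit : rejected).push(id);
  return { audit, rejected };
}

// failClosed=false models the silent skip: rejected IDs simply vanish.
// failClosed=true reports every rejected ID as an unaudited region.
function runAudit(requested, pattern, failClosed) {
  const { audit, rejected } = planRegions(requested, pattern);
  const findings = audit.flatMap((region) =>
    checkRegion(region).map((f) => ({ region, ...f })));
  if (failClosed) {
    for (const region of rejected) {
      findings.push({ region, severity: 'HIGH', title: 'Region not audited' });
    }
  }
  return { audited: audit, rejected, findings,
           verdict: findings.length === 0 ? 'PASS' : 'FAIL' };
}

const allowlist = ['us-east-1', 'us-gov-east-1'];
const silentSkip = runAudit(allowlist, THREE_PART_ONLY, false);
const failClosedRun = runAudit(allowlist, THREE_PART_ONLY, true);
const widened = runAudit(allowlist, THREE_OR_FOUR_PART, false);
console.log(silentSkip.verdict, failClosedRun.verdict, widened.verdict);
```

Comparing the requested allowlist against the list of regions actually audited is a quick way to confirm that an evidence pack covers every region it claims to.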

GuardDuty Detection Latency and Inspector2 Baseline

EE 0.6.2 also adds classification of each GuardDuty detector’s FindingPublishingFrequency. AWS supports three publishing cadences: 15 minutes (the recommended default), 1 hour, and 6 hours. Detectors set to the 6-hour cadence amplify mean-time-to-detect for credential exfiltration and reconnaissance activity. Plugin 1200 now emits a LOW evidence-depth finding when a detector’s cadence is weaker than the configured institutional baseline.

In addition, the Inspector2 scan-target baseline has been expanded to include Lambda code scanning and code-repository scanning for GitHub and GitLab, both of which reached general availability through 2024. Operators who have enabled Inspector2 but not these newer scan types will now see a partial-coverage MEDIUM finding rather than a false-CLEAN PASS.

Installation

npm install -g nsauditor-ai@0.1.56 @nsasoft/nsauditor-ai-ee@0.6.2

The plugin count remains at 22 EE plugins (49 total). The SOC 2 coverage matrix is unchanged at 10 covered / 4 partial / 33 out-of-scope. GovCloud, ISO, or ISO-B operators on EE 0.6.1 or earlier should treat this upgrade as mandatory.
