NSAuditor AI EE 0.4.0 — Biggest Enterprise Coverage Expansion Since the SOC 2 Compliance Engine Itself: 7 New AWS Auditor Plugins Land Alongside the 18-Session 545-Test AWS Backup Auditor With 12-Dimension Air-Gapped Vault Attestation
EE 0.4.0 ships 7 new AWS auditor plugins (1070-1130). Headline: plugin 1130 AWS Backup Auditor — 12-dim air-gapped vault attestation closes the A1.2 ransomware gap.

LAS VEGAS, NV — May 13, 2026 — Nsasoft US LLC, a network-security and AI-assisted audit software company, today announced NSAuditor AI Enterprise Edition (EE) v0.4.0, the largest enterprise-coverage release since the SOC 2 compliance engine itself shipped at EE 0.3.0. Seven new AWS auditor plugins (1070–1130) land in a single staging window, anchored by the 18-session EE-RT.12.7–24 AWS Backup Auditor institutional-hardening arc — the largest single-plugin hardening sweep in the EE codebase, with a 12-dimension air-gapped vault attestation arc for LogicallyAirGappedBackupVault resources that substantially closes the documented A1.2 “Backup/recovery posture itself” gap. EE 0.4.0 pairs with Community Edition v0.1.40 (published 2026-05-13 to npm latest).
EE plugin footprint grows 8 → 15
The seven new EE plugins shipping in 0.4.0:
- 1070 AWS KMS Auditor (EE-RT.3 v1) — Validates cryptographic boundary integrity and key governance. Wildcard-principal classifier across 5 severity tiers (CRITICAL unconditional `kms:*` takeover; HIGH for sensitive actions; INFO read-only-only; PASS no-wildcard). Coverage spans `Principal.AWS`/`Federated`/`Service`/`CanonicalUser` shapes + case-insensitive AWS/action matching + NotPrincipal-Allow + NotAction-Allow + glob-action coverage. Exports the `_describeKeyManager()` helper consumed by plugin 1060. Maps to CC6.3 + C1.1. 77 new tests.
- 1080 AWS Lambda Security Auditor (EE-RT.5 v1) — Runtime EOL detection (institutional-CRITICAL when Lambda returns an EOL runtime such as `nodejs16.x`/`python3.7`; case-normalized at the SDK boundary per `aws_string_case_normalization`), public function-URL exposure, resource-policy permissive principals, environment-variable secret-suggestive name detection (ZDE-safe: names + presence only — VALUES never inspected), VPC config, KMS-CMK custody, DLQ + reserved-concurrency posture. Maps to CC6.1/CC6.6/CC7.1/C1.1.
- 1090 AWS Secrets Manager + SSM Parameter Store Auditor (EE-RT.8 v1) — Secrets Manager rotation cadence + KMS-CMK custody; SSM Parameter Store String vs SecureString classification with secret-suggestive name detection. ZDE-critical: the scanner NEVER calls `GetSecretValue`/`GetParameter` — a verb-prefix denylist regex enforces metadata-only access at the SDK boundary. Maps to CC6.1/CC6.6/C1.1.
- 1100 AWS CodePipeline + CodeBuild Operational Integrity (EE-RT.9 v1 + 9.1) — Pipeline source-stage encryption, CodeBuild `privilegedMode` detection, buildspec drift, IAM wildcard-Action detection, S3 artifact-store encryption. EE-RT.9.1 stale-execution detection: pipelines whose executions are older than the configured cadence aren’t actively defending the build path. Maps to CC6.1/CC7.1/CC8.1/C1.1.
- 1110 IAM Effective Decrypt-Path Auditor (EE-RT.10 v1 + 10.1) — Cross-plugin reconciler walks IAM `kms:Decrypt`/`ReEncrypt*`/`GenerateDataKey` grants, then cross-references them against destination KMS key policies (plugin 1070) to compute the effective decrypt path. Closes the NotAction-implicit-decrypt false-PASS class. EE-RT.10.1 case-normalizes Effect + Action discriminators at the IAM-graph BFS boundary. Maps to CC6.1/CC6.6/C1.1/C1.2.
- 1120 AWS S3 Lifecycle + Cross-Region Replication Auditor (EE-RT.4 v1 + 4.1) — S3 lifecycle policy enumeration + cross-region replication topology. EE-RT.4.1 adds cross-region destination-bucket reachability verification (closes the silent-PASS class). Maps to C1.1/C1.2/A1.2.
- 1130 AWS Backup Auditor (EE-RT.12 v1 → v1.24) — headline thread — The largest single-plugin institutional-hardening arc in the EE codebase: ~7800 lines across 18 sessions / 25 commits / 545 plugin tests, with 19 R2-strict recurrence-class same-session closures. Detailed below.
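The metadata-only rule plugin 1090 describes, together with its String vs SecureString classification, as an added example that is not the plugin's own code: the denylist regex, the secret-suggestive name pattern, the severity tiers and the sample parameters are all assumptions.

```javascript
// Added example (not NSAuditor code): a ZDE gate at the SDK boundary plus
// String-vs-SecureString classification. Denylist, name heuristic and tiers are assumptions.
const VALUE_RETURNING = /^(GetSecretValue|GetParameter|GetParameters|GetParametersByPath)Command$/;
const SECRET_SUGGESTIVE = /(secret|passw(or)?d|token|api[_-]?key|private[_-]?key|credential)/i;

// Every SDK command passes through here first; a value-returning command never reaches client.send().
function assertMetadataOnly(command) {
  const name = command.constructor.name;
  if (VALUE_RETURNING.test(name)) throw new Error(`ZDE violation: ${name} would return secret material`);
  return command;
}

// Classifies one parameter from DescribeParameters metadata: only Name and Type are read,
// so a Value field (which DescribeParameters does not return anyway) is never inspected.
function classifyParameter(param) {
  const type = String(param.Type ?? "").trim().toLowerCase(); // aws_string_case_normalization
  const name = String(param.Name ?? "");
  if (type === "securestring") return { name, status: "PASS", reason: "SecureString" };
  if (SECRET_SUGGESTIVE.test(name)) return { name, status: "HIGH", reason: "secret-suggestive name stored as plain String" };
  return { name, status: "INFO", reason: "plain String, name not secret-suggestive" };
}

// Minimal stand-ins for the SDK command classes (constructor.name is what the gate inspects).
class DescribeParametersCommand {}
class GetParameterCommand {}
// Constructed DescribeParameters-shaped sample, not a real account.
const SAMPLE_PARAMS = [
  { Name: "/prod/db/password", Type: "String" },
  { Name: "/prod/db/host", Type: "String" },
  { Name: "/prod/api/token", Type: " SecureString" },
];

// Returns the worst tier seen plus the per-parameter findings.
function auditParameters(params) {
  const findings = params.map(classifyParameter);
  const worst = ["HIGH", "INFO", "PASS"].find((t) => findings.some((f) => f.status === t));
  return { worst, findings };
}
console.log(auditParameters(SAMPLE_PARAMS).worst); // "HIGH" (/prod/db/password is a plain String)
```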
The headline — Plugin 1130 AWS Backup Auditor + 12-dimension air-gapped vault attestation
Plugin 1130 audits the AWS Backup substrate end-to-end: Plans + Vaults + Recovery Points + Selections + Frameworks + Restore Testing Plans + ReportPlans + Legal Holds + VaultType + Vault Tags + Vault Access Policy. The headline capability is the 12-dimension air-gapped vault attestation arc for LogicallyAirGappedBackupVault resources — AWS’s cryptographically-isolated WORM vault primitive, the canonical institutional ransomware-defense control.
Six primary cryptographic-isolation mechanisms verified:
- Vault TYPE air-gapped (EE-RT.12.8) — `VaultType = LogicallyAirGappedBackupVault` literal-pin
- ARN account-segment separation (EE-RT.12.9) — vault ARN account segment ≠ source-account caller credentials
- Destination KMS key-policy clean (EE-RT.12.10) — no source-account principals in Allow statements granting decrypt-class actions; `NotPrincipal`/`NotAction` Allow conservatively treated as universal-allow
- Destination KMS Grants clean (EE-RT.12.11) — no source-account `GranteePrincipal` with decrypt-class `Operations`; addresses the class where Grants bypass the key policy entirely
- MRK-replica topology clean (EE-RT.12.12) — no MRK replica in the source account; primary not in the source account; primary key region matches the vault region
- Source-account VPC-endpoint policy clean (EE-RT.12.22) — `DescribeVpcEndpoints` filtered to KMS service endpoints; no source-account-Principal or wildcard-Principal decrypt grants
Plus 6 additional substrate dimensions (PITR / retention / encryption / RestoreTesting cadence / Legal Holds / vault Access Policy).
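As an added illustration that is not NSAuditor's code, the following evaluates four of the six mechanisms above (EE-RT.12.8 through 12.11) on constructed input, applying the conservative NotPrincipal/NotAction rule and the case normalization the release describes; the decrypt-class operation set, the finding names and the sample vault, key policy and grants are assumptions.

```javascript
// Added example, not NSAuditor code: four of the six isolation dimensions (EE-RT.12.8-12.11)
// evaluated on constructed input. DECRYPT_OPS and the finding names are assumptions.
const AIR_GAPPED = "logicallyairgappedbackupvault"; // named literal, compared after normalization
const DECRYPT_OPS = ["kms:decrypt", "kms:reencryptfrom", "kms:reencryptto", "kms:generatedatakey"];
// aws_string_case_normalization: trim + lowercase every AWS-returned string at the boundary.
const norm = (s) => String(s ?? "").trim().toLowerCase();
const list = (v) => (v === undefined ? [] : Array.isArray(v) ? v : [v]);
// 12-digit account id from a bare id or an IAM ARN; "*" for a wildcard; undefined for other shapes.
const acctOf = (p) => (norm(p) === "*" ? "*" : (norm(p).match(/^(?:arn:aws:iam::)?(\d{12})(?::|$)/) || [])[1]);
// Glob-aware: does this Action (kms:*, kms:Re*, kms:Decrypt ...) cover any decrypt-class operation?
function coversDecrypt(action) {
  const pat = norm(action).replace(/[.+?^${}()|\[\]\\]/g, "\\$&").replace(/\*/g, ".*");
  return DECRYPT_OPS.some((op) => new RegExp("^" + pat + "$").test(op));
}
// EE-RT.12.10: no source-account (or wildcard) principal may be Allowed a decrypt-class action.
function keyPolicyClean(policy, sourceAccount) {
  return policy.Statement.every((st) => {
    if (norm(st.Effect) !== "allow") return true;
    // Conservative classifier: NotPrincipal / NotAction on an Allow is treated as universal-allow.
    if (st.NotPrincipal !== undefined || st.NotAction !== undefined) return false;
    if (!list(st.Action).some(coversDecrypt)) return true;
    const principals = st.Principal === "*" ? ["*"] : list(st.Principal && st.Principal.AWS);
    return !principals.some((p) => ["*", sourceAccount].includes(acctOf(p)));
  });
}
// EE-RT.12.11: Grants bypass the key policy entirely, so GranteePrincipal + Operations are checked too.
function grantsClean(grants, sourceAccount) {
  return !grants.some((g) => acctOf(g.GranteePrincipal) === sourceAccount &&
    list(g.Operations).some((op) => coversDecrypt("kms:" + op)));
}
function attestVault(callerAccount, vault, keyPolicy, grants) {
  const findings = [];
  if (norm(vault.VaultType) !== AIR_GAPPED) findings.push("vault-type-not-air-gapped"); // EE-RT.12.8
  if (norm(vault.BackupVaultArn).split(":")[4] === callerAccount) findings.push("arn-account-not-separated"); // EE-RT.12.9
  if (!keyPolicyClean(keyPolicy, callerAccount)) findings.push("key-policy-source-account-decrypt");
  if (!grantsClean(grants, callerAccount)) findings.push("grant-source-account-decrypt");
  return { status: findings.length ? "FAIL" : "PASS", findings };
}
// Constructed sample: vault + key live in 2222..., but one Allow leaks kms:Decrypt back to the source account.
const SAMPLE = {
  callerAccount: "111111111111",
  vault: { VaultType: " LogicallyAirGappedBackupVault ", BackupVaultArn: "arn:aws:backup:us-east-1:222222222222:backup-vault:lag" },
  keyPolicy: { Statement: [
    { Effect: "Allow", Principal: { AWS: "arn:aws:iam::222222222222:root" }, Action: "kms:*", Resource: "*" },
    { Effect: "ALLOW", Principal: { AWS: "111111111111" }, Action: ["kms:Decrypt"], Resource: "*" } ] },
  grants: [{ GranteePrincipal: "arn:aws:iam::222222222222:role/backup", Operations: ["Decrypt"] }],
};
console.log(attestVault(SAMPLE.callerAccount, SAMPLE.vault, SAMPLE.keyPolicy, SAMPLE.grants));
// -> { status: "FAIL", findings: ["key-policy-source-account-decrypt"] }
```

Principal shapes the helper cannot resolve to an account (Federated, Service) are left unflagged here; the release's conservative_classifier_principle would emit INFO + evidenceGap for those instead of a PASS.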
Cross-service SDK integration spans 4 AWS clients: @aws-sdk/client-kms, @aws-sdk/client-ec2, @aws-sdk/client-config-service, @aws-sdk/client-backup. 74 new soc2.json titlePattern entries mapped across 7 controls: CC6.3 (4), CC6.6 (18), CC7.1 (4), CC8.1 (5), C1.1 (4), C1.2 (25), A1.2 (14) — making C1.2 the most-evidenced control in the 0.4.0 release.
Institutional-hardening process artifact — 19 R2-strict recurrence-class closures
The EE-RT.12.7–24 arc is documented across 18 sessions of two-reviewer same-session fold cycles (R1 general code review + R2 paranoid adversarial review run in parallel). 19 R2-strict recurrence-class same-session closures were catalogued, surfacing 4 new institutional-memory artifacts now applied preemptively across the entire EE codebase:
- `aws_string_case_normalization` — most-recurrent reviewer-discovered class (19× preemptive applications): IAM Condition keys, Lambda runtimes, KMS aliases, Effect/Action discriminators. `.trim().toLowerCase()` AWS-returned strings at the SDK-helper boundary.
- `emit_literal_set_drift` — a bare `=== "literal"` after a `Set.has()` guard re-opens the typo channel; lift to named constants referenced at producer + Set + consumer sites.
- `tsc_pi1_sub_criteria` — substrate evidence (PITR/retention/encryption) → PI1.5 Stored items, NOT PI1.1 (input data quality). Misclassification is auditor-detectable overclaiming.
- `conservative_classifier_principle` — emit INFO + evidenceGap (not a vacuous PASS) when ARN-shape disambiguation needs a follow-up API call. False-clean evidence is the worst SOC 2 reporting outcome.
Coverage matrix — AICPA TSC 2017
No matrix shift since 0.3.9 — stays 10 covered / 4 partial / 33 OOS. Institutional honesty: adding plugins that audit the same substrate dimensions more thoroughly is evidence-quality uplift, not coverage expansion. The matrix-shift opportunity is reserved for EE-RT.7 Lambda Runtime Assurance (PI1.1–PI1.4) in EE 0.5 / Q3 Y1.
| Status | Count | Trust Services Criteria |
|---|---|---|
| ✅ Covered | 10 | CC6.1, CC6.2, CC6.6, CC6.7, CC6.8, CC7.1, CC7.2, CC7.3, C1.1, C1.2 |
| 🟡 Partial | 4 | CC6.3, CC8.1, A1.2 (substantially deepened in 0.4.0), PI1.5 |
| ⚪ Out of scope | 33 | CC1.*, CC2.*, CC3.*, CC4.*, CC5.*, CC9.*, PI1.1–PI1.4, P1.0–P8.0, CC6.4, CC6.5 |
Validation evidence
Test counts: 545 plugin tests for 1130 + ~400 across 1070–1120 + 74 new plugin-emission literal-string pins in the drift detector. Full regression: 3792/3792 green at ~132s wall (was 2720/2720 at EE 0.3.9 publish — net +1072 tests across 0.3.9 → 0.4.0). ~200 reviewer folds total. 0 CRITICAL ship-blockers after fold.
Architecture & availability
EE 0.4.0 ships through npm as @nsasoft/nsauditor-ai-ee@0.4.0 (restricted access — Pro/Enterprise license required). The package layers on top of the open-source nsauditor-ai CE engine. EE 0.3.9 is explicitly deprecated on EE 0.4.0 publish. peerDependencies floor bumped ^0.1.38 → ^0.1.40.
npm install -g nsauditor-ai@0.1.40 @nsasoft/nsauditor-ai-ee@0.4.0
nsauditor-ai license install <KEY>
nsauditor-ai scan --host aws --plugins all --compliance soc2 --out evidence.json
# Or run the headline AWS Backup Auditor in isolation:
nsauditor-ai scan --host aws --plugins 1130 --compliance soc2 --out evidence.json
Resources
- npm package: `@nsasoft/nsauditor-ai-ee@0.4.0` (restricted; requires Pro/Enterprise license)
- CE pairing: `nsauditor-ai@0.1.40` (public; MIT; security-fix floor: ≥ 0.1.37)
- SOC 2 coverage table: nsauditor.com/ai/docs/soc2/
- TSC reference: AICPA TSC 2017 (A1.2 “Environmental protections, software, data backup processes, recovery infrastructure”; C1.2 “Disposal of Confidential Information”); SEC Rule 17a-4 / FINRA 4511 for WORM retention context
- Pricing & licensing: nsauditor.com/ai/pricing · nsauditor.com/ai/enterprise
Press & analyst contact
Nsasoft US LLC · press@nsasoft.us · nsasoft.us
For SOC 2 audit-team trials with custom AWS scenarios — particularly AWS Backup LogicallyAirGappedBackupVault ransomware-defense walkthroughs, KMS key-policy + IAM Effective Decrypt-Path cross-reference reviews, or pre-Type-II readiness assessments — contact enterprise@nsasoft.us.