NSAuditor AI EE 0.4.8 Ships Database Audit-Logging for AWS RDS — pgAudit + CloudWatch Logs Close SOC 2 CC7.2 / CC7.3 Gap
NSAuditor AI EE 0.4.8 grows the AWS RDS Auditor from 7 to 10 dimensions, adding pgAudit, CloudWatch Logs exports, and retention checks — closing the SOC 2 CC7.2/CC7.3 database-activity-logs gap.
What’s new: Nsasoft US LLC has shipped NSAuditor AI Enterprise Edition 0.4.8, growing the AWS RDS Auditor plugin (1140) from seven to ten substrate-evidence dimensions. The release adds deterministic checks for pgAudit enablement, CloudWatch Logs exports, and log retention — closing the SOC 2 CC7.2 (continuous monitoring) and CC7.3 (event evaluation) database-activity-logs gap with auditor-grade evidence. Coverage matrix remains unchanged at 10/4/33: this is depth on already-covered controls, not new tile claims.
EE 0.4.8 ships as the fourth consecutive trio-publish alongside CE 0.1.47 and agent-skill 0.1.14, institutionalizing the discipline of keeping the open-source community edition, the enterprise plugins, and the AI-coding-agent catalog all current in a single release window.
Three new audit dimensions on plugin 1140
- Dim 8 — pgAudit enablement (CC7.2 + CC7.3, postgres-only). HIGH on disabled. New MEDIUM category `rds-pgaudit-misconfigured` closes a real-world false-PASS class: `pgaudit.log` set to `ddl,role,write` while `shared_preload_libraries` omits the pgaudit token, in which case Postgres silently ignores the GUC. The plugin now cross-checks both parameters and surfaces a distinct MEDIUM with a deterministic remediation path. Non-Postgres engines emit INFO + `engine-not-applicable`.
- Dim 9 — CloudWatch Logs exports (CC7.2). Engine-dispatched essential/optional policy via a frozen `_RDS_ENGINE_CWL_NAMES` table covering mysql, mariadb, aurora-mysql, postgres, aurora-postgresql, oracle-*, and sqlserver-*. Empty exports = HIGH; missing essentials = MEDIUM; all essentials = PASS.
- Dim 10 — CloudWatch Logs retention (CC7.2 + CC7.3). Enumerates log groups under engine-dispatched prefixes — `/aws/rds/instance/<id>/` for non-Aurora and `/aws/rds/cluster/<id>/` for Aurora. A 30-day institutional baseline applies, operator-tunable via `opts.auditLogRetentionPassMinDays` within the CloudWatch Logs canonical max (1..3653 days).
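The Dim 8 cross-check above, modelled as a stand-alone classifier (an added example, not the NSAuditor plugin's own code): input is a constructed view of the effective parameter-group values, only the two category names the release notes give are used, and the PASS/HIGH states carry no category because the page names none.

```javascript
// Engines the pgAudit dimension applies to; everything else is INFO.
const PGAUDIT_ENGINES = new Set(["postgres", "aurora-postgresql"]);

// Split a Postgres list GUC ("pg_stat_statements, pgaudit") into normalized tokens.
function parseListGuc(value) {
  if (value === undefined || value === null) return [];
  return String(value).split(",").map((s) => s.trim().toLowerCase()).filter(Boolean);
}

// Classify one instance. `params` maps parameter name -> effective value string.
function classifyPgAudit(engine, params) {
  if (!PGAUDIT_ENGINES.has(engine)) {
    return { severity: "INFO", category: "engine-not-applicable" };
  }
  const preload = parseListGuc(params.shared_preload_libraries);
  const logClasses = parseListGuc(params["pgaudit.log"]);
  const libraryLoaded = preload.includes("pgaudit");
  // pgaudit.log defaults to "none"; only a real class list actually audits anything.
  const classesConfigured = logClasses.some((c) => c !== "none");

  if (libraryLoaded && classesConfigured) {
    return { severity: "PASS", category: null };
  }
  if (classesConfigured && !libraryLoaded) {
    // The false-PASS class: the GUC looks right, but Postgres never loaded the
    // extension, so the setting is silently ignored. Static parameter -> reboot.
    return {
      severity: "MEDIUM",
      category: "rds-pgaudit-misconfigured",
      remediation: "Add pgaudit to shared_preload_libraries in the parameter group and reboot.",
    };
  }
  return { severity: "HIGH", category: null }; // pgAudit disabled
}

// Constructed sample fleet (not real instances) exercising each branch.
const SAMPLE_FLEET = [
  { id: "db-ok", engine: "postgres",
    params: { shared_preload_libraries: "pg_stat_statements,pgaudit", "pgaudit.log": "ddl,role,write" } },
  { id: "db-looks-ok", engine: "aurora-postgresql", params: { "pgaudit.log": "ddl,role,write" } },
  { id: "db-off", engine: "postgres", params: { shared_preload_libraries: "pgaudit", "pgaudit.log": "none" } },
  { id: "db-mysql", engine: "mysql", params: {} },
];

function auditFleet(fleet) {
  return fleet.map((db) => ({ id: db.id, ...classifyPgAudit(db.engine, db.params) }));
}

console.table(auditFleet(SAMPLE_FLEET));
```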
Headline reviewer-fold closures
Independent reviewer-agent inspection produced twelve findings on the v3 cycle; nine were folded same-session.
- HIGH-1 (false-INFO closure): Aurora cluster log-path detection. Pre-fix, the retention helper hard-coded the instance log path and returned zero log groups on every Aurora reader/writer — producing MEDIUM `evidenceGap` across whole Aurora fleets and drowning real signal. The fix routes `aurora-*` engines to the cluster prefix.
- MEDIUM-2 (false-PASS closure): the pgAudit-without-shared_preload_libraries class described above.
- MEDIUM-3 / 4 / 5: distinct LOW categories surfaced for CloudWatch Logs opt-out, retention distribution per-group spread, and transient errors — eliminating silent degradation classes in the auditor evidence pack.
End-to-end real-AWS smoke validation
EE 0.4.8 is the first 0.4.x extension cycle to validate both PASS-path and HIGH-path classifiers against live AWS in the same smoke run. Pre-publish modifications on the test account added shared_preload_libraries=pgaudit (pending-reboot) and pgaudit.log=ddl,role,write (immediate), enabled CloudWatch Logs exports on the compliant cluster, rebooted, and applied a 90-day retention policy on the auto-created log group. Account-wide finding distribution: 9 PASS + 2 MEDIUM + 4 INFO + 5 HIGH; durationMs=7812 for two instances including the CWL probe.
Tests, regression, and ecosystem
- +68 new tests (49 v3 base + 19 reviewer-fold pin tests). Test file 102 → 171 tests across 22 → 30 suites.
- Full regression 4642/4642 green. 44-session 100% green streak preserved.
- 7 new `soc2.json` `titlePattern` entries under CC7.2 + CC7.3 (3 pgAudit + 4 CloudWatch Logs).
- agent-skill 0.1.14: plugin 1140 row updated 7 → 10 dims so Claude Code, Cursor, Windsurf and VS Code Copilot users get current recommendations.
- CE 0.1.47: paired-release docs-only patch (binary code-identical to 0.1.40 → 0.1.46) carrying the EE 0.4.8 narrative to the npm landing page.
Who’s affected
AWS RDS DBA teams and database-platform engineers; Postgres administrators running pgAudit; Aurora fleet operators; SOC 2 readiness teams and Type-II audit firms; AI-coding-agent users who want recommendations to reflect the current EE plugin surface.
Install
npm install -g nsauditor-ai@0.1.47 @nsasoft/nsauditor-ai-ee@0.4.8
npm install nsauditor-ai-agent-skill@0.1.14