NSAuditor AI EE 0.4.9 Ships ElastiCache Redis Auditor v2 — KMS-DescribeKey Promotion + Subnet Route-Table Verifier Close Both v1 Deferred Items

NSAuditor AI EE 0.4.9 extends the ElastiCache Redis Auditor with kms:DescribeKey promotion + subnet route-table verifier — closing both v1 deferred items. Fifth consecutive trio-publish.


What’s new: Nsasoft US LLC has shipped NSAuditor AI Enterprise Edition 0.4.9, extending the ElastiCache Redis Auditor (plugin 1180) with two headline capabilities and closing both v1 deferred items in a single cycle. The release ships as the fifth consecutive trio-publish alongside CE 0.1.48 and agent-skill 0.1.15. Coverage matrix remains unchanged at 10/4/33 — substrate-evidence depth on already-covered CC6.6 + C1.1, not new tile claims.

Part A — kms:DescribeKey cross-reference promotion (dim 2 at-rest encryption)

UNVERIFIABLE :key/UUID ARN shapes are promoted via KeyMetadata.KeyManager to deterministic verdicts: PASS elasticache-at-rest-customer-managed-kms-promoted when the key is customer-managed; MEDIUM elasticache-at-rest-aws-managed-kms-promoted when it’s AWS-managed. The promotion path mirrors plugin 1140 v2 institutional pattern and is conservative on AccessDenied / NotFound / unknown KeyManager per conservative_classifier_principle. No new SDK dependencies — reuses @aws-sdk/client-kms already declared in optionalDependencies since EE 0.4.5. Closes v1 R-MEDIUM-3.

Part B — Subnet route-table verifier (dim 6 subnet placement)

The plugin now walks elasticache:DescribeCacheSubnetGroups + ec2:DescribeRouteTables --filter association.subnet-id for each cache subnet. Per-subnet IGW-route detection uses /^igw-[a-f0-9]+$/i — correctly excluding egress-only eigw-. HIGH on IGW-routed subnet(s) with per-subnet igwDestinationsBySubnet evidence (R-HIGH-1 reviewer-fold surfaces destinationCidrBlock + destinationIpv6CidrBlock for auditor evidentiary completeness). Together with plugin 1170 EC2 SG Perimeter, the cache tier now has full layer-3 subnet→IGW perimeter and layer-4 SG ingress policy coverage. Closes v1 R-LOW-2.

Headline reviewer-fold closure — R-MEDIUM-2 false-NEGATIVE on default-VPC main-RT-inheritance

Pre-fold, the plugin emitted INFO on cache subnets with no explicit RT associations. Default-VPC main route tables typically carry 0.0.0.0/0 → igw-* — so those subnets are a real false-NEGATIVE hazard that v1 INFO substrate undersold. v2 emits LOW + evidenceGap per conservative_classifier_principle until v3 ships an explicit main-RT cross-reference. Real-AWS smoke against redis-leaky-cache confirms the fold fires demonstrably in production — pre-fold would have under-surfaced the hazard.
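The two verdict paths described above, as an added JavaScript example that is not NSAuditor's own code: the KeyManager promotion from Part A and the per-subnet route-table verdict from Part B, including the no-association LOW + evidenceGap fallback. Function names, the constructed sample route tables and the PASS label for an explicitly associated subnet with no IGW route are assumptions; inputs mirror the shape of kms:DescribeKey and ec2:DescribeRouteTables responses.

```javascript
// Added example (not NSAuditor's code): the verdict logic from the release notes on constructed input.
const IGW_RE = /^igw-[a-f0-9]+$/i; // anchored: matches igw-*, never egress-only eigw-*

// Part A: promote an UNVERIFIABLE :key/UUID ARN via KeyMetadata.KeyManager.
// `res` stands in for a kms:DescribeKey result, or { error } for AccessDenied / NotFound.
function classifyKmsKey(res) {
  if (res.error) return { verdict: 'UNVERIFIABLE', reason: res.error }; // conservative: no promotion
  const manager = res.KeyMetadata && res.KeyMetadata.KeyManager;
  if (manager === 'CUSTOMER') return { verdict: 'PASS', title: 'elasticache-at-rest-customer-managed-kms-promoted' };
  if (manager === 'AWS') return { verdict: 'MEDIUM', title: 'elasticache-at-rest-aws-managed-kms-promoted' };
  return { verdict: 'UNVERIFIABLE', reason: 'unknown KeyManager ' + manager }; // unknown value: stay conservative
}

// Part B: decide the placement verdict for one cache subnet from the route tables returned
// by ec2:DescribeRouteTables filtered on association.subnet-id (array shaped like RouteTables).
function classifySubnet(subnetId, routeTables) {
  const associated = routeTables.filter(rt => (rt.Associations || []).some(a => a.SubnetId === subnetId));
  if (associated.length === 0) {
    // R-MEDIUM-2 fold: no explicit association means the VPC main RT applies, which in a
    // default VPC usually carries 0.0.0.0/0 -> igw-*; emit LOW with an evidence gap, not INFO.
    return { severity: 'LOW', evidenceGap: 'no explicit route-table association; main RT not cross-referenced' };
  }
  const igwDestinations = [];
  for (const rt of associated) {
    for (const r of rt.Routes || []) {
      const gw = r.GatewayId || r.EgressOnlyInternetGatewayId || '';
      if (IGW_RE.test(gw)) {
        igwDestinations.push({ routeTableId: rt.RouteTableId, gatewayId: gw,
          destinationCidrBlock: r.DestinationCidrBlock || null,
          destinationIpv6CidrBlock: r.DestinationIpv6CidrBlock || null });
      }
    }
  }
  if (igwDestinations.length > 0) return { severity: 'HIGH', igwDestinationsBySubnet: { [subnetId]: igwDestinations } };
  return { severity: 'PASS' }; // assumed label: explicitly associated, no IGW route
}

// Constructed sample: one subnet behind an IGW default route, one behind an egress-only IGW only.
const SAMPLE_ROUTE_TABLES = [
  { RouteTableId: 'rtb-0aaa', Associations: [{ SubnetId: 'subnet-0aaa' }],
    Routes: [{ DestinationCidrBlock: '10.0.0.0/16', GatewayId: 'local' },
             { DestinationCidrBlock: '0.0.0.0/0', GatewayId: 'igw-0abc123' }] },
  { RouteTableId: 'rtb-0bbb', Associations: [{ SubnetId: 'subnet-0bbb' }],
    Routes: [{ DestinationCidrBlock: '10.0.0.0/16', GatewayId: 'local' },
             { DestinationIpv6CidrBlock: '::/0', EgressOnlyInternetGatewayId: 'eigw-0def456' }] },
];
```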

Tests, regression, and ecosystem

  • +29 new tests (22 v2 base + 7 reviewer-fold pin tests). Test file 90 → 119 across 22 → 28 suites.
  • Full regression 4696/4696 green. 45-session 100% green streak preserved.
  • 5 new soc2.json titlePattern entries (4 CC6.6 + 1 C1.1 pair).
  • agent-skill 0.1.15: plugin 1180 row updated to v2 so AI-coding-agent users (Claude Code, Cursor, Windsurf, VS Code Copilot) get current recommendations. Fifth consecutive catalog refresh.
  • CE 0.1.48: paired-release docs-only patch (binary code-identical to 0.1.40 → 0.1.47).

Who’s affected

ElastiCache Redis adopters + cache-tier platform engineers; default-VPC operators (the main-RT-inheritance false-NEGATIVE closure catches the canonical default-VPC IGW-route hazard); KMS-CMK auditors; SOC 2 readiness teams; Type-II audit firms; AI-coding-agent users.

Install

npm install -g nsauditor-ai@0.1.48 @nsasoft/nsauditor-ai-ee@0.4.9
npm install nsauditor-ai-agent-skill@0.1.15
