NSAuditor AI EE 0.6.2: Multi-Region GuardDuty and Inspector2 Auditing Closes False-PASS Gap for AWS Security Teams

NSAuditor AI EE 0.6.2 ships multi-region GuardDuty/Inspector2 enumeration, fixes a silent GovCloud regex bug, adds FindingPublishingFrequency classification, and expands the Inspector2 baseline.

Nsasoft US LLC has released NSAuditor AI Enterprise Edition 0.6.2, an evidence-acquisition update to plugin 1200 — the AWS Inspector2/GuardDuty Enablement Auditor. The release addresses two categories of false findings that could cause auditors to either overreport risk or miss real coverage gaps, and extends the plugin’s detection baseline to cover AWS threat-detection services more completely.

Single-Region Audit Scope Was Producing False Results

In previous versions, plugin 1200 evaluated GuardDuty and Inspector2 only in the AWS region configured on the client at audit time. This created two failure modes. An operator whose credentials defaulted to us-east-1 — but whose GuardDuty deployment was in us-west-2 — would receive a false-HIGH gd-not-enabled finding against the wrong region. In the inverse scenario, a deployment enabled only in the configured region would appear fully compliant while real coverage gaps existed elsewhere.

EE 0.6.2 resolves this by enumerating all opted-in regions via ec2:DescribeRegions, running GuardDuty and Inspector2 checks against each region, and tagging every finding with its source region. Operators can supply an explicit region allowlist, configure a safety cap (default 64, up to 256), or bypass multi-region enumeration entirely via skipMultiRegion: true for cost-controlled scheduled runs. The enumeration is scoped to opted-in regions only, so deliberately disabled regions do not trigger false-HIGH findings.

GovCloud and Classified-Cloud Region Support

A separate issue affected operators running on AWS GovCloud, ISO, ISO-B, and ISO-F regions. These regions use four-part identifiers — us-gov-east-1, us-iso-east-1, us-isob-east-1, us-isof-south-1 — while the three-part form (us-east-1) is the commercial standard. A validation regex in earlier versions of plugin 1200 rejected four-part IDs outright: passing one of these regions via the regions option resulted in a silent skip, with the plugin reporting a clean result without auditing the region.

Auditors producing evidence packs for FedRAMP, StateRAMP, IL5, or higher-classification assessments on EE 0.6.1 or earlier would have received structurally incomplete results. The regex has been corrected in EE 0.6.2 to accept both three-part and four-part AWS region identifiers. Nsasoft advises GovCloud and classified-cloud operators on any earlier version to treat this upgrade as mandatory.

GuardDuty Detection Latency Classification

GuardDuty detectors can be configured to publish findings at 15 minutes, 1 hour, or 6 hours. The 15-minute interval is the AWS-recommended default; the 6-hour cadence significantly extends mean-time-to-detect for time-sensitive threat categories including credential exfiltration and network reconnaissance. Plugin 1200 now evaluates each detector’s FindingPublishingFrequency against an institutional baseline (default: FIFTEEN_MINUTES) and emits a LOW evidence-depth finding when the configured cadence is weaker. The baseline is operator-configurable via gdFrequencyPassFrequency.
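As an added illustration, not plugin 1200's own code, the JavaScript below reproduces the two checks described in the region-support and detection-latency sections: region-ID validation before and after the four-part fix (showing the silent skip the pre-fix pattern produced) and the FindingPublishingFrequency comparison against a FIFTEEN_MINUTES baseline. The two regexes, the severity ordering and the detector inventory are assumptions constructed for the example; ONE_HOUR and SIX_HOURS are the other two GuardDuty frequency values.

```javascript
// Constructed illustration of the behaviour described in the release notes.
// Neither regex is the plugin's actual pattern; both are assumptions.

// Pre-0.6.2 style: only three-part IDs (us-east-1) pass validation.
const THREE_PART_ONLY = /^[a-z]{2}-[a-z]+-\d+$/;
// Corrected style: one or two middle segments, so us-gov-east-1 and
// us-isob-east-1 are accepted alongside us-east-1 and ap-southeast-2.
const THREE_OR_FOUR_PART = /^[a-z]{2}(-[a-z]+){1,2}-\d+$/;

// Higher rank = longer publishing interval = weaker detection cadence.
const FREQ_RANK = { FIFTEEN_MINUTES: 0, ONE_HOUR: 1, SIX_HOURS: 2 };

// Evaluate each requested region; invalid IDs are skipped silently, which
// is exactly the evidence gap the regex fix closes.
function auditRegions(requested, detectors, regionPattern, baseline = "FIFTEEN_MINUTES") {
  const findings = [];
  const skipped = [];
  for (const region of requested) {
    if (!regionPattern.test(region)) { skipped.push(region); continue; }
    const det = detectors[region];
    if (!det || !det.enabled) {
      findings.push({ region, id: "gd-not-enabled", severity: "HIGH" });
      continue;
    }
    if (FREQ_RANK[det.frequency] > FREQ_RANK[baseline]) {
      findings.push({ region, id: "gd-publishing-frequency", severity: "LOW",
                      actual: det.frequency, baseline });
    }
  }
  return { findings, skipped };
}

// Constructed sample inventory standing in for per-region GetDetector results.
const SAMPLE_DETECTORS = {
  "us-east-1":     { enabled: true,  frequency: "FIFTEEN_MINUTES" },
  "us-west-2":     { enabled: true,  frequency: "SIX_HOURS" },
  "us-gov-east-1": { enabled: false, frequency: null },
};
const REQUESTED = ["us-east-1", "us-west-2", "us-gov-east-1"];

// Before the fix the GovCloud region vanishes from the result; after it the
// disabled detector surfaces as a HIGH finding tagged with its region.
function runBefore() { return auditRegions(REQUESTED, SAMPLE_DETECTORS, THREE_PART_ONLY); }
function runAfter()  { return auditRegions(REQUESTED, SAMPLE_DETECTORS, THREE_OR_FOUR_PART); }
```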

Inspector2 Scan-Target Baseline Expansion

AWS Inspector2 brought Lambda code scanning and code-repository scanning (for GitHub and GitLab integrations) to general availability during 2024. EE 0.6.2 adds both to the plugin’s institutional baseline. Operators who have enabled Inspector2 but have not activated these scan types now receive a partial-coverage MEDIUM finding that lists the disabled resource types by name, replacing what was previously a false-CLEAN PASS.

Upgrade and Installation

npm install -g nsauditor-ai@0.1.56 @nsasoft/nsauditor-ai-ee@0.6.2

The release maintains 22 EE plugins (49 total across CE and EE). The SOC 2 coverage matrix is unchanged at 10 covered / 4 partial / 33 out-of-scope. Compliance routing for plugin 1200’s findings continues to map to CC7.1 (detection procedures) and CC7.2 (monitoring for anomalies), with per-region metadata now flowing through as structured evidence fields in the output pack.
