NSAuditor AI EE 0.6.4: EventBridge Target Verification Closes Substrate-Without-Sink False-PASS at the Rule Level

NSAuditor AI EE 0.6.4 closes the substrate-without-sink false-PASS at the rule level in plugin 1200 — EventBridge rules without targets now surface as MEDIUM, plus multi-failedAccount surface for delegated-admin Inspector2 scans.


Nsasoft US LLC today shipped NSAuditor AI Enterprise Edition v0.6.4, closing the substrate-without-sink false-PASS class at the rule level in plugin 1200 — the AWS Inspector2 / GuardDuty Enablement Auditor that debuted in EE 0.6.1 and grew along four dimensions in 0.6.2 and a new alerting-destination dimension in 0.6.3.

The gap EE 0.6.3 left open

EE 0.6.3 introduced the alerting-destination audit dimension: for each AWS region, plugin 1200 verified that at least one EventBridge rule routed GuardDuty or Inspector2 findings downstream, or that a SecurityHub product subscription existed for the service. A rule had to be in ENABLED state and match the correct event pattern source to satisfy the check.

That left a gap. AWS events:PutRule allows ENABLED rules with zero Targets. An operator can create a rule intending to add targets later — and forget. Targets can also be removed without removing the rule. In both cases the rule matches the event and delivers it nowhere. From an audit perspective, the substrate appeared wired; operationally, nothing was paged.

EventBridge target verification in EE 0.6.4

EE 0.6.4 calls events:ListTargetsByRule for each matched EventBridge rule and routes findings on the verified target count:

  • PASS alerting-destination-present — At least one matched rule has Targets.length > 0. Partial verification is handled correctly: if one rule has verified targets and another returned AccessDenied on ListTargetsByRule, the verdict is PASS.
  • MEDIUM alerting-destination-targetless — All matched rules verified target-less. Substrate-without-sink at the rule level.
  • LOW alerting-destination-unverifiable — Target verification couldn’t run (AccessDenied, SDK-missing, or cap-exceeded).

The verification has a configurable per-rule cap (default 10 via targetVerificationRuleCap, max 100) to bound API cost, and an explicit opt-out (skipEventBridgeTargetVerification: true) for cost-sensitive scheduled runs or operators without the events:ListTargetsByRule IAM grant.

Cap-skew false-MEDIUM fix

An independent reviewer pass caught a classifier edge case. Pre-fix, when the first 10 rules were target-less and rules 11+ were beyond the verification cap, the classifier emitted MEDIUM TARGETLESS. But rule 11 could be the actual sink — the true posture was unverifiable, not target-less.

Post-fix, the classifier emits LOW UNVERIFIABLE with an explicit “raise targetVerificationRuleCap” remediation prompt. When evidence is incomplete, always route toward the conservative (uncertain) verdict, never toward actionable-confidence MEDIUM.
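The verdict routing described in the target-verification section and the cap-skew fix above, as an added example that is not NSAuditor's own code. The rule record shape (`{ name, targets }`, with `targets` either the array returned by events:ListTargetsByRule or the string "AccessDenied" when that call failed), the `matchedRules` input being already filtered to ENABLED rules with a matching event pattern, and the sample ARN are assumptions; the option names and verdict codes come from the release notes.

```javascript
// Added example (not NSAuditor code). Assumes matchedRules are ENABLED rules
// whose event pattern already matched; each is { name, targets } where
// targets is the ListTargetsByRule array or "AccessDenied" on a failed call.
const VERDICT = {
  PASS: { severity: "PASS", code: "alerting-destination-present" },
  TARGETLESS: { severity: "MEDIUM", code: "alerting-destination-targetless" },
  UNVERIFIABLE: { severity: "LOW", code: "alerting-destination-unverifiable" },
};

function classifyAlertingDestination(matchedRules, opts = {}) {
  // No matched rule is a different finding; out of scope for this example.
  if (matchedRules.length === 0) return null;
  // Operator opt-out: rule presence is known, target presence is not.
  if (opts.skipEventBridgeTargetVerification) {
    return { ...VERDICT.UNVERIFIABLE, reason: "target verification disabled" };
  }
  // Per-rule cap: default 10, clamped to 1..100 as the release notes state.
  const cap = Math.min(100, Math.max(1, opts.targetVerificationRuleCap ?? 10));
  const reasons = new Set();
  let sawTargets = false;

  matchedRules.forEach((rule, i) => {
    if (i >= cap) {
      reasons.add("cap-exceeded"); // never inspected, so never "targetless"
    } else if (rule.targets === "AccessDenied") {
      reasons.add("AccessDenied");
    } else if (rule.targets.length > 0) {
      sawTargets = true;
    }
  });

  // One verified sink is enough, even if other rules were unverifiable.
  if (sawTargets) return { ...VERDICT.PASS };

  // Incomplete evidence routes to the conservative verdict, never to MEDIUM.
  if (reasons.size > 0) {
    const remediation = reasons.has("cap-exceeded")
      ? "raise targetVerificationRuleCap"
      : "grant events:ListTargetsByRule";
    return { ...VERDICT.UNVERIFIABLE, reason: [...reasons].join(","), remediation };
  }

  // Every matched rule was inspected and none has a target: substrate, no sink.
  return { ...VERDICT.TARGETLESS };
}

// Constructed sample: ten target-less rules within the default cap and an
// eleventh rule, past the cap, that is the real sink (pre-fix: false MEDIUM).
const capSkewSample = Array.from({ length: 10 }, (_, i) => ({ name: `r${i}`, targets: [] }))
  .concat([{ name: "r10", targets: [{ Id: "sink", Arn: "arn:aws:sns:us-east-1:000000000000:constructed" }] }]);
console.log(classifyAlertingDestination(capSkewSample));
```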

Multi-failedAccount surface for delegated-admin scans

Inspector2’s BatchGetAccountStatus response includes both accounts[] (successful) and failedAccounts[] (per-account error channel). In EE 0.6.3, the plugin surfaced only failedAccounts[0]. For delegated-admin scans covering multiple member accounts, the rest were silently dropped.

EE 0.6.4 surfaces all failed accounts. Each account gets its own LOW finding carrying accountId, errorCode, and errorMessage for operator triage. Per-region emission is capped at 10 individual LOWs + 1 rollup LOW per region — the rollup carries the omitted count and a 5-account sample.

Trigger uniformity

The GuardDuty and Inspector2 alerting-destination triggers were asymmetric in EE 0.6.3 — GuardDuty fired on any detector presence regardless of status, Inspector2 only fired on status === ENABLED. EE 0.6.4 symmetrizes both gates on enabled-status. A SUSPENDED or DISABLED detector emits zero findings, so its alerting-destination question is moot.

New operator options

  • skipEventBridgeTargetVerification: true — Opt out of target verification entirely. Rule presence alone would have implied PASS under EE 0.6.3, but verdicts now route to LOW UNVERIFIABLE since target presence is unknown.
  • targetVerificationRuleCap: 1..100 — Cap on the number of rules to verify per call (default 10).

Availability

NSAuditor AI EE 0.6.4, CE 0.1.58, and agent-skill 0.1.25 are available immediately on npm. The SOC 2 coverage matrix is unchanged at 10 covered / 4 partial / 33 out-of-scope.

npm install -g nsauditor-ai@0.1.58 @nsasoft/nsauditor-ai-ee@0.6.4
npm install nsauditor-ai-agent-skill@0.1.25

Full release notes at nsauditor.com/ai/enterprise/.