NSAuditor AI EE 0.15.3 Closes the 4th and Final S3 Public-Exposure Vector with Object-Level ACL Enumeration and a BucketOwnerEnforced Upstream Short-Circuit

EE 0.15.3 ships object-level ACL enumeration and a BucketOwnerEnforced upstream short-circuit, closing the 4th S3 public-exposure vector with audit-accuracy calibration and an intentional matrix delta.


Nsasoft US LLC has shipped NSAuditor AI EE 0.15.3, an audit-accuracy calibration patch on the 0.15.x line of the local-first, zero-data-exfiltration enterprise security scanner. The release closes the fourth and final AWS S3 public-exposure vector — object-level ACLs — and adds a BucketOwnerEnforced upstream short-circuit that materially reduces scan time on modern AWS estates. Plugin count is UNCHANGED at 28, and all six framework coverage matrices are UNCHANGED.

The fourth S3 public-exposure vector, closed

EE 0.15.2 closed three of four S3 public-exposure vectors — bucket policy, bucket ACL, and Public Access Block — and explicitly carried the fourth (object-level ACLs) as a documented residual. EE 0.15.3 closes it.

Plugin 1020 (AWS S3 auditor) now includes a new step 2c: sampled object-level ACL enumeration. For every non-BOE bucket the auditor invokes ListObjectsV2 once (max-keys = AWS_S3_AUDIT_OBJECT_SAMPLE_CAP, default 10, clamped to [1, 1000]) and runs GetObjectAcl over each key on the returned page. A grant to the AllUsers or AuthenticatedUsers group on any sampled object emits a CRITICAL finding, “Object ACL grants public access (groups) on N of M sampled objects – objects publicly accessible”, which routes automatically through the existing "publicly accessible" framework anchor across SOC 2 C1.1, HIPAA §164.312(a)(2)(iv), ISO/IEC 27001:2022 A.5.23 / A.8.3 / A.8.12, and CIS Controls v8 3.3. If the bucket's Public Access Block sets IgnorePublicAcls, S3 already ignores such grants, so the same evidence is downgraded to a LOW informational finding.

Sample-bias is documented in-emission. Lexicographic-first sampling is fast and deterministic but biased to early keys. Truncation context is preserved on CRITICAL findings — “Sample truncated: N of >cap objects scanned; remaining UNVERIFIED — public-exposure count may be higher” — so the evidence trail surfaces “could be worse” rather than presenting the sample count as exhaustive. ListObjectVersions enumeration of non-current versions is a known scope-out, planned for a future cycle.

BucketOwnerEnforced upstream short-circuit

Plugin 1020 also gains a new step 2a: a single GetBucketOwnershipControls API call per bucket. When ObjectOwnership === 'BucketOwnerEnforced', the default for every bucket created since April 2023, the auditor emits “Object Ownership: BucketOwnerEnforced (ACL-based public access structurally impossible)” as informational and skips both the bucket-ACL (2b) and object-ACL (2c) dimensions entirely. At the default sample cap that avoids one GetBucketAcl, one ListObjectsV2 and up to ten GetObjectAcl calls at the cost of one added call, a net saving of 11+ API calls per BOE bucket on modern estates (more at higher caps).

Intentional matrix delta from 0.15.2 — for operators comparing 0.15.2 → 0.15.3 scans on the same estate: BOE buckets that previously surfaced as CRITICAL on legacy stored ACL grants now surface as informational. This is a deliberate downgrade. S3 structurally ignores ACL grants under BucketOwnerEnforced, so the prior CRITICAL was a false-positive class. The underlying objects are not publicly exposed, and the auditor’s BOE detection now closes that audit-accuracy gap. Operators tracking critical-finding count delta between adjacent EE releases should expect this downgrade on any pre-BOE bucket subsequently retrofitted with BOE. The short-circuit is unconditional — by design, since under BOE the ACL findings are structurally false.

Beyond audit-accuracy, the BOE short-circuit materially reduces scan time on modern estates. On the ACL tier a BOE bucket now consumes one API call (GetBucketOwnershipControls) instead of twelve at the default sample cap; the bucket-policy and Public Access Block checks are unaffected. On estates where BOE has been adopted as a hardening default, full-estate scans should see a proportional latency improvement.

Shared helper, evidence-gap discipline, and conservative classifier

A new module-scoped extractPublicGroups helper is used by both the bucket-ACL (step 2b, refactored byte-identically) and object-ACL (step 2c) dimensions. AuthenticatedUsers is treated equivalently to AllUsers because PAB IgnorePublicAcls blocks both per AWS documentation — auditors must not demote AuthenticatedUsers as “lower-risk authentication-required” exposure.

Four new LOW evidence-gap emissions route via a new "S3 object-ACL evidence-gap" substring anchor on SOC 2 CC7.1 (mirroring the existing WAF evidence-gap precedent for the plugin 1050 WAF auditor) and HIPAA §164.312(b) Audit Controls. The four flavors: ListObjectsV2 AccessDenied (auditor role lacks s3:ListBucket), an IsTruncated coverage gap, per-object GetObjectAcl AccessDenied above threshold, and per-object GetObjectAcl other-failures above threshold. Per the conservative-classifier principle: unverifiable ≠ clean; remediation is evidence-collection (grant scopes or raise the sample cap), not boundary-control change.

Six-framework routing, all matrices UNCHANGED

The CRITICAL E1 emission automatically inherits the existing "publicly accessible" substring anchor. The 4 LOW evidence-gap emissions route via the new "S3 object-ACL evidence-gap" anchor on SOC 2 CC7.1 and HIPAA §164.312(b). No control gained or lost a first-mapping. All six matrices verified unchanged: SOC 2 10/4/33 · HIPAA 7/3/45 · NIST CSF 2.0 13/10/83 · PCI DSS 20/8/39 · ISO/IEC 27001:2022 17/14/62 · CIS Controls v8 17/22/114.

Tunable configuration

Three environment variables are exposed for operators: AWS_S3_AUDIT_OBJECT_SAMPLE_CAP (default 10, clamped to [1, 1000]) sets the max-keys of the single ListObjectsV2 page and therefore the sample size; AWS_S3_AUDIT_OBJECT_RATE_MS (default 50 ms) is the delay inserted before each per-object GetObjectAcl call, independent of the bucket-level rate limit; AWS_S3_AUDIT_OBJECT_ACL_PARTIAL_THRESHOLD (default 0.5, range [0.0, 1.0]) is the fraction of sampled objects whose GetObjectAcl must fail (AccessDenied and other failures are counted separately) before the corresponding per-object evidence-gap finding fires.
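The following is an added example, not NSAuditor's own code, that models the ACL-tier logic described in the step 2c, BOE short-circuit, shared-helper and evidence-gap sections above as pure functions over constructed, SDK-shaped fixtures, with the three environment variables applied. The name extractPublicGroups comes from the release notes, but its body here is mine; auditAclTier, clampCap, clampThreshold, the fixture shape, the evidence-gap message wording, the strict ">" reading of "above threshold", and the treatment of a bucket with no Ownership Controls (OwnershipControlsNotFoundError) as ACL-enabled are all assumptions for illustration. No AWS calls are made.

```javascript
// Added example (not NSAuditor's code): pure-function model of the S3 ACL tier,
// steps 2a/2b/2c, over constructed SDK-shaped fixtures. All names are hypothetical.

const PUBLIC_GROUPS = {
  'http://acs.amazonaws.com/groups/global/AllUsers': 'AllUsers',
  'http://acs.amazonaws.com/groups/global/AuthenticatedUsers': 'AuthenticatedUsers',
};
const EN_DASH = '\u2013'; // kept literal so the emission is byte-exact (0xe2 0x80 0x93)

// Shared helper for both the bucket-ACL and object-ACL dimensions. AuthenticatedUsers
// is deliberately not demoted: PAB IgnorePublicAcls blocks both groups, so both are public.
function extractPublicGroups(acl) {
  const found = new Set();
  for (const grant of (acl && acl.Grants) || []) {
    const g = grant.Grantee || {};
    if (g.Type === 'Group' && PUBLIC_GROUPS[g.URI]) found.add(PUBLIC_GROUPS[g.URI]);
  }
  return [...found].sort();
}

// AWS_S3_AUDIT_OBJECT_SAMPLE_CAP: default 10, clamped to [1, 1000].
function clampCap(raw) {
  const n = Number.parseInt(raw ?? '', 10);
  return Number.isNaN(n) ? 10 : Math.min(1000, Math.max(1, n));
}

// AWS_S3_AUDIT_OBJECT_ACL_PARTIAL_THRESHOLD: default 0.5, range [0, 1] (clamped here).
function clampThreshold(raw) {
  const f = Number.parseFloat(raw ?? '');
  return Number.isNaN(f) ? 0.5 : Math.min(1, Math.max(0, f));
}

// A fixture bundles what the real auditor would fetch per bucket:
//   ownership        ObjectOwnership from GetBucketOwnershipControls, or null when that call
//                    raised OwnershipControlsNotFoundError (assumed: ACLs still enabled)
//   ignorePublicAcls Public Access Block IgnorePublicAcls flag
//   bucketAcl        GetBucketAcl-shaped response
//   objectKeys       all keys in lexicographic order (S3 lists them sorted)
//   objectAcls       key -> GetObjectAcl-shaped response or { error: 'AccessDenied' | 'Other' }
//   listDenied       true if ListObjectsV2 would return AccessDenied
function auditAclTier(bucket, env = {}) {
  const cap = clampCap(env.AWS_S3_AUDIT_OBJECT_SAMPLE_CAP);
  const threshold = clampThreshold(env.AWS_S3_AUDIT_OBJECT_ACL_PARTIAL_THRESHOLD);
  const findings = [];
  // A public grant is CRITICAL unless PAB IgnorePublicAcls already neutralises it.
  const publicSeverity = bucket.ignorePublicAcls ? 'LOW' : 'CRITICAL';

  // Step 2a: unconditional BOE short-circuit; S3 ignores ACLs, so 2b and 2c are skipped.
  if (bucket.ownership === 'BucketOwnerEnforced') {
    findings.push({ severity: 'INFO', msg: 'Object Ownership: BucketOwnerEnforced (ACL-based public access structurally impossible)' });
    return findings;
  }

  // Step 2b: bucket ACL.
  const bucketGroups = extractPublicGroups(bucket.bucketAcl);
  if (bucketGroups.length) findings.push({ severity: publicSeverity, msg: `Bucket ACL grants public access (${bucketGroups.join(', ')})` });

  // Step 2c: one ListObjectsV2 page with max-keys = cap, then GetObjectAcl per key.
  if (bucket.listDenied) {
    findings.push({ severity: 'LOW', msg: 'S3 object-ACL evidence-gap: ListObjectsV2 AccessDenied (auditor role lacks s3:ListBucket)' });
    return findings;
  }
  const sampled = bucket.objectKeys.slice(0, cap);   // first page: lexicographic-first bias
  const truncated = bucket.objectKeys.length > cap;  // what IsTruncated would report
  const M = sampled.length;
  let publicCount = 0, denied = 0, otherFail = 0;
  for (const key of sampled) {
    const res = bucket.objectAcls[key] || { Grants: [] }; // absent fixture entry = private object
    if (res.error === 'AccessDenied') denied++;
    else if (res.error) otherFail++;
    else if (extractPublicGroups(res).length) publicCount++;
  }
  if (publicCount) {
    let msg = `Object ACL grants public access (groups) on ${publicCount} of ${M} sampled objects ${EN_DASH} objects publicly accessible`;
    if (truncated) msg += `. Sample truncated: ${M} of >${cap} objects scanned; remaining UNVERIFIED, public-exposure count may be higher`;
    findings.push({ severity: publicSeverity, msg });
  }
  if (truncated) findings.push({ severity: 'LOW', msg: `S3 object-ACL evidence-gap: IsTruncated, ${M} of >${cap} objects sampled` });
  // "Above threshold" is modelled as a strict ratio comparison (assumption).
  if (M && denied / M > threshold) findings.push({ severity: 'LOW', msg: `S3 object-ACL evidence-gap: GetObjectAcl AccessDenied on ${denied} of ${M} sampled objects` });
  if (M && otherFail / M > threshold) findings.push({ severity: 'LOW', msg: `S3 object-ACL evidence-gap: GetObjectAcl failed on ${otherFail} of ${M} sampled objects` });
  return findings;
}

// Constructed fixtures (not real buckets or accounts).
const PUBLIC_READ = { Grants: [
  { Grantee: { Type: 'CanonicalUser', ID: 'owner-id' }, Permission: 'FULL_CONTROL' },
  { Grantee: { Type: 'Group', URI: 'http://acs.amazonaws.com/groups/global/AllUsers' }, Permission: 'READ' },
] };
const AUTH_READ = { Grants: [{ Grantee: { Type: 'Group', URI: 'http://acs.amazonaws.com/groups/global/AuthenticatedUsers' }, Permission: 'READ' }] };
const FIXTURES = {
  // BOE retrofitted on top of stale public ACLs: CRITICAL in 0.15.2, INFO in 0.15.3.
  boeLegacy: { ownership: 'BucketOwnerEnforced', ignorePublicAcls: false, bucketAcl: PUBLIC_READ,
    objectKeys: ['a.txt'], objectAcls: { 'a.txt': PUBLIC_READ } },
  // ACL-enabled bucket: 12 objects, two public (one via AuthenticatedUsers), one GetObjectAcl denied.
  legacy: { ownership: null, ignorePublicAcls: false, bucketAcl: { Grants: [] },
    objectKeys: Array.from({ length: 12 }, (_, i) => `obj${String(i).padStart(2, '0')}`),
    objectAcls: { obj00: PUBLIC_READ, obj03: AUTH_READ, obj05: { error: 'AccessDenied' } } },
};

if (typeof require !== 'undefined' && require.main === module) {
  for (const [name, b] of Object.entries(FIXTURES)) console.log(name, auditAclTier(b));
  console.log('legacy, cap=3', auditAclTier(FIXTURES.legacy, { AWS_S3_AUDIT_OBJECT_SAMPLE_CAP: '3' }));
}
```

Running it shows the intentional matrix delta directly: the boeLegacy fixture carries a public bucket ACL and a public object ACL yet yields only the BOE informational, while the legacy fixture yields the CRITICAL "2 of 10 sampled objects" emission with its truncation context plus the IsTruncated evidence gap. Setting AWS_S3_AUDIT_OBJECT_ACL_PARTIAL_THRESHOLD below 0.1 on the same fixture makes the single AccessDenied object fire the per-object evidence-gap finding, which is the knob to turn when an auditor role is only partially scoped.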

Live AWS smoke and release

The release was verified live against a real AWS account (us-east-1) with four spot-checks all passing: a BOE bucket emitted only the BOE informational with zero ACL-tier API calls; the CRITICAL emission preserved the U+2013 en-dash byte-exact (bytes 0xe2 0x80 0x93) end-to-end through the real AWS API; the sampling cap was respected (cap=3 produced exactly 3 GetObjectAcl calls of 5 sampleable objects); and the per-object throttle was observable.

EE 0.15.3 ships as the forty-first consecutive trio-publish alongside CE 0.1.84 and agent-skill 0.1.51. All three are live on npm:

npm install -g nsauditor-ai@latest @nsasoft/nsauditor-ai-ee@latest nsauditor-ai-agent-skill@latest

The hexa-framework one-scan workflow remains: --compliance soc2,hipaa,nist-csf,pci-dss,iso-27001,cis-v8 produces six separate auditor-ready evidence packs from a single scan. Zero data exfiltration — all evidence generated inside your infrastructure.

Full release notes are at the NSAuditor AI Enterprise Edition page.