NSAuditor AI EE 0.17.0: Scope Your Cloud Audit by AWS Region

EE 0.17.0 adds --aws-region: audit one region, a list, or every region your account has enabled — with genuine per-region fan-out and disclosed scope.

Until now, an NSAuditor AI cloud audit looked at one AWS region — whichever the account was configured for. A bucket left public in eu-west-1, a wide-open security group in ap-southeast-2, an unencrypted database in us-west-2 — all of it invisible if you happened to scan us-east-1. NSAuditor AI Enterprise Edition 0.17.0 closes that blind spot with a single flag: --aws-region.

What changed

EE 0.17.0 introduces --aws-region <one | csv | all> on the CLI and a matching regions argument on the MCP scan_cloud tool. You can now scope an audit to a single region, a comma-separated list such as us-east-1,eu-west-1, or every region your account has enabled.

# one region
nsauditor-ai scan-cloud --provider aws --aws-region eu-west-1 --compliance soc2

# a specific list
nsauditor-ai scan-cloud --provider aws --aws-region us-east-1,eu-west-1

# every enabled region
nsauditor-ai scan-cloud --provider aws --aws-region all

Genuine per-region fan-out

This is not a cosmetic flag. The regional auditors — security groups, EC2, RDS, KMS, Lambda, Secrets Manager, DynamoDB, CodePipeline/CodeBuild, Backup, SQS/SNS, VPC endpoints, ElastiCache, SES, and Inspector/GuardDuty/CloudTrail — now run in every in-scope region instead of only the one the account was pointed at.

The S3 auditors go a step further: they resolve each bucket’s own region and skip-and-disclose buckets that fall outside the requested scope, closing a class of latent cross-region false-cleans. Global services such as IAM and account-level S3 enumeration are audited once, as they should be.

Safe defaults, fail-fast scoping

Precedence is --aws-region › AWS_REGION › single-region default. The no-flag path stays single-region and behaviour-preserving — and it now discloses the regions it did not scan rather than leaving them silently assumed clean. An unknown region code fails fast, so a scan never quietly mis-scopes itself.
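
The scoping rules above and the S3 skip-and-disclose behaviour from the previous section, sketched as an added example; this is not NSAuditor AI's own code. The function names, the shape of the scope object and the sample data are assumptions, and the list of enabled regions is passed in rather than fetched from AWS.

```javascript
'use strict';
// Added illustration, not NSAuditor AI source; every name below is hypothetical.

// Precedence: --aws-region flag, then AWS_REGION, then the single-region default.
function resolveScope({ flag, env, enabled, fallback }) {
  const source = flag != null ? 'flag' : env != null ? 'env' : 'default';
  const raw = flag ?? env ?? fallback;
  const regions = source === 'flag' && raw === 'all'
    ? [...enabled]
    : [...new Set(raw.split(',').map((r) => r.trim()).filter(Boolean))];
  if (regions.length === 0) throw new Error('empty region scope');
  // Fail fast: a typo must abort the run, never silently narrow it.
  const unknown = regions.filter((r) => !enabled.includes(r));
  if (unknown.length) throw new Error(`unknown region: ${unknown.join(', ')}`);
  // Disclose what was not scanned instead of implying it is clean.
  const notScanned = enabled.filter((r) => !regions.includes(r));
  return { source, regions, notScanned };
}

// S3 GetBucketLocation reports us-east-1 as an empty LocationConstraint and
// some legacy eu-west-1 buckets as "EU"; normalise before comparing to scope.
function bucketRegion(locationConstraint) {
  if (!locationConstraint) return 'us-east-1';
  return locationConstraint === 'EU' ? 'eu-west-1' : locationConstraint;
}

// Skip-and-disclose: out-of-scope buckets are reported, not dropped.
function partitionBuckets(buckets, scope) {
  const audited = [];
  const skipped = [];
  for (const { name, locationConstraint } of buckets) {
    const region = bucketRegion(locationConstraint);
    if (scope.regions.includes(region)) audited.push({ name, region });
    else skipped.push({ name, region, reason: 'outside requested scope' });
  }
  return { audited, skipped };
}

// Constructed sample data (not from a real account).
const ENABLED = ['us-east-1', 'us-west-2', 'eu-west-1', 'ap-southeast-2'];
const BUCKETS = [
  { name: 'example-logs', locationConstraint: null },
  { name: 'example-legacy', locationConstraint: 'EU' },
  { name: 'example-data', locationConstraint: 'ap-southeast-2' },
];
const scope = resolveScope({ flag: 'eu-west-1', enabled: ENABLED, fallback: 'us-east-1' });
console.log(scope, partitionBuckets(BUCKETS, scope));
```

Scoped to eu-west-1, only the legacy "EU" bucket is audited; the other two are listed as skipped with their resolved region, so a clean result cannot be read as covering them.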

Full coverage inside Claude Desktop

Because Claude Desktop caps each tool call at roughly 60 seconds, an “all regions” request is covered automatically in small region-group batches, each well within the limit. You get complete multi-region coverage from the assistant without hitting timeouts and without raising any per-call timeout setting.

Why it matters

A single-region audit that reports “clean” is silent about every region it never looked at — and a cross-region false-clean is exactly the kind of gap an attacker, or an auditor, tends to find first. EE 0.17.0 lets you cover the whole footprint and tells you precisely which regions were in scope. Plugin count is unchanged at 28; all six compliance matrices (SOC 2, HIPAA, NIST CSF 2.0, PCI DSS v4.0.1, ISO/IEC 27001:2022, CIS Controls v8) are unchanged. This release is about reach, not new claims.

Availability

Install the Community Edition with npm i -g nsauditor-ai@latest and the licensed Enterprise Edition with @nsasoft/nsauditor-ai-ee@latest, paired with agent-skill nsauditor-ai-agent-skill@0.2.0. NSAuditor AI ships 28 plugins across AWS, Azure, and GCP and six compliance frameworks, with zero data exfiltration. Enterprise is a restricted package — see nsauditor.com/ai/enterprise for access.