NSAuditor AI EE 0.3.9 — First Matrix Shift Since 0.3.7: New AWS DynamoDB Audit Integrity Plugin (1060) Moves SOC 2 PI1.5 Out-of-Scope → Partial; First Serverless Entry-Point Evidence Plugin (1050 AWS API Gateway); Plugin-ID Range Realignment Closes Silent CE/EE Collision
EE 0.3.9 ships two new plugins (1060 DynamoDB Audit Integrity + 1050 API Gateway Assurance) — first SOC 2 PI1.5 partial coverage + Serverless entry-point evidence.
LAS VEGAS, NV — May 12, 2026 — Nsasoft US LLC, a network-security and AI-assisted audit software company, today announced the immediate availability of NSAuditor AI Enterprise Edition (EE) v0.3.9, the first SOC 2 Processing Integrity evidence release in the v0.4.0 Runtime Assurance track. EE 0.3.9 is the first matrix-shift release since 0.3.7 — PI1.5 (Stored Items) moves from out-of-scope to partial via the new aws-dynamodb-auditor plugin (1060). The release also ships the first entry-point evidence plugin for AWS Serverless-Framework deployments (aws-apigateway-auditor, plugin 1050). The coverage matrix shifts 10/3/34 → 10/4/33 (covered/partial/out-of-scope).
The new EE plugins
1060 AWS DynamoDB Audit Integrity (“audit-the-auditor”)
For Type-II audits on AWS-DynamoDB-backed workloads (payroll, financial-batch, audit-log stores), the institutional auditor’s second walkthrough question is: can the audit record itself be tampered with, lost, or bypassed? Plugin 1060 emits ONE finding per gap — and a CRITICAL “audit record itself not survivable” finding when PITR AND deletion protection are both missing.
- Per-table PITR (Point-in-Time Recovery): `DescribeContinuousBackups.PointInTimeRecoveryStatus`. Without it, a corrupted batch write or insider-vandalism event is unrecoverable. HIGH when disabled.
- Deletion protection: `Table.DeletionProtectionEnabled`. Without it, a single `DeleteTable` API call vaporizes the table. HIGH when disabled.
- Worst case CRITICAL: no PITR AND no deletion protection — "audit record itself not survivable."
- KMS-CMK classifier with conservative LOW-unverifiable posture: customer-managed alias (`:alias/<customer-alias>`) → PASS; AWS-managed alias (`:alias/aws/dynamodb`) → MEDIUM; `:key/UUID` form → LOW unverifiable with an explicit `aws kms describe-key` verification prompt. R2-CRITICAL-1 fold: pre-fold, the `:key/UUID` form defaulted to PASS, producing false-clean C1.1 evidence on AWS-managed-KMS tables.
- Resource-policy presence audit via the 2024 `GetResourcePolicy` API (soft-degrades on older SDKs with an INFO disclosure). An audit-store table with an explicit resource policy denying `DeleteTable`/`DeleteItem`/`UpdateItem` for non-audit-writer principals encodes the boundary INDEPENDENTLY of IAM-policy drift.
- CloudTrail DynamoDB data-event coverage cross-reference (caller-supplied via `opts.trailDataEvents` — orthogonal plugin composition with plugin 1040): HIGH finding when no trail logs `AWS::DynamoDB::Table` data events while DynamoDB tables exist. The canonical audit-the-auditor failure mode.
SOC 2 mapping: CC6.6 (resource-policy absence) + CC7.1 (CloudTrail data-event coverage gap) + C1.1 (5 confidentiality patterns) + PI1.5 (3 anchored-regex patterns — the partial transition). 9 reviewer folds + 57 new tests.
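The 1060 checks above, as an added example that is not NSAuditor's own code: a pure classifier run over constructed API response shapes so it runs offline. Field names follow the AWS DynamoDB and CloudTrail APIs (`DescribeTable.Table`, `DescribeContinuousBackups.ContinuousBackupsDescription`, `GetResourcePolicy.Policy`, `GetEventSelectors.EventSelectors`); the finding ids, the assumed shape of `opts.trailDataEvents`, and the severities the page leaves unstated (resource-policy absence, a table with no `SSEDescription`) are this example's assumptions. It goes one step beyond the page's presence audit by checking that a Deny statement actually covers the three destructive actions.

```javascript
// Added example, not NSAuditor's own code. Response shapes are constructed;
// finding ids and the severities the page does not state are assumptions.

const KMS_AWS_ALIAS = /:alias\/aws\/dynamodb$/;
const KMS_CUSTOMER_ALIAS = /:alias\/(?!aws\/)[^/]+$/;
const KMS_KEY_UUID = /:key\/[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$/i;

// C1.1 classifier. A bare :key/UUID ARN cannot be attributed to a customer- or
// AWS-managed key from DescribeTable alone, so it is reported LOW-unverifiable
// with the follow-up command instead of defaulting to PASS (the pre-fold bug).
function classifyKms(keyArn) {
  if (!keyArn) return { status: 'MEDIUM', reason: 'no SSEDescription.KMSMasterKeyArn (AWS-owned key; severity assumed)' };
  if (KMS_AWS_ALIAS.test(keyArn)) return { status: 'MEDIUM', reason: 'AWS-managed alias' };
  if (KMS_CUSTOMER_ALIAS.test(keyArn)) return { status: 'PASS', reason: 'customer-managed alias' };
  if (KMS_KEY_UUID.test(keyArn)) {
    return { status: 'LOW', reason: `unverifiable key form; run: aws kms describe-key --key-id ${keyArn}` };
  }
  return { status: 'LOW', reason: 'unrecognised KMS ARN form' };
}

// IAM action pattern (exact or '*' wildcard) -> RegExp.
function actionMatcher(pattern) {
  const parts = pattern.split('*').map(s => s.replace(/[.+?^${}()|[\]\\]/g, '\\$&'));
  return new RegExp('^' + parts.join('.*') + '$', 'i');
}

// True only if Deny statements cover every destructive action on the table.
function policyDeniesDestructiveActions(policyJson) {
  const required = ['dynamodb:DeleteTable', 'dynamodb:DeleteItem', 'dynamodb:UpdateItem'];
  let doc;
  try { doc = JSON.parse(policyJson); } catch { return false; }
  const denied = [].concat(doc.Statement || [])
    .filter(s => s.Effect === 'Deny')
    .flatMap(s => [].concat(s.Action || []))
    .map(actionMatcher);
  return required.every(action => denied.some(re => re.test(action)));
}

// One finding per gap, plus the CRITICAL fold when PITR and deletion protection are both missing.
function auditTable({ table, continuousBackups, resourcePolicy }) {
  const f = [];
  const name = table.TableName;
  const pitr = continuousBackups?.ContinuousBackupsDescription
    ?.PointInTimeRecoveryDescription?.PointInTimeRecoveryStatus === 'ENABLED';
  const deletionProtection = table.DeletionProtectionEnabled === true;
  if (!pitr) f.push({ id: 'ddb-pitr-disabled', severity: 'HIGH', tsc: 'PI1.5', table: name });
  if (!deletionProtection) f.push({ id: 'ddb-deletion-protection-disabled', severity: 'HIGH', tsc: 'PI1.5', table: name });
  if (!pitr && !deletionProtection) {
    f.push({ id: 'ddb-audit-record-not-survivable', severity: 'CRITICAL', tsc: 'PI1.5', table: name });
  }
  const kms = classifyKms(table.SSEDescription?.KMSMasterKeyArn);
  if (kms.status !== 'PASS') f.push({ id: 'ddb-kms-posture', severity: kms.status, tsc: 'C1.1', table: name, reason: kms.reason });
  // resourcePolicy: undefined = GetResourcePolicy unavailable on this SDK (soft-degrade),
  // null = API answered with no policy attached, string = policy document JSON.
  if (resourcePolicy === undefined) {
    f.push({ id: 'ddb-resource-policy-unavailable', severity: 'INFO', tsc: 'CC6.6', table: name });
  } else if (resourcePolicy === null) {
    f.push({ id: 'ddb-resource-policy-absent', severity: 'MEDIUM', tsc: 'CC6.6', table: name });
  } else if (!policyDeniesDestructiveActions(resourcePolicy)) {
    f.push({ id: 'ddb-resource-policy-no-destructive-deny', severity: 'MEDIUM', tsc: 'CC6.6', table: name });
  }
  return f;
}

// Fleet-level cross-reference: HIGH when tables exist but no caller-supplied
// CloudTrail event selector logs AWS::DynamoDB::Table data events.
function auditFleet(tables, opts = {}) {
  const findings = tables.flatMap(auditTable);
  const covered = (opts.trailDataEvents || []).some(sel =>
    (sel.DataResources || []).some(r => r.Type === 'AWS::DynamoDB::Table'));
  if (tables.length > 0 && !covered) {
    findings.push({ id: 'ddb-no-cloudtrail-data-events', severity: 'HIGH', tsc: 'CC7.1' });
  }
  return findings;
}

// Constructed sample: one hardened audit-store table, one unprotected staging table.
const SAMPLE_TABLES = [
  {
    table: { TableName: 'payroll-audit-log', DeletionProtectionEnabled: true,
      SSEDescription: { KMSMasterKeyArn: 'arn:aws:kms:us-east-1:123456789012:alias/payroll-audit' } },
    continuousBackups: { ContinuousBackupsDescription: { PointInTimeRecoveryDescription: { PointInTimeRecoveryStatus: 'ENABLED' } } },
    resourcePolicy: JSON.stringify({ Version: '2012-10-17', Statement: [{
      Effect: 'Deny', Principal: '*', Resource: '*',
      Action: ['dynamodb:DeleteTable', 'dynamodb:DeleteItem', 'dynamodb:UpdateItem'],
      Condition: { StringNotEquals: { 'aws:PrincipalArn': 'arn:aws:iam::123456789012:role/audit-writer' } } }] }),
  },
  {
    table: { TableName: 'batch-staging', DeletionProtectionEnabled: false,
      SSEDescription: { KMSMasterKeyArn: 'arn:aws:kms:us-east-1:123456789012:key/0e2a9bfa-6b2d-4a7e-9f1c-3b5d8e0a1c2f' } },
    continuousBackups: { ContinuousBackupsDescription: { PointInTimeRecoveryDescription: { PointInTimeRecoveryStatus: 'DISABLED' } } },
    resourcePolicy: null,
  },
];
```

Run against the sample, the hardened table produces no findings, the staging table produces the two HIGH gaps plus the CRITICAL fold, the LOW KMS-unverifiable finding and the MEDIUM resource-policy absence, and the fleet-level CloudTrail finding fires because no event selector was supplied.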
1050 AWS API Gateway Assurance
The first entry-point evidence plugin for AWS Serverless-Framework deployments. The Serverless Framework + AWS Lambda + API Gateway topology dominates modern fintech / payroll / regulated-SaaS architectures. Pre-0.3.9, NSAuditor EE had no per-method authorization evidence stream — auditors performing Type-II walkthroughs on a Serverless app had no scanner-generated CC6.1 entry-point evidence.
- Per-method/route authorization classifier — `NONE` = CRITICAL (exposes the endpoint without auth); `AWS_IAM` / Cognito / JWT = PASS; JWT with wildcard audience = INFO with explicit IdP issuer/audience evidence (precedent: Thread CT.5 OIDC heuristic); Lambda authorizer = INFO with manual-verification prompt.
- Custom domain TLS policy audit — `TLS_1_0` = HIGH; `TLS_1_2` / `TLS_1_3` = PASS; unknown/missing = MEDIUM. Worst-policy tracking across mixed-config v2 domains (R1-CRITICAL-1 fold: pre-fold, the picker was INVERTED, upgrading `TLS_1_0` → `TLS_1_2` across mixed configs and masking deprecated listeners as PASS).
- Stage-level access logging — missing `AccessLogSettings.DestinationArn` = MEDIUM (CC7.1).
- Stage-level throttling — missing burst+rate config = LOW (A1.2 availability gap).
- Stage-level WAF association (REST only) — missing `Stage.webAclArn` = MEDIUM (CC6.6); HTTP API stages emit a `stage-waf-not-applicable` INFO with the CloudFront-front architectural caveat.
SOC 2 mapping: CC6.1 + CC6.6 + CC6.7 + CC7.1 + A1.2. 11 reviewer folds (4 CRITICAL + 7 MEDIUM) + 86 new tests.
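The 1050 classifiers above, as an added example that is not NSAuditor's own code: pure functions over a normalised model that a caller would populate from `GetMethod`/`GetRoute`, `GetAuthorizer`, `GetDomainName` and `GetStage`. The model shape and finding ids are this example's assumptions; the authorization-type strings follow the API Gateway APIs, where `CUSTOM` denotes a Lambda authorizer. The worst-policy picker is written the way the R1-CRITICAL-1 fold requires: a mixed-config domain is graded by its weakest listener.

```javascript
// Added example, not NSAuditor's own code. Model shape, finding ids and the
// sample API are constructed assumptions.

const SEVERITY_RANK = { PASS: 0, INFO: 1, LOW: 2, MEDIUM: 3, HIGH: 4, CRITICAL: 5 };

// CC6.1 per-method/route authorization classifier.
function classifyRouteAuth(route) {
  const base = { route: `${route.method} ${route.path}`, tsc: 'CC6.1' };
  switch (route.authType) {
    case 'NONE':
      return { ...base, id: 'apigw-route-no-auth', severity: 'CRITICAL' };
    case 'AWS_IAM':
    case 'COGNITO_USER_POOLS':
      return { ...base, id: 'apigw-route-auth-ok', severity: 'PASS' };
    case 'JWT': {
      const audience = route.jwt?.Audience ?? [];
      if (audience.includes('*')) {
        // Demoted to INFO; issuer/audience evidence travels on the finding.
        return { ...base, id: 'apigw-jwt-wildcard-audience', severity: 'INFO', issuer: route.jwt?.Issuer, audience };
      }
      return { ...base, id: 'apigw-route-auth-ok', severity: 'PASS' };
    }
    case 'CUSTOM':
      return { ...base, id: 'apigw-lambda-authorizer-manual-verify', severity: 'INFO',
        note: 'Lambda authorizer: verify its allow/deny logic and result cache TTL manually' };
    default:
      return { ...base, id: 'apigw-route-auth-unknown', severity: 'MEDIUM' };
  }
}

// CC6.7 custom-domain TLS audit with worst-policy tracking: the weakest listener
// decides the grade; a stronger sibling configuration never upgrades it.
const TLS_POLICY_SEVERITY = { TLS_1_0: 'HIGH', TLS_1_2: 'PASS', TLS_1_3: 'PASS' };

function classifyDomainTls(domain) {
  const policies = domain.securityPolicies.length ? domain.securityPolicies : ['missing'];
  const graded = policies.map(policy => ({ policy, severity: TLS_POLICY_SEVERITY[policy] ?? 'MEDIUM' }));
  const worst = graded.reduce((a, b) => (SEVERITY_RANK[b.severity] > SEVERITY_RANK[a.severity] ? b : a));
  return { id: 'apigw-domain-tls-policy', tsc: 'CC6.7', domain: domain.name, ...worst };
}

// Stage-level checks: access logging (CC7.1), throttling (A1.2), WAF (CC6.6, REST only).
function auditStage(stage) {
  const f = [];
  const base = { stage: stage.name, kind: stage.kind };
  if (!stage.accessLogDestinationArn) f.push({ ...base, id: 'apigw-stage-no-access-log', severity: 'MEDIUM', tsc: 'CC7.1' });
  const t = stage.throttling ?? {};
  if (!(t.burstLimit > 0 && t.rateLimit > 0)) f.push({ ...base, id: 'apigw-stage-no-throttling', severity: 'LOW', tsc: 'A1.2' });
  if (stage.kind === 'REST') {
    if (!stage.webAclArn) f.push({ ...base, id: 'apigw-stage-no-waf', severity: 'MEDIUM', tsc: 'CC6.6' });
  } else {
    // HTTP APIs cannot have a web ACL attached to a stage; WAF has to sit on a CloudFront front.
    f.push({ ...base, id: 'stage-waf-not-applicable', severity: 'INFO', tsc: 'CC6.6',
      note: 'HTTP API stage: front the API with CloudFront + WAF' });
  }
  return f;
}

function auditApi(api) {
  return [
    ...api.routes.map(classifyRouteAuth).filter(x => x.severity !== 'PASS'),
    ...api.domains.map(classifyDomainTls).filter(x => x.severity !== 'PASS'),
    ...api.stages.flatMap(auditStage),
  ];
}

// Constructed sample: a Serverless-Framework style HTTP API with one open route,
// one wildcard-audience JWT route, one Lambda authorizer and a mixed-TLS domain.
const SAMPLE_API = {
  routes: [
    { method: 'GET', path: '/health', authType: 'NONE' },
    { method: 'POST', path: '/payroll/run', authType: 'JWT',
      jwt: { Issuer: 'https://idp.example.com/', Audience: ['*'] } },
    { method: 'GET', path: '/payroll/{id}', authType: 'JWT',
      jwt: { Issuer: 'https://idp.example.com/', Audience: ['payroll-web'] } },
    { method: 'DELETE', path: '/admin/purge', authType: 'CUSTOM' },
  ],
  domains: [{ name: 'api.example.com', securityPolicies: ['TLS_1_2', 'TLS_1_0'] }],
  stages: [{ name: 'prod', kind: 'HTTP',
    accessLogDestinationArn: 'arn:aws:logs:us-east-1:123456789012:log-group:/apigw/payroll',
    throttling: { burstLimit: 100, rateLimit: 50 } }],
};
```

On the sample, `auditApi` yields one CRITICAL (the open `/health` route), two INFO route findings, a HIGH for the domain because the `TLS_1_0` configuration wins the worst-policy comparison despite the `TLS_1_2` sibling, and the `stage-waf-not-applicable` INFO for the HTTP stage.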
Institutional disclosure — plugin-ID range realignment
A plugin-ID collision between CE and EE was discovered during 0.3.9 pre-publish review. CE plugin 040 (TLS Cert Auditor) declared the same string ID as EE plugin 040 (AWS CloudTrail Operational Integrity). The CE plugin manager’s findPlugin() resolver returns first-match-wins on .id — with CE plugins loaded first and sorted ascending-by-priority, the CE plugin won the ID lookup. The practical consequence: customers running nsauditor-ai scan --host aws --plugins 040 --compliance soc2 on EE 0.3.7 or 0.3.8 received CE TLS Cert Auditor evidence (not EE CloudTrail evidence) for that ID slot. Verified empirically on a clean install. --plugins all was unaffected — both plugins ran via the iteration path; the collision only manifested in ID-based selection.
Resolution in 0.3.9: the six pre-existing EE plugins move to a disjoint 1000+ namespace, and the two new plugins are allocated in that namespace from the start, for a total of 8 EE plugins:
| Old EE ID | New EE ID | Plugin |
|---|---|---|
| 020 | 1020 | AWS S3 Security Auditor |
| 021 | 1021 | GCP Security Audit |
| 022 | 1022 | Azure Security Audit |
| 023 | 1023 | Zero Trust Assessment |
| 030 | 1030 | AWS IAM Deep Auditor |
| 040 | 1040 | AWS CloudTrail Operational Integrity |
| (new) | 1050 | AWS API Gateway Assurance |
| (new) | 1060 | AWS DynamoDB Audit Integrity |
CE retains 001–099. EE reserves 1000+ from this release forward. Type-II auditors evaluating EE evidence from prior 0.3.7 + 0.3.8 scans should treat any --plugins 040 evidence as CE TLS evidence (not EE CloudTrail), and re-scan with 0.3.9 + --plugins 1040 for the intended CloudTrail evidence.
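The failure mode in the disclosure above, as an added example that is not NSAuditor's own code: the first-match-wins id lookup beside a registry that rejects a duplicate id at load time and enforces the CE 001–099 / EE 1000+ namespaces. The plugin records are constructed; only the ids and names come from the table.

```javascript
// Added example, not NSAuditor's own code. Plugin records are constructed.

const CE_PLUGINS = [
  { id: '040', name: 'TLS Cert Auditor', tier: 'CE', priority: 40 },
];
const EE_PLUGINS_PRE_039 = [
  { id: '040', name: 'AWS CloudTrail Operational Integrity', tier: 'EE', priority: 40 },
];
const EE_PLUGINS_039 = [
  { id: '1040', name: 'AWS CloudTrail Operational Integrity', tier: 'EE', priority: 40 },
];

// The pre-0.3.9 behaviour: CE plugins loaded first, first match on .id wins.
function findPluginFirstMatch(plugins, id) {
  return plugins.find(p => p.id === id);
}

// Tier namespace rule from the release: CE 001–099, EE 1000+.
function assertNamespace(p) {
  const n = Number(p.id);
  const ok = p.tier === 'CE' ? n >= 1 && n <= 99 : p.tier === 'EE' ? n >= 1000 : false;
  if (!ok) throw new Error(`plugin ${p.tier}:${p.name} id ${p.id} is outside its tier namespace`);
}

// Hardened loader: a duplicate id across tiers is a load-time error, not a silent shadow.
function registerPlugins(...groups) {
  const registry = new Map();
  for (const p of groups.flat()) {
    const existing = registry.get(p.id);
    if (existing) {
      throw new Error(`plugin id collision on ${p.id}: ${existing.tier}:${existing.name} vs ${p.tier}:${p.name}`);
    }
    assertNamespace(p);
    registry.set(p.id, p);
  }
  return registry;
}

// Selection path: 'all' iterates the registry; an id list resolves each id
// exactly once and fails loudly on an unknown id instead of returning nothing.
function selectPlugins(registry, selection) {
  if (selection === 'all') return [...registry.values()];
  return selection.split(',').map(raw => {
    const id = raw.trim();
    const p = registry.get(id);
    if (!p) throw new Error(`unknown plugin id ${id}`);
    return p;
  });
}
```

With the old id set, the lookup for `040` returns the CE plugin exactly as the disclosure describes, while the hardened loader refuses to build a registry at all; with the 0.3.9 ids both plugins register and `1040` resolves to the CloudTrail plugin.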
PI1.5 partial-coverage scope (institutional disclosure)
PI1.5 cannot reach PASS via static substrate scanning alone — full PASS requires application-tier processing integrity evidence (write-through validation, idempotency, exactly-once semantics), planned for EE-RT.7 Lambda Runtime Assurance in v0.4.1+. The `partialReason` in `soc2.json` is explicit: substrate-only scope; the auditor must accept the LOW-PARTIAL confidence.
Coverage matrix — AICPA TSC 2017
| Status | Count | Trust Services Criteria |
|---|---|---|
| ✅ Covered | 10 | CC6.1, CC6.2, CC6.6, CC6.7, CC6.8, CC7.1, CC7.2, CC7.3, C1.1, C1.2 |
| 🟡 Partial | 4 | CC6.3, CC8.1, A1.2, PI1.5 (NEW — Stored items) |
| ⚪ Out of scope | 33 | CC1.*, CC2.*, CC3.*, CC4.*, CC5.*, CC9.*, PI1.1–PI1.4, P1.0–P8.0, CC6.4, CC6.5 |
Validation evidence
- Test counts: 86 tests for plugin 1050 (R2-C1 sanitization pin; deterministic sort + effectiveCap; JWT audience demote; TLS worst-policy tracking) + 57 tests for plugin 1060 (R2-C1 KMS unverifiable pin; R1-C2 disclosure pin; data-event coverage cross-reference; ZDE pin) + drift detector + golden-fixture updates + PI1.5 partial / OOS count re-pinning.
- Full regression: 2720/2720 green at ~131s wall.
- Reviewer cycles: 4 same-session two-reviewer cycles. 20 reviewer folds total (EE-RT.11: 11; EE-RT.2: 9). 0 CRITICAL ship-blockers after fold.
- ZDE maintained: all new fields emit only AWS-public-namespace identifiers; the `conclude()` field-selection allowlist is extended on both plugins.
Architecture & availability
EE 0.3.9 ships through npm as @nsasoft/nsauditor-ai-ee@0.3.9 (restricted access — Pro/Enterprise license required). The package layers on top of the open-source nsauditor-ai CE engine. EE 0.3.8 is explicitly deprecated on npm with a pointer to 0.3.9 that names the matrix shift and the plugin-ID rename. Eight EE plugins now ship (was 6 in 0.3.8).
npm install -g nsauditor-ai@0.1.38 @nsasoft/nsauditor-ai-ee@0.3.9
nsauditor-ai license install <KEY>
nsauditor-ai scan --host aws --plugins 1020,1030,1040,1050,1060 --compliance soc2 --out evidence.json
New optionalDependencies (added in 0.3.9): @aws-sdk/client-api-gateway, @aws-sdk/client-apigatewayv2, @aws-sdk/client-dynamodb (all ^3.0.0).
Resources
- npm package: `@nsasoft/nsauditor-ai-ee@0.3.9` (restricted; requires Pro/Enterprise license)
- CE pairing: `nsauditor-ai@0.1.38` (public; MIT; security-fix floor: ≥ 0.1.37)
- SOC 2 coverage table: nsauditor.com/ai/docs/soc2/ (v2.7 with new PI1.5 partial section)
- Pricing & licensing: nsauditor.com/ai/pricing · nsauditor.com/ai/enterprise
Press & analyst contact
Nsasoft US LLC
press@nsasoft.us · nsasoft.us
For SOC 2 audit-team trials with custom AWS scenarios, Serverless-Framework API Gateway walkthroughs, DynamoDB audit-the-auditor evidence reviews, or pre-Type-II readiness assessments, contact enterprise@nsasoft.us.