NSAuditor AI EE 0.30.0: Closing Cloud False-Negatives and Unifying the Compliance Verdict Across Seven Frameworks

EE 0.30.0 deepens AWS + Azure detection so real exposures that read clean now surface, and aligns the mapping layer so the same exposure routes to the same control on every framework.


NSAuditor AI Enterprise Edition 0.30.0 is now available — the largest non-framework release in the product’s history, and a deliberate, systematic pass at the quietest failure mode in a compliance scanner: the real cloud exposure that reads clean.

A compliance scanner has two ways to be wrong, and the worse one is the quiet one. Over-claiming — telling you that you are compliant when you are not — is loud and tends to get caught. Under-claiming — a genuine exposure that reads clean, or a finding that fails on one framework’s report yet is silently absent from another’s — stays invisible until an auditor or an attacker finds it first. EE 0.30.0 spends an entire release on that second failure mode. No new framework, no new plugins (still 28), and no changes to any of the seven coverage matrices — this is a correctness and depth release.

Detection depth: exposures that used to read clean now fire

AWS S3 access points. A bucket locked down at the bucket level can still be reachable from the public internet through an access point when the bucket delegates authority. EE 0.30.0 now evaluates the full four-way join — network origin, access-point policy, Block Public Access over both the access point and the account, and the bucket’s delegation posture — and flags the bypass. Every leg it cannot read becomes an explicit evidence gap, never a silent pass.
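The four-way join described above, written out as an added example rather than NSAuditor's own code. The input shapes (NetworkOrigin, Policy, PublicAccessBlock) are simplified AWS API fields, the delegation test uses the s3:DataAccessPointAccount condition key, and the sample account is constructed:

```javascript
// Added example, not NSAuditor code; input shapes are simplified and the sample is constructed.
// Any leg that cannot be read returns undefined and becomes an explicit evidence gap, never a pass.
function principalIsPublic(policy) {
  if (policy === undefined) return undefined;                 // leg unreadable
  return (policy.Statement || []).some((s) =>
    s.Effect === "Allow" && (s.Principal === "*" || (s.Principal && s.Principal.AWS === "*")));
}

function publicPolicyBlocked(bpa) {                           // Block Public Access, policy legs only
  if (bpa === undefined) return undefined;
  return Boolean(bpa.BlockPublicPolicy && bpa.RestrictPublicBuckets);
}

// The bucket delegates authority when its policy allows requests that arrive
// through any access point owned by the account (s3:DataAccessPointAccount).
function bucketDelegates(bucketPolicy, accountId) {
  if (bucketPolicy === undefined) return undefined;
  return (bucketPolicy.Statement || []).some((s) => {
    const eq = s.Condition && s.Condition.StringEquals;
    return s.Effect === "Allow" && Boolean(eq) && eq["s3:DataAccessPointAccount"] === accountId;
  });
}

function evaluateAccessPoint(ap, bucket, account) {
  const legs = {
    internetOrigin: ap.NetworkOrigin === undefined ? undefined : ap.NetworkOrigin === "Internet",
    accessPointPublic: principalIsPublic(ap.Policy),
    accessPointBpa: publicPolicyBlocked(ap.PublicAccessBlock),
    accountBpa: publicPolicyBlocked(account.PublicAccessBlock),
    delegated: bucketDelegates(bucket.Policy, account.Id),
  };
  const gaps = Object.keys(legs).filter((k) => legs[k] === undefined);
  if (gaps.length > 0) return { verdict: "evidence_gap", gaps };   // fail closed
  const exposed = legs.internetOrigin && legs.accessPointPublic && legs.delegated
    && !legs.accessPointBpa && !legs.accountBpa;
  return { verdict: exposed ? "fail" : "pass", gaps };
}

// Constructed sample: the bucket is private on its own but delegates to a public access point.
const SAMPLE = {
  account: { Id: "111122223333", PublicAccessBlock: { BlockPublicPolicy: false, RestrictPublicBuckets: false } },
  bucket: { Policy: { Statement: [{ Effect: "Allow", Principal: { AWS: "*" }, Action: "s3:GetObject",
    Resource: "arn:aws:s3:::example-bucket/*",
    Condition: { StringEquals: { "s3:DataAccessPointAccount": "111122223333" } } }] } },
  ap: { NetworkOrigin: "Internet", PublicAccessBlock: { BlockPublicPolicy: false, RestrictPublicBuckets: false },
    Policy: { Statement: [{ Effect: "Allow", Principal: "*", Action: "s3:GetObject", Resource: "*" }] } },
};
```

Removing any one leg from the sample (for example an access-point policy the scanner cannot read) turns the verdict into an evidence gap naming that leg, while enabling Block Public Access at the account turns it into a pass.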

AWS resource policies. A shared effective-exposure classifier now reads the resource policies of Lambda, DynamoDB, SQS, SNS, VPC endpoints, Secrets Manager and API Gateway, catching public and cross-account grants that previously went unexamined — while correctly leaving the recommended private-API pattern alone.

AWS security groups, KMS and IAM. Public-versus-private CIDR and split-range detection on EC2 security groups (including mask-aware IPv6); broader KMS effective-decrypt and cross-account key-policy analysis, without false-flagging the ubiquitous default key policy; and paginated IAM user enumeration, so an over-privileged user beyond the first page is no longer missed.

Azure. A depth-pass across Azure storage, network security groups, Key Vault and the cloud scanner closed every remaining un-enumerable fail-open. An unreadable scope now produces a routed evidence gap instead of a clean result, bringing the whole Azure fleet under a single structural routing-completeness guard.

Mapping parity: the same exposure, the same verdict, on every framework

Architecturally identical confidentiality and least-privilege exposures used to route to different controls across the seven frameworks. EE 0.30.0 closes that inconsistency in both directions, and every change is matrix-neutral:

  • An over-broad KMS decrypt grant or an anonymous queue read now reaches the confidentiality controls on ISO/IEC 27001, CIS Controls v8 and GDPR Article 32 — not just SOC 2.
  • A public, unauthenticated application entry point — a Lambda Function URL with no authentication, or an API Gateway method with AuthorizationType: NONE — now appears under NIST CSF 2.0 PR.AA-05 (access enforcement and least privilege), where before it failed SOC 2 and ISO but read clean on a NIST report.
  • An over-claim was corrected too: a KMS grant that covers only integrity or availability actions, not a read, no longer claims the confidentiality facet.

The no-silent-false-clean discipline, made structural

The cycle’s durable byproduct is a new build-time guard that asserts, per source and per framework, that an evidence gap fails closed on exactly the controls its real findings attest — automatically catching the under-claim class that the existing inheritance and matrix tests could not see. The fleet-wide read-only enforcement guard continues to hold across all 28 plugins, even as this batch added new (read-only) cloud API calls.
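A guard of the kind described above, added here as an illustration and not NSAuditor's own code; it also carries the facet rule from the mapping section (a send- or delete-only grant does not claim confidentiality). The sources, findings and routing tables are constructed, and the SOC 2 control ids are placeholders; only NIST CSF 2.0 PR.AA-05 and GDPR Article 32(1)(b) come from the release notes:

```javascript
// Added example, not NSAuditor code; control ids are placeholders except PR.AA-05 and Art.32(1)(b).
// A grant claims confidentiality only when it allows a read; send/delete-only grants do not.
const READ_ACTIONS = new Set(["kms:Decrypt", "sqs:ReceiveMessage"]);
function facetsOfGrant(actions) {
  const facets = new Set();
  for (const a of actions) {
    if (READ_ACTIONS.has(a)) facets.add("confidentiality");
    else if (/:(Delete|Purge)/.test(a)) facets.add("availability");
    else facets.add("integrity");
  }
  return facets;
}
// Real findings each source can emit (constructed), keyed by the actions the offending grant allows.
const SOURCE_FINDINGS = {
  "aws:kms": [{ id: "kms-public-decrypt", actions: ["kms:Decrypt"] }, { id: "kms-public-encrypt", actions: ["kms:Encrypt"] }],
  "aws:sqs": [{ id: "sqs-anonymous-receive", actions: ["sqs:ReceiveMessage"] }, { id: "sqs-anonymous-send", actions: ["sqs:SendMessage"] }],
};
// Per-framework routing from facet to control.
const ROUTES = {
  nist_csf_2: { confidentiality: ["PR.AA-05"], integrity: ["PR.AA-05"] },
  gdpr_art32: { confidentiality: ["Art.32(1)(b)"], integrity: ["Art.32(1)(b)"] },
  soc2:       { confidentiality: ["SOC2-CONF-PLACEHOLDER"], integrity: ["SOC2-INTEG-PLACEHOLDER"] },
};
// Controls an unreadable scope fails closed on. The aws:sqs/gdpr_art32 entry is left stale on purpose:
// that gap would read clean on the GDPR report, which is the under-claim class the guard exists to catch.
const GAP_ROUTES = {
  "aws:kms": { nist_csf_2: ["PR.AA-05"], gdpr_art32: ["Art.32(1)(b)"],
               soc2: ["SOC2-CONF-PLACEHOLDER", "SOC2-INTEG-PLACEHOLDER"] },
  "aws:sqs": { nist_csf_2: ["PR.AA-05"], gdpr_art32: [],
               soc2: ["SOC2-CONF-PLACEHOLDER", "SOC2-INTEG-PLACEHOLDER"] },
};
function attestedControls(source, framework) {
  const out = new Set();
  for (const finding of SOURCE_FINDINGS[source])
    for (const facet of facetsOfGrant(finding.actions))
      for (const control of ROUTES[framework][facet] || []) out.add(control);
  return out;
}
// Every (source, framework) pair whose gap routing differs from what that source's real findings attest.
function routingCompletenessGuard() {
  const mismatches = [];
  for (const source of Object.keys(SOURCE_FINDINGS))
    for (const framework of Object.keys(ROUTES)) {
      const want = [...attestedControls(source, framework)].sort();
      const got = [...new Set(GAP_ROUTES[source][framework] || [])].sort();
      if (want.join("|") !== got.join("|")) mismatches.push({ source, framework, want, got });
    }
  return mismatches;
}
```

Run as a build step, a non-empty result from routingCompletenessGuard fails the build; here it reports exactly the stale SQS-to-GDPR entry.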

A note on GDPR scope

This release adds GDPR Article 32(1)(b) routing for two exposure classes; it does not change the scope doctrine. The engine evidences the GDPR Article 32 infrastructure substrate only — not GDPR compliance. Findings remain substrate for the operator’s four-factor proportionality determination, carry the personal-data-scope caveat, and sit in the Article 83(4) lower fine tier — never the headline tier. A send- or delete-only grant does not claim confidentiality.

One scan, seven frameworks

nsauditor-ai scan --host aws --compliance soc2,hipaa,nist,pci,iso,cis,gdpr

Trust in a security tool is built on what it does not miss and what it does not overstate. EE 0.30.0 spends a full release on both. The Community Edition is open source (npm i -g nsauditor-ai@latest); the Enterprise cloud-compliance surface is licensed (@nsasoft/nsauditor-ai-ee@latest). Full details are at nsauditor.com/ai/enterprise.