NSAuditor AI EE 0.31.5 Closes a Backup-Shaped False-Clean: RDS Cluster Snapshot Detection and Seven-Framework At-Rest Routing

EE 0.31.5 detects non-Aurora RDS Multi-AZ DB cluster snapshots for real and routes an unencrypted database snapshot to the encryption-at-rest control of all seven compliance frameworks.


Nsasoft has shipped NSAuditor AI Enterprise Edition 0.31.5, a patch that closes a backup-shaped false-clean across the RDS database-snapshot audit surface. A database snapshot is a complete, restorable copy of the data — and an attacker who can read or restore one bypasses every control on the live database. NSAuditor AI EE has audited live-database encryption and instance snapshots for many releases; 0.31.5 closes the two remaining gaps in that surface.

The cluster snapshot nobody was watching

AWS RDS exposes two cluster shapes through DescribeDBClusters: Amazon Aurora clusters and the newer RDS Multi-AZ DB clusters — a three-node MySQL/PostgreSQL high-availability deployment. Both keep their snapshots at the cluster level, invisible to the instance-level DescribeDBSnapshots that a per-instance scan uses. A prior release began auditing Aurora cluster snapshots; the non-Aurora Multi-AZ DB cluster snapshot was left as an honest fail-closed evidence-gap pending real detection.

EE 0.31.5 ships that detection. The cluster-snapshot classifiers now run over every enumerated cluster, so a publicly shared Multi-AZ DB cluster snapshot — any AWS account can RestoreDBClusterFromSnapshot and read every row — surfaces as the CRITICAL it is, with a HIGH for a cross-account or unencrypted one. The finding’s prose is derived from the engine so it reads accurately (“RDS Multi-AZ DB cluster” vs “Aurora DB cluster”), and the member-defer logic was generalized so that a truncated-out cluster, or an orphan Aurora instance returned without its cluster id, fails closed rather than reading clean.

One exposure, seven reports — and they disagreed

The deeper finding came from the principal review. An unencrypted live database routed to the encryption-at-rest control of all seven frameworks. An unencrypted snapshot of that same database routed to only two — SOC 2 and HIPAA. The result: an operator running a PCI-DSS-only, ISO-27001-only, CIS-only, GDPR-only or NIST-CSF-only report saw the unencrypted backup read CLEAN under that framework, even though the live volume would have failed.

EE 0.31.5’s at-rest snapshot routing sweep makes the snapshot a superset of the live-database mapping. An unencrypted snapshot now routes to NIST CSF PR.DS-01, PCI DSS 3.5.1, ISO 27001 A.8.24, CIS 3.11 and GDPR Art. 32(1)(a) alongside SOC 2 C1.1 and HIPAA §164.312(a)(2)(iv). Because a snapshot is recovery data — the RDS-native backup mechanism — it additionally routes to CIS Safeguard 11.3 “Protect Recovery Data” (Implementation Group 1, the cyber-insurance baseline), which the live-database dimension does not claim.

A public share is an access-control failure

A snapshot shared publicly or cross-account is, first and foremost, an access-control failure. EE 0.31.5 routes that share finding to the access-control control of each framework and corrects two that had filed it elsewhere: it now also routes to SOC 2 CC6.1 and the Required HIPAA §164.312(a)(1) Access Control standard, so the Required control no longer reads clean over a publicly-restorable snapshot.
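The cluster-snapshot checks and the routing described above, as an added example that is not NSAuditor's code: it runs the classification over constructed records shaped like boto3's describe_db_clusters / describe_db_cluster_snapshots responses (the restore-attribute values are assumed to have been pulled from describe_db_cluster_snapshot_attributes beforehand), and fails closed on a truncated cluster page or a snapshot whose cluster was never enumerated.

```python
# Added example, not NSAuditor's code: the cluster-snapshot checks described
# above, over constructed records shaped like boto3's describe_db_clusters /
# describe_db_cluster_snapshots responses. No AWS call is made.
AT_REST = ["NIST CSF PR.DS-01", "PCI DSS 3.5.1", "ISO 27001 A.8.24", "CIS 3.11",
           "GDPR Art. 32(1)(a)", "SOC 2 C1.1", "HIPAA §164.312(a)(2)(iv)",
           "CIS Safeguard 11.3"]                  # at-rest controls named above
ACCESS = ["SOC 2 CC6.1", "HIPAA §164.312(a)(1)"]  # access controls named above

def cluster_label(engine):
    # Aurora engines start with "aurora"; any other engine is a Multi-AZ DB cluster.
    return "Aurora DB cluster" if engine.startswith("aurora") else "RDS Multi-AZ DB cluster"

def classify_snapshot(snap, restore_values):
    """restore_values: the 'restore' attribute values (assumed pulled from
    describe_db_cluster_snapshot_attributes); 'all' means publicly restorable."""
    sid, label, out = snap["DBClusterSnapshotIdentifier"], cluster_label(snap["Engine"]), []
    if "all" in restore_values:
        out.append((sid, "CRITICAL", f"{label} snapshot is publicly restorable", ACCESS))
    elif restore_values:
        out.append((sid, "HIGH", f"{label} snapshot shared cross-account", ACCESS))
    if not snap.get("StorageEncrypted", False):
        out.append((sid, "HIGH", f"{label} snapshot is unencrypted at rest", AT_REST))
    return out

def audit(clusters_page, snapshots, restore_attrs):
    """Returns the findings list, or None when evidence is incomplete: a
    truncated cluster page (Marker set) or a snapshot whose cluster id was
    never enumerated must fail closed rather than read clean."""
    if "Marker" in clusters_page:
        return None
    known = {c["DBClusterIdentifier"] for c in clusters_page["DBClusters"]}
    findings = []
    for snap in snapshots:
        if snap.get("DBClusterIdentifier") not in known:
            return None
        findings += classify_snapshot(snap, restore_attrs.get(snap["DBClusterSnapshotIdentifier"], []))
    return findings

# Constructed sample: a Multi-AZ DB cluster with a public, unencrypted snapshot
# and an Aurora cluster with a private, encrypted one.
CLUSTERS = {"DBClusters": [{"DBClusterIdentifier": "orders-maz", "Engine": "postgres"},
                           {"DBClusterIdentifier": "billing-aurora", "Engine": "aurora-mysql"}]}
SNAPSHOTS = [
    {"DBClusterSnapshotIdentifier": "orders-maz-snap", "DBClusterIdentifier": "orders-maz",
     "Engine": "postgres", "StorageEncrypted": False},
    {"DBClusterSnapshotIdentifier": "billing-aurora-snap", "DBClusterIdentifier": "billing-aurora",
     "Engine": "aurora-mysql", "StorageEncrypted": True},
]
RESTORE = {"orders-maz-snap": ["all"]}  # billing-aurora-snap has no restore entries
```

`audit(CLUSTERS, SNAPSHOTS, RESTORE)` yields two findings for orders-maz-snap (CRITICAL public share routed to the access controls, HIGH unencrypted routed to all at-rest controls) and none for the Aurora snapshot; a truncated cluster page or an orphan snapshot returns None instead of a clean list.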

Engineering rigor

The release was built skill-first and test-driven, then put through a multi-lens adversarial principal review — with every routing change re-derived against the live compliance engine, routing real classifier output through the real framework maps rather than hand-typed fixtures. The review confirmed the new detection introduced no live defect and drove three folds (a prose-label correction, an orphan-Aurora fail-close hardening, and a real-emission drift guard) plus the seven-framework routing sweep. Fleet-wide read-only (Zero Data Exfiltration) enforcement holds across all 28 plugins — the new cluster reads use Describe* APIs only.

This is a patch: no new framework, plugin count unchanged at 28, and all seven coverage matrices unchanged — the mapping changes are additive anchors to already-covered controls. On the GDPR side, the engine provides substrate evidence for GDPR Article 32 infrastructure controls only — not GDPR compliance as such; findings remain substrate for the operator’s four-factor proportionality determination and sit in the Article 83(4) lower fine tier.

Availability

@nsasoft/nsauditor-ai-ee@0.31.5 (Enterprise, restricted) pairs with nsauditor-ai@0.2.19 (Community, MIT) and nsauditor-ai-agent-skill@0.2.17. EE 0.31.5 requires CE 0.2.8+. Upgrade in place — no configuration change, no new dependency. Details at nsauditor.com/ai/enterprise.