NSAuditor AI EE 0.31.6: Enumeration Truncation Can No Longer Read as Compliance

EE 0.31.6 closes a class of coverage-gap false-cleans in the AWS RDS auditor and maps audit-log retention to every framework — moving the CIS Controls v8 matrix to 17/23/113.

NSAuditor AI Enterprise Edition 0.31.6 is now live on npm, paired with Community Edition 0.2.20 and agent-skill 0.2.18. The release closes an entire class of misleadingly clean verdicts in the AWS RDS auditor — the kind that appears not because a database is secure, but because the scanner stopped counting — and maps RDS audit-log retention to every compliance framework, moving the CIS Controls v8 coverage matrix for the first time since the 0.13.1 DMARC flip.

A cloud audit is only as honest as its coverage

AWS exposes RDS inventory through paginated API calls, each with a page cap. A scanner that reads the first 2,000 snapshots and silently drops the rest will report a clean encryption posture over a 2,001st snapshot that is wide open. That class of failure — enumeration truncation read as compliance — is invisible by construction: there is no error and no finding, just an absence. EE 0.31.6 hunts it down across the entire RDS auditor.

Four enumerators, one doctrine: truncation fails closed

RDS exposes its inventory through four paginated calls. As of 0.31.6, every one of them fails closed on truncation:

  • Snapshots (instance and cluster). A would-be “all snapshots encrypted” pass over a truncated set is now converted to a fail-closed evidence gap — at both the all-encrypted exit and the subtle zero-visible exit, where AWS can return empty pages that still carry a continuation token. A confirmed-bad snapshot still fires its finding first.
  • Live databases and clusters. A region holding more databases or clusters than a single list returns now emits a routed “could not be scanned in full” gap that fails closed the entire RDS native control set — routing identically to an access-denied region, so the tail is never mistaken for clean.
  • Audit-log groups. A truncation flag the retention classifier had quietly ignored is now wired in: a minimum-retention pass computed over a truncated subset fails closed, unless the visible set already shows a confirmed below-baseline group.

Every gap reuses an existing compliance anchor, so it routes to exactly the controls the real violation would — verified against the live compliance engine, framework by framework.
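The three exits described above, as an added TypeScript sketch that is not NSAuditor code: the page shape mirrors AWS "Marker" pagination, and the snapshot and log-group inventories, names and thresholds are constructed for the example. A confirmed-bad item fires first, a clean-looking but truncated set becomes an evidence gap, and an empty page that still carries a token is never read as a pass.

```typescript
// Added illustration (not NSAuditor code) of the fail-closed truncation doctrine;
// page shape mirrors AWS "Marker" pagination, the inventories below are constructed.
type Verdict = "FAIL" | "EVIDENCE_GAP" | "PASS";
interface Page<T> { items: T[]; marker?: string } // marker present => more to fetch
interface Enumeration<T> { items: T[]; truncated: boolean }
// Fetch at most pageCap pages; a marker still outstanding at the cap means truncated,
// even when every page fetched was empty.
function enumerate<T>(fetchPage: (m?: string) => Page<T>, pageCap: number): Enumeration<T> {
  const items: T[] = [];
  let marker: string | undefined;
  for (let n = 0; n < pageCap; n++) {
    const page = fetchPage(marker);
    items.push(...page.items);
    marker = page.marker;
    if (marker === undefined) return { items, truncated: false };
  }
  return { items, truncated: true };
}
// A confirmed violation fires first; a clean-looking but truncated set is an
// evidence gap (fails closed), never a pass.
function verdict<T>(e: Enumeration<T>, isViolation: (t: T) => boolean): Verdict {
  if (e.items.some(isViolation)) return "FAIL";
  return e.truncated ? "EVIDENCE_GAP" : "PASS";
}
// Constructed in-memory stand-in for a paginated AWS list call.
function pagedSource<T>(all: T[], pageSize: number): (m?: string) => Page<T> {
  return (m) => {
    const start = m === undefined ? 0 : Number(m), next = start + pageSize;
    const items = all.slice(start, next);
    return next < all.length ? { items, marker: String(next) } : { items };
  };
}
interface Snapshot { id: string; encrypted: boolean }
interface LogGroup { name: string; retentionInDays: number }
const SNAPSHOTS: Snapshot[] = [ // constructed: only the last one is unencrypted
  ...[1, 2, 3, 4].map((n) => ({ id: `snap-${n}`, encrypted: true })), { id: "snap-5", encrypted: false }];
const LOG_GROUPS: LogGroup[] = [ // constructed: the second is below the 30-day baseline
  { name: "a/audit", retentionInDays: 90 }, { name: "b/audit", retentionInDays: 14 }, { name: "c/audit", retentionInDays: 365 }];
// Snapshot encryption posture: two snapshots per page, pageCap pages read.
function auditSnapshots(pageCap: number): Verdict {
  return verdict(enumerate(pagedSource(SNAPSHOTS, 2), pageCap), (s) => !s.encrypted);
}
// Zero-visible exit: AWS can return an empty page that still carries a token.
function auditEmptyPagesWithToken(pageCap: number): Verdict {
  return verdict(enumerate<Snapshot>(() => ({ items: [], marker: "next" }), pageCap), () => false);
}
// Minimum-retention check over audit-log groups, one group per page.
function auditLogRetention(pageCap: number): Verdict {
  return verdict(enumerate(pagedSource(LOG_GROUPS, 1), pageCap), (g) => g.retentionInDays < 30);
}
```

With a cap of two pages the snapshot audit sees four encrypted snapshots and an outstanding marker, so it reports an evidence gap; raising the cap to three enumerates the fifth snapshot and the verdict becomes a confirmed fail.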

Audit-log retention, mapped to every framework

NSAuditor AI reads each RDS instance’s CloudWatch Logs retention and flags below-baseline retention. Until now that finding routed only to SOC 2 and HIPAA — so a PCI DSS-only, NIST CSF-only, ISO 27001-only or CIS-only report read clean over a database whose audit logs were being discarded early, even though PCI DSS Requirement 10.5.1 mandates retaining audit-log history. EE 0.31.6 maps the retention finding to each framework’s retention control: PCI DSS 10.5.1, NIST CSF PR.PS-04, ISO 27001 A.8.15, and CIS Controls v8 Safeguard 8.10 (Retain Audit Logs) — alongside SOC 2 CC7.2 and HIPAA §164.312(b). The presence check — do the log groups even exist? — correctly stays on the floor controls, because presence is not the same compliance question as duration.

One deliberate matrix move: CIS Safeguard 8.10

Routing audit-log retention to CIS Safeguard 8.10 moves it from out-of-scope to partial, so the CIS Controls v8 coverage matrix shifts 17/22/114 → 17/23/113. The Implementation Group 1 cyber-insurance baseline is unchanged at 23 of 56 (8.10 is an IG2 Safeguard); IG2-cumulative substrate rises to 38 of 130 and IG3-cumulative to 40 of 153. The six other framework matrices are unchanged: SOC 2 10/4/33, HIPAA 7/3/45, NIST CSF 2.0 13/10/83, PCI DSS v4.0.1 19/9/39, ISO 27001 17/14/62, and GDPR Article 32 4/5/2. Plugin count is unchanged at 28.

Honest about the threshold

The retention classifier flags below the 30-day institutional baseline. It does not yet evaluate a framework’s specific retention duration — PCI DSS 10.5.1’s twelve-month bar, for instance — and it deliberately does not flag an instance at 60–365 days as a hard violation, because audit logs are commonly archived to S3/Glacier for long-term retention that CloudWatch’s retention setting alone cannot see. That depth — a cardholder-data-scoped, archival-aware retention evidence gap — is a recorded, deferred follow-up. The release ships PCI DSS 10.5.1 as an honest partial, not as a fully-closed control.

Availability

@nsasoft/nsauditor-ai-ee@0.31.6 (Enterprise) pairs with nsauditor-ai@0.2.20 (Community, MIT) and nsauditor-ai-agent-skill@0.2.18. EE 0.31.6 requires CE 0.2.8+. Read-only (Zero Data Exfiltration) enforcement holds across all 28 plugins — the release adds no mutating call. Upgrade in place, no configuration change. Full details at the NSAuditor AI Enterprise page and the CIS Controls v8 coverage matrix.