NSAuditor AI Enterprise 0.32.4: Closing Three RDS Blind Spots — Cleartext Proxy Connections, Backups That Outlive Their Database, and One Coherent Aurora Verdict
NSAuditor AI EE 0.32.4 closes three real Amazon RDS exposures — a cleartext RDS Proxy, an unencrypted retained backup, and contradictory Aurora verdicts — matrix-neutral.
Nsasoft US LLC has released NSAuditor AI Enterprise 0.32.4, a matrix-neutral depth pass on the AWS RDS auditor that closes three real exposures the scanner previously missed — plus a report-quality fix. Every new finding routes to a control the scanner already covers, so no compliance number moves: there is no new framework, the plugin count stays at 28, and all seven coverage matrices are unchanged.
1. The RDS Proxy that accepts cleartext
Amazon RDS Proxy sits between an application and its database, pooling connections. It has a switch, RequireTLS, that decides whether clients must connect over TLS — and it defaults to off. A proxy left at the default happily accepts unencrypted client connections: queries and result rows travel the network in the clear, and the authentication handshake is exposed to interception — even when the database behind the proxy enforces SSL on its own hop. Because the existing SSL check reads the database parameter group, it never looked at the proxy’s flag.
0.32.4 audits DescribeDBProxies.RequireTLS directly. A proxy that does not require TLS is now a HIGH finding, fail-closed: if the flag is off or absent it flags; if the proxy list cannot be read, it degrades to an explicit evidence gap rather than a silent pass. The finding routes to the same transit-encryption controls as the database SSL check across all seven frameworks.
2. The backup that outlived the database it protected
When you delete an RDS database or Aurora cluster, its automated backups do not necessarily go with it. AWS can retain them and can replicate them to another region. Those backups still hold the full contents of the source database — and they are invisible to the two calls a scanner naturally reaches for: the deleted database no longer appears in DescribeDBInstances / DescribeDBClusters, and a retained automated backup is not a snapshot, so it is absent from DescribeDBSnapshots too. An unencrypted retained backup is a copy of your data at rest that you can no longer crypto-shred.
0.32.4 enumerates automated backups directly and flags an unencrypted one. The filter is deliberately fail-closed: it skips only a backup whose source is a live database already audited in the same run — every retained, cross-region-replicated, or unknown-status backup is classified, never assumed clean.
3. One Aurora cluster, one coherent verdict
An earlier release taught the scanner to read an Aurora cluster’s SSL setting, which surfaced a contradiction on provisioned clusters: the cluster-level check reported SSL enforced, while each member instance — reading the same cluster-scoped setting from the wrong level — reported it not enforced. 0.32.4 makes the cluster authoritative: an Aurora member now defers its SSL and Multi-AZ verdicts to its cluster (fail-closed, and only for Aurora), and cluster availability is judged from the cluster’s own DBCluster.MultiAZ.
4. No control-id leaks between frameworks
A finding’s description renders verbatim as the violation line in every report NSAuditor produces. 0.32.4 adds a single renderer-level backstop that strips foreign framework control-ids out of the violation and positive-evidence prose at the moment the report is assembled, for every plugin at once. It is purely presentational — routing happens upstream, so nothing is mis-mapped or dropped.
Matrix-neutral, and honest about it
Every change is a false-negative closure or a report-quality fix on the RDS auditor, each confirmed fail-closed. The coverage matrices remain SOC 2 10/4/33, HIPAA 7/3/45, NIST CSF 2.0 13/10/83, PCI DSS v4.0.1 19/9/39, ISO 27001 17/14/62, CIS Controls v8 17/23/113, and GDPR Article 32 4/5/2. NSAuditor AI is local-first with zero data exfiltration and audits AWS, Azure, and GCP from one scan. Learn more at the NSAuditor AI Enterprise page.



