NSAuditor AI EE 0.5.1 Ships SQS/SNS Auditor v2 — CloudWatch Alarm Coverage on ApproximateAgeOfOldestMessage + NumberOfNotificationsFailed; R-CRITICAL Empty-AlarmActions Silent-PASS Closure

EE 0.5.1 patch-level extension — SQS/SNS Auditor v2 with CloudWatch alarm coverage. R-CRITICAL empty-AlarmActions silent-PASS closure catches alarms that look fine but never page anyone.


What’s new: Nsasoft US LLC has shipped NSAuditor AI Enterprise Edition 0.5.1 — a patch-level extension in the v0.5.x line that grows plugin 1150 (SQS/SNS Auditor) from 5 to 7 dimensions with CloudWatch alarm coverage on SQS ApproximateAgeOfOldestMessage and SNS NumberOfNotificationsFailed. It is the first plugin-1150 dimension to cross an SDK boundary (SQS+SNS → CloudWatch), closing the “messaging monitoring” SOC 2 dimension per the audit-canonical checklist. The release is the seventh consecutive trio-publish alongside CE 0.1.50 and agent-skill 0.1.17.

Dim 6 — SQS ApproximateAgeOfOldestMessage CloudWatch alarm coverage

Per-queue classifier checks whether the queue has at least one CloudWatch MetricAlarm on AWS/SQS:ApproximateAgeOfOldestMessage with the queue’s QueueName dimension AND both ActionsEnabled=true AND a non-empty AlarmActions[] array. Four outcomes:

  • PASS sqs-age-alarm-covered — at least one actionable alarm
  • MEDIUM sqs-age-alarm-missing — no matching alarm; consumer backlog growth produces NO operator paging (silent service-degradation class)
  • LOW sqs-age-alarm-actions-disabled — matching alarm exists but disabled or empty AlarmActions (informational-only, no paging substrate)
  • LOW + evidenceGap sqs-age-alarm-coverage-unverifiable — CW SDK unavailable / DescribeAlarms AccessDenied / pagination truncated

Dim 7 — SNS NumberOfNotificationsFailed CloudWatch alarm coverage

Per-topic analogue. Closes the canonical false-CLEAN window where SNS subscription delivery failures (HTTPS endpoint timeouts, Lambda invocation errors, SQS DLQ exhaustion on fan-out, mobile push errors) produce NO operator paging — silent message-loss class for downstream subscribers.

The R-CRITICAL fold — empty-AlarmActions silent-PASS closure

Pre-fold, an alarm with {ActionsEnabled: true, AlarmActions: []} passed as PASS-tier evidence — but CloudWatch semantics fire NO operator paging when the action list is empty. No SNS topic, no PagerDuty integration, no Lambda function is invoked on threshold breach. Post-fold, actionable requires BOTH ActionsEnabled=true AND a non-empty AlarmActions[] array. The LOW remediation narrative discriminates “all disabled” vs “all empty actions” so operators get the right hint (toggle Actions vs populate AlarmActions ARN list). This is a real production pattern from incomplete IaC modules — a Terraform or CloudFormation template that creates the alarm shell but leaves alarm_actions empty would have silently passed pre-fold.

Single-fetch budget pattern

Mirrors the plugin 1040 _auditAlarmCoverage scaffold: _enumerateMetricAlarms paginates cloudwatch:DescribeAlarms ONCE per scan; _buildAlarmIndex builds two per-resource Maps (sqsAgeByQueueName + snsFailureByTopicName) for O(1) per-resource lookup rather than O(queues × alarms) round-trips. Pagination cap default 20 pages × 100 alarms = 2000-alarm ceiling, operator-tunable via opts.cwAlarmPageCap. Soft-degrade contract: CW SDK load failure routes per-resource to LOW + evidenceGap rather than blocking the SQS+SNS primary substrate audit. No new SDK dependencies.
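As an added illustration (not the plugin's own code), the JavaScript below shows the Dim 6/7 per-resource classifier, the R-CRITICAL empty-AlarmActions rule and the single-pass alarm index described in the sections above; the sample alarms, function names and hint strings are constructed assumptions, and the paginated DescribeAlarms fetch itself is not shown.

```javascript
// Added example (not NSAuditor's code): per-resource alarm-coverage classifier and
// single-pass index. Alarm objects follow the cloudwatch:DescribeAlarms MetricAlarm
// shape; the sample data and function names are constructed for this example.

// Index all alarms ONCE into two per-resource Maps, so each queue/topic lookup
// is O(1) instead of re-scanning the alarm list per resource.
function buildAlarmIndex(alarms) {
  const sqsAgeByQueueName = new Map();
  const snsFailureByTopicName = new Map();
  const add = (map, key, a) => map.set(key, [...(map.get(key) || []), a]);
  for (const a of alarms) {
    const dims = Object.fromEntries((a.Dimensions || []).map(d => [d.Name, d.Value]));
    if (a.Namespace === 'AWS/SQS' && a.MetricName === 'ApproximateAgeOfOldestMessage' && dims.QueueName) {
      add(sqsAgeByQueueName, dims.QueueName, a);
    } else if (a.Namespace === 'AWS/SNS' && a.MetricName === 'NumberOfNotificationsFailed' && dims.TopicName) {
      add(snsFailureByTopicName, dims.TopicName, a);
    }
  }
  return { sqsAgeByQueueName, snsFailureByTopicName };
}

// Classify one resource. `prefix` is 'sqs-age' or 'sns-failure'; `evidenceGap`
// is true when DescribeAlarms could not be read (no SDK, AccessDenied, truncated).
function classifyCoverage(matching, prefix, evidenceGap = false) {
  if (evidenceGap) return { severity: 'LOW', evidenceGap: true, code: `${prefix}-alarm-coverage-unverifiable` };
  if (matching.length === 0) return { severity: 'MEDIUM', code: `${prefix}-alarm-missing` };
  // Actionable = ActionsEnabled AND a non-empty AlarmActions list. An enabled
  // alarm with AlarmActions: [] pages nobody, so it must NOT count as PASS.
  const actionable = matching.some(a => a.ActionsEnabled === true && (a.AlarmActions || []).length > 0);
  if (actionable) return { severity: 'PASS', code: `${prefix}-alarm-covered` };
  const allDisabled = matching.every(a => a.ActionsEnabled !== true);
  const hint = allDisabled ? 'enable alarm actions (ActionsEnabled)' : 'populate AlarmActions with a notification ARN';
  return { severity: 'LOW', code: `${prefix}-alarm-actions-disabled`, hint };
}

// Constructed sample: one actionable alarm, one enabled-but-empty alarm (the
// silent-PASS case), and no alarm at all for the third queue.
const SAMPLE_ALARMS = [
  { Namespace: 'AWS/SQS', MetricName: 'ApproximateAgeOfOldestMessage', ActionsEnabled: true,
    Dimensions: [{ Name: 'QueueName', Value: 'orders' }], AlarmActions: ['arn:aws:sns:us-east-1:111111111111:oncall'] },
  { Namespace: 'AWS/SQS', MetricName: 'ApproximateAgeOfOldestMessage', ActionsEnabled: true,
    Dimensions: [{ Name: 'QueueName', Value: 'billing' }], AlarmActions: [] },
];

function auditQueues(queueNames, alarms, evidenceGap = false) {
  const { sqsAgeByQueueName } = buildAlarmIndex(alarms);
  return Object.fromEntries(queueNames.map(q =>
    [q, classifyCoverage(sqsAgeByQueueName.get(q) || [], 'sqs-age', evidenceGap)]));
}
```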

Stats

  • Plugin count UNCHANGED at 20 (existing 1150 grew in scope)
  • +52 new tests (41 v2 base + 11 reviewer-fold pin; plugin 1150 test count 116 → 168 across 22 → 33 suites)
  • EE full regression: 4860/4860 across 760 suites (was 4787/4787 across 745 suites at 0.5.0)
  • 47-session 100% green streak preserved
  • 12 new aws-sqs-sns-auditor soc2.json mapping rules (8 CC7.2 + 4 A1.2 dual-mapped)
  • Memory closures: aws_string_case_normalization reinforced via split-surface QueueName/TopicName discipline; conservative_classifier_principle reinforced in 4 new fold sites; emit_literal_set_drift extended with 7 new named CW constants

Smoke validation

This cycle ships synthetic-mock validation only. The 168-test plugin suite exercises all 7 severity branches across both classifiers via mocked CloudWatch DescribeAlarms responses, including the R-CRITICAL fold (empty AlarmActions) and R-LOW FIFO end-to-end matching. Real-AWS smoke validation is queued for a future ship cycle once SQS + SNS fixtures land in test-infra-builder; the institutional rule is to ship without it when the fixture-provisioning gap is documented, per the EE 0.5.0 SES precedent.

Coverage matrix unchanged at 10/4/33

Per the project’s matrix-shift discipline, this release adds substrate-evidence depth on the already-covered CC7.2 + A1.2 criteria rather than claiming new SOC 2 tiles. The patch-level bump (0.5.0 → 0.5.1) signals continued widening within the v0.5.x evidence-acquisition envelope (network-layer DNS in 0.5.0 → cross-SDK CloudWatch alarm-coverage in 0.5.1).

Who’s affected

AWS SQS + SNS adopters and event-driven-architecture engineers; AWS SRE / on-call teams operating production SQS + SNS workloads (the R-CRITICAL fold catches the institutional class where ActionsEnabled=true + AlarmActions=[] alarms exist in CloudWatch but fire NO paging); CC7.2 + A1.2 substrate-evidence buyers; SOC 2 readiness teams; AI-coding-agent users.

Recommended install (0.5.1)

npm install -g nsauditor-ai@0.1.50 @nsasoft/nsauditor-ai-ee@0.5.1
nsauditor-ai scan --host aws --plugins all --compliance soc2 --out evidence.json

# AI-coding-agent users also pull the refreshed skill:
npm install nsauditor-ai-agent-skill@0.1.17
