NSAuditor AI EE 0.6.3 Closes Alerting-Destination False-PASS in GuardDuty and Inspector2 Audit

NSAuditor AI EE 0.6.3 closes the substrate-without-sink false-PASS in plugin 1200: new alerting-destination audit verifies EventBridge routing or SecurityHub subscription per service per region.

What’s new: Nsasoft US LLC has released NSAuditor AI Enterprise Edition v0.6.3, closing a critical substrate-without-sink false-PASS class in plugin 1200 (AWS Inspector2 / GuardDuty Enablement Auditor). Prior to this release, the plugin could return a PASS verdict for service enablement even when no downstream routing path existed — GuardDuty was running, but no operator was paged when it detected a threat.

The alerting-destination audit

EE 0.6.3 adds a new audit dimension to plugin 1200 that verifies at least one downstream routing path is wired per service per region — either an EventBridge rule whose event pattern matches aws.guardduty or aws.inspector2 in ENABLED state, or a SecurityHub product subscription for the service.

Four verdict tiers

  • PASS alerting-destination-present — At least one EventBridge rule routes findings from the service source
  • MEDIUM alerting-destination-sh-only — SecurityHub subscription present but no EventBridge rule; aggregation only — auditor walkthrough required to confirm the SH-to-paging chain
  • HIGH alerting-destination-missing — No EventBridge rule AND no SecurityHub integration; operator must wire a routing path to satisfy CC7.1 monitoring evidence
  • LOW alerting-destination-unverifiable — AccessDenied or SDK unavailable on routing-check APIs; conservative classifier per institutional discipline

R-CRITICAL ARN-collision close-out

An independent reviewer pass caught a critical boundary bug: the SecurityHub product ARN check used :product/aws/inspector to detect Inspector2 subscriptions. That substring is a prefix of :product/aws/inspector2 — a stale Amazon Inspector Classic subscription (deprecated by AWS in 2024) would have satisfied the Inspector2 alerting-destination check and emitted a false PASS. EE 0.6.3 uses boundary-anchored matching with the constant /aws/inspector2, and a regression pin in the test suite prevents the class from recurring.

EventBridge wildcard matching

The EventBridge source matcher was also extended to recognise content-filter rule forms — {"prefix": "aws."} and {"wildcard": "aws.guard*"} — so catch-all routing patterns used in many IaC templates now match correctly instead of emitting a false-HIGH “no destination” finding.
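The two matchers described in the last two sections, as an added illustration that is not NSAuditor's own code: a boundary-anchored SecurityHub product-ARN check beside the substring check it replaces, an EventBridge source matcher that understands literal, prefix and wildcard entries, and the four-tier verdict built on them. All ARNs, rule objects and field names are constructed samples, not values from plugin 1200.

```javascript
// Added example (not NSAuditor code): the two matchers described above and the
// four-tier verdict. ARNs, rule objects and field names are constructed samples.

// Pre-0.6.3: substring test with the constant "/aws/inspector", which a stale
// Inspector Classic product ARN also contains.
function subscribedSubstring(productArns) {
  return productArns.some((a) => a.includes(":product/aws/inspector"));
}

// 0.6.3: "/aws/<service>" anchored at a boundary, so "/aws/inspector" no
// longer satisfies the Inspector2 check.
function subscribedAnchored(productArns, service) {
  const re = new RegExp(`/aws/${service}(?![A-Za-z0-9])`);
  return productArns.some((a) => re.test(a));
}

const escapeRe = (s) => s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");

// One "source" entry of an EventBridge event pattern: a literal string,
// {"prefix": "aws."} or {"wildcard": "aws.guard*"}.
function sourceEntryMatches(entry, source) {
  if (typeof entry === "string") return entry === source;
  if (entry && typeof entry.prefix === "string") return source.startsWith(entry.prefix);
  if (entry && typeof entry.wildcard === "string") {
    const body = entry.wildcard.split("*").map(escapeRe).join(".*");
    return new RegExp(`^${body}$`).test(source);
  }
  return false;
}

// A rule is a routing path only when ENABLED and its pattern names the source.
function ruleRoutes(rule, source) {
  if (rule.State !== "ENABLED") return false;
  const pattern = JSON.parse(rule.EventPattern);
  return Array.isArray(pattern.source) &&
    pattern.source.some((e) => sourceEntryMatches(e, source));
}

// Verdict for one service in one region.
function alertingVerdict({ service, rules, productArns, apiError }) {
  if (apiError) return "LOW alerting-destination-unverifiable";
  if (rules.some((r) => ruleRoutes(r, `aws.${service}`))) return "PASS alerting-destination-present";
  if (subscribedAnchored(productArns, service)) return "MEDIUM alerting-destination-sh-only";
  return "HIGH alerting-destination-missing";
}

// Constructed samples.
const CLASSIC_ARN = "arn:aws:securityhub:us-east-1::product/aws/inspector";
const INSPECTOR2_ARN = "arn:aws:securityhub:us-east-1::product/aws/inspector2";
const CATCH_ALL_RULE = { State: "ENABLED", EventPattern: JSON.stringify({ source: [{ prefix: "aws." }] }) };
```

With the samples above, the substring check accepts the Classic ARN as an Inspector2 subscription while the anchored check does not, and the prefix-form catch-all rule yields PASS for GuardDuty instead of a false HIGH.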

Compliance coverage

Five new entries in data/compliance/soc2.json route the new emissions under CC7.1 and CC7.2. The SOC 2 coverage matrix remains at 10 covered / 4 partial / 33 out-of-scope. Plugin count is unchanged at 49 (27 CE + 22 EE).

Install

npm install -g nsauditor-ai@0.1.57 @nsasoft/nsauditor-ai-ee@0.6.3