NSAuditor AI EE 0.6.5: sessionToken Sweep + Dead-Target Liveness Probes Close Two Real-World Audit Gaps
NSAuditor AI EE 0.6.5 fixes sessionToken handling across all 18 EE AWS plugins — unblocking AssumeRole auditors — and adds per-target liveness probes to plugin 1200’s EventBridge dimension.
Nsasoft US LLC today shipped NSAuditor AI Enterprise Edition v0.6.5, closing two deferred items from the EE 0.6.4 reviewer pass: a cross-plugin sessionToken sweep that unblocks AssumeRole-style auditor credentials across the entire EE catalog, and dead-target liveness probes that add a companion-LOW finding when EventBridge rule targets reference deleted or detached AWS resources.
sessionToken cross-plugin sweep — 18 plugins fixed
Auditors performing cross-account audits use aws sts assume-role to obtain temporary credentials consisting of an access key, secret key, and sessionToken. Pre-0.6.5, the 18 EE AWS plugins that construct AWS SDK v3 clients with operator-supplied credentials silently dropped the sessionToken. Every auto-loaded client then failed request signing — operators saw cryptic InvalidSignature or ExpiredTokenException errors with no clear root cause.
EE 0.6.5 threads sessionToken through the credentials block in all 18 plugins via a conditional spread:
...(config.sessionToken ? { sessionToken: config.sessionToken } : {})
A new source-level regression test (tests/aws_session_token_sweep.test.mjs) pins this contract — any future plugin added without sessionToken support gets caught at regression time.
Dead-target companion-LOW on plugin 1200
EE 0.6.4 introduced EventBridge target verification: events:ListTargetsByRule confirmed each matched rule had at least one target. That left a documented gap: target COUNT was verified, but per-target LIVENESS was not. An EventBridge rule with a Target.Arn pointing to a deleted Lambda function, detached SNS topic, or non-existent SQS queue still received a PASS verdict even though the invocation would silently fail.
EE 0.6.5 closes this with per-target liveness probes for the three most-common target types:
- Lambda functions — lambda:GetFunction on the fully qualified ARN (alias/version correctness verified server-side; alias PROD pointing to a deleted version surfaces as DEAD)
- SNS topics — sns:GetTopicAttributes
- SQS queues — sqs:GetQueueUrl + sqs:GetQueueAttributes (partition-aware; correct for GovCloud, ISO, and aws-cn)
When a rule contains at least one dead target, plugin 1200 emits a companion LOW finding alongside the PASS verdict — the PASS stands at the rule level (routing path exists), but the companion-LOW surfaces the per-target liveness gap with the affected ARNs (capped at 10 surfaced + deadTargetArnsTruncated count for tooling consumers).
Eventual-consistency defense
A freshly-created Lambda function may transiently return ResourceNotFoundException on GetFunction within the first ~30 seconds. EE 0.6.5 includes a one-retry-on-NotFound mechanism with a 750ms backoff — only after the retry also returns NotFound does the probe confirm DEAD. This prevents false-DEAD findings on legitimately-active resources.
Parallel probes + per-target timeout
The probe loop within a rule runs in parallel via Promise.all with a per-target 2-second timeout (operator-tunable via deadTargetProbeTimeoutMs). Timed-out probes route to UNVERIFIABLE rather than blocking the region scan. Unknown ARN shapes (IAM role, API destination, CloudWatch Logs) also route to UNVERIFIABLE per conservative-classifier discipline.
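The probe behaviour described in the last three sections, as an added sketch that is not NSAuditor's own code: one retry on NotFound before confirming DEAD, a per-target timeout that routes to UNVERIFIABLE, parallel probing, and the 10-ARN cap. The function names, the `deadTargetArns` field, the injected `probe` callback, the matched error names, and the choice to let the timeout cover the retry are assumptions.

```javascript
// Added example. classifyTarget, probeRule, deadTargetArns and the probe
// callback are hypothetical names, not NSAuditor code.
const KNOWN = new Set(['lambda', 'sns', 'sqs']);
const sleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms));
// Assumption: the SDK error names that mean "resource does not exist".
const isNotFound = (err) => /NotFound|QueueDoesNotExist/.test(err?.name ?? '');

// probe(arn, service) stands in for lambda:GetFunction, sns:GetTopicAttributes
// or sqs:GetQueueUrl + sqs:GetQueueAttributes; it resolves if the target exists.
async function classifyTarget(arn, probe, { timeoutMs = 2000, backoffMs = 750 } = {}) {
  const service = arn.split(':')[2];
  if (!KNOWN.has(service)) return 'UNVERIFIABLE'; // unknown ARN shape
  let timer;
  const timeout = new Promise((resolve) => {
    timer = setTimeout(() => resolve('UNVERIFIABLE'), timeoutMs);
  });
  const attempt = (async () => {
    for (let tries = 0; tries < 2; tries++) {
      try {
        await probe(arn, service);
        return 'LIVE';
      } catch (err) {
        // Assumption: AccessDenied, throttling etc. prove nothing either way.
        if (!isNotFound(err)) return 'UNVERIFIABLE';
        if (tries === 0) await sleep(backoffMs); // single retry after backoff
      }
    }
    return 'DEAD'; // NotFound on the first call and on the retry
  })();
  try {
    return await Promise.race([attempt, timeout]);
  } finally {
    clearTimeout(timer);
  }
}

// Probes every target of one rule in parallel and caps the surfaced ARNs at 10.
async function probeRule(targetArns, probe, opts) {
  const states = await Promise.all(
    targetArns.map((arn) => classifyTarget(arn, probe, opts)));
  const dead = targetArns.filter((_, i) => states[i] === 'DEAD');
  return {
    states,
    deadTargetArns: dead.slice(0, 10),
    deadTargetArnsTruncated: Math.max(0, dead.length - 10),
  };
}
```

A target that returns NotFound once and then resolves is reported LIVE, which is the false-DEAD case the retry exists to prevent.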
Sentinel observability
The 0.6.4 cycle introduced a targetCount: null sentinel to signal unverifiable failure modes — but auditors couldn’t drill down by reason. EE 0.6.5 extends the rule shape with targetVerificationReason carrying one of four stable enum values: AccessDenied, SdkUnavailable, BeyondCap, or SkippedByOpts.
New operator options
- skipTargetLivenessProbe: true — opt out of per-target liveness probing (preserves 0.6.4 behavior)
- deadTargetProbeTimeoutMs — per-target timeout in milliseconds (default 2000, minimum 100)
Availability
NSAuditor AI EE 0.6.5, CE 0.1.59, and agent-skill 0.1.26 are available immediately on npm. The SOC 2 coverage matrix is unchanged at 10 covered / 4 partial / 33 out-of-scope.
npm install -g nsauditor-ai@0.1.59 @nsasoft/nsauditor-ai-ee@0.6.5
npm install nsauditor-ai-agent-skill@0.1.26
Full release notes at nsauditor.com/ai/enterprise/.



