“NSAuditor AI EE 0.30.1 Strengthens AWS Security by Closing Vulnerabilities in RDS and API Gateway”
NSAuditor AI EE 0.30.1 Enhancements Strengthen AWS Security Posture
NSAuditor AI Enterprise version 0.30.1 closes the last two AWS sources where a real exposure could still read clean: Amazon RDS (Relational Database Service) and API Gateway. With this release, every AWS source has been brought under a dedicated false-negative pass, giving users a more robust security analysis.
Enhanced RDS Auditor Functionality
The RDS auditor now flags a manual DB snapshot whose restore permission is shared with “all” as a critical public exposure. The finding is raised even when the snapshot is encrypted, because the share grant itself is what exposes the data, which illustrates the importance of careful permission management. A share with a named account is now categorized as a HIGH risk, emphasizing the need for stringent access controls.
In addition, a denied DescribeDBInstances call previously caused a whole region to read clean. That behavior has been re-evaluated: such calls no longer pass without scrutiny, so a permissions failure cannot cause potentially critical vulnerabilities to be overlooked.
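The two RDS rules described above, sketched as an added example that is not NSAuditor's own code. The input objects follow the shape of the AWS RDS DescribeDBSnapshotAttributes response; the function names, the "EVIDENCE_GAP" label, and every snapshot and account identifier are assumptions constructed for the illustration.

```javascript
// Added illustration, not NSAuditor code. Response shapes follow the AWS RDS
// DescribeDBSnapshotAttributes API; the EVIDENCE_GAP label and all
// identifiers below are constructed for the example.

// Classify the "restore" attribute of one manual DB snapshot.
function classifySnapshotShare(result) {
  const attrs = (result && result.DBSnapshotAttributes) || [];
  const restore = attrs.find((a) => a.AttributeName === "restore");
  const values = (restore && restore.AttributeValues) || [];
  if (values.includes("all")) {
    // Public restore grant. Encryption is deliberately not consulted.
    return { severity: "CRITICAL", reason: "restore permission shared with all" };
  }
  if (values.length > 0) {
    return { severity: "HIGH", reason: "restore permission shared with named account(s)" };
  }
  return { severity: "NONE", reason: "snapshot is not shared" };
}

// Audit one region. Each entry in `calls` is an API response or an Error.
function auditRegion(region, calls) {
  const findings = [];
  if (calls.describeDBInstances instanceof Error) {
    // Fail closed: a denied inventory call is an evidence gap, never "clean".
    findings.push({ severity: "EVIDENCE_GAP",
      reason: "DescribeDBInstances failed: " + calls.describeDBInstances.name });
  }
  for (const result of calls.snapshotAttributes || []) {
    const verdict = classifySnapshotShare(result);
    if (verdict.severity !== "NONE") {
      findings.push({ snapshot: result.DBSnapshotIdentifier, ...verdict });
    }
  }
  return { region, clean: findings.length === 0, findings };
}

// Constructed sample input (not real resources or accounts).
const snap = (id, values) => ({ DBSnapshotIdentifier: id,
  DBSnapshotAttributes: [{ AttributeName: "restore", AttributeValues: values }] });
const denied = Object.assign(new Error("not authorized"), { name: "AccessDenied" });
const SAMPLE = {
  "us-east-1": { describeDBInstances: { DBInstances: [] },
    snapshotAttributes: [snap("example-public", ["all"]), snap("example-private", [])] },
  "eu-west-1": { describeDBInstances: { DBInstances: [] },
    snapshotAttributes: [snap("example-partner", ["111122223333"])] },
  "ap-south-1": { describeDBInstances: denied, snapshotAttributes: [] },
};
const REPORT = Object.entries(SAMPLE).map(([r, c]) => auditRegion(r, c));
console.log(JSON.stringify(REPORT, null, 2));
```

The third region has no snapshot findings at all, yet it is not reported clean, because the inventory call that would have proven it clean was denied.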
API Gateway Auditor Improvements
On the API Gateway front, the NSAuditor AI EE 0.30.1 release closes a significant gap in the WAF (Web Application Firewall) deep audit. The gap arose when a stage referenced a Web ACL that the scanner could not verify because of conditions such as the Web ACL being deleted, denied, cross-region, or malformed. Previously, these scenarios would allow vulnerabilities to pass through undetected. The release introduces six evidence-gap classes that fail closed, mirroring real WAF findings.
Key improvements include detecting a deleted Web ACL that returns a 403 status for every request. The scanner can now also identify unknown authorization schemes, silently skipped WebSocket APIs, and unencrypted response caches, which were previously unmonitored. This comprehensive coverage significantly bolsters the security posture of applications utilizing AWS services.
Compliance and Framework Neutrality
One of the standout features of this release is its matrix-neutral approach across the seven compliance frameworks. For instance, an anonymous API Gateway resource policy now aligns with PCI DSS 7.2.1 and GDPR Article 32, while a broken Web ACL will fail PCI 6.4.1 and ISO A.8.21. Furthermore, an unencrypted cache is flagged under ISO A.8.24, reinforcing the need for encryption in cloud services.
It is important to note that the GDPR routing in this update pertains only to Article 32’s infrastructure substrate and does not imply full GDPR compliance. However, these enhancements clearly demonstrate NSAuditor’s commitment to ensuring that clients can maintain a strong security and compliance posture across various regulatory requirements.
Despite these substantial improvements, the update does not introduce a new framework or increase the plugin count, which remains at 28. The coverage matrices across all seven frameworks are unchanged, allowing users to seamlessly integrate this update without the need for extensive retraining or adjustments.
Integration and Availability
NSAuditor AI EE 0.30.1 is designed to work in tandem with CE 0.2.13 and agent-skill 0.2.13, further enhancing the overall user experience. The updated tool is available via npm under two packages: nsauditor-ai for Community users under the MIT license, and @nsasoft/nsauditor-ai-ee for Enterprise users.
Conclusion
The latest enhancements in NSAuditor AI EE 0.30.1 not only close critical security gaps in AWS but also reinforce the tool’s commitment to providing a comprehensive security analysis framework. With these improvements, organizations can better protect their cloud infrastructure against evolving threats and maintain compliance with industry standards.



