NSAuditor AI Enterprise 0.19.1 Strengthens Cloud Security by Closing Seven Critical False Negatives Across AWS, Azure, and GCP


NSAuditor AI Enterprise 0.19.1 Enhances Cloud Security with Robust Updates

NSAuditor AI Enterprise has rolled out its latest version, 0.19.1, which effectively closes seven confirmed false negatives related to cloud auditing across major platforms including AWS, Azure, and Google Cloud Platform (GCP). This update aims to enhance security posture by addressing various vulnerabilities and ensuring compliance with established frameworks.

Privilege Escalation Mitigations for AWS IAM

One of the significant improvements in this release is the hardening of AWS Identity and Access Management (IAM) auditing against prefix-glob privilege escalation. The previously missed case involved policies that silently granted shadow-admin access through permissive wildcard actions such as iam:Create*, iam:Put*, and sts:Assume*. NSAuditor's new approach expands these globs during the audit so that the sensitive actions they reach are flagged, closing the gap on potential escalations.
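An added example, not NSAuditor's own rule code, of the kind of check described above: expanding each Allow statement's Action globs against a catalog of access-granting API calls so that a pattern like iam:Create* or sts:Assume* is reported with the concrete actions it reaches. The sensitive-action catalog and the sample policy are constructed for illustration and are far smaller than what a real scanner would carry.

```python
import fnmatch
import json

# Constructed, illustrative subset of actions that can grant or extend access;
# a real scanner carries a far larger catalog.
SENSITIVE_ACTIONS = {
    "iam:CreateAccessKey", "iam:CreateLoginProfile", "iam:CreatePolicyVersion",
    "iam:PutUserPolicy", "iam:PutRolePolicy", "iam:PutGroupPolicy",
    "iam:AttachUserPolicy", "iam:AttachRolePolicy", "iam:UpdateAssumeRolePolicy",
    "sts:AssumeRole",
}

def _as_list(value):
    """IAM allows a scalar or a list for Statement/Action; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)

def expand_action_glob(pattern, catalog=SENSITIVE_ACTIONS):
    """Catalog actions reached by an IAM action pattern ('*'/'?' wildcards,
    matched case-insensitively, as IAM does)."""
    pat = pattern.lower()
    return sorted(a for a in catalog if fnmatch.fnmatchcase(a.lower(), pat))

def find_glob_escalations(policy_json):
    """Return (sid, pattern, matched_actions) for each Allow statement whose
    Action globs expand to a sensitive action. Deny statements are skipped here;
    a production check must also decide whether a Deny overrides the Allow."""
    doc = json.loads(policy_json) if isinstance(policy_json, str) else policy_json
    findings = []
    for idx, stmt in enumerate(_as_list(doc.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", f"Statement[{idx}]")
        for pattern in _as_list(stmt.get("Action")):
            hits = expand_action_glob(pattern)
            if hits:
                findings.append((sid, pattern, hits))
    return findings

# Constructed sample: "ReadOnly" is benign, "LooksHarmless" is the prefix-glob
# shape the text describes, "Blocked" is a Deny and therefore ignored.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "ReadOnly", "Effect": "Allow", "Action": ["iam:Get*", "iam:List*"], "Resource": "*"},
    {"Sid": "LooksHarmless", "Effect": "Allow", "Action": ["iam:Create*", "sts:Assume*"], "Resource": "*"},
    {"Sid": "Blocked", "Effect": "Deny", "Action": "iam:Put*", "Resource": "*"},
]})

if __name__ == "__main__":
    for sid, pattern, hits in find_glob_escalations(SAMPLE_POLICY):
        print(f"{sid}: {pattern} -> {', '.join(hits)}")
```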

In addition to this, revived access-key hygiene checks have been implemented, ensuring that users adhere to best practices regarding the management of access keys, minimizing the risk of unauthorized access.

Enhanced Monitoring for SQS and SNS

NSAuditor has also addressed a critical issue with Amazon Simple Queue Service (SQS) where a world-open queue policy (with Principal: "*") had previously gone unchecked. The latest version now audits these policies at parity with Amazon Simple Notification Service (SNS), strengthening the overall monitoring capabilities for both messaging services.

Secure Backup Vaults and S3 Bucket Management

Another noteworthy enhancement is in the treatment of air-gapped backup vaults. The update ensures that permissions like KMS CreateGrant and GenerateDataKey are now treated as decrypt-enabling actions, thus reinforcing the security of sensitive data stored in backup vaults.

Moreover, versioned Amazon S3 buckets that previously only wrote delete markers without disposing of noncurrent versions are now detected through a read-only GetBucketVersioning fetch. This improvement helps maintain better version control and mitigates risks associated with unintentional data loss.

Lambda Runtime Management and GCP Permissions

NSAuditor 0.19.1 has also addressed the concerns surrounding deprecated and unknown AWS Lambda runtimes, which previously passed through the allowlist-by-exclusion mechanism. This version now correctly identifies and flags these problematic runtimes, enhancing the security of serverless computing environments.

In GCP, the creation of OIDC-impersonation and Workload Identity Federation providers via custom-role permissions is now treated as admin-equivalent, thus raising the security bar for identity management within the cloud environment.

VPC Endpoint Security and Evidence-Gap Reporting

Additionally, the scanner now includes VPC-endpoint sensitive-action matching based on service namespace, ensuring that sensitive operations are adequately monitored. In scenarios where the scanner genuinely cannot verify a control—such as when versioning is denied or an unknown runtime is detected—it now emits a routed evidence-gap. This mechanism ensures that any affected control is flagged as failing, rather than being inaccurately reported as secure.

Compliance and Frameworks Remain Unchanged

The plugin count remains stable at 28, and the six supported compliance frameworks (SOC 2, HIPAA, NIST CSF 2.0, PCI DSS v4.0.1, ISO/IEC 27001:2022, and CIS Controls v8) are unchanged. This consistency reflects NSAuditor's commitment to maintaining robust compliance coverage while enhancing security features.

Overall, the release of NSAuditor AI Enterprise 0.19.1 demonstrates a proactive approach to cloud security, focusing on closing vulnerabilities while ensuring compliance with industry standards. With a local-first design that emphasizes zero data exfiltration, organizations can trust that their cloud environments are more secure than ever.