|
@@ -17,18 +17,15 @@ NSAuditor AI is the open-source core of a privacy-first security intelligence pl
|
|
17
17
|
|
|
18
18
|
## What's New
|
|
19
19
|
|
|
20
|
-
For complete per-release history, see [CHANGELOG.md](./CHANGELOG.md). The Community Edition binary has been unchanged since 0.1.40; recent CE patches are documentation refreshes paired with Enterprise Edition (`@nsasoft/nsauditor-ai-ee`) ships.
|
|
21
|
-
|
|
22
|
-
- **0.1.60 (current)** — Paired with EE 0.6.6: minor cycle — **EE-RT.16 v3 plugin 1170 SG→SG transitive chain reachability** (closes false-CLEAN class on multi-hop SG exposure: BFS from public-CIDR roots through `UserIdGroupPairs` chains with cycle defense + depth cap + per-target chain cap; 2-hop emits **HIGH**, 3+ hop emits **CRITICAL** per operator-blindness principle; cross-VPC edges skipped as INFO trailer) **+ EE-RT.20.5 v6 plugin 1200 dead-target probe warm-up** (closes 0.6.5-reviewer-deferred long-tail: IAM role `iam:GetRole` + EventBridge API destination `events:DescribeApiDestination` + CloudWatch Logs `logs:DescribeLogGroups` with exact-name disambiguation; new SDK deps `@aws-sdk/client-iam` + `@aws-sdk/client-cloudwatch-logs`). 5 R1 reviewer folds: R-HIGH-1 BFS no-enqueue-past-cap (closes path-enumeration explosion on hub-and-spoke topologies) + R-MEDIUM-1 IAM `NoSuchEntityException` lifted into `_DEAD_TARGET_NOTFOUND_ERROR_NAMES` Set (restores eventual-consistency retry for IAM — the canonical worst case) + R-MEDIUM-2 IAM partition-routing contract documented + R-LOW-2 depth-cap-hit surfaced separately from per-target-cap + R-LOW-2 API destination ARN regex future-proofed. 3 new soc2.json mappings under CC6.6.
|
|
23
|
-
- **0.1.59** — Paired with EE 0.6.5: plugin 1200 v5 v4-reviewer-cleanup cycle — R-NIT named-constants + targetVerificationReason sentinel observability + **sessionToken cross-plugin sweep** (18 plugins; unblocks AssumeRole-style auditor credentials across the EE catalog) + **dead-target companion-LOW** (per-target liveness probes for Lambda / SNS / SQS; emits LOW alongside PASS when targets point to deleted resources). 5 R1 reviewer folds incl. case-insensitive NotFound + Lambda full-ARN + one-retry on eventual-consistency + parallel probes + SQS partition-aware via `GetQueueUrl`.
|
|
24
|
-
- **0.1.58** — Paired with EE 0.6.4: plugin 1200 v4 reviewer-cleanup — EventBridge target verification (closes substrate-without-sink false-PASS at the RULE level via `events:ListTargetsByRule`; sink-less rule → MEDIUM TARGETLESS), multi-failedAccount surface (delegated-admin Inspector2 scans now emit per-account LOWs with per-region cap + rollup), trigger uniformity (GD/Inspector2 alerting gates symmetrized on enabled-status). 5 R1 reviewer folds incl. R-HIGH-1 cap-skew classifier closure.
|
|
25
|
-
- **0.1.57** — Paired with EE 0.6.3: plugin 1200 v3 alerting-destination dim — closes the substrate-without-sink false-PASS class for GuardDuty / Inspector2 (no EventBridge rule + no SecurityHub integration = HIGH). SH-only path emits MEDIUM (aggregation-only). R-CRITICAL Inspector Classic ARN-collision closure + EventBridge content-filter grammar (`{prefix}` / `{wildcard}`).
|
|
26
|
-
- **0.1.56** — Paired with EE 0.6.2: plugin 1200 v2 evidence-acquisition extension — multi-region GuardDuty + Inspector2 enumeration (closes the single-region false-PASS class), GovCloud + ISO region support (closes a FedRAMP / StateRAMP / IL5+ false-PASS class), GuardDuty `FindingPublishingFrequency` check, Inspector2 baseline expansion (lambdaCode + codeRepository for Inspector2 GA 2024+).
|
|
27
|
-
- **0.1.55** — Paired with EE 0.6.1: NEW EE plugin 1200 AWS Inspector2 / GuardDuty Enablement Auditor (CC7.1 + CC7.2).
|
|
28
|
-
- **0.1.54** — Paired with EE 0.6.0: NEW EE plugin 1160 AWS VPC Endpoints / PrivateLink Auditor (CC6.6 + A1.2 + CC7.2).
|
|
29
|
-
- **0.1.50 – 0.1.53** — Paired with EE 0.5.x line (SES / SQS-SNS / cross-plugin hardening cycles).
|
|
30
|
-
- **0.1.46 – 0.1.49** — Paired with EE 0.4.7 – 0.4.9 (SES / RDS / ElastiCache Redis extensions).
|
|
31
|
-
- **Earlier** — CE 0.1.30 → 0.1.45 release notes (full per-release history) live in [CHANGELOG.md](./CHANGELOG.md).
|
|
20
|
+
- **CE 0.1.62** (current) — paired with **EE 0.6.8** (May 2026). **23 enterprise plugins** across AWS / Azure / GCP, mapped to 10 fully-covered + 4 partial AICPA TSC controls. Cycle headline: **NEW plugin 1024 GCP Cloud Storage Auditor** — first multi-cloud parity plugin since EE 0.6.1. Six dimensions mirroring AWS S3: bucket-level IAM public bindings, Uniform Bucket-Level Access, Object Versioning, Bucket Lock retention policy (SEC 17a-4 / FINRA 4511 WORM-alignment), CMEK via Cloud KMS (four-tier custody ladder), bucket-level access logging. New SDK dep `@google-cloud/storage` in optionalDependencies.
|
|
21
|
+
|
|
22
|
+
For prior releases, see [CHANGELOG.md](./CHANGELOG.md).
|
|
23
|
+
|
|
24
|
+
### Try Enterprise
|
|
25
|
+
|
|
26
|
+
→ **[See a sample scan walk-through](https://www.nsauditor.com/ai/docs/sample-scan/)** — full EE 0.6.7 output against a fictional Acme Corp AWS account + home-office router. Real engine output, synthetic data, no signup required.
|
|
27
|
+
|
|
28
|
+
→ **[NSAuditor AI Enterprise Edition](https://www.nsauditor.com/ai/enterprise/)** — 22 cloud plugins, signed SOC 2 evidence with RFC 3161 timestamps, native Vanta / Drata / Secureframe push, runs entirely inside your infrastructure (zero data exfiltration by architecture). Pricing from **$2k/yr (5 seats)** to **$10k+/yr (unlimited + custom SLA)**.
|
|
32
29
|
|
|
33
30
|
---
|
|
34
31
|
|
|
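Review bot: the plugin count in this hunk is internally inconsistent: the new CE 0.1.62 line states **23 enterprise plugins** (naming new plugin 1024 GCP Cloud Storage Auditor), while the Try Enterprise link a few lines later still advertises "22 cloud plugins", and the sample-scan link describes "full EE 0.6.7 output" although the stated current pairing is EE 0.6.8. Either update the link text to 23 and say that the walk-through predates 0.6.8, or explain the difference where it appears. The removed line also carried the statement that the Community Edition binary has been unchanged since 0.1.40 and that recent CE patches are documentation refreshes paired with EE ships; the replacement ("For prior releases, see CHANGELOG.md") drops it, yet that is the one fact a CE user needs to decide whether a version bump calls for a reinstall. Keep a sentence to that effect if it is still true.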
@@ -185,54 +182,50 @@ Results land in `./out/<host>_<timestamp>/`:
|
|
185
182
|
|
|
186
183
|
### Pro/Enterprise Plugins (via @nsasoft/nsauditor-ai-ee)
|
|
187
184
|
|
|
188
|
-
**EE 0.6.1 ships 22 enterprise plugins** (UP FROM 21 — the 0.6.1 patch-level new-plugin extension is EE-RT.20 v1 NEW plugin 1200 AWS Inspector2 / GuardDuty Enablement Auditor; first AWS-managed-threat-detection substrate audit; 4 active SOC 2 dimensions; 6 same-session R1 reviewer folds incl. R1-CRITICAL-1 soc2.json titlePattern misalignment closure preventing a shipping false-CLEAN on the compliance-mapping layer).
|
|
189
|
-
|
|
190
|
-
**EE 0.6.0 (superseded)** —**EE 0.6.0 ships 21 enterprise plugins** (UP FROM 20 — the 0.6.0 minor-version milestone is the first new plugin since EE 0.4.7: EE-RT.19 v1 NEW plugin 1160 AWS VPC Endpoints / PrivateLink Auditor; first plugin to specifically audit the PrivateLink isolation boundary; 4 SOC 2 dimensions; clean reviewer pass).
|
|
191
|
-
|
|
192
|
-
**EE 0.5.4 (superseded)** —**EE 0.5.4 ships 20 enterprise plugins** (UNCHANGED from EE 0.5.3 — the 0.5.4 bump is a cross-plugin Thread H sweep: §7.5 `_promote*FromKms` signature hardening on plugin 1140 v2 + 1180 v2 + §8 operator-config DoS caps on plugin 1170 v2; clean reviewer pass with 0 R-CRITICAL + 0 R-HIGH; final v0.5.x close-out cycle).
|
|
185
|
+
**22 enterprise plugins** across AWS, GCP, and Azure substrate audits — all mapped to AICPA Trust Services Criteria 2017 (10 covered + 4 partial controls). EE plugins live in the disjoint 1000+ ID range; CE reserves 001-099. Once licensed, the EE package installs alongside the CE binary and discovers automatically.
|
|
193
186
|
|
|
194
|
-
**EE 0.5.3 (superseded)** —**EE 0.5.3 ships 20 enterprise plugins** (UNCHANGED from EE 0.5.2 — the 0.5.3 patch-level bump is a pure plugin 1190 EE-RT.18 v3 extension: Part A DKIM public-key fingerprint capture/pin + Part B in-band DMARC alignment classifier; 5 same-session reviewer folds incl. 1 R-CRITICAL false-CLEAN closure on truncated DKIM keys).
|
|
187
|
+
→ **[Watch a sample scan run end-to-end](https://www.nsauditor.com/ai/docs/sample-scan/)** — synthetic Acme Corp AWS account + home-office router. Real EE 0.6.7 output, no signup required. See the transitive SG chain reachability finding, the multi-region GuardDuty audit, the dnsmasq CVE detection, and what the signed evidence pack actually looks like.
|
|
195
188
|
|
|
196
|
-
**EE 0.5.2 (superseded)** —**EE 0.5.2 ships 20 enterprise plugins** (UNCHANGED from EE 0.5.1 — the 0.5.2 patch-level bump is a pure consolidation cycle: plugin 1190 `aws-ses-auditor` deferred-items sweep via **EE-RT.18 v2.1** closing all 7 deferred reviewer-fold items from the 0.5.0 cycle; 6 same-session reviewer folds incl. 1 CRITICAL soc2 mapping closure + silent-loss-class closure on SES classic API quota exhaustion). EE plugins use the disjoint 1000+ ID range; CE reserves 001-099. Plugins audit AWS / GCP / Azure cloud substrate end-to-end against the AICPA Trust Services Criteria 2017 framework; every plugin is enterprise-gated by the `cloudScanners` capability and runs against customer-supplied cloud credentials. Once licensed, the EE package installs alongside the CE binary; auditor-facing TSC mapping documentation (`CHANGELOG.md` + `docs/soc2-coverage.md`) ships bundled.
|
|
189
|
+
→ **[Buy NSAuditor AI Enterprise Edition](https://www.nsauditor.com/ai/enterprise/)** · $2k / $5k / $10k+ per year · 5 / 25 / unlimited seats · onboarding call included.
|
|
197
190
|
|
|
198
191
|
**All EE plugins follow the same institutional plumbing pattern:**
|
|
199
192
|
|
|
200
193
|
- **Thread H `_instrumentSdkClient` wrap** — per-API AccessDenied counter + ZDE structural guard (verb-prefix denylist regex blocks `Get*` / `Retrieve*` / `Read*` value-reading APIs at SDK boundary) + idempotency sentinel
|
|
201
|
-
- **EE-RT.1.5 throttle-retry** — exponential-backoff retry on `Throttling*` / `RequestLimitExceeded` / `TooManyRequestsException` with per-command wall-clock budget
|
|
194
|
+
- **Throttle-retry** — exponential-backoff retry on `Throttling*` / `RequestLimitExceeded` / `TooManyRequestsException` with per-command wall-clock budget
|
|
202
195
|
- **Thread F `conclude()` field-selection allowlist** — structured-data ZDE: only AWS-public-namespace identifiers + integer counts flow through to findings; customer policy content / key material / encrypted payloads NEVER propagate
|
|
203
196
|
- **`conservative_classifier_principle`** — emit INFO+evidenceGap with verification prompt when ARN-shape disambiguation needs a follow-up API call; vacuous PASS on partial substrate evidence is treated as the worst SOC 2 reporting outcome
|
|
204
197
|
- **`aws_string_case_normalization`** — trim + lowercase AWS-returned strings at SDK-helper boundary; protects against the 7+ recurrent classes of case-sensitivity fail-open (IAM Condition keys, Lambda runtimes, KMS aliases, Effect/Action discriminators, FULL_ADMIN sentinel, S3 region)
|
|
205
198
|
|
|
206
|
-
| ID | Name | Tier | Purpose |
|
|
199
|
+
| ID | Name | Tier | What it audits |
|
|
207
200
|
|---|---|---|---|
|
|
208
|
-
| 1020 | AWS Cloud Scanner | Enterprise | S3 bucket hardening (PAB, encryption, versioning, Object Lock, MFA Delete, logging), SOC 2 evidence mapping |
|
|
209
|
-
| 1021 | GCP Cloud Scanner | Enterprise | Firewall rules + IAM bindings + Storage bucket public-access (CC6.1 / CC6.6 / C1.1) |
|
|
210
|
-
| 1022 | Azure Cloud Scanner | Enterprise | NSG rules + RBAC role assignments + Storage account hardening, SOC 2 evidence mapping (CC6.1 / CC6.6 / C1.1) |
|
|
211
|
-
| 1023 | Zero Trust Checker | Enterprise | Segmentation, encryption, identity, lateral movement scoring |
|
|
212
|
-
| 1030 | AWS IAM Deep Auditor | Enterprise | Shadow-admin path detection via BFS over PassRole / AssumeRole / federated trust; per-finding remediation pointers; restrictive-Condition allowlist (Auth0 / Okta / Cognito User Pool OIDC heuristic); SOC 2 CC6.1 evidence |
|
|
213
|
-
| 1040 | AWS CloudTrail Operational Integrity | Enterprise | CloudTrail trail health (multi-region default-ON, log-file validation, KMS-CMK, IsLogging); CloudWatch alarm coverage against CIS AWS Foundations Benchmark v1.5 §3.1–3.14 (v2 auditor-canonical `logs:DescribeMetricFilters` evidence stream); AWS Config + ConfigurationAggregator detection + STS `GetCallerIdentity` deterministic account-coverage check; cross-account S3 trail-destination WORM verification (SEC 17a-4 / FINRA 4511). CC7.2 + CC7.3 covered. |
|
|
214
|
-
| 1050 | AWS API Gateway Assurance (EE 0.3.9) | Enterprise | Entry-point evidence for Serverless-Framework deployments. Per-method/route authorization classifier (NONE = CRITICAL; AWS_IAM / Cognito / JWT = PASS; Lambda authorizer = INFO); custom-domain TLS policy (TLS_1_0 = HIGH); stage-level access logging / throttling / WAF; public-endpoint exposure. CC6.1 / CC6.6 / CC6.7 / CC7.1 / A1.2. |
|
|
215
|
-
| 1060 | AWS DynamoDB Audit Integrity (EE 0.3.9 — PI1.5 matrix shift) | Enterprise | First PI1-class evidence plugin ("audit-the-auditor"). Per-table PITR + deletion protection + KMS-CMK (conservative LOW-unverifiable when `:key/UUID` form); resource-policy presence; CloudTrail DynamoDB data-event coverage cross-reference. **Opens partial PI1.5 (Stored items)**. CC6.6 / CC7.1 / C1.1 / **PI1.5**. |
|
|
216
|
-
| **1070** | **AWS KMS Auditor** (NEW EE 0.4.0) | Enterprise | Cryptographic boundary integrity + key governance. Per-key rotation status; **wildcard-principal classifier across 5 severity tiers** (CRITICAL unconditional `kms:*` takeover; HIGH for sensitive actions; INFO read-only; PASS no-wildcard) covering Principal.AWS / Federated / Service / CanonicalUser shapes + case-insensitive AWS/action matching + NotPrincipal-Allow + NotAction-Allow + glob-action (`kms:Encrypt*` / `kms:Sign*`). Exports `_describeKeyManager()` helper for plugin 1060 cross-reference (closes EE-RT.2.1.1). CC6.3 / C1.1. |
|
|
217
|
-
| **1080** | **AWS Lambda Security Auditor** (NEW EE 0.4.0) | Enterprise | Runtime EOL detection (institutional-CRITICAL on `nodejs16.x` / `python3.7` etc. — case-normalized at boundary), public function-URL exposure, resource-policy permissive principals, environment-variable secret-suggestive name detection (ZDE-safe: VALUES never inspected — only names + presence), VPC configuration, KMS-CMK vs AWS-managed key custody, DLQ + reserved concurrency posture. CC6.1 / CC6.6 / CC7.1 / C1.1. |
|
|
218
|
-
| **1090** | **AWS Secrets Manager + SSM Parameter Store Auditor** (NEW EE 0.4.0) | Enterprise | Secrets Manager `ListSecrets` + `DescribeSecret` (rotation cadence, KMS-CMK custody, tag-driven prod-tier classification) + SSM Parameter Store `DescribeParameters` (String/SecureString classification + secret-suggestive name detection). **ZDE-critical**: scanner NEVER calls `GetSecretValue` / `GetParameter` — only `Describe*` / `List*` (metadata only). Defense-in-depth: verb-prefix denylist regex blocks `Get*` / `Retrieve*` / `Read*` at SDK boundary. CC6.1 / CC6.6 / C1.1. |
|
|
219
|
-
| **1100** | **AWS CodePipeline + CodeBuild Operational Integrity** (NEW EE 0.4.0) | Enterprise | Pipeline source-stage encryption, CodeBuild `privilegedMode` detection (HIGH for non-Docker-image), buildspec inlined-vs-S3 (drift surface), secrets via env vars vs Secrets Manager reference, IAM role wildcard-Action detection, S3 artifact-store encryption. Runtime-state audit surfaces stale-execution detection (pipeline's latest execution older than configured cadence). CC6.1 / CC7.1 / CC8.1 / C1.1. |
|
|
220
|
-
| **1110** | **IAM Effective Decrypt-Path Auditor** (NEW EE 0.4.0) | Enterprise | Cross-plugin reconciler: walks IAM policies for `kms:Decrypt` / `kms:ReEncrypt*` / `kms:GenerateDataKey` grants and cross-references against destination KMS key policies (plugin 1070) to compute the **effective decrypt path**. Closes institutional NotAction-implicit-decrypt false-PASS class (`Allow + NotAction:[...] + Resource:*` over-grants decrypt implicitly). Cross-plugin sister-fix in 1030: Effect + Action case-normalization at IAM-graph BFS boundary. CC6.1 / CC6.6 / C1.1 / C1.2. |
|
|
221
|
-
| **1120** | **AWS S3 Lifecycle + Cross-Region Replication Auditor** (NEW EE 0.4.0) | Enterprise | S3 lifecycle policy enumeration (CC7.1 retention-cadence evidence) + cross-region replication topology (A1.2 disaster-recovery substrate). Cross-region destination-bucket reachability verification closes silent-PASS class where replication source FAILED but emitted clean. C1.1 / C1.2 / A1.2. |
|
|
222
|
-
| **1130** | **AWS Backup Auditor — headline thread** (NEW EE 0.4.0; EE-RT.12 v1 → v1.24, 18-session institutional hardening arc) | Enterprise | The **largest single-plugin institutional-hardening arc in the EE codebase**: ~7800 lines / 545 plugin tests / 19 R2-strict recurrence-class same-session closures / 74 new soc2.json titlePattern entries across 7 controls. Audits the AWS Backup substrate end-to-end: Plans + Vaults + Recovery Points + Selections + Frameworks + Restore Testing + ReportPlans + Legal Holds + VaultType + Vault Tags + Vault Access Policy. **Headline capability: 12-dimension air-gapped vault attestation arc** for `LogicallyAirGappedBackupVault` resources — 6 cryptographic-isolation mechanisms (vault TYPE air-gapped + ARN account-segment-separation + destination KMS key-policy clean + destination KMS Grants clean + MRK-replica topology clean + source-account VPC-endpoint policy clean) PLUS 6 substrate dimensions (PITR / retention / encryption / RestoreTesting / Legal Holds / vault Access Policy). Cross-service SDK integration (`@aws-sdk/client-kms`, `@aws-sdk/client-ec2`, `@aws-sdk/client-config-service`, `@aws-sdk/client-backup`). CC6.3 / **CC6.6** / CC7.1 / CC8.1 / C1.1 / **C1.2** / **A1.2**. |
|
|
223
|
-
| **1140** | **AWS RDS Auditor** (EE 0.4.3 v1; **GROWN in EE 0.4.5 v2** — 3 dims → 7 dims + kms:DescribeKey cross-reference; **GROWN AGAIN in EE 0.4.8 v3** — 7 dims → 10 dims + database audit-logging) | Enterprise | Audits AWS RDS DB instances against **10 SOC 2 substrate-evidence dimensions** (v1 = 3 + v2 = 4 + v3 = 3): **v3 dim 8 pgAudit enabled** (CC7.2 + CC7.3, postgres-only — `DescribeDBParameters → pgaudit.log` non-empty AND `shared_preload_libraries` contains `pgaudit` token per R-MEDIUM-2 reviewer-fold **false-PASS closure** since Postgres silently ignores the GUC when SPL omits pgaudit; HIGH on disabled / new MEDIUM `rds-pgaudit-misconfigured` on SPL-omitted / PASS on fully configured; non-postgres engines = INFO + engine-not-applicable per `conservative_classifier_principle`); **v3 dim 9 CloudWatch Logs exports** (CC7.2 — `EnabledCloudwatchLogsExports` engine-dispatched essential/optional policy via frozen `_RDS_ENGINE_CWL_NAMES` dispatch table covering mysql/mariadb/aurora-mysql (essential=`error`) / postgres/aurora-postgresql (essential=`postgresql`) / oracle-* (essential=`audit`+`trace`) / sqlserver-* (essential=`error`); empty=HIGH, partial=MEDIUM, complete=PASS, unknown engine=INFO+engine-not-supported); **v3 dim 10 CloudWatch Logs retention** (CC7.2 + CC7.3 — `logs:DescribeLogGroups` enumeration on engine-dispatched prefix per R-HIGH-1 reviewer-fold **false-INFO closure**: `/aws/rds/instance/<id>/` for non-Aurora; `/aws/rds/cluster/<DBClusterIdentifier>/` for `aurora-*` engines — pre-fold hard-coded the instance path → 0 log groups on every Aurora node = false-INFO MEDIUM across the whole Aurora fleet; 30-day institutional baseline operator-tunable via `opts.auditLogRetentionPassMinDays` clamped 1..3653; distinct categories for never-expire INFO + below-baseline MEDIUM + cwl-opt-out LOW R-MEDIUM-3 fold + probe-failed LOW R-MEDIUM-5 fold + AccessDenied LOW + retentionDistribution per-group spread R-MEDIUM-4 fold). 
**v2 dim 1-7** preserved (Multi-AZ A1.2 / storage encryption + KMS-key custody with kms:DescribeKey cross-reference C1.1 / parameter-group SSL enforcement C1.1 / backup retention period A1.2 / public accessibility CC6.6 / IAM database authentication CC6.1 / snapshot encryption C1.1). **9 same-session v3 reviewer folds applied** (HIGH-1 Aurora cluster log-path; MEDIUM-2 pgAudit-SPL cross-check; MEDIUM-3 cwl-opt-out distinct; MEDIUM-4 retentionDistribution surfaced; MEDIUM-5 transient-error distinct; LOW-8 `_PGAUDIT_LIBRARY_NAME` + `_SHARED_PRELOAD_LIBRARIES_PARAM` named constants; LOW-9 engine case-norm tests; LOW-10 `truncated:bool` + `distributionTruncated:bool` flags; NIT-12 Aurora cluster integration test). 7 new v3 soc2.json titlePattern entries under CC7.2 (cumulative 25 across v1+v2+v3). Full institutional contract applied day-1 (EE-RT.13 PLUGIN_ID export + Thread H wrap + ZDE sanitizer + conservative classifier + EE-RT.12.25 v1 run() scaffold). `@aws-sdk/client-cloudwatch-logs` already in optionalDependencies (used by plugin 1040 since EE 0.4.0); v3 reuses via new `_loadCwlSdk` lazy loader. **Real-AWS smoke END-TO-END against `test-infra-builder` paired fixtures** in account 522412052794: in-place modification of `rds-compliant-cluster` (cost $0; brief Multi-AZ failover during apply-immediately reboot) validated ALL 3 v3 PASS-path classifiers; unmodified `rds-violator-db` validated HIGH path; account-wide finding distribution 9 PASS + 2 MEDIUM + 4 INFO + 5 HIGH. **First 0.4.x extension cycle to validate BOTH PASS-path AND HIGH-path classifiers** against real AWS in the same smoke run. **A1.2 / CC6.1 / CC6.6 / C1.1 / CC7.2 / CC7.3**. |
|
|
224
|
-
| **1150** | **AWS SQS/SNS Auditor** (NEW EE 0.4.4 v1; **EXTENDED EE 0.5.1 v2** — 5 → 7 dimensions: CloudWatch alarm coverage on SQS ApproximateAgeOfOldestMessage + SNS NumberOfNotificationsFailed; first plugin-1150 dim to cross an SDK boundary — SQS+SNS → CloudWatch) | Enterprise | Audits AWS SQS queues + SNS topics against **7 SOC 2 substrate-evidence dimensions** spanning two services in one plugin (institutional bundling — both substrate-evidence event-driven-architecture stores, both use the same SDK auth surface). **SQS encryption at rest** (C1.1 confidentiality — `GetQueueAttributes → SqsManagedSseEnabled` OR `KmsMasterKeyId`; four-tier severity ladder: HIGH unencrypted → MEDIUM AWS-managed-SSE OR `alias/aws/sqs` → PASS customer-managed CMK alias → LOW+evidenceGap on bare-UUID / `:key/UUID` ARN form per `conservative_classifier_principle`); **SQS transit-encryption policy** (CC6.6 segmentation — `aws:SecureTransport=false` Deny statement defense-in-depth over the HTTPS-only transport-layer guarantee); **SNS topic encryption at rest** (C1.1 confidentiality — `GetTopicAttributes → KmsMasterKeyId`; SNS has no SQS-managed-SSE equivalent so absent = HIGH); **SNS topic-policy permissive-Principal** (CC6.6 segmentation — wildcard-Principal classifier on sensitive actions sns:Publish / Subscribe / SetTopicAttributes / AddPermission / RemovePermission / DeleteTopic + `sns:*` / `*` wildcards; includes **NotAction-Allow** handling + **NotPrincipal-Allow** handling + **Resource-scope filtering**; severity ladder CRITICAL unconditional-wildcard → HIGH wildcard-WITH-Condition → PASS no-wildcard-sensitive); **SQS dead-letter queue presence** (A1.2 availability + CC7.1 anomaly-detection, **dual-mapped** — `RedrivePolicy` analysis; missing DLQ is the canonical silent-message-loss class). 
**NEW in v2 (EE 0.5.1): Dim 6 — SQS ApproximateAgeOfOldestMessage CloudWatch alarm coverage** (CC7.2 system-monitoring + A1.2 availability, dual-mapped — per-queue classifier checks for at least one `AWS/SQS:ApproximateAgeOfOldestMessage` MetricAlarm with the queue's `QueueName` dimension AND **both** `ActionsEnabled=true` AND non-empty `AlarmActions[]`; four severity outcomes PASS / MEDIUM / LOW / LOW+evidenceGap). **NEW in v2: Dim 7 — SNS NumberOfNotificationsFailed CloudWatch alarm coverage** (CC7.2 + A1.2, dual-mapped — per-topic analogue with `AWS/SNS:NumberOfNotificationsFailed` metric + `TopicName` dimension; closes silent message-loss class for downstream subscribers). **v2 single-fetch budget pattern** (mirrors plugin 1040 `_auditAlarmCoverage` scaffold): `_enumerateMetricAlarms` paginates `cloudwatch:DescribeAlarms` ONCE per scan; `_buildAlarmIndex` builds per-resource Maps (`sqsAgeByQueueName` + `snsFailureByTopicName`) for O(1) per-resource lookup. Pagination cap default 20 pages × 100 alarms = 2000 alarm ceiling, operator-tunable via `opts.cwAlarmPageCap`. **Soft-degrade contract** — CW SDK load failure routes per-resource classifier to LOW + evidenceGap rather than blocking SQS+SNS primary substrate audit. **R-CRITICAL v2 same-session fold (false-CLEAN closure)**: `actionable` requires BOTH `ActionsEnabled=true` AND non-empty `AlarmActions[]` array (pre-fold an `{ActionsEnabled:true, AlarmActions:[]}` alarm passed as PASS-tier evidence on a structurally broken alarm — CloudWatch fires NO operator paging when action list is empty). **First EE plugin to ship WITHOUT a smoke-time SDK hotfix** (v1) — `@aws-sdk/client-sqs` + `@aws-sdk/client-sns` were added to `optionalDependencies` PREEMPTIVELY per the 11th pre-implementation checklist item; v2 reuses `@aws-sdk/client-cloudwatch` already declared since EE 0.4.0 (no new SDK deps). **23 soc2.json titlePattern entries total** (11 v1 + 12 v2: 8 CC7.2 + 4 A1.2 dual-mapped). 
Full institutional contract applied day-1 (EE-RT.13 PLUGIN_ID export + Thread H wrap on BOTH SQS + SNS clients + ZDE sanitizer + conservative classifier + EE-RT.12.25 v1 run() scaffold + preemptive `aws_string_case_normalization` fold-sites). v1: 3 same-session reviewer folds. v2: 7 same-session reviewer folds (1 CRITICAL + 1 HIGH + 2 MEDIUM + 1 LOW + 1 NIT; 6 folded same-session). Smoke-validated against `test-infra-builder` paired fixtures (v1 only; v2 synthetic-mock only — no SQS/SNS CW alarms in fixtures yet). **C1.1 / CC6.6 / A1.2 / CC7.1 / CC7.2**. |
|
|
225
|
-
| **1160** | **AWS VPC Endpoints / PrivateLink Auditor** (**NEW EE 0.6.0** — first new plugin since EE 0.4.7; first plugin to audit the PrivateLink isolation boundary) | Enterprise | Audits AWS VPC endpoints (Interface + Gateway flavors) against **4 SOC 2 substrate-evidence dimensions** — VPC endpoints are the AWS-canonical PrivateLink primitive governing VPC-to-managed-service traffic without public-internet traversal. **Complements plugin 1170 SG perimeter** (1170 = layer-4 ingress; 1160 = service-layer perimeter). **Dim 1 — Endpoint policy permissive principals** (CC6.6 segmentation — wildcard-Principal classifier mirroring plugin 1150 SNS topic-policy discipline; NotPrincipal-Allow + Action-sensitivity filter via `_VPCE_SENSITIVE_ACTIONS` frozen Set; unconditional wildcard on sensitive action = CRITICAL `vpce-policy-wildcard-unconditional` — PrivateLink isolation BROKEN at the policy layer; WITH Condition = HIGH walkthroughRequired). **Dim 2 — PrivateDNS enabled** (CC6.6 — Interface + PrivateDnsEnabled=false = MEDIUM `vpce-private-dns-disabled` silent-bypass class; common operator misconfig where endpoint exists but clients still resolve service-public hostname → traffic over public internet; Gateway = INFO not-applicable). **Dim 3 — Endpoint state** (A1.2 + CC7.2 — `available` = PASS; `failed` = HIGH `vpce-state-failed` silent-failure class; transient = INFO; unknown enum = LOW + evidenceGap per `[[conservative_classifier_principle]]`). **Dim 4 — Endpoint type substrate disclosure** (Privacy + CC6.6 — INFO substrate evidence per VPC; records PrivateLink connectivity attestation for auditor evidence pack). **2 same-session reviewer folds**: R-MEDIUM unknown-type fail-safe (defaults to Interface — more thorough audit path) + R-NIT Effect case-insensitivity regression pin. **No new SDK dependencies** — `@aws-sdk/client-ec2` already declared since EE 0.4.5. 7 new soc2.json titlePattern entries (5 CC6.6 + 2 CC7.2/A1.2 dual-mapped). 
Full institutional contract applied day-1 (EE-RT.13 PLUGIN_ID + Thread H wrap + ZDE sanitizer + conservative classifier + EE-RT.12.25 v1 run() scaffold). 57 plugin tests + 2 reviewer-fold pins (59 total). Synthetic-mock validation only — no VPC endpoint paired fixtures yet in test-infra-builder. **CC6.6 / A1.2 / CC7.2 / Privacy (substrate)**. |
|
|
226
|
-
| **1170** | **AWS EC2 SG Perimeter Auditor** (EE 0.4.5 v1; **EXTENDED in EE 0.4.6 v2** — RESTRICTED_PORTS 13 → 23 ports per CIS AWS Foundations v3.0 + operator-config + per-SG cardinality cap) | Enterprise | Audits AWS EC2 Security Groups against SOC 2 CC6.6 network-segmentation evidence — reads the AWS-API DECLARED SG policy via `DescribeSecurityGroups`. **Orthogonal evidence to plugin 1023 zero-trust-checker** (1023 reads OBSERVED open ports from prior network probes; 1170 reads DECLARED SG policy). The pair gives auditors complete coverage of "is this port reachable, and is it supposed to be?" **Cross-plugin sister of EE-RT.14 v2 `_classifyPublicAccessibility`** dimension in plugin 1140 (which emits "auditor walkthrough required for SG analysis"; plugin 1170 closes that walkthrough deterministically). **6 audit dimensions:** **IPv4 0.0.0.0/0 ingress to RESTRICTED_PORTS** (CC6.6 perimeter — CRITICAL; **v2 RESTRICTED_PORTS covers 23 ports** per CIS AWS Foundations v3.0 alignment + emerging-data-tier coverage: SSH (22), RDP (3389), MS SQL (1433), MySQL (3306), Postgres (5432), Redshift (5439 — NEW v2), Redis (6379), Memcached (11211), MongoDB (27017), Elasticsearch (9200, 9300), CouchDB (5984), Docker daemon (2375), Kubelet API (10250), **K8s API server (6443 — NEW v2), etcd (2379-2380 — NEW v2), Kibana (5601 — NEW v2), InfluxDB (8086 — NEW v2), Kafka (9092 — NEW v2), Consul (8500 — NEW v2), ZooKeeper (2181 — NEW v2), Vault (8200 — NEW v2)**); **IPv6 ::/0 ingress to RESTRICTED_PORTS** (CC6.6 — CRITICAL IPv6 sibling; operators often miss while locking IPv4 down); **all-protocol (-1) ingress from 0.0.0.0/0** (CC6.6 — CRITICAL worst-possible perimeter posture; **per R-MEDIUM-1 fold suppresses dim 1+2 emissions at SG-scope** — auditor pack stays at one CRITICAL/SG instead of N+1); **public ingress to non-restricted ports** (CC6.6 substrate — INFO + walkthroughRequired; 80/443/8080-style web tier likely intentional, auditor verifies intent); **egress 0.0.0.0/0** (CC6.6 
substrate — INFO; AWS-default posture; out-of-scope for SG-layer DLP concerns); **orphan SGs** (CC6.2 governance — LOW; SG with no attached ENI via `DescribeNetworkInterfaces` cross-reference; AWS-default `default` SGs per-VPC excluded; **v2 system-managed-SG name-prefix exclusion list** excludes `ElasticMapReduce-`, `eks-cluster-sg-`, `AWSServiceRole`, `awseb-` etc. from orphan-detection — these are AWS-service-controlled and structurally non-deletable). **v2 operator-config knob `opts.additionalRestrictedPorts`** — lets tenants add custom ports beyond the baseline (validated 0-65535 integer + deduped against baseline). **v2 per-SG cardinality cap via `_USER_GROUP_DISPLAY_CAP = 10`** with rollup trailer (`...and N more`) defends against finding-size DoS on 1000+ SG accounts. **`UserIdGroupPairs` (SG-as-source) rules** surfaced as INFO + evidenceGap + walkthroughRequired per R-HIGH-1 fold — v1 only analyzes CIDR-source rules; transitive SG→SG chain reachability deferred to v3 (EE-RT.16 v3). 10 new soc2.json titlePattern entries across v1 + v2 (6 CC6.6 + 1 CC6.2 from v1; 1 PASS-tier fix + 2 cardinality-cap trailers from v2). Full institutional contract applied day-1. **7 same-session v2 reviewer folds including 2 CONVERGENT-CRITICAL findings** (C1 pre-existing v1 PASS-tier titlePattern bug; C2 cardinality-cap-trailer titlePatterns silently dropped at framework-engine harvest pre-fold). Smoke-validated against `test-infra-builder` paired fixtures (`nsauditor-secure-sg` + `nsauditor-exposed-sg`) in account 522412052794. **CC6.6 / CC6.2**. |
|
|
227
|
-
| **1190** | **AWS SES Email Integrity Auditor** (NEW EE 0.4.7; **EXTENDED EE 0.5.0 v2** — dims 1 + 2 + 4 grown in scope: DKIM CNAME DNS resolution + DMARC TXT record parser + SES classic API parity; first plugin in EE to depend on `node:dns/promises` for live DNS cross-reference) | Enterprise | Audits AWS SES + SESv2 email-sending substrate against **6 SOC 2 evidence dimensions** spanning confidentiality + email-integrity. Closes the next-highest-priority gap from the AWS SOC 2 audit-canonical compliance checklist after Redis closed in EE 0.4.6. **DKIM enablement + signing status** (CC6.1 / Privacy — `DkimAttributes.SigningEnabled` + 5-enum Status classifier: SUCCESS PASS / PENDING-TEMPORARY_FAILURE-NOT_STARTED INFO+walkthroughRequired transient / FAILED MEDIUM on DNS drift / unknown LOW+evidenceGap per `conservative_classifier_principle`; HIGH on SigningEnabled=false because outbound mail unsigned defeats SPF+DKIM+DMARC trust chain). **Custom MailFrom domain alignment** (Privacy substrate — `MailFromAttributes.MailFromDomain` + `MailFromDomainStatus`; INFO + walkthroughRequired on default amazonses.com because DMARC strict alignment impossible without custom MailFrom subdomain; PASS on custom + Status=SUCCESS). **Configuration set TLS enforcement** (C1.1 transit — `DeliveryOptions.TlsPolicy`; REQUIRE PASS / OPTIONAL HIGH opens SMTP-downgrade-attack window where network-layer adversary can strip STARTTLS from EHLO response forcing cleartext delivery of message body + headers; **distinct LOW + `tlsPolicyType` evidence branch** per R-MEDIUM-7 reviewer-fold catches non-string SDK-contract violations separately from missing-field unverifiable — pre-fold both flowed through identical narrative with empty quotes). 
**Identity sending authorization policy permissive principals** (CC6.6 — JSON-parsed IAM policy with **multi-class wildcard detector** covering bare `"*"` + `{AWS:"*"}` + `{Service:"*"}` + `{Federated:"*"}` + `{CanonicalUser:"*"}` + array-form `[*]` per R-HIGH-4 reviewer-fold walking every Principal class value; **distinct HIGH `ses-sending-auth-notprincipal-allow`** per R-CRITICAL-1 reviewer-fold catches NotPrincipal+Effect=Allow wildcard-EQUIVALENT class (universal grant minus exclusion list — pre-fold silently classified as bounded = false-CLEAN; matches plugins 1070 + 1150 NotPrincipal+Allow discipline); **LOW + evidenceGap `ses-sending-auth-malformed-statement`** per R-HIGH-2 reviewer-fold surfaces Effect-missing send-action statements that pre-fold were silently dropped). **Dedicated IP pool sending posture** (CC7.1 substrate, account-level — `ListDedicatedIpPools`; INFO + walkthroughRequired on configured pools / INFO on shared-pool default). **Suppression list state** (CC7.1 deliverability substrate, account-level — `ListSuppressedDestinations`; **ZDE invariant: NEVER reads suppressed-destination email addresses** — count + reason only; verified at run() envelope boundary via sentinel-string assertion per R-LOW-8 reviewer-fold). **Dual API surface discipline:** v1 uses SESv2 only (canonical modern API surface covers all 6 dimensions); `@aws-sdk/client-ses` declared in optionalDependencies for v2+ cross-API parity (per the dual-API discipline established in plugin 1180) — `_loadSesClassicSdk` dead-code load-check REMOVED per R-MEDIUM-6 reviewer-fold (false-degraded risk: pre-fold a missing classic SDK in production forced run() into "Plugin skipped" path even though v1 never exercises any classic export). 8 new soc2.json titlePattern entries (3 CC6.1 + 3 CC6.6 + 2 C1.1). Full institutional contract applied day-1 (EE-RT.13 PLUGIN_ID export + Thread H wrap + ZDE sanitizer + conservative classifier + EE-RT.12.25 v1 run() scaffold). 
**11 same-session reviewer folds applied** — ties the single-cycle reviewer-fold record (independent `general-purpose-agent` review yielded 12 findings; 11 folded same-session, 1 deferred to cross-plugin Thread H sweep). **Fourth EE plugin to ship without smoke-time SDK hotfix** (`@aws-sdk/client-ses` + `@aws-sdk/client-sesv2` both preemptively added to optionalDependencies). **No real-AWS smoke against violation-tier fixtures** — test-infra-builder has NO SES paired fixtures yet (full-stack fixtures deferred to EE-RT.18 v2 alongside DKIM CNAME DNS resolution + DMARC TXT record parsing). Empty-account smoke baseline against 522412052794 DID succeed end-to-end: plugin loads via CE→EE binding, all 4 SESv2 API enumerations succeed, baseline 2 INFO findings emit correctly, durationMs=842, ZDE invariant preserved. **CC6.1 / CC6.6 / C1.1 / CC7.1 (substrate) / Privacy (substrate)**. |
|
|
228
|
-
| **1180** | **AWS ElastiCache Redis Auditor** (EE 0.4.6 v1; **EXTENDED in EE 0.4.9 v2** — dims 2 + 6 grown in scope: kms:DescribeKey promotion + subnet route-table verifier; closes both v1 deferred items R-MEDIUM-3 + R-LOW-2) | Enterprise | Audits AWS ElastiCache Redis clusters against **6 SOC 2 substrate-evidence dimensions** spanning confidentiality + availability + segmentation. Closes the highest-priority gap from the AWS SOC 2 audit-canonical compliance checklist. **Transit encryption** (C1.1 PASS/HIGH — `TransitEncryptionEnabled=true` wraps RESP in TLS for client→cluster + primary→replica connections; HIGH on disabled — cleartext RESP on wire + AUTH tokens flow cleartext; cannot be toggled in place, requires snapshot+restore). **At-rest encryption with KMS key custody** (C1.1 four-tier ladder — HIGH disabled → MEDIUM AWS-owned-default (encrypted but no customer KmsKeyId) → MEDIUM `alias/aws/elasticache` (AWS-managed alias via `_AWS_MANAGED_ELASTICACHE_ALIAS_RE`) → PASS customer-managed CMK + LOW+evidenceGap on `:key/UUID` ARN form per `conservative_classifier_principle`). **Redis AUTH / IAM-auth user groups** (CC6.1 + CC6.2 — PASS on UserGroupIds configured (Redis 7+ ACL/IAM-auth user groups replace long-lived AUTH passwords); MEDIUM on no-authentication (cluster relies solely on SG perimeter — cross-plugin sister with plugin 1170 SG-perimeter audit); UserGroupIds cardinality cap 10 + "...and N more" overflow per R-MEDIUM-1 fold). **Multi-AZ deployment** (A1.2 availability — HIGH on `MultiAZ=disabled` for replication groups; INFO + standalone-not-applicable on single-node CacheClusters; INFO + evidenceGap on transient states `enabling` / `disabling` per `conservative_classifier_principle`). **SnapshotRetentionLimit cadence** (A1.2 — 0 = HIGH (no snapshots), 1-6 days = MEDIUM (below 7-day baseline), ≥7 days = PASS; operator-tunable via `opts.snapshotRetentionPassMinDays` clamped 1..35). 
**Subnet placement** (CC6.6 perimeter — INFO + walkthroughRequired on `default` subnet group per `conservative_classifier_principle` — operator may have private subnets named "default"). **Dual API enumeration with inter-API dedup**: `DescribeReplicationGroups` + `DescribeCacheClusters` covers both replication-group and standalone-CacheCluster surfaces; CacheClusters with `ReplicationGroupId` set are skipped (member-of-replication-group rule) to avoid double-emission. `_ELASTICACHE_SUPPORTED_ENGINES = Object.freeze(new Set(["redis"]))` — Memcached is out-of-scope by design (no native AUTH; no transit encryption substrate). 16 new soc2.json titlePattern entries (4 CC6.1 + 1 CC6.6 + 5 A1.2 + 8 C1.1). Full institutional contract applied day-1 (EE-RT.13 PLUGIN_ID export + Thread H wrap + ZDE sanitizer + conservative classifier + EE-RT.12.25 v1 run() scaffold). 3 same-session reviewer folds applied (R-MEDIUM-1 UserGroupIds cardinality cap canonical-parity, R-LOW-1 transient Multi-AZ state INFO + evidenceGap, R-LOW-2 inter-API dedup test pin). **Third EE plugin to ship without smoke-time SDK hotfix** (`@aws-sdk/client-elasticache` preemptively added to optionalDependencies). Smoke-validated against `test-infra-builder` paired fixtures (`redis-secure-cache` + `redis-leaky-cache`) in account 522412052794. **CC6.1 / CC6.2 / CC6.6 / A1.2 / C1.1**. |
|
|
229
|
-
| **1200** | **AWS Inspector2 / GuardDuty Enablement Auditor** (**NEW EE 0.6.1** — first AWS-managed-threat-detection substrate audit; second multi-service plugin in EE after plugin 1150 SQS+SNS) | Enterprise | Audits AWS GuardDuty + AWS Inspector2 enablement state — the **foundation-layer institutional evidence for CC7.1 detection procedures + CC7.2 monitoring** (an audit pack without managed-threat-detection evidence has no AWS-native anomaly-detection or CVE-detection stream). **4 active SOC 2 dimensions** (dim 5 org-scope deferred to v2 per EE-RT.20.1): **Dim 1 — GuardDuty Detector enablement per region** (CC7.1 — `guardduty:ListDetectors`; zero detectors = HIGH `gd-not-enabled` institutional silent-blind class — GuardDuty would catch reconnaissance / credential exfiltration / crypto-mining / malicious-IP communication). **Dim 2 — GuardDuty protection-feature coverage** (CC7.1 evidence depth — per-detector `guardduty:GetDetector`; institutional baseline S3_DATA_EVENTS / EKS_AUDIT_LOGS / EBS_MALWARE_PROTECTION / **RDS_LOGIN_EVENTS (R1-HIGH-3 fold)** / LAMBDA_NETWORK_LOGS / RUNTIME_MONITORING; modern Features[] + legacy DataSources fallback both supported with shared case-insensitive `_statusEnabled` predicate per `[[aws_string_case_normalization]]` R1-CRITICAL-2 fold). **Dim 3 — Inspector2 enablement** (CC7.1 + CC7.2 — `inspector2:BatchGetAccountStatus`; DISABLED/SUSPENDED = HIGH silent-blind for CVE coverage on EC2/ECR/Lambda; transient = INFO; unknown enum = LOW + evidenceGap per `[[conservative_classifier_principle]]`). **Dim 4 — Inspector2 scan-target coverage** (CC7.1 zero / CC7.2 partial — institutional baseline {EC2, ECR, Lambda}; zero resource types active = HIGH `inspector2-coverage-zero` silent-blind class; partial = MEDIUM with explicit `disabledResources` list). 
**6 same-session R1 reviewer folds** (network-security + Explore in parallel; 2 R-CRITICAL + 3 R-HIGH + 1 institutional-discipline): **R1-CRITICAL-1 soc2.json titlePattern misalignment closure** — 4 patterns would have silently failed CC7.1/CC7.2 compliance routing; all re-anchored to actual emission strings. **R1-CRITICAL-1 AccessDenied distinct findings** — distinct `_CAT_GD_ACCESSDENIED` / `_CAT_INS_ACCESSDENIED` categories so auditor walkthrough knows the cause is auditor-IAM gap not service absence. **R1-CRITICAL-2 legacy DataSources case normalization** via shared `_statusEnabled` predicate. **R1-HIGH-2 SUSPENDED/DISABLED Detector silent-blind closure** — Status guard added → HIGH `_CAT_GD_DETECTOR_NOT_ENABLED`. **R1-HIGH-3/4 dead-code drift closures**. **4 R2 reviewer-deferred** (queued in EE-RT.20.1): all-regions enumeration / FindingPublishingFrequency check / alerting-destination check / BatchGetAccountStatus contract verification. **No new SDK dependencies** — `@aws-sdk/client-guardduty` + `@aws-sdk/client-inspector2` added to optionalDependencies. 7 new soc2.json titlePattern entries (4 CC7.1 + 3 CC7.2) — all anchored to actual plugin emission strings after R1-CRITICAL-1 fold. Full institutional contract applied day-1 (EE-RT.13 PLUGIN_ID + Thread H wrap on BOTH GuardDuty + Inspector2 clients + ZDE sanitizer + conservative classifier + EE-RT.12.25 v1 run() scaffold). 48 plugin tests + 4 R1-fold regression pins (52 total). Synthetic-mock validation only — no GuardDuty/Inspector2 paired fixtures yet in test-infra-builder. **CC7.1 / CC7.2**. |
|
|
230
|
-
| — | SOC 2 Compliance Engine | Enterprise | AICPA TSC 2017 control mapping (10 covered + 4 partial controls post-EE 0.3.9 / 0.4.0), chain-of-custody, RFC 3161 timestamps, suppression workflow |
|
|
231
|
-
| — | SLA & MTTR Tracking | Enterprise | Per-severity SLA targets, compensating-control flow, finding lifecycle |
|
|
232
|
-
| — | Recurring-Scan Attestation | Enterprise | Multi-scan chronological matrix, cadence gap detection, scope drift (CC8.1) |
|
|
233
|
-
| — | GRC Platform Connector | Enterprise | Native API push to Vanta with retry/backoff, idempotency, rate-limit handling |
|
|
234
|
-
| — | WORM Evidence Storage | Enterprise | S3 Object Lock COMPLIANCE-mode, resource redaction, SHA-256 manifest |
|
|
235
|
-
| — | Tabletop Simulation | Enterprise | Probe-event manifest + SIEM detection correlation, configurable coverage bands |
|
|
201
|
+
| 1020 | AWS S3 Security | Enterprise | Bucket hardening: public-access block, encryption at rest, versioning, Object Lock COMPLIANCE-mode, MFA Delete, access logging. **CC6.1 / C1.1 / C1.2** |
|
|
202
|
+
| 1021 | GCP Cloud Scanner | Enterprise | Firewall rules + IAM bindings + Storage bucket public-access. **CC6.1 / CC6.6 / C1.1** |
|
|
203
|
+
| 1022 | Azure Cloud Scanner | Enterprise | NSG rules + RBAC role assignments + Storage account hardening. **CC6.1 / CC6.6 / C1.1** |
|
|
204
|
+
| 1023 | Zero Trust Checker | Enterprise | Segmentation, encryption, identity, lateral-movement scoring across the network surface. **CC6.1 / CC6.6** |
|
|
205
|
+
| 1030 | AWS IAM Deep Auditor | Enterprise | Shadow-admin path detection via BFS over PassRole / AssumeRole / federated trust. Restrictive-Condition allowlist for Auth0 / Okta / Cognito OIDC patterns. **CC6.1** |
|
|
206
|
+
| 1040 | AWS CloudTrail Operational Integrity | Enterprise | Trail health + CloudWatch alarm coverage against CIS AWS Benchmark §3.1–3.14 + AWS Config + cross-account S3 trail-destination WORM verification (SEC 17a-4 / FINRA 4511). **CC7.2 / CC7.3** |
|
|
207
|
+
| 1050 | AWS API Gateway Assurance | Enterprise | Per-route authz classifier (`NONE`=CRITICAL), custom-domain TLS policy, stage-level access logging + WAF, public-endpoint exposure. Entry-point evidence for serverless deployments. **CC6.1 / CC6.6 / CC6.7 / CC7.1 / A1.2** |
|
|
208
|
+
| 1060 | AWS DynamoDB Audit Integrity | Enterprise | First "audit-the-auditor" plugin. PITR + deletion protection + KMS-CMK custody + resource-policy presence + CloudTrail data-event cross-reference. **CC6.6 / CC7.1 / C1.1 / PI1.5** |
|
|
209
|
+
| 1070 | AWS KMS Auditor | Enterprise | Per-key rotation + wildcard-Principal classifier across 5 severity tiers (covers `Principal.AWS` / Federated / Service / CanonicalUser + NotPrincipal-Allow + NotAction-Allow + glob actions). **CC6.3 / C1.1** |
|
|
210
|
+
| 1080 | AWS Lambda Security | Enterprise | Runtime EOL detection (CRITICAL on `nodejs16.x` / `python3.7` etc.), public function URLs, resource-policy wildcards, env-var secret-name detection (ZDE-safe), VPC config, KMS custody, DLQ. **CC6.1 / CC6.6 / CC7.1 / C1.1** |
|
|
211
|
+
| 1090 | AWS Secrets Manager + SSM Parameter Store | Enterprise | Rotation cadence + KMS-CMK custody + SecureString classification + secret-name detection. **ZDE-critical**: never calls `GetSecretValue` / `GetParameter` — metadata only. Verb-prefix denylist blocks `Get*` / `Retrieve*` / `Read*` at the SDK boundary. **CC6.1 / CC6.6 / C1.1** |
|
|
212
|
+
| 1100 | AWS CodePipeline + CodeBuild | Enterprise | Source-stage encryption, `privilegedMode` detection, buildspec drift, secrets-via-env vs Secrets-Manager, IAM wildcard-Action, artifact-store encryption, stale-execution detection. **CC6.1 / CC7.1 / CC8.1 / C1.1** |
|
|
213
|
+
| 1110 | IAM Effective Decrypt-Path Auditor | Enterprise | Cross-plugin reconciler — walks IAM policies for `kms:Decrypt` / `ReEncrypt*` / `GenerateDataKey` grants and cross-references against KMS key policies to compute the effective decrypt path. Closes the NotAction-implicit-decrypt false-PASS class. **CC6.1 / CC6.6 / C1.1 / C1.2** |
|
|
214
|
+
| 1120 | AWS S3 Lifecycle + Cross-Region Replication | Enterprise | Lifecycle policy enumeration + cross-region replication topology. Cross-region destination-bucket reachability check closes silent-PASS where replication FAILED but emitted clean. **C1.1 / C1.2 / A1.2** |
|
|
215
|
+
| 1130 | AWS Backup Auditor | Enterprise | The flagship plugin — 12-dimension air-gapped vault attestation arc for `LogicallyAirGappedBackupVault` resources. Audits Plans + Vaults + Recovery Points + Frameworks + Restore Testing + Legal Holds + vault Access Policy. SEC 17a-4 / FINRA 4511 ransomware-defense substrate. **CC6.3 / CC6.6 / CC7.1 / CC8.1 / C1.1 / C1.2 / A1.2** |
|
|
216
|
+
| 1140 | AWS RDS Auditor | Enterprise | 10 dimensions: Multi-AZ, storage encryption + KMS custody, parameter-group SSL, backup retention, public accessibility, IAM database auth, snapshot encryption, **pgAudit + SPL cross-check**, CloudWatch Logs exports (engine-dispatched), log retention. **A1.2 / CC6.1 / CC6.6 / C1.1 / CC7.2 / CC7.3** |
|
|
217
|
+
| 1150 | AWS SQS/SNS Auditor | Enterprise | 7 dimensions across both services: encryption at rest + KMS custody, transit-encryption policy, topic-policy wildcards (CRITICAL on unconditional + NotPrincipal-Allow), DLQ presence, CloudWatch alarm coverage on `ApproximateAgeOfOldestMessage` + `NumberOfNotificationsFailed`. **C1.1 / CC6.6 / A1.2 / CC7.1 / CC7.2** |
|
|
218
|
+
| 1160 | AWS VPC Endpoints / PrivateLink | Enterprise | Endpoint-policy wildcards (CRITICAL on PrivateLink-breaking unconditional), PrivateDNS enabled (silent-bypass class), endpoint state (`failed` = silent failure), type substrate disclosure. **CC6.6 / A1.2 / CC7.2** |
|
|
219
|
+
| 1170 | AWS EC2 SG Perimeter | Enterprise | RESTRICTED_PORTS (23 ports per CIS AWS Foundations v3.0) wildcard ingress + IPv6 ::/0 + all-protocol-from-wildcard + orphan SG detection. **SG→SG transitive chain reachability**: BFS from public-CIDR roots through `UserIdGroupPairs` — 2-hop = HIGH, 3+ hop = CRITICAL. Catches the ALB → app → database exposure that per-SG audits silently miss. **CC6.6 / CC6.2** |
|
|
220
|
+
| 1180 | AWS ElastiCache Redis | Enterprise | 6 dimensions: transit encryption, at-rest + KMS custody (four-tier ladder), Redis AUTH / IAM user groups (Redis 7+ ACL), Multi-AZ, snapshot retention cadence, subnet placement. Cross-plugin sister to plugin 1170 for cache-tier perimeter. **CC6.1 / CC6.2 / CC6.6 / A1.2 / C1.1** |
|
|
221
|
+
| 1190 | AWS SES Email Integrity | Enterprise | 6 dimensions: DKIM enablement + CNAME DNS resolution + key-fingerprint pin, DMARC TXT parsing + alignment classifier, custom MailFrom alignment, config-set TLS enforcement, sending-auth policy wildcards, dedicated IP pool, suppression list (count-only — ZDE invariant: never reads addresses). **CC6.1 / CC6.6 / C1.1 / CC7.1 / Privacy** |
|
|
222
|
+
| 1200 | AWS Inspector2 / GuardDuty Enablement | Enterprise | 4 dimensions across all opted-in regions (17+ incl. GovCloud / ISO): GuardDuty Detector + protection features (S3 / EKS / EBS-malware / RDS-login / Lambda / RuntimeMonitoring), Inspector2 enablement, scan-target coverage. Plus alerting-destination dim (EventBridge or SecurityHub) and per-target liveness probes for Lambda / SNS / SQS / IAM / API destination / CloudWatch Logs. **CC7.1 / CC7.2** |
|
|
223
|
+
| — | SOC 2 Compliance Engine | Enterprise | AICPA TSC 2017 mapping (10 covered + 4 partial controls), chain-of-custody, RFC 3161 timestamps, suppression workflow with Ed25519 signing. |
|
|
224
|
+
| — | SLA & MTTR Tracking | Enterprise | Per-severity SLA targets, compensating-control flow, finding lifecycle, Type II rolling-quarter cadence. |
|
|
225
|
+
| — | Recurring-Scan Attestation | Enterprise | Multi-scan chronological matrix, cadence gap detection, scope-drift surface (CC8.1). |
|
|
226
|
+
| — | GRC Platform Connector | Enterprise | Native API push to Vanta / Drata / Secureframe with retry/backoff, idempotency, rate-limit handling, per-tenant token rotation. |
|
|
227
|
+
| — | WORM Evidence Storage | Enterprise | S3 Object Lock COMPLIANCE-mode + resource redaction + SHA-256 manifest. SEC 17a-4 / FINRA 4511 retention-compatible. |
|
|
228
|
+
| — | Tabletop Simulation | Enterprise | Probe-event manifest + SIEM detection correlation, configurable coverage bands (Type II / High-Assurance presets). |
|
|
236
229
|
|
|
237
230
|
**Running EE plugins** (after `nsauditor-ai license install <key>`):
|
|
238
231
|
|
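Review bot: the compact `| 1190 |` and `| 1200 |` rows drop the validation-status caveats that the removed rows carried, so the table now presents those two plugins at the same maturity as 1170 and 1180, which the removed text says were smoke-validated against `test-infra-builder` paired fixtures. The removed 1190 text states "No real-AWS smoke against violation-tier fixtures — test-infra-builder has NO SES paired fixtures yet" and the removed 1200 text states "Synthetic-mock validation only — no GuardDuty/Inspector2 paired fixtures yet in test-infra-builder"; a reader of the new table cannot tell which plugins have been exercised against real AWS resources. Suggest either a short validation marker in each compact row (e.g. "smoke-validated" vs "mock-validated") or a pointer to wherever that status is now recorded. Separately, the new 1200 row claims "4 dimensions across all opted-in regions (17+ incl. GovCloud / ISO)" plus an "alerting-destination dim", both of which the removed row lists under "4 R2 reviewer-deferred (queued in EE-RT.20.1)"; if these shipped in a later EE release, the row should name that EE version, as the removed rows did (e.g. "NEW EE 0.6.1"), so the CE README does not imply capabilities that a given paired EE build lacks.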