nsauditor-ai 0.1.61 → 0.1.62

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (2)
  1. package/README.md +42 -50
  2. package/package.json +1 -1
package/README.md CHANGED
@@ -17,19 +17,15 @@ NSAuditor AI is the open-source core of a privacy-first security intelligence pl
17
17
 
18
18
  ## What's New
19
19
 
20
- For complete per-release history, see [CHANGELOG.md](./CHANGELOG.md). The Community Edition binary has been unchanged since 0.1.40; recent CE patches are documentation refreshes paired with Enterprise Edition (`@nsasoft/nsauditor-ai-ee`) ships.
21
-
22
- - **0.1.61 (current)** — Paired with EE 0.6.7: patch-level R2 reviewer-deferred-items cleanup cycle — closes BOTH R2 items queued from the 0.6.6 reviewer pass. **EE-RT.16 v3.1 plugin 1170 SG-reference-graph edge dedup** (`_buildSgReferenceGraph` now dedupes edges by `(sourceGroupId, targetGroupId)` with `ports` aggregated as array; pre-fold a real-world ALB-fronting-app SG with 3 ingress perms on different ports referencing the same source SG emitted 3 distinct edges A→B, inflating BFS `chainCount` 2-5× and exhausting per-target chain caps on noise; `isCrossVpc` AND-aggregation per `[[conservative_classifier_principle]]`). **EE-RT.20.5 v6.1 plugin 1200 CloudWatch Logs probe retry-on-empty parity** (`_retryOnNotFound` accepts optional retry-on-result predicate; restructured to two-phase to cap total network calls at 2 even on compound paths — pre-fold CWL probe hit DEAD on first call without retry, losing eventual-consistency parity with IAM/Lambda/SNS/SQS branches). 4 R1 reviewer folds (0 R-CRITICAL + 0 R-HIGH + 1 R-MEDIUM + 3 R-LOW — clean review pass) + 1 unanticipated `_retryOnNotFound` two-phase restructure (caught by test interaction, prevents triple-retry on compound paths). soc2.json UNCHANGED — no new emission categories.
23
- - **0.1.60** — Paired with EE 0.6.6: minor cycle — **EE-RT.16 v3 plugin 1170 SG→SG transitive chain reachability** (closes false-CLEAN class on multi-hop SG exposure: BFS from public-CIDR roots through `UserIdGroupPairs` chains with cycle defense + depth cap + per-target chain cap; 2-hop emits **HIGH**, 3+ hop emits **CRITICAL** per operator-blindness principle; cross-VPC edges skipped as INFO trailer) **+ EE-RT.20.5 v6 plugin 1200 dead-target probe warm-up** (closes 0.6.5-reviewer-deferred long-tail: IAM role `iam:GetRole` + EventBridge API destination `events:DescribeApiDestination` + CloudWatch Logs `logs:DescribeLogGroups` with exact-name disambiguation; new SDK deps `@aws-sdk/client-iam` + `@aws-sdk/client-cloudwatch-logs`). 5 R1 reviewer folds: R-HIGH-1 BFS no-enqueue-past-cap (closes path-enumeration explosion on hub-and-spoke topologies) + R-MEDIUM-1 IAM `NoSuchEntityException` lifted into `_DEAD_TARGET_NOTFOUND_ERROR_NAMES` Set (restores eventual-consistency retry for IAM — the canonical worst case) + R-MEDIUM-2 IAM partition-routing contract documented + R-LOW-2 depth-cap-hit surfaced separately from per-target-cap + R-LOW-2 API destination ARN regex future-proofed. 3 new soc2.json mappings under CC6.6.
24
- - **0.1.59** — Paired with EE 0.6.5: plugin 1200 v5 v4-reviewer-cleanup cycle — R-NIT named-constants + targetVerificationReason sentinel observability + **sessionToken cross-plugin sweep** (18 plugins; unblocks AssumeRole-style auditor credentials across the EE catalog) + **dead-target companion-LOW** (per-target liveness probes for Lambda / SNS / SQS; emits LOW alongside PASS when targets point to deleted resources). 5 R1 reviewer folds incl. case-insensitive NotFound + Lambda full-ARN + one-retry on eventual-consistency + parallel probes + SQS partition-aware via `GetQueueUrl`.
25
- - **0.1.58** — Paired with EE 0.6.4: plugin 1200 v4 reviewer-cleanup — EventBridge target verification (closes substrate-without-sink false-PASS at the RULE level via `events:ListTargetsByRule`; sink-less rule → MEDIUM TARGETLESS), multi-failedAccount surface (delegated-admin Inspector2 scans now emit per-account LOWs with per-region cap + rollup), trigger uniformity (GD/Inspector2 alerting gates symmetrized on enabled-status). 5 R1 reviewer folds incl. R-HIGH-1 cap-skew classifier closure.
26
- - **0.1.57** — Paired with EE 0.6.3: plugin 1200 v3 alerting-destination dim closes the substrate-without-sink false-PASS class for GuardDuty / Inspector2 (no EventBridge rule + no SecurityHub integration = HIGH). SH-only path emits MEDIUM (aggregation-only). R-CRITICAL Inspector Classic ARN-collision closure + EventBridge content-filter grammar (`{prefix}` / `{wildcard}`).
27
- - **0.1.56** — Paired with EE 0.6.2: plugin 1200 v2 evidence-acquisition extension — multi-region GuardDuty + Inspector2 enumeration (closes the single-region false-PASS class), GovCloud + ISO region support (closes a FedRAMP / StateRAMP / IL5+ false-PASS class), GuardDuty `FindingPublishingFrequency` check, Inspector2 baseline expansion (lambdaCode + codeRepository for Inspector2 GA 2024+).
28
- - **0.1.55** — Paired with EE 0.6.1: NEW EE plugin 1200 AWS Inspector2 / GuardDuty Enablement Auditor (CC7.1 + CC7.2).
29
- - **0.1.54** — Paired with EE 0.6.0: NEW EE plugin 1160 AWS VPC Endpoints / PrivateLink Auditor (CC6.6 + A1.2 + CC7.2).
30
- - **0.1.50 – 0.1.53** — Paired with EE 0.5.x line (SES / SQS-SNS / cross-plugin hardening cycles).
31
- - **0.1.46 – 0.1.49** — Paired with EE 0.4.7 – 0.4.9 (SES / RDS / ElastiCache Redis extensions).
32
- - **Earlier** — CE 0.1.30 → 0.1.45 release notes (full per-release history) live in [CHANGELOG.md](./CHANGELOG.md).
20
+ - **CE 0.1.62** (current) paired with **EE 0.6.8** (May 2026). **23 enterprise plugins** across AWS / Azure / GCP, mapped to 10 fully-covered + 4 partial AICPA TSC controls. Cycle headline: **NEW plugin 1024 GCP Cloud Storage Auditor** — first multi-cloud parity plugin since EE 0.6.1. Six dimensions mirroring AWS S3: bucket-level IAM public bindings, Uniform Bucket-Level Access, Object Versioning, Bucket Lock retention policy (SEC 17a-4 / FINRA 4511 WORM-alignment), CMEK via Cloud KMS (four-tier custody ladder), bucket-level access logging. New SDK dep `@google-cloud/storage` in optionalDependencies.
21
+
22
+ For prior releases, see [CHANGELOG.md](./CHANGELOG.md).
23
+
24
+ ### Try Enterprise
25
+
26
+ **[See a sample scan walk-through](https://www.nsauditor.com/ai/docs/sample-scan/)** — full EE 0.6.7 output against a fictional Acme Corp AWS account + home-office router. Real engine output, synthetic data, no signup required.
27
+
28
+ **[NSAuditor AI Enterprise Edition](https://www.nsauditor.com/ai/enterprise/)** — 22 cloud plugins, signed SOC 2 evidence with RFC 3161 timestamps, native Vanta / Drata / Secureframe push, runs entirely inside your infrastructure (zero data exfiltration by architecture). Pricing from **$2k/yr (5 seats)** to **$10k+/yr (unlimited + custom SLA)**.
33
29
 
34
30
  ---
35
31
 
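Review bot: the added "What's New" block contradicts itself on plugin count: the CE 0.1.62 / EE 0.6.8 entry says "**23 enterprise plugins**" while the Enterprise blurb a few lines below says "22 cloud plugins"; since this cycle's headline is a new plugin (1024 GCP Cloud Storage Auditor), the lower figure reads as stale and should be 23 in both places, or the text should say what the 22 excludes. The sample-scan link still advertises "full EE 0.6.7 output" under a heading that pairs this release with EE 0.6.8; either note that the sample was not regenerated or bump it. This hunk also deletes the sentence "The Community Edition binary has been unchanged since 0.1.40; recent CE patches are documentation refreshes paired with Enterprise Edition ... ships." That is the one line a downstream consumer can use to decide whether a CE version bump needs re-review of the binary; given that package.json changes by a single line in this release, consider keeping an updated form of it rather than relying on CHANGELOG.md alone.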
@@ -186,54 +182,50 @@ Results land in `./out/<host>_<timestamp>/`:
186
182
 
187
183
  ### Pro/Enterprise Plugins (via @nsasoft/nsauditor-ai-ee)
188
184
 
189
- **EE 0.6.1 ships 22 enterprise plugins** (UP FROM 21 the 0.6.1 patch-level new-plugin extension is EE-RT.20 v1 NEW plugin 1200 AWS Inspector2 / GuardDuty Enablement Auditor; first AWS-managed-threat-detection substrate audit; 4 active SOC 2 dimensions; 6 same-session R1 reviewer folds incl. R1-CRITICAL-1 soc2.json titlePattern misalignment closure preventing a shipping false-CLEAN on the compliance-mapping layer).
190
-
191
- **EE 0.6.0 (superseded)** —**EE 0.6.0 ships 21 enterprise plugins** (UP FROM 20 — the 0.6.0 minor-version milestone is the first new plugin since EE 0.4.7: EE-RT.19 v1 NEW plugin 1160 AWS VPC Endpoints / PrivateLink Auditor; first plugin to specifically audit the PrivateLink isolation boundary; 4 SOC 2 dimensions; clean reviewer pass).
192
-
193
- **EE 0.5.4 (superseded)** —**EE 0.5.4 ships 20 enterprise plugins** (UNCHANGED from EE 0.5.3 — the 0.5.4 bump is a cross-plugin Thread H sweep: §7.5 `_promote*FromKms` signature hardening on plugin 1140 v2 + 1180 v2 + §8 operator-config DoS caps on plugin 1170 v2; clean reviewer pass with 0 R-CRITICAL + 0 R-HIGH; final v0.5.x close-out cycle).
185
+ **22 enterprise plugins** across AWS, GCP, and Azure substrate audits all mapped to AICPA Trust Services Criteria 2017 (10 covered + 4 partial controls). EE plugins live in the disjoint 1000+ ID range; CE reserves 001-099. Once licensed, the EE package installs alongside the CE binary and discovers automatically.
194
186
 
195
- **EE 0.5.3 (superseded)** —**EE 0.5.3 ships 20 enterprise plugins** (UNCHANGED from EE 0.5.2 the 0.5.3 patch-level bump is a pure plugin 1190 EE-RT.18 v3 extension: Part A DKIM public-key fingerprint capture/pin + Part B in-band DMARC alignment classifier; 5 same-session reviewer folds incl. 1 R-CRITICAL false-CLEAN closure on truncated DKIM keys).
187
+ **[Watch a sample scan run end-to-end](https://www.nsauditor.com/ai/docs/sample-scan/)** synthetic Acme Corp AWS account + home-office router. Real EE 0.6.7 output, no signup required. See the transitive SG chain reachability finding, the multi-region GuardDuty audit, the dnsmasq CVE detection, and what the signed evidence pack actually looks like.
196
188
 
197
- **EE 0.5.2 (superseded)** —**EE 0.5.2 ships 20 enterprise plugins** (UNCHANGED from EE 0.5.1 — the 0.5.2 patch-level bump is a pure consolidation cycle: plugin 1190 `aws-ses-auditor` deferred-items sweep via **EE-RT.18 v2.1** closing all 7 deferred reviewer-fold items from the 0.5.0 cycle; 6 same-session reviewer folds incl. 1 CRITICAL soc2 mapping closure + silent-loss-class closure on SES classic API quota exhaustion). EE plugins use the disjoint 1000+ ID range; CE reserves 001-099. Plugins audit AWS / GCP / Azure cloud substrate end-to-end against the AICPA Trust Services Criteria 2017 framework; every plugin is enterprise-gated by the `cloudScanners` capability and runs against customer-supplied cloud credentials. Once licensed, the EE package installs alongside the CE binary; auditor-facing TSC mapping documentation (`CHANGELOG.md` + `docs/soc2-coverage.md`) ships bundled.
189
+ **[Buy NSAuditor AI Enterprise Edition](https://www.nsauditor.com/ai/enterprise/)** · $2k / $5k / $10k+ per year · 5 / 25 / unlimited seats · onboarding call included.
198
190
 
199
191
  **All EE plugins follow the same institutional plumbing pattern:**
200
192
 
201
193
  - **Thread H `_instrumentSdkClient` wrap** — per-API AccessDenied counter + ZDE structural guard (verb-prefix denylist regex blocks `Get*` / `Retrieve*` / `Read*` value-reading APIs at SDK boundary) + idempotency sentinel
202
- - **EE-RT.1.5 throttle-retry** — exponential-backoff retry on `Throttling*` / `RequestLimitExceeded` / `TooManyRequestsException` with per-command wall-clock budget
194
+ - **Throttle-retry** — exponential-backoff retry on `Throttling*` / `RequestLimitExceeded` / `TooManyRequestsException` with per-command wall-clock budget
203
195
  - **Thread F `conclude()` field-selection allowlist** — structured-data ZDE: only AWS-public-namespace identifiers + integer counts flow through to findings; customer policy content / key material / encrypted payloads NEVER propagate
204
196
  - **`conservative_classifier_principle`** — emit INFO+evidenceGap with verification prompt when ARN-shape disambiguation needs a follow-up API call; vacuous PASS on partial substrate evidence is treated as the worst SOC 2 reporting outcome
205
197
  - **`aws_string_case_normalization`** — trim + lowercase AWS-returned strings at SDK-helper boundary; protects against the 7+ recurrent classes of case-sensitivity fail-open (IAM Condition keys, Lambda runtimes, KMS aliases, Effect/Action discriminators, FULL_ADMIN sentinel, S3 region)
206
198
 
207
- | ID | Name | Tier | Purpose |
199
+ | ID | Name | Tier | What it audits |
208
200
  |---|---|---|---|
209
- | 1020 | AWS Cloud Scanner | Enterprise | S3 bucket hardening (PAB, encryption, versioning, Object Lock, MFA Delete, logging), SOC 2 evidence mapping |
210
- | 1021 | GCP Cloud Scanner | Enterprise | Firewall rules + IAM bindings + Storage bucket public-access (CC6.1 / CC6.6 / C1.1) |
211
- | 1022 | Azure Cloud Scanner | Enterprise | NSG rules + RBAC role assignments + Storage account hardening, SOC 2 evidence mapping (CC6.1 / CC6.6 / C1.1) |
212
- | 1023 | Zero Trust Checker | Enterprise | Segmentation, encryption, identity, lateral movement scoring |
213
- | 1030 | AWS IAM Deep Auditor | Enterprise | Shadow-admin path detection via BFS over PassRole / AssumeRole / federated trust; per-finding remediation pointers; restrictive-Condition allowlist (Auth0 / Okta / Cognito User Pool OIDC heuristic); SOC 2 CC6.1 evidence |
214
- | 1040 | AWS CloudTrail Operational Integrity | Enterprise | CloudTrail trail health (multi-region default-ON, log-file validation, KMS-CMK, IsLogging); CloudWatch alarm coverage against CIS AWS Foundations Benchmark v1.5 §3.1–3.14 (v2 auditor-canonical `logs:DescribeMetricFilters` evidence stream); AWS Config + ConfigurationAggregator detection + STS `GetCallerIdentity` deterministic account-coverage check; cross-account S3 trail-destination WORM verification (SEC 17a-4 / FINRA 4511). CC7.2 + CC7.3 covered. |
215
- | 1050 | AWS API Gateway Assurance (EE 0.3.9) | Enterprise | Entry-point evidence for Serverless-Framework deployments. Per-method/route authorization classifier (NONE = CRITICAL; AWS_IAM / Cognito / JWT = PASS; Lambda authorizer = INFO); custom-domain TLS policy (TLS_1_0 = HIGH); stage-level access logging / throttling / WAF; public-endpoint exposure. CC6.1 / CC6.6 / CC6.7 / CC7.1 / A1.2. |
216
- | 1060 | AWS DynamoDB Audit Integrity (EE 0.3.9 — PI1.5 matrix shift) | Enterprise | First PI1-class evidence plugin ("audit-the-auditor"). Per-table PITR + deletion protection + KMS-CMK (conservative LOW-unverifiable when `:key/UUID` form); resource-policy presence; CloudTrail DynamoDB data-event coverage cross-reference. **Opens partial PI1.5 (Stored items)**. CC6.6 / CC7.1 / C1.1 / **PI1.5**. |
217
- | **1070** | **AWS KMS Auditor** (NEW EE 0.4.0) | Enterprise | Cryptographic boundary integrity + key governance. Per-key rotation status; **wildcard-principal classifier across 5 severity tiers** (CRITICAL unconditional `kms:*` takeover; HIGH for sensitive actions; INFO read-only; PASS no-wildcard) covering Principal.AWS / Federated / Service / CanonicalUser shapes + case-insensitive AWS/action matching + NotPrincipal-Allow + NotAction-Allow + glob-action (`kms:Encrypt*` / `kms:Sign*`). Exports `_describeKeyManager()` helper for plugin 1060 cross-reference (closes EE-RT.2.1.1). CC6.3 / C1.1. |
218
- | **1080** | **AWS Lambda Security Auditor** (NEW EE 0.4.0) | Enterprise | Runtime EOL detection (institutional-CRITICAL on `nodejs16.x` / `python3.7` etc. — case-normalized at boundary), public function-URL exposure, resource-policy permissive principals, environment-variable secret-suggestive name detection (ZDE-safe: VALUES never inspected — only names + presence), VPC configuration, KMS-CMK vs AWS-managed key custody, DLQ + reserved concurrency posture. CC6.1 / CC6.6 / CC7.1 / C1.1. |
219
- | **1090** | **AWS Secrets Manager + SSM Parameter Store Auditor** (NEW EE 0.4.0) | Enterprise | Secrets Manager `ListSecrets` + `DescribeSecret` (rotation cadence, KMS-CMK custody, tag-driven prod-tier classification) + SSM Parameter Store `DescribeParameters` (String/SecureString classification + secret-suggestive name detection). **ZDE-critical**: scanner NEVER calls `GetSecretValue` / `GetParameter` — only `Describe*` / `List*` (metadata only). Defense-in-depth: verb-prefix denylist regex blocks `Get*` / `Retrieve*` / `Read*` at SDK boundary. CC6.1 / CC6.6 / C1.1. |
220
- | **1100** | **AWS CodePipeline + CodeBuild Operational Integrity** (NEW EE 0.4.0) | Enterprise | Pipeline source-stage encryption, CodeBuild `privilegedMode` detection (HIGH for non-Docker-image), buildspec inlined-vs-S3 (drift surface), secrets via env vars vs Secrets Manager reference, IAM role wildcard-Action detection, S3 artifact-store encryption. Runtime-state audit surfaces stale-execution detection (pipeline's latest execution older than configured cadence). CC6.1 / CC7.1 / CC8.1 / C1.1. |
221
- | **1110** | **IAM Effective Decrypt-Path Auditor** (NEW EE 0.4.0) | Enterprise | Cross-plugin reconciler: walks IAM policies for `kms:Decrypt` / `kms:ReEncrypt*` / `kms:GenerateDataKey` grants and cross-references against destination KMS key policies (plugin 1070) to compute the **effective decrypt path**. Closes institutional NotAction-implicit-decrypt false-PASS class (`Allow + NotAction:[...] + Resource:*` over-grants decrypt implicitly). Cross-plugin sister-fix in 1030: Effect + Action case-normalization at IAM-graph BFS boundary. CC6.1 / CC6.6 / C1.1 / C1.2. |
222
- | **1120** | **AWS S3 Lifecycle + Cross-Region Replication Auditor** (NEW EE 0.4.0) | Enterprise | S3 lifecycle policy enumeration (CC7.1 retention-cadence evidence) + cross-region replication topology (A1.2 disaster-recovery substrate). Cross-region destination-bucket reachability verification closes silent-PASS class where replication source FAILED but emitted clean. C1.1 / C1.2 / A1.2. |
223
- | **1130** | **AWS Backup Auditor — headline thread** (NEW EE 0.4.0; EE-RT.12 v1 → v1.24, 18-session institutional hardening arc) | Enterprise | The **largest single-plugin institutional-hardening arc in the EE codebase**: ~7800 lines / 545 plugin tests / 19 R2-strict recurrence-class same-session closures / 74 new soc2.json titlePattern entries across 7 controls. Audits the AWS Backup substrate end-to-end: Plans + Vaults + Recovery Points + Selections + Frameworks + Restore Testing + ReportPlans + Legal Holds + VaultType + Vault Tags + Vault Access Policy. **Headline capability: 12-dimension air-gapped vault attestation arc** for `LogicallyAirGappedBackupVault` resources 6 cryptographic-isolation mechanisms (vault TYPE air-gapped + ARN account-segment-separation + destination KMS key-policy clean + destination KMS Grants clean + MRK-replica topology clean + source-account VPC-endpoint policy clean) PLUS 6 substrate dimensions (PITR / retention / encryption / RestoreTesting / Legal Holds / vault Access Policy). Cross-service SDK integration (`@aws-sdk/client-kms`, `@aws-sdk/client-ec2`, `@aws-sdk/client-config-service`, `@aws-sdk/client-backup`). CC6.3 / **CC6.6** / CC7.1 / CC8.1 / C1.1 / **C1.2** / **A1.2**. |
224
- | **1140** | **AWS RDS Auditor** (EE 0.4.3 v1; **GROWN in EE 0.4.5 v2** — 3 dims → 7 dims + kms:DescribeKey cross-reference; **GROWN AGAIN in EE 0.4.8 v3** — 7 dims → 10 dims + database audit-logging) | Enterprise | Audits AWS RDS DB instances against **10 SOC 2 substrate-evidence dimensions** (v1 = 3 + v2 = 4 + v3 = 3): **v3 dim 8 pgAudit enabled** (CC7.2 + CC7.3, postgres-only — `DescribeDBParameters → pgaudit.log` non-empty AND `shared_preload_libraries` contains `pgaudit` token per R-MEDIUM-2 reviewer-fold **false-PASS closure** since Postgres silently ignores the GUC when SPL omits pgaudit; HIGH on disabled / new MEDIUM `rds-pgaudit-misconfigured` on SPL-omitted / PASS on fully configured; non-postgres engines = INFO + engine-not-applicable per `conservative_classifier_principle`); **v3 dim 9 CloudWatch Logs exports** (CC7.2 — `EnabledCloudwatchLogsExports` engine-dispatched essential/optional policy via frozen `_RDS_ENGINE_CWL_NAMES` dispatch table covering mysql/mariadb/aurora-mysql (essential=`error`) / postgres/aurora-postgresql (essential=`postgresql`) / oracle-* (essential=`audit`+`trace`) / sqlserver-* (essential=`error`); empty=HIGH, partial=MEDIUM, complete=PASS, unknown engine=INFO+engine-not-supported); **v3 dim 10 CloudWatch Logs retention** (CC7.2 + CC7.3 — `logs:DescribeLogGroups` enumeration on engine-dispatched prefix per R-HIGH-1 reviewer-fold **false-INFO closure**: `/aws/rds/instance/<id>/` for non-Aurora; `/aws/rds/cluster/<DBClusterIdentifier>/` for `aurora-*` engines — pre-fold hard-coded the instance path → 0 log groups on every Aurora node = false-INFO MEDIUM across the whole Aurora fleet; 30-day institutional baseline operator-tunable via `opts.auditLogRetentionPassMinDays` clamped 1..3653; distinct categories for never-expire INFO + below-baseline MEDIUM + cwl-opt-out LOW R-MEDIUM-3 fold + probe-failed LOW R-MEDIUM-5 fold + AccessDenied LOW + retentionDistribution per-group spread R-MEDIUM-4 fold). 
**v2 dim 1-7** preserved (Multi-AZ A1.2 / storage encryption + KMS-key custody with kms:DescribeKey cross-reference C1.1 / parameter-group SSL enforcement C1.1 / backup retention period A1.2 / public accessibility CC6.6 / IAM database authentication CC6.1 / snapshot encryption C1.1). **9 same-session v3 reviewer folds applied** (HIGH-1 Aurora cluster log-path; MEDIUM-2 pgAudit-SPL cross-check; MEDIUM-3 cwl-opt-out distinct; MEDIUM-4 retentionDistribution surfaced; MEDIUM-5 transient-error distinct; LOW-8 `_PGAUDIT_LIBRARY_NAME` + `_SHARED_PRELOAD_LIBRARIES_PARAM` named constants; LOW-9 engine case-norm tests; LOW-10 `truncated:bool` + `distributionTruncated:bool` flags; NIT-12 Aurora cluster integration test). 7 new v3 soc2.json titlePattern entries under CC7.2 (cumulative 25 across v1+v2+v3). Full institutional contract applied day-1 (EE-RT.13 PLUGIN_ID export + Thread H wrap + ZDE sanitizer + conservative classifier + EE-RT.12.25 v1 run() scaffold). `@aws-sdk/client-cloudwatch-logs` already in optionalDependencies (used by plugin 1040 since EE 0.4.0); v3 reuses via new `_loadCwlSdk` lazy loader. **Real-AWS smoke END-TO-END against `test-infra-builder` paired fixtures** in account 522412052794: in-place modification of `rds-compliant-cluster` (cost $0; brief Multi-AZ failover during apply-immediately reboot) validated ALL 3 v3 PASS-path classifiers; unmodified `rds-violator-db` validated HIGH path; account-wide finding distribution 9 PASS + 2 MEDIUM + 4 INFO + 5 HIGH. **First 0.4.x extension cycle to validate BOTH PASS-path AND HIGH-path classifiers** against real AWS in the same smoke run. **A1.2 / CC6.1 / CC6.6 / C1.1 / CC7.2 / CC7.3**. |
225
- | **1150** | **AWS SQS/SNS Auditor** (NEW EE 0.4.4 v1; **EXTENDED EE 0.5.1 v2** — 5 → 7 dimensions: CloudWatch alarm coverage on SQS ApproximateAgeOfOldestMessage + SNS NumberOfNotificationsFailed; first plugin-1150 dim to cross an SDK boundary — SQS+SNS → CloudWatch) | Enterprise | Audits AWS SQS queues + SNS topics against **7 SOC 2 substrate-evidence dimensions** spanning two services in one plugin (institutional bundling — both substrate-evidence event-driven-architecture stores, both use the same SDK auth surface). **SQS encryption at rest** (C1.1 confidentiality — `GetQueueAttributes → SqsManagedSseEnabled` OR `KmsMasterKeyId`; four-tier severity ladder: HIGH unencrypted → MEDIUM AWS-managed-SSE OR `alias/aws/sqs` → PASS customer-managed CMK alias → LOW+evidenceGap on bare-UUID / `:key/UUID` ARN form per `conservative_classifier_principle`); **SQS transit-encryption policy** (CC6.6 segmentation — `aws:SecureTransport=false` Deny statement defense-in-depth over the HTTPS-only transport-layer guarantee); **SNS topic encryption at rest** (C1.1 confidentiality — `GetTopicAttributes → KmsMasterKeyId`; SNS has no SQS-managed-SSE equivalent so absent = HIGH); **SNS topic-policy permissive-Principal** (CC6.6 segmentation — wildcard-Principal classifier on sensitive actions sns:Publish / Subscribe / SetTopicAttributes / AddPermission / RemovePermission / DeleteTopic + `sns:*` / `*` wildcards; includes **NotAction-Allow** handling + **NotPrincipal-Allow** handling + **Resource-scope filtering**; severity ladder CRITICAL unconditional-wildcard → HIGH wildcard-WITH-Condition → PASS no-wildcard-sensitive); **SQS dead-letter queue presence** (A1.2 availability + CC7.1 anomaly-detection, **dual-mapped** — `RedrivePolicy` analysis; missing DLQ is the canonical silent-message-loss class). 
**NEW in v2 (EE 0.5.1): Dim 6 — SQS ApproximateAgeOfOldestMessage CloudWatch alarm coverage** (CC7.2 system-monitoring + A1.2 availability, dual-mapped — per-queue classifier checks for at least one `AWS/SQS:ApproximateAgeOfOldestMessage` MetricAlarm with the queue's `QueueName` dimension AND **both** `ActionsEnabled=true` AND non-empty `AlarmActions[]`; four severity outcomes PASS / MEDIUM / LOW / LOW+evidenceGap). **NEW in v2: Dim 7 — SNS NumberOfNotificationsFailed CloudWatch alarm coverage** (CC7.2 + A1.2, dual-mapped — per-topic analogue with `AWS/SNS:NumberOfNotificationsFailed` metric + `TopicName` dimension; closes silent message-loss class for downstream subscribers). **v2 single-fetch budget pattern** (mirrors plugin 1040 `_auditAlarmCoverage` scaffold): `_enumerateMetricAlarms` paginates `cloudwatch:DescribeAlarms` ONCE per scan; `_buildAlarmIndex` builds per-resource Maps (`sqsAgeByQueueName` + `snsFailureByTopicName`) for O(1) per-resource lookup. Pagination cap default 20 pages × 100 alarms = 2000 alarm ceiling, operator-tunable via `opts.cwAlarmPageCap`. **Soft-degrade contract** — CW SDK load failure routes per-resource classifier to LOW + evidenceGap rather than blocking SQS+SNS primary substrate audit. **R-CRITICAL v2 same-session fold (false-CLEAN closure)**: `actionable` requires BOTH `ActionsEnabled=true` AND non-empty `AlarmActions[]` array (pre-fold an `{ActionsEnabled:true, AlarmActions:[]}` alarm passed as PASS-tier evidence on a structurally broken alarm — CloudWatch fires NO operator paging when action list is empty). **First EE plugin to ship WITHOUT a smoke-time SDK hotfix** (v1) — `@aws-sdk/client-sqs` + `@aws-sdk/client-sns` were added to `optionalDependencies` PREEMPTIVELY per the 11th pre-implementation checklist item; v2 reuses `@aws-sdk/client-cloudwatch` already declared since EE 0.4.0 (no new SDK deps). **23 soc2.json titlePattern entries total** (11 v1 + 12 v2: 8 CC7.2 + 4 A1.2 dual-mapped). 
Full institutional contract applied day-1 (EE-RT.13 PLUGIN_ID export + Thread H wrap on BOTH SQS + SNS clients + ZDE sanitizer + conservative classifier + EE-RT.12.25 v1 run() scaffold + preemptive `aws_string_case_normalization` fold-sites). v1: 3 same-session reviewer folds. v2: 7 same-session reviewer folds (1 CRITICAL + 1 HIGH + 2 MEDIUM + 1 LOW + 1 NIT; 6 folded same-session). Smoke-validated against `test-infra-builder` paired fixtures (v1 only; v2 synthetic-mock only — no SQS/SNS CW alarms in fixtures yet). **C1.1 / CC6.6 / A1.2 / CC7.1 / CC7.2**. |
226
- | **1160** | **AWS VPC Endpoints / PrivateLink Auditor** (**NEW EE 0.6.0** — first new plugin since EE 0.4.7; first plugin to audit the PrivateLink isolation boundary) | Enterprise | Audits AWS VPC endpoints (Interface + Gateway flavors) against **4 SOC 2 substrate-evidence dimensions** — VPC endpoints are the AWS-canonical PrivateLink primitive governing VPC-to-managed-service traffic without public-internet traversal. **Complements plugin 1170 SG perimeter** (1170 = layer-4 ingress; 1160 = service-layer perimeter). **Dim 1 — Endpoint policy permissive principals** (CC6.6 segmentation — wildcard-Principal classifier mirroring plugin 1150 SNS topic-policy discipline; NotPrincipal-Allow + Action-sensitivity filter via `_VPCE_SENSITIVE_ACTIONS` frozen Set; unconditional wildcard on sensitive action = CRITICAL `vpce-policy-wildcard-unconditional` — PrivateLink isolation BROKEN at the policy layer; WITH Condition = HIGH walkthroughRequired). **Dim 2 — PrivateDNS enabled** (CC6.6 — Interface + PrivateDnsEnabled=false = MEDIUM `vpce-private-dns-disabled` silent-bypass class; common operator misconfig where endpoint exists but clients still resolve service-public hostname → traffic over public internet; Gateway = INFO not-applicable). **Dim 3 — Endpoint state** (A1.2 + CC7.2 — `available` = PASS; `failed` = HIGH `vpce-state-failed` silent-failure class; transient = INFO; unknown enum = LOW + evidenceGap per `[[conservative_classifier_principle]]`). **Dim 4 — Endpoint type substrate disclosure** (Privacy + CC6.6 — INFO substrate evidence per VPC; records PrivateLink connectivity attestation for auditor evidence pack). **2 same-session reviewer folds**: R-MEDIUM unknown-type fail-safe (defaults to Interface — more thorough audit path) + R-NIT Effect case-insensitivity regression pin. **No new SDK dependencies** — `@aws-sdk/client-ec2` already declared since EE 0.4.5. 7 new soc2.json titlePattern entries (5 CC6.6 + 2 CC7.2/A1.2 dual-mapped). 
Full institutional contract applied day-1 (EE-RT.13 PLUGIN_ID + Thread H wrap + ZDE sanitizer + conservative classifier + EE-RT.12.25 v1 run() scaffold). 57 plugin tests + 2 reviewer-fold pins (59 total). Synthetic-mock validation only — no VPC endpoint paired fixtures yet in test-infra-builder. **CC6.6 / A1.2 / CC7.2 / Privacy (substrate)**. |
227
- | **1170** | **AWS EC2 SG Perimeter Auditor** (EE 0.4.5 v1; **EXTENDED in EE 0.4.6 v2** — RESTRICTED_PORTS 13 → 23 ports per CIS AWS Foundations v3.0 + operator-config + per-SG cardinality cap) | Enterprise | Audits AWS EC2 Security Groups against SOC 2 CC6.6 network-segmentation evidence — reads the AWS-API DECLARED SG policy via `DescribeSecurityGroups`. **Orthogonal evidence to plugin 1023 zero-trust-checker** (1023 reads OBSERVED open ports from prior network probes; 1170 reads DECLARED SG policy). The pair gives auditors complete coverage of "is this port reachable, and is it supposed to be?" **Cross-plugin sister of EE-RT.14 v2 `_classifyPublicAccessibility`** dimension in plugin 1140 (which emits "auditor walkthrough required for SG analysis"; plugin 1170 closes that walkthrough deterministically). **6 audit dimensions:** **IPv4 0.0.0.0/0 ingress to RESTRICTED_PORTS** (CC6.6 perimeter — CRITICAL; **v2 RESTRICTED_PORTS covers 23 ports** per CIS AWS Foundations v3.0 alignment + emerging-data-tier coverage: SSH (22), RDP (3389), MS SQL (1433), MySQL (3306), Postgres (5432), Redshift (5439 — NEW v2), Redis (6379), Memcached (11211), MongoDB (27017), Elasticsearch (9200, 9300), CouchDB (5984), Docker daemon (2375), Kubelet API (10250), **K8s API server (6443 — NEW v2), etcd (2379-2380 — NEW v2), Kibana (5601 — NEW v2), InfluxDB (8086 — NEW v2), Kafka (9092 — NEW v2), Consul (8500 — NEW v2), ZooKeeper (2181 — NEW v2), Vault (8200 — NEW v2)**); **IPv6 ::/0 ingress to RESTRICTED_PORTS** (CC6.6 — CRITICAL IPv6 sibling; operators often miss while locking IPv4 down); **all-protocol (-1) ingress from 0.0.0.0/0** (CC6.6 — CRITICAL worst-possible perimeter posture; **per R-MEDIUM-1 fold suppresses dim 1+2 emissions at SG-scope** — auditor pack stays at one CRITICAL/SG instead of N+1); **public ingress to non-restricted ports** (CC6.6 substrate — INFO + walkthroughRequired; 80/443/8080-style web tier likely intentional, auditor verifies intent); **egress 0.0.0.0/0** 
(CC6.6 substrate — INFO; AWS-default posture; out-of-scope for SG-layer DLP concerns); **orphan SGs** (CC6.2 governance — LOW; SG with no attached ENI via `DescribeNetworkInterfaces` cross-reference; AWS-default `default` SGs per-VPC excluded; **v2 system-managed-SG name-prefix exclusion list** excludes `ElasticMapReduce-`, `eks-cluster-sg-`, `AWSServiceRole`, `awseb-` etc. from orphan-detection these are AWS-service-controlled and structurally non-deletable). **v2 operator-config knob `opts.additionalRestrictedPorts`** — lets tenants add custom ports beyond the baseline (validated 0-65535 integer + deduped against baseline). **v2 per-SG cardinality cap via `_USER_GROUP_DISPLAY_CAP = 10`** with rollup trailer (`...and N more`) defends against finding-size DoS on 1000+ SG accounts. **`UserIdGroupPairs` (SG-as-source) rules** surfaced as INFO + evidenceGap + walkthroughRequired per R-HIGH-1 fold — v1 only analyzes CIDR-source rules; transitive SG→SG chain reachability deferred to v3 (EE-RT.16 v3). 10 new soc2.json titlePattern entries across v1 + v2 (6 CC6.6 + 1 CC6.2 from v1; 1 PASS-tier fix + 2 cardinality-cap trailers from v2). Full institutional contract applied day-1. **7 same-session v2 reviewer folds including 2 CONVERGENT-CRITICAL findings** (C1 pre-existing v1 PASS-tier titlePattern bug; C2 cardinality-cap-trailer titlePatterns silently dropped at framework-engine harvest pre-fold). Smoke-validated against `test-infra-builder` paired fixtures (`nsauditor-secure-sg` + `nsauditor-exposed-sg`) in account 522412052794. **CC6.6 / CC6.2**. |
228
- | **1190** | **AWS SES Email Integrity Auditor** (NEW EE 0.4.7; **EXTENDED EE 0.5.0 v2** — dims 1 + 2 + 4 grown in scope: DKIM CNAME DNS resolution + DMARC TXT record parser + SES classic API parity; first plugin in EE to depend on `node:dns/promises` for live DNS cross-reference) | Enterprise | Audits AWS SES + SESv2 email-sending substrate against **6 SOC 2 evidence dimensions** spanning confidentiality + email-integrity. Closes the next-highest-priority gap from the AWS SOC 2 audit-canonical compliance checklist after Redis closed in EE 0.4.6. **DKIM enablement + signing status** (CC6.1 / Privacy — `DkimAttributes.SigningEnabled` + 5-enum Status classifier: SUCCESS PASS / PENDING-TEMPORARY_FAILURE-NOT_STARTED INFO+walkthroughRequired transient / FAILED MEDIUM on DNS drift / unknown LOW+evidenceGap per `conservative_classifier_principle`; HIGH on SigningEnabled=false because outbound mail unsigned defeats SPF+DKIM+DMARC trust chain). **Custom MailFrom domain alignment** (Privacy substrate — `MailFromAttributes.MailFromDomain` + `MailFromDomainStatus`; INFO + walkthroughRequired on default amazonses.com because DMARC strict alignment impossible without custom MailFrom subdomain; PASS on custom + Status=SUCCESS). **Configuration set TLS enforcement** (C1.1 transit — `DeliveryOptions.TlsPolicy`; REQUIRE PASS / OPTIONAL HIGH opens SMTP-downgrade-attack window where network-layer adversary can strip STARTTLS from EHLO response forcing cleartext delivery of message body + headers; **distinct LOW + `tlsPolicyType` evidence branch** per R-MEDIUM-7 reviewer-fold catches non-string SDK-contract violations separately from missing-field unverifiable — pre-fold both flowed through identical narrative with empty quotes). 
**Identity sending authorization policy permissive principals** (CC6.6 — JSON-parsed IAM policy with **multi-class wildcard detector** covering bare `"*"` + `{AWS:"*"}` + `{Service:"*"}` + `{Federated:"*"}` + `{CanonicalUser:"*"}` + array-form `[*]` per R-HIGH-4 reviewer-fold walking every Principal class value; **distinct HIGH `ses-sending-auth-notprincipal-allow`** per R-CRITICAL-1 reviewer-fold catches NotPrincipal+Effect=Allow wildcard-EQUIVALENT class (universal grant minus exclusion list — pre-fold silently classified as bounded = false-CLEAN; matches plugins 1070 + 1150 NotPrincipal+Allow discipline); **LOW + evidenceGap `ses-sending-auth-malformed-statement`** per R-HIGH-2 reviewer-fold surfaces Effect-missing send-action statements that pre-fold were silently dropped). **Dedicated IP pool sending posture** (CC7.1 substrate, account-level `ListDedicatedIpPools`; INFO + walkthroughRequired on configured pools / INFO on shared-pool default). **Suppression list state** (CC7.1 deliverability substrate, account-level — `ListSuppressedDestinations`; **ZDE invariant: NEVER reads suppressed-destination email addresses** — count + reason only; verified at run() envelope boundary via sentinel-string assertion per R-LOW-8 reviewer-fold). **Dual API surface discipline:** v1 uses SESv2 only (canonical modern API surface covers all 6 dimensions); `@aws-sdk/client-ses` declared in optionalDependencies for v2+ cross-API parity (per the dual-API discipline established in plugin 1180) `_loadSesClassicSdk` dead-code load-check REMOVED per R-MEDIUM-6 reviewer-fold (false-degraded risk: pre-fold a missing classic SDK in production forced run() into "Plugin skipped" path even though v1 never exercises any classic export). 8 new soc2.json titlePattern entries (3 CC6.1 + 3 CC6.6 + 2 C1.1). Full institutional contract applied day-1 (EE-RT.13 PLUGIN_ID export + Thread H wrap + ZDE sanitizer + conservative classifier + EE-RT.12.25 v1 run() scaffold). 
**11 same-session reviewer folds applied** — ties the single-cycle reviewer-fold record (independent `general-purpose-agent` review yielded 12 findings; 11 folded same-session, 1 deferred to cross-plugin Thread H sweep). **Fourth EE plugin to ship without smoke-time SDK hotfix** (`@aws-sdk/client-ses` + `@aws-sdk/client-sesv2` both preemptively added to optionalDependencies). **No real-AWS smoke against violation-tier fixtures** — test-infra-builder has NO SES paired fixtures yet (full-stack fixtures deferred to EE-RT.18 v2 alongside DKIM CNAME DNS resolution + DMARC TXT record parsing). Empty-account smoke baseline against 522412052794 DID succeed end-to-end: plugin loads via CE→EE binding, all 4 SESv2 API enumerations succeed, baseline 2 INFO findings emit correctly, durationMs=842, ZDE invariant preserved. **CC6.1 / CC6.6 / C1.1 / CC7.1 (substrate) / Privacy (substrate)**. |
229
- | **1180** | **AWS ElastiCache Redis Auditor** (EE 0.4.6 v1; **EXTENDED in EE 0.4.9 v2** — dims 2 + 6 grown in scope: kms:DescribeKey promotion + subnet route-table verifier; closes both v1 deferred items R-MEDIUM-3 + R-LOW-2) | Enterprise | Audits AWS ElastiCache Redis clusters against **6 SOC 2 substrate-evidence dimensions** spanning confidentiality + availability + segmentation. Closes the highest-priority gap from the AWS SOC 2 audit-canonical compliance checklist. **Transit encryption** (C1.1 PASS/HIGH — `TransitEncryptionEnabled=true` wraps RESP in TLS for client→cluster + primary→replica connections; HIGH on disabled — cleartext RESP on wire + AUTH tokens flow cleartext; cannot be toggled in place, requires snapshot+restore). **At-rest encryption with KMS key custody** (C1.1 four-tier ladder HIGH disabled → MEDIUM AWS-owned-default (encrypted but no customer KmsKeyId) → MEDIUM `alias/aws/elasticache` (AWS-managed alias via `_AWS_MANAGED_ELASTICACHE_ALIAS_RE`) → PASS customer-managed CMK + LOW+evidenceGap on `:key/UUID` ARN form per `conservative_classifier_principle`). **Redis AUTH / IAM-auth user groups** (CC6.1 + CC6.2 — PASS on UserGroupIds configured (Redis 7+ ACL/IAM-auth user groups replace long-lived AUTH passwords); MEDIUM on no-authentication (cluster relies solely on SG perimeter — cross-plugin sister with plugin 1170 SG-perimeter audit); UserGroupIds cardinality cap 10 + "...and N more" overflow per R-MEDIUM-1 fold). **Multi-AZ deployment** (A1.2 availability — HIGH on `MultiAZ=disabled` for replication groups; INFO + standalone-not-applicable on single-node CacheClusters; INFO + evidenceGap on transient states `enabling` / `disabling` per `conservative_classifier_principle`). **SnapshotRetentionLimit cadence** (A1.2 — 0 = HIGH (no snapshots), 1-6 days = MEDIUM (below 7-day baseline), ≥7 days = PASS; operator-tunable via `opts.snapshotRetentionPassMinDays` clamped 1..35). 
**Subnet placement** (CC6.6 perimeter INFO + walkthroughRequired on `default` subnet group per `conservative_classifier_principle` — operator may have private subnets named "default"). **Dual API enumeration with inter-API dedup**: `DescribeReplicationGroups` + `DescribeCacheClusters` covers both replication-group and standalone-CacheCluster surfaces; CacheClusters with `ReplicationGroupId` set are skipped (member-of-replication-group rule) to avoid double-emission. `_ELASTICACHE_SUPPORTED_ENGINES = Object.freeze(new Set(["redis"]))` — Memcached is out-of-scope by design (no native AUTH; no transit encryption substrate). 16 new soc2.json titlePattern entries (4 CC6.1 + 1 CC6.6 + 5 A1.2 + 8 C1.1). Full institutional contract applied day-1 (EE-RT.13 PLUGIN_ID export + Thread H wrap + ZDE sanitizer + conservative classifier + EE-RT.12.25 v1 run() scaffold). 3 same-session reviewer folds applied (R-MEDIUM-1 UserGroupIds cardinality cap canonical-parity, R-LOW-1 transient Multi-AZ state INFO + evidenceGap, R-LOW-2 inter-API dedup test pin). **Third EE plugin to ship without smoke-time SDK hotfix** (`@aws-sdk/client-elasticache` preemptively added to optionalDependencies). Smoke-validated against `test-infra-builder` paired fixtures (`redis-secure-cache` + `redis-leaky-cache`) in account 522412052794. **CC6.1 / CC6.2 / CC6.6 / A1.2 / C1.1**. |
230
- | **1200** | **AWS Inspector2 / GuardDuty Enablement Auditor** (**NEW EE 0.6.1** — first AWS-managed-threat-detection substrate audit; second multi-service plugin in EE after plugin 1150 SQS+SNS) | Enterprise | Audits AWS GuardDuty + AWS Inspector2 enablement state — the **foundation-layer institutional evidence for CC7.1 detection procedures + CC7.2 monitoring** (an audit pack without managed-threat-detection evidence has no AWS-native anomaly-detection or CVE-detection stream). **4 active SOC 2 dimensions** (dim 5 org-scope deferred to v2 per EE-RT.20.1): **Dim 1 — GuardDuty Detector enablement per region** (CC7.1 — `guardduty:ListDetectors`; zero detectors = HIGH `gd-not-enabled` institutional silent-blind class — GuardDuty would catch reconnaissance / credential exfiltration / crypto-mining / malicious-IP communication). **Dim 2 — GuardDuty protection-feature coverage** (CC7.1 evidence depth — per-detector `guardduty:GetDetector`; institutional baseline S3_DATA_EVENTS / EKS_AUDIT_LOGS / EBS_MALWARE_PROTECTION / **RDS_LOGIN_EVENTS (R1-HIGH-3 fold)** / LAMBDA_NETWORK_LOGS / RUNTIME_MONITORING; modern Features[] + legacy DataSources fallback both supported with shared case-insensitive `_statusEnabled` predicate per `[[aws_string_case_normalization]]` R1-CRITICAL-2 fold). **Dim 3 — Inspector2 enablement** (CC7.1 + CC7.2 — `inspector2:BatchGetAccountStatus`; DISABLED/SUSPENDED = HIGH silent-blind for CVE coverage on EC2/ECR/Lambda; transient = INFO; unknown enum = LOW + evidenceGap per `[[conservative_classifier_principle]]`). **Dim 4 — Inspector2 scan-target coverage** (CC7.1 zero / CC7.2 partial — institutional baseline {EC2, ECR, Lambda}; zero resource types active = HIGH `inspector2-coverage-zero` silent-blind class; partial = MEDIUM with explicit `disabledResources` list). 
**6 same-session R1 reviewer folds** (network-security + Explore in parallel; 2 R-CRITICAL + 3 R-HIGH + 1 institutional-discipline): **R1-CRITICAL-1 soc2.json titlePattern misalignment closure** — 4 patterns would have silently failed CC7.1/CC7.2 compliance routing; all re-anchored to actual emission strings. **R1-CRITICAL-1 AccessDenied distinct findings** — distinct `_CAT_GD_ACCESSDENIED` / `_CAT_INS_ACCESSDENIED` categories so auditor walkthrough knows the cause is auditor-IAM gap not service absence. **R1-CRITICAL-2 legacy DataSources case normalization** via shared `_statusEnabled` predicate. **R1-HIGH-2 SUSPENDED/DISABLED Detector silent-blind closure** — Status guard added → HIGH `_CAT_GD_DETECTOR_NOT_ENABLED`. **R1-HIGH-3/4 dead-code drift closures**. **4 R2 reviewer-deferred** (queued in EE-RT.20.1): all-regions enumeration / FindingPublishingFrequency check / alerting-destination check / BatchGetAccountStatus contract verification. **No new SDK dependencies** — `@aws-sdk/client-guardduty` + `@aws-sdk/client-inspector2` added to optionalDependencies. 7 new soc2.json titlePattern entries (4 CC7.1 + 3 CC7.2) — all anchored to actual plugin emission strings after R1-CRITICAL-1 fold. Full institutional contract applied day-1 (EE-RT.13 PLUGIN_ID + Thread H wrap on BOTH GuardDuty + Inspector2 clients + ZDE sanitizer + conservative classifier + EE-RT.12.25 v1 run() scaffold). 48 plugin tests + 4 R1-fold regression pins (52 total). Synthetic-mock validation only — no GuardDuty/Inspector2 paired fixtures yet in test-infra-builder. **CC7.1 / CC7.2**. |
231
- | — | SOC 2 Compliance Engine | Enterprise | AICPA TSC 2017 control mapping (10 covered + 4 partial controls post-EE 0.3.9 / 0.4.0), chain-of-custody, RFC 3161 timestamps, suppression workflow |
232
- | — | SLA & MTTR Tracking | Enterprise | Per-severity SLA targets, compensating-control flow, finding lifecycle |
233
- | — | Recurring-Scan Attestation | Enterprise | Multi-scan chronological matrix, cadence gap detection, scope drift (CC8.1) |
234
- | — | GRC Platform Connector | Enterprise | Native API push to Vanta with retry/backoff, idempotency, rate-limit handling |
235
- | — | WORM Evidence Storage | Enterprise | S3 Object Lock COMPLIANCE-mode, resource redaction, SHA-256 manifest |
236
- | — | Tabletop Simulation | Enterprise | Probe-event manifest + SIEM detection correlation, configurable coverage bands |
201
+ | 1020 | AWS S3 Security | Enterprise | Bucket hardening: public-access block, encryption at rest, versioning, Object Lock COMPLIANCE-mode, MFA Delete, access logging. **CC6.1 / C1.1 / C1.2** |
202
+ | 1021 | GCP Cloud Scanner | Enterprise | Firewall rules + IAM bindings + Storage bucket public-access. **CC6.1 / CC6.6 / C1.1** |
203
+ | 1022 | Azure Cloud Scanner | Enterprise | NSG rules + RBAC role assignments + Storage account hardening. **CC6.1 / CC6.6 / C1.1** |
204
+ | 1023 | Zero Trust Checker | Enterprise | Segmentation, encryption, identity, lateral-movement scoring across the network surface. **CC6.1 / CC6.6** |
205
+ | 1030 | AWS IAM Deep Auditor | Enterprise | Shadow-admin path detection via BFS over PassRole / AssumeRole / federated trust. Restrictive-Condition allowlist for Auth0 / Okta / Cognito OIDC patterns. **CC6.1** |
206
+ | 1040 | AWS CloudTrail Operational Integrity | Enterprise | Trail health + CloudWatch alarm coverage against CIS AWS Benchmark §3.1–3.14 + AWS Config + cross-account S3 trail-destination WORM verification (SEC 17a-4 / FINRA 4511). **CC7.2 / CC7.3** |
207
+ | 1050 | AWS API Gateway Assurance | Enterprise | Per-route authz classifier (`NONE`=CRITICAL), custom-domain TLS policy, stage-level access logging + WAF, public-endpoint exposure. Entry-point evidence for serverless deployments. **CC6.1 / CC6.6 / CC6.7 / CC7.1 / A1.2** |
208
+ | 1060 | AWS DynamoDB Audit Integrity | Enterprise | First "audit-the-auditor" plugin. PITR + deletion protection + KMS-CMK custody + resource-policy presence + CloudTrail data-event cross-reference. **CC6.6 / CC7.1 / C1.1 / PI1.5** |
209
+ | 1070 | AWS KMS Auditor | Enterprise | Per-key rotation + wildcard-Principal classifier across 5 severity tiers (covers `Principal.AWS` / Federated / Service / CanonicalUser + NotPrincipal-Allow + NotAction-Allow + glob actions). **CC6.3 / C1.1** |
210
+ | 1080 | AWS Lambda Security | Enterprise | Runtime EOL detection (CRITICAL on `nodejs16.x` / `python3.7` etc.), public function URLs, resource-policy wildcards, env-var secret-name detection (ZDE-safe), VPC config, KMS custody, DLQ. **CC6.1 / CC6.6 / CC7.1 / C1.1** |
211
+ | 1090 | AWS Secrets Manager + SSM Parameter Store | Enterprise | Rotation cadence + KMS-CMK custody + SecureString classification + secret-name detection. **ZDE-critical**: never calls `GetSecretValue` / `GetParameter` — metadata only. Verb-prefix denylist blocks `Get*` / `Retrieve*` / `Read*` at the SDK boundary. **CC6.1 / CC6.6 / C1.1** |
212
+ | 1100 | AWS CodePipeline + CodeBuild | Enterprise | Source-stage encryption, `privilegedMode` detection, buildspec drift, secrets-via-env vs Secrets-Manager, IAM wildcard-Action, artifact-store encryption, stale-execution detection. **CC6.1 / CC7.1 / CC8.1 / C1.1** |
213
+ | 1110 | IAM Effective Decrypt-Path Auditor | Enterprise | Cross-plugin reconciler walks IAM policies for `kms:Decrypt` / `ReEncrypt*` / `GenerateDataKey` grants and cross-references against KMS key policies to compute the effective decrypt path. Closes the NotAction-implicit-decrypt false-PASS class. **CC6.1 / CC6.6 / C1.1 / C1.2** |
214
+ | 1120 | AWS S3 Lifecycle + Cross-Region Replication | Enterprise | Lifecycle policy enumeration + cross-region replication topology. Cross-region destination-bucket reachability check closes silent-PASS where replication FAILED but emitted clean. **C1.1 / C1.2 / A1.2** |
215
+ | 1130 | AWS Backup Auditor | Enterprise | The flagship plugin 12-dimension air-gapped vault attestation arc for `LogicallyAirGappedBackupVault` resources. Audits Plans + Vaults + Recovery Points + Frameworks + Restore Testing + Legal Holds + vault Access Policy. SEC 17a-4 / FINRA 4511 ransomware-defense substrate. **CC6.3 / CC6.6 / CC7.1 / CC8.1 / C1.1 / C1.2 / A1.2** |
216
+ | 1140 | AWS RDS Auditor | Enterprise | 10 dimensions: Multi-AZ, storage encryption + KMS custody, parameter-group SSL, backup retention, public accessibility, IAM database auth, snapshot encryption, **pgAudit + SPL cross-check**, CloudWatch Logs exports (engine-dispatched), log retention. **A1.2 / CC6.1 / CC6.6 / C1.1 / CC7.2 / CC7.3** |
217
+ | 1150 | AWS SQS/SNS Auditor | Enterprise | 7 dimensions across both services: encryption at rest + KMS custody, transit-encryption policy, topic-policy wildcards (CRITICAL on unconditional + NotPrincipal-Allow), DLQ presence, CloudWatch alarm coverage on `ApproximateAgeOfOldestMessage` + `NumberOfNotificationsFailed`. **C1.1 / CC6.6 / A1.2 / CC7.1 / CC7.2** |
218
+ | 1160 | AWS VPC Endpoints / PrivateLink | Enterprise | Endpoint-policy wildcards (CRITICAL on PrivateLink-breaking unconditional), PrivateDNS enabled (silent-bypass class), endpoint state (`failed` = silent failure), type substrate disclosure. **CC6.6 / A1.2 / CC7.2** |
219
+ | 1170 | AWS EC2 SG Perimeter | Enterprise | RESTRICTED_PORTS (23 ports per CIS AWS Foundations v3.0) wildcard ingress + IPv6 ::/0 + all-protocol-from-wildcard + orphan SG detection. **SGSG transitive chain reachability**: BFS from public-CIDR roots through `UserIdGroupPairs` — 2-hop = HIGH, 3+ hop = CRITICAL. Catches the ALB app database exposure that per-SG audits silently miss. **CC6.6 / CC6.2** |
220
+ | 1180 | AWS ElastiCache Redis | Enterprise | 6 dimensions: transit encryption, at-rest + KMS custody (four-tier ladder), Redis AUTH / IAM user groups (Redis 7+ ACL), Multi-AZ, snapshot retention cadence, subnet placement. Cross-plugin sister to plugin 1170 for cache-tier perimeter. **CC6.1 / CC6.2 / CC6.6 / A1.2 / C1.1** |
221
+ | 1190 | AWS SES Email Integrity | Enterprise | 6 dimensions: DKIM enablement + CNAME DNS resolution + key-fingerprint pin, DMARC TXT parsing + alignment classifier, custom MailFrom alignment, config-set TLS enforcement, sending-auth policy wildcards, dedicated IP pool, suppression list (count-onlyZDE invariant: never reads addresses). **CC6.1 / CC6.6 / C1.1 / CC7.1 / Privacy** |
222
+ | 1200 | AWS Inspector2 / GuardDuty Enablement | Enterprise | 4 dimensions across all opted-in regions (17+ incl. GovCloud / ISO): GuardDuty Detector + protection features (S3 / EKS / EBS-malware / RDS-login / Lambda / RuntimeMonitoring), Inspector2 enablement, scan-target coverage. Plus alerting-destination dim (EventBridge or SecurityHub) and per-target liveness probes for Lambda / SNS / SQS / IAM / API destination / CloudWatch Logs. **CC7.1 / CC7.2** |
223
+ | — | SOC 2 Compliance Engine | Enterprise | AICPA TSC 2017 mapping (10 covered + 4 partial controls), chain-of-custody, RFC 3161 timestamps, suppression workflow with Ed25519 signing. |
224
+ | — | SLA & MTTR Tracking | Enterprise | Per-severity SLA targets, compensating-control flow, finding lifecycle, Type II rolling-quarter cadence. |
225
+ | — | Recurring-Scan Attestation | Enterprise | Multi-scan chronological matrix, cadence gap detection, scope-drift surface (CC8.1). |
226
+ | — | GRC Platform Connector | Enterprise | Native API push to Vanta / Drata / Secureframe with retry/backoff, idempotency, rate-limit handling, per-tenant token rotation. |
227
+ | — | WORM Evidence Storage | Enterprise | S3 Object Lock COMPLIANCE-mode + resource redaction + SHA-256 manifest. SEC 17a-4 / FINRA 4511 retention-compatible. |
228
+ | — | Tabletop Simulation | Enterprise | Probe-event manifest + SIEM detection correlation, configurable coverage bands (Type II / High-Assurance presets). |
237
229
 
238
230
  **Running EE plugins** (after `nsauditor-ai license install <key>`):
239
231
 
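Review bot: three of the added rows appear to have lost characters in the rewrite, and the loss changes what the text says. The new 1170 row reads "**SGSG transitive chain reachability**" and "Catches the ALB app database exposure", whereas the removed 1170 row spelled the same concept as "transitive SG→SG chain reachability"; the arrow between the two SGs is gone, and the ALB/app/database phrase presumably lost its arrows the same way (suggest "SG→SG" and "ALB→app→database"). The new 1190 row reads "suppression list (count-onlyZDE invariant: never reads addresses)", where a separator between "count-only" and "ZDE invariant" has been dropped (suggest "count-only; ZDE invariant"). Two smaller points on the same hunk: the new 1200 row says "4 dimensions across all opted-in regions ... Plus alerting-destination dim", which reads as five dimensions, and the removed 1200 row still listed all-regions enumeration and the alerting-destination check among the "4 R2 reviewer-deferred" items, so the row should state the dimension count consistently and say which EE version closed those deferred items; and the condensed rows drop the per-plugin EE version provenance the removed rows carried (e.g. "EE 0.4.5 v1; **EXTENDED in EE 0.4.6 v2**"), so a reader of the table can no longer tell which EE release introduced a capability without leaving the README.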
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "nsauditor-ai",
3
- "version": "0.1.61",
3
+ "version": "0.1.62",
4
4
  "description": "Modular AI-assisted network security audit platform — Community Edition",
5
5
  "type": "module",
6
6
  "private": false,