A clean, linear getting-started path for new NSAuditor AI Enterprise customers:
install → activate → configure → scan → read the results.
Everything runs on your machine — no data leaves your network. This guide reflects the
current shipped product, EE 0.32.3 — the RDS auditor now audits cluster-level SSL enforcement, closing a cleartext false-negative on instance-less Aurora Serverless v1 clusters whose cluster parameter group left SSL/TLS off; a set-but-not-yet-applied (pending-reboot) SSL/pgAudit parameter is no longer affirmed as effective; and the CE CLI now fails fast on a bad GRC configuration at scan startup. Matrix-neutral — no new framework or plugins (still 28 EE plugins), all seven coverage matrices unchanged, including
--aws-region
multi-region scoping and the Claude Desktop / MCP workflow.
After buying NSAuditor AI Enterprise from nsauditor.com/ai/enterprise, your confirmation email contains two things you'll need below:
• your Enterprise license key — enterprise_eyJhbGciOiJFUzI1NiIs...
• your npm access token — npm_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
(read-only; @nsasoft/nsauditor-ai-ee is a private, restricted npm package).
If you subscribed via the
AWS Marketplace listing,
your delivery channel is the Docker container image, not npm — your license email contains the
docker login / docker pull / docker run commands instead of an npm token,
and the image already bundles the full platform (CE + Enterprise package).
Skip steps 0–3 and 5 below — run the container with your key instead:
docker run --rm -e NSAUDITOR_LICENSE_KEY="enterprise_eyJ..." <image> license --status.
Steps 4 (cloud credentials — pass them as -e vars or a mounted --env file),
6–7 (your first scan and --aws-region scoping), and 9 (reading the results) apply identically
inside the container. Billing, renewal, and cancellation for Marketplace orders are managed in your
AWS account (see the EULA's AWS Marketplace Addendum) — your license key still verifies fully offline.
NSAuditor AI runs on Node.js 20 LTS or newer. Download
the installer from the official Node.js Downloads
page, choose the LTS build (not "Current" — LTS is the
stable line), and run the installer that matches your OS (Windows .msi / macOS
.pkg).
$ node --version # v20.x or newer $ npm --version
@nsasoft/nsauditor-ai-ee is a private (restricted)
package. Configure the read-token from your license email so npm can download it.
# Global: set the auth token for the npm registry $ npm config set //registry.npmjs.org/:_authToken npm_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx # Or, scoped to your home ~/.npmrc $ echo "//registry.npmjs.org/:_authToken=npm_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" >> ~/.npmrc
Install all three packages: the free Community Edition runtime, the agent skill (for Claude Desktop / Claude Code), and the Enterprise package — your 28 cloud plugins and seven compliance frameworks.
$ npm install -g nsauditor-ai@latest \ nsauditor-ai-agent-skill@latest \ @nsasoft/nsauditor-ai-ee@latest
One command — no shell-rc edits. The CLI verifies the JWT signature before
persisting, and stores the key in the macOS Keychain (or ~/.nsauditor/.env mode
0600 on Linux/Windows).
$ nsauditor-ai license install enterprise_eyJhbGciOiJFUzI1NiIs... ✓ Enterprise license installed Stored at: macOS Keychain (service=nsauditor-ai) Org: you@example.com Seats: 5 Expires: 2027-04-04T...
An environment variable also works and takes highest priority in the multi-source loader:
export NSAUDITOR_LICENSE_KEY=enterprise_eyJ...
If you ever hit a license_id_mismatch on macOS, clear both
~/.nsauditor/license-state.json and the Keychain entry
NSAUDITOR_LICENSE_ID (Keychain wins on read). On Linux/Windows it is file-only.
Create a dotenv file with your AI provider key and the cloud credentials for the account(s)
you want to audit. Everything stays on your machine — nothing is sent to NSAuditor. Keep
one .env per account (e.g. ~/envs/dev.env,
~/envs/prod.env) and select it per scan with --env (Step 6).
# ── AI provider (used for the optional AI analysis layer) ── AI_ENABLED=true AI_PROVIDER=claude # openai | claude | ollama ANTHROPIC_API_KEY=sk-ant-... # or keychain:ANTHROPIC_API_KEY on macOS — your key, stays local ANTHROPIC_MODEL=claude-sonnet-4-6 # ── Which cloud(s) this file audits ── CLOUD_PROVIDER=aws,gcp,azure # ── AWS ── AWS_ACCOUNT_ID= AWS_ACCESS_KEY_ID= AWS_SECRET_ACCESS_KEY= AWS_DEFAULT_REGION=us-east-1 # ── Azure ── AZURE_CLIENT_ID= AZURE_CLIENT_SECRET= AZURE_TENANT_ID= AZURE_SUBSCRIPTION_ID= # ── GCP (Application Default Credentials) ── GOOGLE_CLOUD_NUMBER= GOOGLE_CLOUD_PROJECT_ID= GOOGLE_APPLICATION_CREDENTIALS=/Users/myuser/.config/gcloud/application_default_credentials.json GOOGLE_IMPERSONATE_SERVICE_ACCOUNT=your@project-id
NSAuditor AI performs read-only auditing — it reads configuration and metadata only and never needs create, write, modify, or delete permissions. Always supply read-only, least-privilege credentials for the account(s) you audit:
ReadOnlyAccess or SecurityAudit managed policyReader roleroles/viewerRead-only scoping guarantees an audit cannot change your environment. Supplying credentials with write or other state-changing permissions is unnecessary and is entirely at your own risk. You are responsible for provisioning, scoping, rotating, and revoking these credentials — see EULA §5.5.
$ nsauditor-ai license --status ✓ Enterprise license active | Org: you@example.com | Seats: 5 | Expires: 2027-04-04
The headline use case is a cloud audit: point NSAuditor at a cloud account and get one evidence pack mapped across the compliance frameworks you ask for.
# Scan ALL THREE clouds in one run — comma-separated sentinels (CE 0.2.17+). # --plugins all auto-scopes each cloud to only its plugins; one out/ subfolder per cloud. $ nsauditor-ai scan --host aws,gcp,azure --env ~/envs/clouds.env --plugins all --compliance all --out out # …or one cloud at a time, one dotenv file per account (credentials load for THIS scan only) $ nsauditor-ai scan --host aws --env ~/envs/dev.env --plugins all --compliance soc2 --out out/aws-dev $ nsauditor-ai scan --host aws --env ~/envs/prod.env --plugins all --compliance soc2 --out out/aws-prod # Or a named profile from ~/.aws/credentials (no .env needed) $ nsauditor-ai scan --host aws --aws-profile prod --plugins all --compliance soc2 --out out/aws-prod # GCP / Azure per-account via --env (key-file path / service-principal vars live in the file) $ nsauditor-ai scan --host gcp --env ~/envs/gcp-prod.env --plugins 1021 --compliance soc2,cis-v8 --out out/gcp-prod $ nsauditor-ai scan --host azure --env ~/envs/azure-prod.env --plugins 1022 --compliance soc2 --out out/azure-prod
--host aws,gcp,azure scans one or more clouds in a single run (comma-separated; --host aws for just one). With --plugins all each cloud auto-scopes to only its plugins (other clouds + non-cloud plugins are skipped and logged). Don't write aws|gcp|azure with pipe characters — your shell treats | as a pipe.--compliance takes a CSV of any of the seven frameworks: soc2,hipaa,nist-csf,pci-dss,iso-27001,cis-v8,gdpr (gdpr emits the GDPR Article 32 Security-of-Processing infrastructure substrate — Art. 32 only, not GDPR compliance).COMPLIANCE_GRC_PROVIDER=vanta (or drata / secureframe) + COMPLIANCE_GRC_TOKEN and the scan maps its findings to your Vanta, Drata, or Secureframe workspace and pushes them at scan time — opt-in, early-access, Zero-Data-Exfiltration by default, token never serialized. See the GRC Connectors guide for the full setup.--env file is a hard error (fail-fast, never a silent skip).
--aws-region
By default an AWS scan covers a single region (AWS_REGION,
else us-east-1). The --aws-region <one|csv|all> flag controls
which regions the regional auditors cover — and each now audits
every in-scope region, with genuine per-region fan-out (security
groups, EC2, RDS, KMS, Lambda, Secrets Manager, DynamoDB, CodePipeline/CodeBuild, Backup, SQS/SNS,
VPC endpoints, ElastiCache, SES, Inspector/GuardDuty, and CloudTrail).
# A single region $ nsauditor-ai scan --host aws --plugins all --compliance soc2 --aws-region us-east-1 # A comma-separated list of regions $ nsauditor-ai scan --host aws --plugins all --compliance soc2 \ --aws-region us-east-1,eu-west-1,ap-southeast-2 # Every region enabled on the account (DescribeRegions; static-list fallback on AccessDenied) $ nsauditor-ai scan --host aws --plugins all --compliance soc2 --aws-region all
What a scoped run looks like, end to end:
$ nsauditor-ai scan --host aws --plugins all --compliance soc2 \ --aws-region us-east-1,eu-west-1,ap-southeast-2 --out out/aws-prod [region] scope = flag-list · 3 regions requested → resolving… [region] scanning us-east-1, eu-west-1, ap-southeast-2 (regional plugins fan out per-region) [plugin] AWS EC2 SG Perimeter Auditor (1170) ......... 3 regions · 5 findings [plugin] AWS RDS Auditor (1140) ...................... 3 regions · 2 findings [plugin] AWS IAM Deep Auditor (1030) ................. global · audited once [plugin] AWS S3 Security Auditor (1020) .............. per-bucket region resolved · 6 findings ✓ scanScope: regionsScanned=[us-east-1, eu-west-1, ap-southeast-2] regionsWithError=[]
--aws-region flag › AWS_REGION (shell / --env file) › single-region default.
AWS_REGION--aws-region all for full coverage.
NSA_AWS_REGION_ALLOW_UNKNOWN=1 to permit a brand-new region); an AWS_REGION-derived value warns and proceeds.
--aws-region. The S3 auditors resolve each bucket's own region and skip + disclose buckets outside the scoped set — closing latent cross-region false-cleans.
> Incomplete region coverage — 16 enabled region(s) not scanned (eu-west-1, ap-south-1, …). Re-run with --aws-region all (or set AWS_REGION) for full coverage.
Run audits conversationally from Claude Desktop — "Audit my AWS account" — via the MCP server bundled with the package.
In Claude Desktop go to Customize → Skills, click +,
choose Create skill → Upload a skill, and upload
SKILL.md from the @nsasoft/nsauditor-ai-ee package
(SKILL.md on GitHub).
macOS example, using Keychain references:
NSA_ENV_FILE=~/envs/dev.env MCP_TIMEOUT=180000 AI_PROVIDER=claude ANTHROPIC_API_KEY=keychain:ANTHROPIC_API_KEY NSA_ALLOW_ALL_HOSTS=1 PLUGIN_TIMEOUT_MS=90000 CLOUD_PLUGIN_TIMEOUT_MS=45000 NSA_MCP_AUTH_KEY=keychain:NSA_MCP_AUTH_KEY NSAUDITOR_LICENSE_KEY=keychain:NSAUDITOR_LICENSE_KEY
Claude Desktop enforces a hard ~60s per-tool-call limit that MCP_TIMEOUT
does not extend (that knob only governs server startup). Keep
CLOUD_PLUGIN_TIMEOUT_MS under ~60s (e.g. 45000) so a slow
plugin returns partial-with-disclosure rather than a hard timeout.
Say "Audit my AWS account" (one cloud) or "Audit my AWS and Azure accounts"
(several). For region scoping, the MCP scan_cloud tool takes the same scope as a
regions argument:
regions → audits only the server-configured AWS_REGION (one region; a single tool-call stays within Desktop's timeout). This is the default for a plain "audit my AWS account".["us-east-1","eu-west-1"]).["all"] call that could time out. You do not need to raise any timeout for this.
--out directory, one timestamped folder per scan (e.g. aws_20260524_091331/), with the per-framework reports plus RFC 3161 trusted timestamps and SHA-256 chain-of-custody sidecars.
CRITICAL / HIGH / MEDIUM / LOW / INFO; the summary rolls them up per provider.
scanScope block (and the incomplete-coverage advisory) to confirm which regions were actually scanned. Don't infer "all regions" from GuardDuty/Inspector findings — those enumerate regions internally regardless of scope.