AWS Security Hub now offers Network Scanning to identify publicly reachable resources
Today, AWS Security Hub introduces Network Scanning, a capability that identifies resources in your environment that are reachable from the public internet. Network Scanning probes your resources from the internet to detect actual reachability, not just what could be reachable based on security group rules and route tables. It discovers public IP addresses, virtual machines, and load balancers across your AWS and Azure environments, identifies reachable ports, and determines what services are running behind them. This complements Security Hub’s existing network reachability findings, which identify configurations that could make a resource reachable from the internet. Network Scanning confirms actual reachability from the internet. Each reachable port generates a Security Hub finding with evidence of the port and service discovered. Security Hub Exposures then automatically correlates these findings with other findings and resource configurations to determine broader risk.
Existing customers can enable Network Scanning in individual accounts and regions, or across an organization via a configuration policy. For new Security Hub customers, Network Scanning is on by default. Network Scanning is included with Security Hub Essentials at no additional cost in all AWS commercial Regions that support Security Hub. To learn more, see the AWS Security Hub User Guide and the AWS Security Hub product page. For the full list of Regions, see the AWS Regional Services List.