Security Hub Network Scanning Confirms Internet Reachability
Security Hub's new network scanning capability moves beyond configuration checks to probe actual internet reachability of your resources.
Editorial summary and commentary based on the original from AWS What's New. Read the original
Network Scanning confirms actual reachability from the internet, not just potential exposure.
What changed
- AWS Security Hub now includes a Network Scanning capability.
- This feature probes resources from the public internet to verify actual reachability.
- It discovers public IPs, VMs, and load balancers across AWS and Azure environments, identifying reachable ports and services.
- Each confirmed reachable port generates a Security Hub finding.
Why it matters
This capability addresses a long-standing gap where security configurations (like security groups or route tables) might indicate a resource is exposed, but actual internet probing would reveal it is not. The honest version: Security Hub's existing network reachability findings identify potential exposure based on configuration. Network Scanning moves beyond this by actively probing from the internet to confirm actual exposure. This provides a more definitive picture of your attack surface, particularly for hybrid or multi-cloud environments where configuration drift can be harder to track. It pairs well with AWS Network Access Analyzer for a more comprehensive view of network paths.
The catch
While it probes across AWS and Azure, the findings are generated within Security Hub, implying a dependency on Security Hub's presence in the target cloud. The announcement does not specify the probing frequency or the exact methodology used, leaving room for interpretation on how
Source (AWS What's New): AWS Security Hub now offers Network Scanning to identify publicly reachable resources