aws AWS What's New ·

AWS Security Hub adds Network Scanning for public resource reachability

securityawsazureengineer
feature

AWS Security Hub has introduced Network Scanning to detect resources, including VMs and load balancers, that are reachable from the public internet. This new capability actively probes resources to confirm actual reachability, unlike previous configuration-based checks. The feature generates findings for each reachable port and service, correlating them with existing data to assess broader risk across AWS and Azure environments.

  • Network Scanning identifies publicly reachable resources
  • Confirms actual reachability for security findings
  • Integrates with Security Hub Exposures for risk assessment
Features (1)
  • Network Scanning identifies publicly reachable resources

    AWS Security Hub now includes Network Scanning, which probes resources from the internet to identify actual reachability. This capability discovers public IPs, VMs, and load balancers across AWS and Azure, determines reachable ports, and identifies running services.

Enhancements (2)
  • Confirms actual reachability for security findings

    Network Scanning confirms actual reachability from the internet, providing a more accurate picture than configuration-based checks alone. Each reachable port generates a Security Hub finding with evidence of the port and service discovered.

  • Integrates with Security Hub Exposures for risk assessment

    The generated findings are automatically correlated by Security Hub Exposures with other findings and resource configurations. This integration helps determine broader risk associated with publicly reachable resources.

Read the original announcement →

https://aws.amazon.com/about-aws/whats-new/2026/07/aws-security-hub-network-scanning/