AWS Security Hub adds Network Scanning for public resource reachability
AWS Security Hub has introduced Network Scanning to detect resources, including VMs and load balancers, that are reachable from the public internet. This new capability actively probes resources to confirm actual reachability, unlike previous configuration-based checks. The feature generates findings for each reachable port and service, correlating them with existing data to assess broader risk across AWS and Azure environments.
- →Network Scanning identifies publicly reachable resources
- →Confirms actual reachability for security findings
- →Integrates with Security Hub Exposures for risk assessment
Features (1) ›
- Network Scanning identifies publicly reachable resources
AWS Security Hub now includes Network Scanning, which probes resources from the internet to identify actual reachability. This capability discovers public IPs, VMs, and load balancers across AWS and Azure, determines reachable ports, and identifies running services.
Enhancements (2) ›
- Confirms actual reachability for security findings
Network Scanning confirms actual reachability from the internet, providing a more accurate picture than configuration-based checks alone. Each reachable port generates a Security Hub finding with evidence of the port and service discovered.
- Integrates with Security Hub Exposures for risk assessment
The generated findings are automatically correlated by Security Hub Exposures with other findings and resource configurations. This integration helps determine broader risk associated with publicly reachable resources.
https://aws.amazon.com/about-aws/whats-new/2026/07/aws-security-hub-network-scanning/