🟡 Medium  |  Source: AWS What’s New


AWS Security Hub has launched Network Scanning, a capability that actively probes your AWS and Azure resources from the internet to confirm genuine public reachability — going beyond theoretical reachability based on firewall rules alone. It identifies exposed IP addresses, virtual machines, load balancers, open ports, and running services, generating findings that Security Hub Exposures then correlates with other risk signals. This gives security teams confirmed attack surface visibility rather than relying solely on configuration analysis.

Security Architect’s Take: Enable Network Scanning in Security Hub and integrate its findings into your existing triage workflow — prioritise remediation of any confirmed internet-reachable ports that host unexpected or unintended services. Cross-reference results against your asset inventory to identify shadow infrastructure or misconfigured resources that configuration-based tools may have missed.

Original advisory: AWS Security Hub now offers Network Scanning to identify publicly reachable resources