I tried automatically detecting AI assets with the new AWS Security Hub feature "AI Inventory"

I tried automatically detecting AI assets with the new AWS Security Hub feature "AI Inventory"

I validated the "AI Inventory" added to AWS Security Hub. AI Inventory is a feature that catalogs managed, self-hosted, and externally AI-dependent AI assets based on information from AWS Config, Amazon Inspector, and Amazon GuardDuty. This article introduces how to check using CLI/API, using Bedrock inference profiles confirmed in a Security Hub v2 environment as examples.
2026.07.15

This page has been translated by machine translation. View original

Introduction

On July 14, 2026, an AI inventory feature was added to AWS Security Hub.

https://aws.amazon.com/about-aws/whats-new/2026/07/aws-security-hub-ai/

As AI workload usage spreads across organizations, it becomes difficult to track where and which AI services and models are being used.

The AI inventory is a feature responsible for visualizing these AI assets. It is included in Security Hub Essentials, and in environments where Security Hub v2 is enabled, it can be used without additional configuration and at no additional cost. AI assets are automatically cataloged using the following three detection methods.

Detection Method Source Example AI Assets
Managed AWS Config Bedrock, Bedrock AgentCore, SageMaker
Self-hosted Inspector SBOM AI frameworks on EC2/containers
External AI dependency GuardDuty DNS Communication to external AI APIs (OpenAI, etc.)

This article verifies "what can be seen without additional configuration" in an actual environment. It focuses on confirming managed detection results and also organizes how to access them via CLI/API.

Verification Details

Verification Environment

  • Security Hub v2 enabled (activation date: 2026-07-07; Security Hub v1 has been enabled since 2023-01-12)
  • AWS Config enabled (recording: true)
  • Amazon Bedrock in use (via SageMaker Unified Studio)
  • Amazon Inspector: ECR scanning only enabled (EC2 scanning disabled)
  • Amazon GuardDuty enabled (DNS logging enabled, AI Protection disabled)

The region is ap-northeast-1. This article is based entirely on CLI/API output and does not include console screenshots. The commands below are executed against the same region.

AI Inventory Overview

First, I used get-resources-statistics-v2 to check how Security Hub v2 classifies resources into categories.

aws securityhub get-resources-statistics-v2 \
  --group-by-rules '[{"GroupByField": "ResourceCategory"}]' \
  --region ap-northeast-1

The results were as follows.

Category Number of Resources
Identity, Network, Compute, Storage, etc. (omitted)
AI/ML 11

11 resources were automatically classified into the AI/ML category. This category can also be confirmed by applying the ResourceCategory=AI/ML filter on the Resources screen in the console.

Detection of Managed AI Services

I checked what resource types make up the 11 items in the AI/ML category.

aws securityhub get-resources-statistics-v2 \
  --group-by-rules '[{
    "Filters": {
      "CompositeFilters": [{
        "StringFilters": [{
          "FieldName": "ResourceCategory",
          "Filter": {"Comparison": "EQUALS", "Value": "AI/ML"}
        }]
      }]
    },
    "GroupByField": "ResourceType"
  }]' \
  --region ap-northeast-1

It consisted of two resource types.

Resource Type Count
AWS::Bedrock::ApplicationInferenceProfile 10
AWS::OpenSearchServerless::SecurityPolicy 1

The 10 AWS::Bedrock::ApplicationInferenceProfile resources were inference profiles automatically created by SageMaker Unified Studio. The models used by each profile are as follows. 4 of the 10 are cross-region profiles, making multi-region inference configurations visible as well.

# Model Used
1 anthropic.claude-sonnet-4-20250514-v1:0 (cross-region x8)
2 amazon.titan-text-express-v1
3 amazon.titan-embed-text-v2:0
4 amazon.titan-embed-text-v1
5 amazon.rerank-v1:0
6 amazon.nova-reel-v1:0
7 amazon.nova-pro-v1:0 (cross-region x6)
8 amazon.nova-micro-v1:0 (cross-region x6)
9 amazon.nova-lite-v1:0 (cross-region x6)
10 amazon.nova-canvas-v1:0

The remaining 1 item was AWS::OpenSearchServerless::SecurityPolicy. This is the security policy for OpenSearch Serverless used by Bedrock IDE. In this environment, not only direct inference and training resources, but also security policies for infrastructure related to AI workloads were included in the AI/ML category.

These managed resources are automatically detected via AWS Config. In fact, tracking the trend of AI/ML resource counts showed that resources were backfilled the day after Security Hub v2 was enabled. The trend was retrieved using get-resources-trends-v2.

aws securityhub get-resources-trends-v2 \
  --start-time "2026-07-07T00:00:00Z" \
  --end-time "2026-07-14T23:59:59Z" \
  --filters '{
    "CompositeFilters": [{
      "StringFilters": [{
        "FieldName": "resource_category",
        "Filter": {"Comparison": "EQUALS", "Value": "AI/ML"}
      }]
    }]
  }' \
  --region ap-northeast-1
Date AI/ML Resource Count
2026-07-07 0
2026-07-08 11
2026-07-09–14 11 (stable)

On the day of activation (7/7) there were 0 items, but on the following day (7/8) 11 items were registered all at once and remained stable thereafter. In this environment, we were able to confirm the behavior where resources already recorded in Config at the time of Security Hub v2 activation were automatically cataloged the next day.

Each resource contains the following information accessible via get-resources-v2.

Field Content
ResourceId ARN
ResourceCategory AI/ML
ResourceType AWS::Bedrock::ApplicationInferenceProfile, etc.
ResourceName Resource name
ResourceCreationTimeDt Resource creation date and time
ResourceDetailCaptureTimeDt Config retrieval date and time
FindingsSummary Related Findings (currently an empty array)
ResourceTags Tag information
ResourceConfig AWS Config configuration information

Detection of Self-Hosted AI Workloads

The self-hosted method detects AI frameworks on EC2 instances or container images. It uses SBOM (Software Bill of Materials) generated by Amazon Inspector as its source.

In this environment, no resources were detected using this method. The images subject to ECR scanning did not contain any AI frameworks. Additionally, since EC2 scanning is disabled, workloads on EC2 were outside the scope of this verification.

Detection of External AI Dependencies

External AI dependencies use Amazon GuardDuty DNS telemetry as the source to detect communications to external AI APIs such as OpenAI.

In this environment, no resources were detected using this method either. Although GuardDuty DNS logging is enabled, no communications from EC2 to external AI APIs actually occurred. Note that GuardDuty AI Protection (a threat detection feature for AI workloads) is disabled in this environment and is planned for verification in a future article.

AI Security Best Practices Standard

Along with the AI inventory, a new security standard called AI Security Best Practices has been added.

{
    "StandardsArn": "arn:aws:securityhub:::standards/ai-security-best-practices/v/1.0.0",
    "Name": "AI Security Best Practices v1.0.0",
    "EnabledByDefault": false
}

This standard consists of 31 controls (8 for Bedrock, 23 for SageMaker). Since EnabledByDefault is false, explicit activation is required to use it.

As a HIGH severity control, on the Bedrock side there is BedrockAgentCore.1 (configure AgentCore runtime in VPC network mode). This control is also included in FSBP (AWS Foundational Security Best Practices), so it is evaluated via FSBP even without enabling AI Security Best Practices. On the SageMaker side, SageMaker.1 (disable direct internet access for notebooks) and others apply.

Bedrock-related controls (8 items)

ID Title Severity
Bedrock.1 KMS encryption for data sources MEDIUM
BedrockAgentCore.1 VPC network mode for runtime HIGH
BedrockAgentCore.2 Inbound authentication for gateway HIGH
BedrockAgentCore.3 KMS encryption for memory MEDIUM
BedrockAgentCore.4 KMS encryption for gateway MEDIUM
BedrockAgentCore.5 Network mode for custom browser HIGH
BedrockAgentCore.6 Session recording for custom browser MEDIUM
BedrockAgentCore.7 VPC configuration for code interpreter HIGH
SageMaker-related controls (23 items)
ID Title Severity
SageMaker.1 Notebook internet access HIGH
SageMaker.2 Notebook custom VPC HIGH
SageMaker.3 Notebook root access HIGH
SageMaker.4 Endpoint initial instance count MEDIUM
SageMaker.5 Model network isolation MEDIUM
SageMaker.8 Notebook supported platform MEDIUM
SageMaker.9 Data quality job inter-container encryption MEDIUM
SageMaker.10 Explainability job inter-container encryption MEDIUM
SageMaker.11 Data quality job network isolation MEDIUM
SageMaker.12 Model bias job network isolation MEDIUM
SageMaker.13 Model quality job inter-container encryption MEDIUM
SageMaker.14 Monitoring schedule network isolation MEDIUM
SageMaker.15 Model bias job inter-container encryption MEDIUM
SageMaker.16 Model VPC private registry MEDIUM
SageMaker.17 Feature Group offline store encryption MEDIUM
SageMaker.18 Feature Group online store encryption MEDIUM
SageMaker.19 Multi-container pipeline VPC registry MEDIUM
SageMaker.20 Explainability job network isolation HIGH
SageMaker.21 Notebook KMS encryption MEDIUM
SageMaker.22 Monitoring inter-container encryption MEDIUM
SageMaker.23 Inference experiment storage encryption MEDIUM
SageMaker.24 Inference experiment data encryption MEDIUM
SageMaker.25 Model quality job network isolation HIGH

CLI/API Access

Throughout the verification, no AI inventory-specific operations were found in the Security Hub CLI/API. Access is achieved by combining get-resources-v2 with a ResourceCategory=AI/ML filter.

aws securityhub get-resources-v2 \
  --filters '{
    "CompositeFilters": [{
      "StringFilters": [{
        "FieldName": "ResourceCategory",
        "Filter": {"Comparison": "EQUALS", "Value": "AI/ML"}
      }]
    }]
  }' \
  --region ap-northeast-1

Finding Association

The FindingsSummary field of each resource links related Findings, allowing both AI asset inventory and security evaluation to be reviewed on the same Security Hub.

In this environment, the FindingsSummary for all AI/ML resources was an empty array. No situation was confirmed where a Finding was linked to a resource registered in the AI inventory. This is likely because the AI Security Best Practices standard has not been enabled, and because no controls targeting ApplicationInferenceProfile could be confirmed at this time.

There was, however, one Finding related to Bedrock. It was a Finding for BedrockAgentCore.1 (a control included in both the FSBP and AI Security Best Practices standards), targeting a resource of type AWS::BedrockAgentCore::Runtime. However, this resource type is not registered in the AI inventory.

The prerequisites and results for this environment across the three detection methods are summarized below.

Detection Method Source Prerequisites Result in This Environment
Managed AWS Config Config enabled + AI/ML services in use ✅ 11 items detected
Self-hosted Inspector SBOM Inspector EC2/ECR scanning enabled + AI framework present ⚠️ Not applicable (none detected in ECR targets, EC2 not verified)
External AI dependency GuardDuty DNS GuardDuty enabled + EC2-to-external-AI-API communication present ⚠️ Not applicable (no such communication)

Summary

I verified the AI inventory in AWS Security Hub and confirmed that in environments where Security Hub v2 is enabled, AI assets are cataloged without additional configuration or cost. In this environment, 11 items including Bedrock inference profiles were registered via AWS Config the day after activation. No AI frameworks were detected from the images subject to ECR scanning, and EC2 was not verified. Additionally, since there was no relevant communication to external AI APIs, no external AI dependencies were detected either. In the next article, I will verify threat detection for AI workloads using GuardDuty AI Protection.

https://dev.classmethod.jp/articles/guardduty-ai-protection-enable-and-verify/

Share this article

AWSのお困り事はクラスメソッドへ