I tried automatically detecting AI assets with the new AWS Security Hub feature "AI Inventory"
This page has been translated by machine translation. View original
Introduction
On July 14, 2026, an AI inventory feature was added to AWS Security Hub.
As AI workload usage spreads across organizations, it becomes difficult to track where and which AI services and models are being used.
The AI inventory is a feature responsible for visualizing these AI assets. It is included in Security Hub Essentials, and in environments where Security Hub v2 is enabled, it can be used without additional configuration and at no additional cost. AI assets are automatically cataloged using the following three detection methods.
| Detection Method | Source | Example AI Assets |
|---|---|---|
| Managed | AWS Config | Bedrock, Bedrock AgentCore, SageMaker |
| Self-hosted | Inspector SBOM | AI frameworks on EC2/containers |
| External AI dependency | GuardDuty DNS | Communication to external AI APIs (OpenAI, etc.) |
This article verifies "what can be seen without additional configuration" in an actual environment. It focuses on confirming managed detection results and also organizes how to access them via CLI/API.
Verification Details
Verification Environment
- Security Hub v2 enabled (activation date: 2026-07-07; Security Hub v1 has been enabled since 2023-01-12)
- AWS Config enabled (recording: true)
- Amazon Bedrock in use (via SageMaker Unified Studio)
- Amazon Inspector: ECR scanning only enabled (EC2 scanning disabled)
- Amazon GuardDuty enabled (DNS logging enabled, AI Protection disabled)
The region is ap-northeast-1. This article is based entirely on CLI/API output and does not include console screenshots. The commands below are executed against the same region.
AI Inventory Overview
First, I used get-resources-statistics-v2 to check how Security Hub v2 classifies resources into categories.
aws securityhub get-resources-statistics-v2 \
--group-by-rules '[{"GroupByField": "ResourceCategory"}]' \
--region ap-northeast-1
The results were as follows.
| Category | Number of Resources |
|---|---|
| Identity, Network, Compute, Storage, etc. | (omitted) |
| AI/ML | 11 |
11 resources were automatically classified into the AI/ML category. This category can also be confirmed by applying the ResourceCategory=AI/ML filter on the Resources screen in the console.
Detection of Managed AI Services
I checked what resource types make up the 11 items in the AI/ML category.
aws securityhub get-resources-statistics-v2 \
--group-by-rules '[{
"Filters": {
"CompositeFilters": [{
"StringFilters": [{
"FieldName": "ResourceCategory",
"Filter": {"Comparison": "EQUALS", "Value": "AI/ML"}
}]
}]
},
"GroupByField": "ResourceType"
}]' \
--region ap-northeast-1
It consisted of two resource types.
| Resource Type | Count |
|---|---|
| AWS::Bedrock::ApplicationInferenceProfile | 10 |
| AWS::OpenSearchServerless::SecurityPolicy | 1 |
The 10 AWS::Bedrock::ApplicationInferenceProfile resources were inference profiles automatically created by SageMaker Unified Studio. The models used by each profile are as follows. 4 of the 10 are cross-region profiles, making multi-region inference configurations visible as well.
| # | Model Used |
|---|---|
| 1 | anthropic.claude-sonnet-4-20250514-v1:0 (cross-region x8) |
| 2 | amazon.titan-text-express-v1 |
| 3 | amazon.titan-embed-text-v2:0 |
| 4 | amazon.titan-embed-text-v1 |
| 5 | amazon.rerank-v1:0 |
| 6 | amazon.nova-reel-v1:0 |
| 7 | amazon.nova-pro-v1:0 (cross-region x6) |
| 8 | amazon.nova-micro-v1:0 (cross-region x6) |
| 9 | amazon.nova-lite-v1:0 (cross-region x6) |
| 10 | amazon.nova-canvas-v1:0 |
The remaining 1 item was AWS::OpenSearchServerless::SecurityPolicy. This is the security policy for OpenSearch Serverless used by Bedrock IDE. In this environment, not only direct inference and training resources, but also security policies for infrastructure related to AI workloads were included in the AI/ML category.
These managed resources are automatically detected via AWS Config. In fact, tracking the trend of AI/ML resource counts showed that resources were backfilled the day after Security Hub v2 was enabled. The trend was retrieved using get-resources-trends-v2.
aws securityhub get-resources-trends-v2 \
--start-time "2026-07-07T00:00:00Z" \
--end-time "2026-07-14T23:59:59Z" \
--filters '{
"CompositeFilters": [{
"StringFilters": [{
"FieldName": "resource_category",
"Filter": {"Comparison": "EQUALS", "Value": "AI/ML"}
}]
}]
}' \
--region ap-northeast-1
| Date | AI/ML Resource Count |
|---|---|
| 2026-07-07 | 0 |
| 2026-07-08 | 11 |
| 2026-07-09–14 | 11 (stable) |
On the day of activation (7/7) there were 0 items, but on the following day (7/8) 11 items were registered all at once and remained stable thereafter. In this environment, we were able to confirm the behavior where resources already recorded in Config at the time of Security Hub v2 activation were automatically cataloged the next day.
Each resource contains the following information accessible via get-resources-v2.
| Field | Content |
|---|---|
| ResourceId | ARN |
| ResourceCategory | AI/ML |
| ResourceType | AWS::Bedrock::ApplicationInferenceProfile, etc. |
| ResourceName | Resource name |
| ResourceCreationTimeDt | Resource creation date and time |
| ResourceDetailCaptureTimeDt | Config retrieval date and time |
| FindingsSummary | Related Findings (currently an empty array) |
| ResourceTags | Tag information |
| ResourceConfig | AWS Config configuration information |
Detection of Self-Hosted AI Workloads
The self-hosted method detects AI frameworks on EC2 instances or container images. It uses SBOM (Software Bill of Materials) generated by Amazon Inspector as its source.
In this environment, no resources were detected using this method. The images subject to ECR scanning did not contain any AI frameworks. Additionally, since EC2 scanning is disabled, workloads on EC2 were outside the scope of this verification.
Detection of External AI Dependencies
External AI dependencies use Amazon GuardDuty DNS telemetry as the source to detect communications to external AI APIs such as OpenAI.
In this environment, no resources were detected using this method either. Although GuardDuty DNS logging is enabled, no communications from EC2 to external AI APIs actually occurred. Note that GuardDuty AI Protection (a threat detection feature for AI workloads) is disabled in this environment and is planned for verification in a future article.
AI Security Best Practices Standard
Along with the AI inventory, a new security standard called AI Security Best Practices has been added.
{
"StandardsArn": "arn:aws:securityhub:::standards/ai-security-best-practices/v/1.0.0",
"Name": "AI Security Best Practices v1.0.0",
"EnabledByDefault": false
}
This standard consists of 31 controls (8 for Bedrock, 23 for SageMaker). Since EnabledByDefault is false, explicit activation is required to use it.
As a HIGH severity control, on the Bedrock side there is BedrockAgentCore.1 (configure AgentCore runtime in VPC network mode). This control is also included in FSBP (AWS Foundational Security Best Practices), so it is evaluated via FSBP even without enabling AI Security Best Practices. On the SageMaker side, SageMaker.1 (disable direct internet access for notebooks) and others apply.
Bedrock-related controls (8 items)
| ID | Title | Severity |
|---|---|---|
| Bedrock.1 | KMS encryption for data sources | MEDIUM |
| BedrockAgentCore.1 | VPC network mode for runtime | HIGH |
| BedrockAgentCore.2 | Inbound authentication for gateway | HIGH |
| BedrockAgentCore.3 | KMS encryption for memory | MEDIUM |
| BedrockAgentCore.4 | KMS encryption for gateway | MEDIUM |
| BedrockAgentCore.5 | Network mode for custom browser | HIGH |
| BedrockAgentCore.6 | Session recording for custom browser | MEDIUM |
| BedrockAgentCore.7 | VPC configuration for code interpreter | HIGH |
SageMaker-related controls (23 items)
| ID | Title | Severity |
|---|---|---|
| SageMaker.1 | Notebook internet access | HIGH |
| SageMaker.2 | Notebook custom VPC | HIGH |
| SageMaker.3 | Notebook root access | HIGH |
| SageMaker.4 | Endpoint initial instance count | MEDIUM |
| SageMaker.5 | Model network isolation | MEDIUM |
| SageMaker.8 | Notebook supported platform | MEDIUM |
| SageMaker.9 | Data quality job inter-container encryption | MEDIUM |
| SageMaker.10 | Explainability job inter-container encryption | MEDIUM |
| SageMaker.11 | Data quality job network isolation | MEDIUM |
| SageMaker.12 | Model bias job network isolation | MEDIUM |
| SageMaker.13 | Model quality job inter-container encryption | MEDIUM |
| SageMaker.14 | Monitoring schedule network isolation | MEDIUM |
| SageMaker.15 | Model bias job inter-container encryption | MEDIUM |
| SageMaker.16 | Model VPC private registry | MEDIUM |
| SageMaker.17 | Feature Group offline store encryption | MEDIUM |
| SageMaker.18 | Feature Group online store encryption | MEDIUM |
| SageMaker.19 | Multi-container pipeline VPC registry | MEDIUM |
| SageMaker.20 | Explainability job network isolation | HIGH |
| SageMaker.21 | Notebook KMS encryption | MEDIUM |
| SageMaker.22 | Monitoring inter-container encryption | MEDIUM |
| SageMaker.23 | Inference experiment storage encryption | MEDIUM |
| SageMaker.24 | Inference experiment data encryption | MEDIUM |
| SageMaker.25 | Model quality job network isolation | HIGH |
CLI/API Access
Throughout the verification, no AI inventory-specific operations were found in the Security Hub CLI/API. Access is achieved by combining get-resources-v2 with a ResourceCategory=AI/ML filter.
aws securityhub get-resources-v2 \
--filters '{
"CompositeFilters": [{
"StringFilters": [{
"FieldName": "ResourceCategory",
"Filter": {"Comparison": "EQUALS", "Value": "AI/ML"}
}]
}]
}' \
--region ap-northeast-1
Finding Association
The FindingsSummary field of each resource links related Findings, allowing both AI asset inventory and security evaluation to be reviewed on the same Security Hub.
In this environment, the FindingsSummary for all AI/ML resources was an empty array. No situation was confirmed where a Finding was linked to a resource registered in the AI inventory. This is likely because the AI Security Best Practices standard has not been enabled, and because no controls targeting ApplicationInferenceProfile could be confirmed at this time.
There was, however, one Finding related to Bedrock. It was a Finding for BedrockAgentCore.1 (a control included in both the FSBP and AI Security Best Practices standards), targeting a resource of type AWS::BedrockAgentCore::Runtime. However, this resource type is not registered in the AI inventory.
The prerequisites and results for this environment across the three detection methods are summarized below.
| Detection Method | Source | Prerequisites | Result in This Environment |
|---|---|---|---|
| Managed | AWS Config | Config enabled + AI/ML services in use | ✅ 11 items detected |
| Self-hosted | Inspector SBOM | Inspector EC2/ECR scanning enabled + AI framework present | ⚠️ Not applicable (none detected in ECR targets, EC2 not verified) |
| External AI dependency | GuardDuty DNS | GuardDuty enabled + EC2-to-external-AI-API communication present | ⚠️ Not applicable (no such communication) |
Summary
I verified the AI inventory in AWS Security Hub and confirmed that in environments where Security Hub v2 is enabled, AI assets are cataloged without additional configuration or cost. In this environment, 11 items including Bedrock inference profiles were registered via AWS Config the day after activation. No AI frameworks were detected from the images subject to ECR scanning, and EC2 was not verified. Additionally, since there was no relevant communication to external AI APIs, no external AI dependencies were detected either. In the next article, I will verify threat detection for AI workloads using GuardDuty AI Protection.
