I tried detecting actually reachable ports from the internet using the new AWS Security Hub feature "Network Scanning"

I tried detecting actually reachable ports from the internet using the new AWS Security Hub feature "Network Scanning"

AWS Security Hub has added a Network Scanning feature. Unlike the static analysis of conventional security group configurations, it actually sends probes to verify port reachability. We validated the activation procedure, the Finding structure in OCSF format, and the granularity of scan targets.
2026.07.10

This page has been translated by machine translation. View original

Introduction

On July 9, 2026, Network Scanning (network reachability scanning) functionality was added to AWS Security Hub.

https://aws.amazon.com/about-aws/whats-new/2026/07/aws-security-hub-network-scanning/

Until now, Security Hub performed control plane analysis to determine "whether something is exposed to the internet based on configuration" by analyzing settings such as security groups. The newly added Network Scanning actually sends probes from the internet side to verify port responses. For ports that respond with TLS, the handshake and certificate information are also retrieved.

Perspective Conventional (Control Plane Analysis) New Feature (Network Scanning)
Detection Method Statically analyzes rules such as security groups Actually sends probes and verifies responses (performs TLS handshake when TLS response is received)
Detection Target Ports open to the internet based on configuration Ports actually reachable from the internet
Evidence Configuration values (SG rules, etc.) Port responses, TLS certificate information, service detection
False Positives May be detected if open based on configuration, even if actually blocked by OS-side firewall or filters along the route Detected when a response to the probe is confirmed at the time of scanning
Finding Format ASFF (get-findings) OCSF (get-findings-v2)

This article covers the procedure for enabling Network Scanning, the structure of Findings (in OCSF format), and the granularity of scan targets. The target of verification is an EC2 instance exposing port 443 with a public IP.

Verification Details

Verification Environment

  • Region: ap-northeast-1
  • EC2: t3.nano (Amazon Linux 2023)
  • Elastic IP: xxx.xxx.xxx.xxx attached
  • Security Group: TCP 443 allowed to 0.0.0.0/0
  • Nginx 1.30.2 + TLS 1.3 (ECDSA certificate issued by AWS Certificate Manager's ACME-compatible endpoint)
  • Security Hub: Essentials plan

Please refer to the following article for the certificate issuance procedure.

https://dev.classmethod.jp/articles/acm-acme-endpoint-certbot-ec2-nginx-apache/

Enabling Network Scanning

Enable network reachability scanning from "Settings" > "General" in the Security Hub console.

Network Scanning section on the Settings screen

Enable confirmation dialog

Status after enabling

After enabling, Findings were generated within a few minutes in this verification.

Checking Findings

On the "All findings" screen, you can view Findings from Network Scanning by filtering the type to "Network Scanning/Network Reachability".

Network Scan Finding list

A Finding has been generated for internet reachability of port 443 for the verification EIP.

Finding Details — EIP

The Finding contains the following information.

  • Port scan results: 443/tcp is Open
  • Service estimation result: smb (described later)
  • TLS evidence: TLSv1.3, issuer CN=Amazon ECDSA 256 S07,O=Amazon,C=US, certificate expiration date
  • Resource: AWS::EC2::EIP eipalloc-0xxxxxxxxxxxxxxxxxxxxx

Checking with CLI

Network Scanning Findings cannot be retrieved with the conventional get-findings API (ASFF format). You need to use the new get-findings-v2 API (OCSF format).

aws securityhub get-findings-v2 --region ap-northeast-1 --max-results 5
get-findings-v2 output (excerpt)
{
    "class_name": "Network Scan Finding",
    "class_uid": 99802002,
    "finding_info": {
        "created_time_dt": "2026-07-09T16:08:14.293Z",
        "desc": "Security Hub Network Scanning detected an open port reachable from the internet: xxx.xxx.xxx.xxx:443/tcp (smb) on AWS::EC2::EIP eipalloc-0xxxxxxxxxxxxxxxxxxxxx.",
        "title": "xxx.xxx.xxx.xxx:443 is reachable from the internet (securityhub-network-scan-test)",
        "types": [
            "Network Scanning/Network Reachability"
        ],
        "uid": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
    },
    "port_scan_result_list": [
        {
            "port_info": {
                "port": 443,
                "protocol_name": "tcp",
                "protocol_num": 6
            },
            "status": "Open",
            "svc_name": "smb",
            "tls": {
                "certificate": {
                    "expiration_time_dt": "2026-08-21T05:39:09.000Z",
                    "is_self_signed": false,
                    "issuer": "CN=Amazon ECDSA 256 S07,O=Amazon,C=US",
                    "serial_number": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
                },
                "handshake_dur": 8,
                "version": "TLSv1.3"
            }
        }
    ],
    "resources": [
        {
            "ip": "xxx.xxx.xxx.xxx",
            "name": "securityhub-network-scan-test",
            "type": "AWS::EC2::EIP",
            "uid": "eipalloc-0xxxxxxxxxxxxxxxxxxxxx"
        }
    ],
    "severity": "Medium",
    "severity_id": 3
}

In OCSF format Findings, port scan results are structured in port_scan_result_list. A notable feature is that it includes TLS handshake time (handshake_dur, in milliseconds) and certificate information.

Finding JSON display (console)

Scan Targets and Detection Units

In this verification, the Finding resource was generated per public IP address unit, not per EC2 instance. In addition to the verification EIP, Findings for public endpoints associated with ELBs within the same account were also confirmed.

Finding — ELB detection

Notes

  • Finding Format: Network Scanning Findings can only be retrieved via get-findings-v2 (OCSF format). They will not appear in the conventional get-findings (ASFF format). Please be aware of this when referencing via CLI or API.
  • Scan Frequency: According to the documentation, the initial scan is performed within up to 24 hours after enabling. If new resource creation or configuration changes are detected, scanning may be prioritized.
  • Exclusion Method: According to the documentation, you can exclude resources from scanning by adding the SecurityHubNetworkScanExclusion tag to the target resource. Please follow the documentation for conditions such as tag values (this article does not verify exclusion behavior).
  • Cost: Included in Security Hub Findings billing. There is no additional charge for Network Scanning alone.

Summary

We enabled AWS Security Hub's Network Scanning and confirmed that 443/tcp reachable from the internet is detected as a Finding.

Network Scanning not only checks configuration values such as security groups, but actually sends probes from the internet side to verify port responses. In this verification, in addition to open ports, information such as the TLS version, certificate issuer, and expiration date was also included in the OCSF format Findings.

When checking via CLI or API, you need to use get-findings-v2 instead of the conventional get-findings. Also, since service name estimation results may not match the actual service, it seems best to treat them as reference values.

Since you can check ports that are actually responding from the outside on Security Hub, I felt this is a useful feature for understanding external exposure and discovering unintentionally exposed ports.

Share this article

AWSのお困り事はクラスメソッドへ