Supported trait types in Security Hub

Amazon Security Hub generates an exposure finding when Amazon Security Hub CSPM control findings and findings generated by other supported Amazon Web Services services, such as Amazon Inspector, contain exposure traits for a resource. The following table provides information about the supported trait types.

Trait type	Description	Source	Impacted resources
Assumability	Indicates a resource with vended Amazon Identity and Access Management permissions	Resource configuration from Amazon Config	Amazon resources with associated Amazon Identity and Access Management roles
Misconfiguration	Indicates a misconfigured resource	Amazon Security Hub CSPM control findings, Amazon GuardDuty threat findings, and information about resource confirmation in Amazon Config.	All resource types
Reachability	Indicates open network paths to a resource	Amazon Security Hub CSPM control findings, Amazon GuardDuty threat findings, and Amazon Inspector network reachability findings.	Amazon EC2 instances, Amazon EKS clusters, Lambda functions, and Amazon S3 buckets
Sensitive Data	Indicates that a resource contains sensitive data	Macie sensitive data findings	Amazon S3 buckets
Vulnerability	Indicates that a resource has a weakness which could be exploited by a threat source.	Amazon Inspector package vulnerability findings and Amazon GuardDuty Amazon EC2 Malware findings.	Amazon EC2 instances, Amazon ECS services, Amazon EKS clusters, and Lambda functions

Each trait can be associated with multiple titles that provide details about the exposure affecting the resource. For example, you might see an Exploit Available title for the Vulnerability trait in the details for an EC2 exposure finding.

Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Supported resources

Generating exposure findings