Supported trait types in Security Hub
Amazon Security Hub generates an exposure finding when Amazon Security Hub CSPM control findings and findings generated by other supported Amazon Web Services services, such as Amazon Inspector, contain exposure traits for a resource. The following table provides information about the supported trait types.
| Trait type | Description | Source | Impacted resources |
|---|---|---|---|
|
Assumability |
Indicates a resource with vended Amazon Identity and Access Management permissions |
Resource configuration from Amazon Config |
Amazon resources with associated Amazon Identity and Access Management roles |
|
Impact |
Indicates the potential blast radius if the resource is compromised, based on the effective permissions of associated Amazon Identity and Access Management principals, including the ability to create and modify resources |
Effective permissions analysis of associated Amazon Identity and Access Management principals |
Amazon resources with associated Amazon Identity and Access Management identities |
|
Misconfiguration |
Indicates a misconfigured resource |
Amazon Security Hub CSPM control findings, Amazon GuardDuty threat findings, and information about resource confirmation in Amazon Config. |
All resource types |
|
Reachability |
Indicates open network paths to a resource |
Amazon Security Hub CSPM control findings, Amazon GuardDuty threat findings, and Amazon Inspector network reachability findings. |
Amazon EC2 instances, Amazon EKS clusters, Lambda functions, and Amazon S3 buckets |
|
Sensitive Data |
Indicates that a resource contains sensitive data |
Macie sensitive data findings |
Amazon S3 buckets |
|
Vulnerability |
Indicates that a resource has a weakness which could be exploited by a threat source. |
Amazon Inspector package vulnerability findings and Amazon GuardDuty Amazon EC2 Malware findings. |
Amazon EC2 instances, Amazon ECS services, Amazon EKS clusters, and Lambda functions |
Each trait can be associated with multiple titles that provide details about the exposure affecting the resource. For example, you might see an Exploit Available title for the Vulnerability trait in the details for an EC2 exposure finding.
Impact and effective permissions
The Impact trait describes the potential blast radius of an exposure — the downstream resources an attacker could reach and compromise if the primary resource in the exposure finding is compromised. To determine impact, Security Hub analyzes the effective permissions of the Amazon Identity and Access Management (IAM) principals associated with the resource.
Effective permissions are the permissions a principal actually has after Security Hub evaluates its identity-based policies together with the resource-based policies of the resources it can access. Because effective permissions account for both what a principal is granted and what target resources allow, they more accurately reflect the actions a principal can perform than the identity-based policies alone.
Using effective permissions, Security Hub traces the privilege escalation paths from the primary resource to other resources in your environment. Each path is a chain of resources connected by the permissions that allow an attacker to move from one resource to the next. When Security Hub identifies a concrete path to an existing resource, it surfaces that path as part of the Impact trait. Impact also accounts for permissions beyond these paths, such as the ability to invoke Amazon Web Services services that can create or modify other resources. You can review these paths in the potential attack path graph and reduce your blast radius by removing unnecessary permissions. For more information, see Viewing exposures in Security Hub with the potential attack path graph.