Supported trait types in Security Hub - AWS Security Hub

AWS Security Hub generates an exposure finding when AWS Security Hub CSPM control findings and findings generated by other supported AWS services, such as Amazon Inspector, contain exposure traits for a resource. The following table provides information about the supported trait types.

| Trait type | Description | Source | Impacted resources |
| --- | --- | --- | --- |
| Assumability | Indicates a resource with vended AWS Identity and Access Management permissions | Resource configuration from AWS Config | AWS resources with associated AWS Identity and Access Management roles |
| Misconfiguration | Indicates a misconfigured resource | AWS Security Hub CSPM control findings, Amazon GuardDuty threat findings, and information about resource confirmation in AWS Config. | All resource types |
| Reachability | Indicates open network paths to a resource | AWS Security Hub CSPM control findings, Amazon GuardDuty threat findings, and Amazon Inspector network reachability findings. | Amazon EC2 instances, Amazon EKS clusters, Lambda functions, and Amazon S3 buckets |
| Sensitive Data | Indicates that a resource contains sensitive data | Macie sensitive data findings | Amazon S3 buckets |
| Vulnerability | Indicates that a resource has a weakness which could be exploited by a threat source. | Amazon Inspector package vulnerability findings and Amazon GuardDuty Amazon EC2 Malware findings. | Amazon EC2 instances, Amazon ECS services, Amazon EKS clusters, and Lambda functions |

Each trait can be associated with multiple titles that provide details about the exposure affecting the resource. For example, you might see an Exploit Available title for the Vulnerability trait in the details for an EC2 exposure finding.