regscale-cli 6.21.0.0__py3-none-any.whl → 6.21.1.0__py3-none-any.whl

regscale/integrations/commercial/aws/scanner.py

@@ -24,9 +24,11 @@ from .inventory import AWSInventoryCollector
 
 logger = logging.getLogger("regscale")
 
-# Constants for file paths
+# Constants for file paths:
 INVENTORY_FILE_PATH = os.path.join("artifacts", "aws", "inventory.json")
+FINDINGS_FILE_PATH = os.path.join("artifacts", "aws", "findings.json")
 CACHE_TTL_SECONDS = 8 * 60 * 60  # 8 hours in seconds
+EC_INSTANCES = "EC2 Instances"
 
 
 class AWSInventoryIntegration(ScannerIntegration):
@@ -56,6 +58,8 @@ class AWSInventoryIntegration(ScannerIntegration):
         """
         super().__init__(plan_id=plan_id, kwargs=kwargs)
         self.collector: Optional[AWSInventoryCollector] = None
+        self.discovered_assets: List[IntegrationAsset] = []
+        self.processed_asset_identifiers: set = set()  # Track processed assets to avoid duplicates
 
     def authenticate(
         self,
@@ -199,7 +203,6 @@ class AWSInventoryIntegration(ScannerIntegration):
         :yield: Iterator[IntegrationAsset]
         """
         inventory = self.fetch_aws_data_if_needed(region, aws_access_key_id, aws_secret_access_key, aws_session_token)
-
         # Process each asset type using the corresponding parser
         asset_configs = self.get_asset_configs()
 
@@ -256,13 +259,13 @@ class AWSInventoryIntegration(ScannerIntegration):
             asset_type = regscale_models.AssetType.VM
             asset_category = regscale_models.AssetCategory.Hardware
             component_type = regscale_models.ComponentType.Hardware
-            component_names = ["EC2 Instances"]
+            component_names = [EC_INSTANCES]
         else:
             operating_system = regscale_models.AssetOperatingSystem.Linux
             asset_type = regscale_models.AssetType.VM
             asset_category = regscale_models.AssetCategory.Hardware
             component_type = regscale_models.ComponentType.Hardware
-            component_names = ["EC2 Instances"]
+            component_names = [EC_INSTANCES]
 
         os_version = image_info.get("Description", "")
 
@@ -692,8 +695,8 @@ Description: {description if isinstance(description, str) else ''}"""
 
     def fetch_findings(self, *args, **kwargs) -> Iterator[IntegrationFinding]:
         """
-        Fetch security findings.
-        Currently, we're only doing inventory collection.
+        Fetch security findings from AWS Security Hub.
+        Also discovers assets from the finding resources during processing.
 
         :yield: Iterator[IntegrationFinding]
         """
@@ -703,7 +706,7 @@ Description: {description if isinstance(description, str) else ''}"""
 
         aws_secret_key_id = kwargs.get("aws_access_key_id") or os.getenv("AWS_ACCESS_KEY_ID")
         aws_secret_access_key = kwargs.get("aws_secret_access_key") or os.getenv("AWS_SECRET_ACCESS_KEY")
-        region = kwargs.get("region")
+        region = kwargs.get("region") or os.getenv("AWS_REGION", "us-east-1")
         if not aws_secret_key_id or not aws_secret_access_key:
             raise ValueError(
                 "AWS Access Key ID and Secret Access Key are required.\nPlease update in environment "
@@ -719,10 +722,123 @@ Description: {description if isinstance(description, str) else ''}"""
         )
         client = session.client("securityhub")
         aws_findings = fetch_aws_findings(aws_client=client)
+        # Note: Resources are extracted directly from findings, so separate resource fetch not needed
+        # Reset discovered assets for this run
+        self.discovered_assets.clear()
+        self.processed_asset_identifiers.clear()
+
         self.num_findings_to_process = len(aws_findings)
         for finding in aws_findings:
             yield from iter(self.parse_finding(finding))
 
+        # Log discovered assets count
+        if self.discovered_assets:
+            logger.info(f"Discovered {len(self.discovered_assets)} assets from Security Hub findings")
+
+    def get_discovered_assets(self) -> Iterator[IntegrationAsset]:
+        """
+        Get assets discovered from Security Hub findings.
+
+        :return: Iterator of discovered assets
+        :rtype: Iterator[IntegrationAsset]
+        """
+        logger.info(f"Yielding {len(self.discovered_assets)} discovered assets from findings")
+        for asset in self.discovered_assets:
+            yield asset
+
+    def sync_findings_and_assets(self, **kwargs) -> tuple[int, int]:
+        """
+        Sync both findings and discovered assets from AWS Security Hub.
+        First discovers assets from findings, creates them, then processes findings.
+
+        :return: Tuple of (findings_processed, assets_processed)
+        :rtype: tuple[int, int]
+        """
+        logger.info("Starting AWS Security Hub findings and assets sync...")
+
+        # First, fetch findings to discover assets (but don't sync findings yet)
+        logger.info("Discovering assets from AWS Security Hub findings...")
+
+        # Reset discovered assets for this run
+        self.discovered_assets.clear()
+        self.processed_asset_identifiers.clear()
+
+        # Fetch findings to discover assets - store them to avoid re-fetching
+        findings_list = list(self.fetch_findings(**kwargs))
+
+        # Sync the discovered assets first
+        if self.discovered_assets:
+            logger.info(f"Creating {len(self.discovered_assets)} assets discovered from findings...")
+            self.num_assets_to_process = len(self.discovered_assets)
+            assets_processed = self.update_regscale_assets(self.get_discovered_assets())
+            logger.info(f"Successfully created {assets_processed} assets")
+        else:
+            logger.info("No assets discovered from findings")
+            assets_processed = 0
+
+        # Now process the findings we already fetched (avoid double-fetching)
+        logger.info("Now syncing findings with created assets...")
+        findings_processed = self.update_regscale_findings(findings_list)
+
+        return findings_processed, assets_processed
+
+    def get_configured_issue_status(self) -> IssueStatus:
+        """
+        Get the configured issue status from the configuration.
+
+        :return: The configured issue status
+        :rtype: IssueStatus
+        """
+        try:
+            configured_status = self.app.config["issues"]["amazon"]["status"]
+            if configured_status.lower() == "open":
+                return IssueStatus.Open
+            elif configured_status.lower() == "closed":
+                return IssueStatus.Closed
+            else:
+                logger.warning(f"Unknown configured status '{configured_status}', defaulting to Open")
+                return IssueStatus.Open
+        except KeyError:
+            logger.warning("No status configuration found for amazon issues, defaulting to Open")
+            return IssueStatus.Open
+
+    def should_process_finding_by_severity(self, severity: str) -> bool:
+        """
+        Check if a finding should be processed based on the configured minimum severity.
+
+        :param str severity: The severity level of the finding
+        :return: True if the finding should be processed, False otherwise
+        :rtype: bool
+        """
+        try:
+            min_severity = self.app.config["issues"]["amazon"]["minimumSeverity"].upper()
+        except KeyError:
+            logger.warning("No minimumSeverity configuration found for amazon issues, processing all findings")
+            return True
+
+        # Define severity hierarchy (higher number = more severe)
+        severity_levels = {
+            "INFORMATIONAL": 0,
+            "INFO": 0,
+            "LOW": 1,
+            "MEDIUM": 2,
+            "MODERATE": 2,
+            "HIGH": 3,
+            "CRITICAL": 4,
+        }
+
+        finding_severity_level = severity_levels.get(severity.upper(), 0)
+        min_severity_level = severity_levels.get(min_severity, 1)  # Default to LOW if not found
+
+        should_process = finding_severity_level >= min_severity_level
+
+        if not should_process:
+            logger.debug(
+                f"Filtering out finding with severity '{severity}' (level {finding_severity_level}) - below minimum '{min_severity}' (level {min_severity_level})"
+            )
+
+        return should_process
+
     @staticmethod
     def get_baseline(resource: dict) -> str:
         """
@@ -763,6 +879,7 @@ Description: {description if isinstance(description, str) else ''}"""
     def parse_finding(self, finding: dict) -> list[IntegrationFinding]:
         """
         Parse AWS Security Hub to RegScale IntegrationFinding format.
+        Also collects assets from the finding resources for later processing.
 
         :param dict finding: AWS Security Hub finding
         :return: RegScale IntegrationFinding
@@ -771,6 +888,14 @@ Description: {description if isinstance(description, str) else ''}"""
         findings = []
         try:
             for resource in finding["Resources"]:
+                # Parse resource to asset and add to discovered assets (avoiding duplicates)
+                asset = self.parse_resource_to_asset(resource, finding)
+                if asset and asset.identifier not in self.processed_asset_identifiers:
+                    self.discovered_assets.append(asset)
+                    self.processed_asset_identifiers.add(asset.identifier)
+                    logger.debug(f"Discovered asset from finding: {asset.name} ({asset.identifier})")
+
+                # Continue with finding processing as before
                 status, results = determine_status_and_results(finding)
                 comments = get_comments(finding)
                 severity = check_finding_severity(comments)
@@ -779,6 +904,11 @@ Description: {description if isinstance(description, str) else ''}"""
                     friendly_sev = "high"
                 elif severity in ["MEDIUM", "MODERATE"]:
                     friendly_sev = "moderate"
+
+                # Filter findings based on minimum severity configuration
+                if not self.should_process_finding_by_severity(severity):
+                    logger.debug(f"Skipping finding with severity '{severity}' - below minimum threshold")
+                    continue
                 try:
                     days = self.app.config["issues"]["amazon"][friendly_sev]
                 except KeyError:
@@ -787,17 +917,23 @@ Description: {description if isinstance(description, str) else ''}"""
                 due_date = datetime_str(get_due_date(date_str(finding["CreatedAt"]), days))
 
                 plugin_name = next(iter(finding.get("Types", [])))
+                # Create a unique plugin_id using the finding ID to ensure each finding creates a separate issue
+                finding_id = finding.get("Id", "")
+                # Extract just the finding UUID from the full ARN for a cleaner ID
+                finding_uuid = finding_id.split("/")[-1] if "/" in finding_id else finding_id.split(":")[-1]
+                plugin_id = f"{plugin_name.replace(' ', '_').replace('/', '_').replace(':', '_')}_{finding_uuid}"
+
                 findings.append(
                     IntegrationFinding(
                         asset_identifier=self.extract_name_from_arn(resource["Id"]),
-                        external_id=self.extract_name_from_arn(resource["Id"]),
+                        external_id=finding_id,  # Use the full finding ID as external_id for uniqueness
                         control_labels=[],  # Determine how to populate this
                         title=finding["Title"],
                         category="SecurityHub",
                         issue_title=finding["Title"],
                         severity=self.finding_severity_map.get(severity),
                         description=finding["Description"],
-                        status=IssueStatus.Open if status == "Fail" else IssueStatus.Closed,
+                        status=self.get_configured_issue_status(),
                         checklist_status=self.get_checklist_status(status),
                         vulnerability_number="",
                         results=results,
@@ -809,6 +945,7 @@ Description: {description if isinstance(description, str) else ''}"""
                         date_created=date_str(finding["CreatedAt"]),
                         due_date=due_date,
                         plugin_name=plugin_name,
+                        plugin_id=plugin_id,  # Add the sanitized plugin_id
                         baseline=self.get_baseline(resource),
                         observations=comments,
                         gaps="",
@@ -822,3 +959,401 @@ Description: {description if isinstance(description, str) else ''}"""
             logger.error(f"Error parsing AWS Security Hub finding: {str(e)}", exc_info=True)
 
         return findings
+
+    def parse_resource_to_asset(self, resource: dict, finding: dict) -> Optional[IntegrationAsset]:
+        """
+        Parse AWS Security Hub resource to RegScale IntegrationAsset format.
+
+        :param dict resource: AWS Security Hub resource from finding
+        :param dict finding: AWS Security Hub finding for additional context
+        :return: RegScale IntegrationAsset or None if resource type not supported
+        :rtype: Optional[IntegrationAsset]
+        """
+        try:
+            resource_type = resource.get("Type", "")
+            resource_id = resource.get("Id", "")
+
+            if not resource_type or not resource_id:
+                logger.warning("Resource missing Type or Id, skipping asset creation")
+                return None
+
+            # Map resource types to parser methods
+            parser_map = {
+                "AwsEc2SecurityGroup": self._parse_security_group_resource,
+                "AwsEc2Subnet": self._parse_subnet_resource,
+                "AwsIamUser": self._parse_iam_user_resource,
+                "AwsEc2Instance": self._parse_ec2_instance_resource,
+                "AwsS3Bucket": self._parse_s3_bucket_resource,
+                "AwsRdsDbInstance": self._parse_rds_instance_resource,
+                "AwsLambdaFunction": self._parse_lambda_function_resource,
+                "AwsEcrRepository": self._parse_ecr_repository_resource,
+            }
+
+            parser_method = parser_map.get(resource_type)
+            if parser_method:
+                return parser_method(resource, finding)
+            else:
+                # Create a generic asset for unsupported resource types
+                return self._parse_generic_resource(resource)
+
+        except Exception as e:
+            logger.error(f"Error parsing resource to asset: {str(e)}", exc_info=True)
+            return None
+
+    def _parse_security_group_resource(self, resource: dict, finding: dict) -> IntegrationAsset:
+        """Parse AWS EC2 Security Group resource to IntegrationAsset."""
+        details = resource.get("Details", {}).get("AwsEc2SecurityGroup", {})
+        resource_id = resource.get("Id", "")
+        region = resource.get("Region", "us-east-1")
+        # Tags also available in details
+
+        # Extract security group ID from ARN
+        sg_id = self.extract_name_from_arn(resource_id) or details.get("GroupId", "")
+        group_name = details.get("GroupName", sg_id)
+
+        name = f"Security Group: {group_name}"
+        description = f"AWS EC2 Security Group {group_name} ({sg_id})"
+
+        # Build notes with security group rules
+        notes_parts = []
+        if ingress_rules := details.get("IpPermissions", []):
+            notes_parts.append(f"Ingress Rules: {len(ingress_rules)}")
+        if egress_rules := details.get("IpPermissionsEgress", []):
+            notes_parts.append(f"Egress Rules: {len(egress_rules)}")
+        if vpc_id := details.get("VpcId"):
+            notes_parts.append(f"VPC: {vpc_id}")
+
+        notes = "; ".join(notes_parts) if notes_parts else "AWS Security Group"
+
+        # Create console URI
+        uri = f"https://console.aws.amazon.com/ec2/v2/home?region={region}#SecurityGroups:groupId={sg_id}"
+
+        return IntegrationAsset(
+            name=name,
+            identifier=sg_id,
+            asset_type=regscale_models.AssetType.Firewall,  # Security groups act like firewalls
+            asset_category=regscale_models.AssetCategory.Software,
+            component_type=regscale_models.ComponentType.Software,
+            component_names=["Security Groups"],
+            parent_id=self.plan_id,
+            parent_module="securityplans",
+            status=regscale_models.AssetStatus.Active,
+            description=description,
+            location=region,
+            notes=notes,
+            manufacturer="AWS",
+            aws_identifier=sg_id,
+            vlan_id=details.get("VpcId"),
+            uri=uri,
+            source_data=resource,
+            is_virtual=True,
+        )
+
+    def _parse_subnet_resource(self, resource: dict, finding: dict) -> IntegrationAsset:
+        """Parse AWS EC2 Subnet resource to IntegrationAsset."""
+        details = resource.get("Details", {}).get("AwsEc2Subnet", {})
+        resource_id = resource.get("Id", "")
+        region = resource.get("Region", "us-east-1")
+
+        subnet_id = self.extract_name_from_arn(resource_id) or details.get("SubnetId", "")
+        cidr_block = details.get("CidrBlock", "")
+        az = details.get("AvailabilityZone", "")
+
+        name = f"Subnet: {subnet_id}"
+        if cidr_block:
+            name += f" ({cidr_block})"
+
+        description = f"AWS EC2 Subnet {subnet_id} in {az}"
+
+        # Build notes with subnet details
+        notes_parts = []
+        if cidr_block:
+            notes_parts.append(f"CIDR: {cidr_block}")
+        if az:
+            notes_parts.append(f"AZ: {az}")
+        if available_ips := details.get("AvailableIpAddressCount"):
+            notes_parts.append(f"Available IPs: {available_ips}")
+        if details.get("MapPublicIpOnLaunch"):
+            notes_parts.append("Auto-assigns public IP")
+
+        notes = "; ".join(notes_parts) if notes_parts else "AWS Subnet"
+
+        # Create console URI
+        uri = f"https://console.aws.amazon.com/vpc/home?region={region}#SubnetDetails:subnetId={subnet_id}"
+
+        return IntegrationAsset(
+            name=name,
+            identifier=subnet_id,
+            asset_type=regscale_models.AssetType.NetworkRouter,  # Subnets are network infrastructure
+            asset_category=regscale_models.AssetCategory.Hardware,
+            component_type=regscale_models.ComponentType.Hardware,
+            component_names=["Subnets"],
+            parent_id=self.plan_id,
+            parent_module="securityplans",
+            status=regscale_models.AssetStatus.Active,
+            description=description,
+            location=region,
+            notes=notes,
+            manufacturer="AWS",
+            aws_identifier=subnet_id,
+            vlan_id=details.get("VpcId"),
+            uri=uri,
+            source_data=resource,
+            is_virtual=True,
+            is_public_facing=details.get("MapPublicIpOnLaunch", False),
+        )
+
+    def _parse_iam_user_resource(self, resource: dict, finding: dict) -> IntegrationAsset:
+        """Parse AWS IAM User resource to IntegrationAsset."""
+        resource_id = resource.get("Id", "")
+        region = resource.get("Region", "us-east-1")
+
+        # Extract username from ARN
+        username = self.extract_name_from_arn(resource_id) or "Unknown User"
+
+        name = f"IAM User: {username}"
+        description = f"AWS IAM User {username}"
+
+        # Create console URI
+        uri = f"https://console.aws.amazon.com/iam/home?region={region}#/users/{username}"
+
+        return IntegrationAsset(
+            name=name,
+            identifier=username,
+            asset_type=regscale_models.AssetType.Other,  # IAM users don't fit standard asset types
+            asset_category=regscale_models.AssetCategory.Software,
+            component_type=regscale_models.ComponentType.Software,
+            component_names=["IAM Users"],
+            parent_id=self.plan_id,
+            parent_module="securityplans",
+            status=regscale_models.AssetStatus.Active,
+            description=description,
+            location=region,
+            notes="AWS IAM User Account",
+            manufacturer="AWS",
+            aws_identifier=username,
+            uri=uri,
+            source_data=resource,
+            is_virtual=True,
+        )
+
+    def _parse_ec2_instance_resource(self, resource: dict, finding: dict) -> IntegrationAsset:
+        """Parse AWS EC2 Instance resource to IntegrationAsset."""
+        details = resource.get("Details", {}).get("AwsEc2Instance", {})
+        resource_id = resource.get("Id", "")
+        region = resource.get("Region", "us-east-1")
+        tags = resource.get("Tags", {})
+
+        instance_id = self.extract_name_from_arn(resource_id) or details.get("InstanceId", "")
+        instance_type = details.get("Type", "")
+
+        # Try to get a friendly name from tags
+        friendly_name = tags.get("Name", instance_id)
+        name = f"EC2: {friendly_name}"
+        if instance_type:
+            name += f" ({instance_type})"
+
+        description = f"AWS EC2 Instance {instance_id}"
+
+        # Create console URI
+        uri = f"https://console.aws.amazon.com/ec2/v2/home?region={region}#InstanceDetails:instanceId={instance_id}"
+
+        return IntegrationAsset(
+            name=name,
+            identifier=instance_id,
+            asset_type=regscale_models.AssetType.VM,
+            asset_category=regscale_models.AssetCategory.Hardware,
+            component_type=regscale_models.ComponentType.Hardware,
+            component_names=[EC_INSTANCES],
+            parent_id=self.plan_id,
+            parent_module="securityplans",
+            status=regscale_models.AssetStatus.Active,
+            description=description,
+            location=region,
+            notes=f"AWS EC2 Instance - {instance_type}",
+            model=instance_type,
+            manufacturer="AWS",
+            aws_identifier=instance_id,
+            vlan_id=details.get("SubnetId"),
+            uri=uri,
+            source_data=resource,
+            is_virtual=True,
+        )
+
+    def _parse_s3_bucket_resource(self, resource: dict, finding: dict) -> IntegrationAsset:
+        """Parse AWS S3 Bucket resource to IntegrationAsset."""
+        details = resource.get("Details", {}).get("AwsS3Bucket", {})
+        resource_id = resource.get("Id", "")
+        region = resource.get("Region", "us-east-1")
+
+        bucket_name = self.extract_name_from_arn(resource_id) or details.get("Name", "")
+
+        name = f"S3 Bucket: {bucket_name}"
+        description = f"AWS S3 Bucket {bucket_name}"
+
+        # Create console URI
+        uri = f"https://s3.console.aws.amazon.com/s3/buckets/{bucket_name}?region={region}"
+
+        return IntegrationAsset(
+            name=name,
+            identifier=bucket_name,
+            asset_type=regscale_models.AssetType.Other,  # S3 buckets are storage, closest to Other
+            asset_category=regscale_models.AssetCategory.Software,
+            component_type=regscale_models.ComponentType.Software,
+            component_names=["S3 Buckets"],
+            parent_id=self.plan_id,
+            parent_module="securityplans",
+            status=regscale_models.AssetStatus.Active,
+            description=description,
+            location=region,
+            notes="AWS S3 Storage Bucket",
+            manufacturer="AWS",
+            aws_identifier=bucket_name,
+            uri=uri,
+            source_data=resource,
+            is_virtual=True,
+        )
+
+    def _parse_rds_instance_resource(self, resource: dict, finding: dict) -> IntegrationAsset:
+        """Parse AWS RDS Instance resource to IntegrationAsset."""
+        details = resource.get("Details", {}).get("AwsRdsDbInstance", {})
+        resource_id = resource.get("Id", "")
+        region = resource.get("Region", "us-east-1")
+
+        db_identifier = self.extract_name_from_arn(resource_id) or details.get("DbInstanceIdentifier", "")
+        db_class = details.get("DbInstanceClass", "")
+        engine = details.get("Engine", "")
+
+        name = f"RDS: {db_identifier}"
+        if engine:
+            name += f" ({engine})"
+
+        description = f"AWS RDS Database Instance {db_identifier}"
+
+        # Create console URI
+        uri = f"https://console.aws.amazon.com/rds/home?region={region}#database:id={db_identifier}"
+
+        return IntegrationAsset(
+            name=name,
+            identifier=db_identifier,
+            asset_type=regscale_models.AssetType.VM,  # RDS instances are virtual database servers
+            asset_category=regscale_models.AssetCategory.Software,
+            component_type=regscale_models.ComponentType.Software,
+            component_names=["RDS Instances"],
+            parent_id=self.plan_id,
+            parent_module="securityplans",
+            status=regscale_models.AssetStatus.Active,
+            description=description,
+            location=region,
+            notes=f"AWS RDS Database - {engine} {db_class}",
+            model=db_class,
+            software_name=engine,
+            manufacturer="AWS",
+            aws_identifier=db_identifier,
+            uri=uri,
+            source_data=resource,
+            is_virtual=True,
+        )
+
+    def _parse_lambda_function_resource(self, resource: dict, finding: dict) -> IntegrationAsset:
+        """Parse AWS Lambda Function resource to IntegrationAsset."""
+        details = resource.get("Details", {}).get("AwsLambdaFunction", {})
+        resource_id = resource.get("Id", "")
+        region = resource.get("Region", "us-east-1")
+
+        function_name = self.extract_name_from_arn(resource_id) or details.get("FunctionName", "")
+        runtime = details.get("Runtime", "")
+
+        name = f"Lambda: {function_name}"
+        if runtime:
+            name += f" ({runtime})"
+
+        description = f"AWS Lambda Function {function_name}"
+
+        # Create console URI
+        uri = f"https://console.aws.amazon.com/lambda/home?region={region}#/functions/{function_name}"
+
+        return IntegrationAsset(
+            name=name,
+            identifier=function_name,
+            asset_type=regscale_models.AssetType.Other,  # Lambda functions are serverless, closest to Other
+            asset_category=regscale_models.AssetCategory.Software,
+            component_type=regscale_models.ComponentType.Software,
+            component_names=["Lambda Functions"],
+            parent_id=self.plan_id,
+            parent_module="securityplans",
+            status=regscale_models.AssetStatus.Active,
+            description=description,
+            location=region,
+            notes=f"AWS Lambda Function - {runtime}",
+            software_name=runtime,
+            manufacturer="AWS",
+            aws_identifier=function_name,
+            uri=uri,
+            source_data=resource,
+            is_virtual=True,
+        )
+
+    def _parse_ecr_repository_resource(self, resource: dict, finding: dict) -> IntegrationAsset:
+        """Parse AWS ECR Repository resource to IntegrationAsset."""
+        details = resource.get("Details", {}).get("AwsEcrRepository", {})
+        resource_id = resource.get("Id", "")
+        region = resource.get("Region", "us-east-1")
+
+        repo_name = self.extract_name_from_arn(resource_id) or details.get("RepositoryName", "")
+
+        name = f"ECR Repository: {repo_name}"
+        description = f"AWS ECR Container Repository {repo_name}"
+
+        # Create console URI
+        uri = f"https://console.aws.amazon.com/ecr/repositories/{repo_name}?region={region}"
+
+        return IntegrationAsset(
+            name=name,
+            identifier=repo_name,
+            asset_type=regscale_models.AssetType.Other,  # ECR repositories are container registries
+            asset_category=regscale_models.AssetCategory.Software,
+            component_type=regscale_models.ComponentType.Software,
+            component_names=["ECR Repositories"],
+            parent_id=self.plan_id,
+            parent_module="securityplans",
+            status=regscale_models.AssetStatus.Active,
+            description=description,
+            location=region,
+            notes="AWS ECR Container Repository",
+            manufacturer="AWS",
+            aws_identifier=repo_name,
+            uri=uri,
+            source_data=resource,
+            is_virtual=True,
+        )
+
+    def _parse_generic_resource(self, resource: dict) -> IntegrationAsset:
+        """Parse generic AWS resource to IntegrationAsset."""
+        resource_type = resource.get("Type", "Unknown")
+        resource_id = resource.get("Id", "")
+        region = resource.get("Region", "us-east-1")
+
+        identifier = self.extract_name_from_arn(resource_id) or resource_id
+
+        name = f"{resource_type}: {identifier}"
+        description = f"AWS {resource_type} {identifier}"
+
+        return IntegrationAsset(
+            name=name,
+            identifier=identifier,
+            asset_type=regscale_models.AssetType.Other,
+            asset_category=regscale_models.AssetCategory.Software,
+            component_type=regscale_models.ComponentType.Software,
+            component_names=[f"{resource_type}s"],
+            parent_id=self.plan_id,
+            parent_module="securityplans",
+            status=regscale_models.AssetStatus.Active,
+            description=description,
+            location=region,
+            notes=f"AWS {resource_type}",
+            manufacturer="AWS",
+            aws_identifier=identifier,
+            source_data=resource,
+            is_virtual=True,
+        )