regscale-cli 6.27.3.0__py3-none-any.whl → 6.28.1.0__py3-none-any.whl

regscale/integrations/commercial/aws/scanner.py

@@ -7,9 +7,10 @@ import time
 from typing import Any, Dict, Iterator, List, Optional, Tuple
 
 from regscale.core.utils.date import date_str, datetime_str
-from regscale.integrations.commercial.amazon.common import (
+from regscale.integrations.commercial.amazon.amazon.common import (
     check_finding_severity,
     determine_status_and_results,
+    fetch_aws_findings,
     get_comments,
     get_due_date,
 )
@@ -36,7 +37,9 @@ class AWSInventoryIntegration(ScannerIntegration):
 
     title = "AWS"
     asset_identifier_field = "awsIdentifier"
-    issue_identifier_field = "awsIdentifier"
+    issue_identifier_field = ""  # Use default otherIdentifier - awsIdentifier doesn't exist on Issue model
+    suppress_asset_not_found_errors = True  # Suppress asset not found errors for AWS findings
+    enable_cci_mapping = False  # AWS findings don't use CCI references
     finding_severity_map = {
         "CRITICAL": regscale_models.IssueSeverity.High,
         "HIGH": regscale_models.IssueSeverity.High,
@@ -57,6 +60,8 @@ class AWSInventoryIntegration(ScannerIntegration):
         :param int plan_id: The RegScale plan ID
         """
         super().__init__(plan_id=plan_id, kwargs=kwargs)
+        # Override parent's default - suppress asset not found errors for AWS
+        self.suppress_asset_not_found_errors = True
         self.collector: Optional[AWSInventoryCollector] = None
         self.discovered_assets: List[IntegrationAsset] = []
         self.processed_asset_identifiers: set = set()  # Track processed assets to avoid duplicates
@@ -67,20 +72,30 @@ class AWSInventoryIntegration(ScannerIntegration):
         aws_secret_access_key: Optional[str],
         region: str = os.getenv("AWS_REGION", "us-east-1"),
         aws_session_token: Optional[str] = os.getenv("AWS_SESSION_TOKEN"),
+        profile: Optional[str] = None,
+        account_id: Optional[str] = None,
+        tags: Optional[Dict[str, str]] = None,
     ) -> None:
         """
         Authenticate with AWS and initialize the inventory collector.
 
-        :param str aws_access_key_id: Optional AWS access key ID
-        :param str aws_secret_access_key: Optional AWS secret access key
+        :param str aws_access_key_id: Optional AWS access key ID (overrides profile)
+        :param str aws_secret_access_key: Optional AWS secret access key (overrides profile)
         :param str region: AWS region to collect inventory from
-        :param str aws_session_token: Optional AWS session ID
+        :param str aws_session_token: Optional AWS session token (overrides profile)
+        :param str profile: Optional AWS profile name from ~/.aws/credentials
+        :param str account_id: Optional AWS account ID to filter resources
+        :param dict tags: Optional dictionary of tag key-value pairs to filter resources
         """
         self.collector = AWSInventoryCollector(
             region=region,
+            profile=profile,
             aws_access_key_id=aws_access_key_id,
             aws_secret_access_key=aws_secret_access_key,
             aws_session_token=aws_session_token,
+            account_id=account_id,
+            tags=tags,
+            collect_findings=False,  # Disable findings collection for asset-only sync
         )
 
     def fetch_aws_data_if_needed(
@@ -89,29 +104,43 @@ class AWSInventoryIntegration(ScannerIntegration):
         aws_access_key_id: Optional[str],
         aws_secret_access_key: Optional[str],
         aws_session_token: Optional[str] = None,
+        profile: Optional[str] = None,
+        account_id: Optional[str] = None,
+        tags: Optional[Dict[str, str]] = None,
+        force_refresh: bool = False,
     ) -> Dict[str, Any]:
         """
         Fetch AWS inventory data, using cached data if available and not expired.
 
         :param str region: AWS region to collect inventory from
-        :param str aws_access_key_id: Optional AWS access key ID
-        :param str aws_secret_access_key: Optional AWS secret access key
-        :param str aws_session_token: Optional AWS session ID
+        :param str aws_access_key_id: Optional AWS access key ID (overrides profile)
+        :param str aws_secret_access_key: Optional AWS secret access key (overrides profile)
+        :param str aws_session_token: Optional AWS session token (overrides profile)
+        :param str profile: Optional AWS profile name from ~/.aws/credentials
+        :param str account_id: Optional AWS account ID to filter resources
+        :param dict tags: Optional dictionary of tag key-value pairs to filter resources
+        :param bool force_refresh: Force refresh inventory data, ignoring cache
         :return: Dictionary containing AWS inventory data
         :rtype: Dict[str, Any]
         """
         from regscale.models import DateTimeEncoder
 
-        # Check if we have cached data that's still valid
-        if os.path.exists(INVENTORY_FILE_PATH):
+        # Check if we have cached data that's still valid (unless force_refresh is True)
+        if not force_refresh and os.path.exists(INVENTORY_FILE_PATH):
             file_age = time.time() - os.path.getmtime(INVENTORY_FILE_PATH)
             if file_age < CACHE_TTL_SECONDS:
+                logger.info(f"Using cached AWS inventory data (age: {int(file_age / 60)} minutes)")
                 with open(INVENTORY_FILE_PATH, "r", encoding="utf-8") as file:
                     return json.load(file)
 
+        if force_refresh and os.path.exists(INVENTORY_FILE_PATH):
+            logger.info("Force refresh enabled - ignoring cached inventory data")
+
         # No valid cache, need to fetch new data
         if not self.collector:
-            self.authenticate(aws_access_key_id, aws_secret_access_key, region, aws_session_token)
+            self.authenticate(
+                aws_access_key_id, aws_secret_access_key, region, aws_session_token, profile, account_id, tags
+            )
 
         if not self.collector:
             raise RuntimeError("Failed to initialize AWS inventory collector")
@@ -138,17 +167,11 @@ class AWSInventoryIntegration(ScannerIntegration):
         :yield: Iterator[IntegrationAsset]
         """
         for asset in assets:
-            if not isinstance(asset, dict) and asset not in ["Users", "Roles"]:
+            if not isinstance(asset, dict):
                 logger.warning(f"Skipping {asset_type} due to invalid data format: {asset}")
                 continue
             try:
-                if asset in ["Users", "Roles"]:
-                    for user in assets[asset]:
-                        self.num_assets_to_process += 1
-                        yield parser_method(user)
-                else:
-                    self.num_assets_to_process += 1
-                    yield parser_method(asset)
+                yield parser_method(asset)
             except Exception as e:
                 logger.error(f"Error parsing {asset_type} {asset}: {str(e)}", exc_info=True)
 
@@ -164,7 +187,14 @@ class AWSInventoryIntegration(ScannerIntegration):
         :param callable parser_method: Method to parse the asset
         :yield: Iterator[IntegrationAsset]
         """
-        assets = inventory.get(section_key, [])
+        section_data = inventory.get(section_key, [])
+
+        # Handle special case for IAM - need to extract Roles list from IAM dict
+        if section_key == "IAM" and isinstance(section_data, dict):
+            assets = section_data.get(asset_type, [])
+        else:
+            assets = section_data
+
         yield from self._process_asset_collection(assets, asset_type, parser_method)
 
     def get_asset_configs(self) -> List[Tuple[str, str, callable]]:
@@ -192,17 +222,34 @@ class AWSInventoryIntegration(ScannerIntegration):
         aws_access_key_id: Optional[str] = None,
         aws_secret_access_key: Optional[str] = None,
         aws_session_token: Optional[str] = None,
+        profile: Optional[str] = None,
+        account_id: Optional[str] = None,
+        tags: Optional[Dict[str, str]] = None,
+        force_refresh: bool = False,
     ) -> Iterator[IntegrationAsset]:
         """
         Fetch AWS assets from the inventory.
 
         :param str region: AWS region to collect inventory from
-        :param str aws_access_key_id: Optional AWS access key ID
-        :param str aws_secret_access_key: Optional AWS secret access key
-        :param str aws_session_token: Optional AWS session ID
+        :param str aws_access_key_id: Optional AWS access key ID (overrides profile)
+        :param str aws_secret_access_key: Optional AWS secret access key (overrides profile)
+        :param str aws_session_token: Optional AWS session token (overrides profile)
+        :param str profile: Optional AWS profile name from ~/.aws/credentials
+        :param str account_id: Optional AWS account ID to filter resources
+        :param dict tags: Optional dictionary of tag key-value pairs to filter resources
+        :param bool force_refresh: Force refresh inventory data, ignoring cache
         :yield: Iterator[IntegrationAsset]
         """
-        inventory = self.fetch_aws_data_if_needed(region, aws_access_key_id, aws_secret_access_key, aws_session_token)
+        inventory = self.fetch_aws_data_if_needed(
+            region,
+            aws_access_key_id,
+            aws_secret_access_key,
+            aws_session_token,
+            profile,
+            account_id,
+            tags,
+            force_refresh,
+        )
         # Process each asset type using the corresponding parser
         asset_configs = self.get_asset_configs()
 
@@ -211,6 +258,91 @@ class AWSInventoryIntegration(ScannerIntegration):
         for section_key, asset_type, parser_method in asset_configs:
             yield from self._process_inventory_section(inventory, section_key, asset_type, parser_method)
 
+    def _calculate_ec2_storage(self, instance: Dict[str, Any]) -> int:
+        """
+        Calculate total storage from EC2 block devices.
+
+        :param Dict[str, Any] instance: The EC2 instance data
+        :return: Total storage in GB
+        :rtype: int
+        """
+        total_storage = 0
+        for device in instance.get("BlockDeviceMappings", []):
+            if "Ebs" in device:
+                # Note: We need to add a call to describe_volumes to get actual size
+                total_storage += 8  # Default to 8 GB if size unknown
+        return total_storage
+
+    def _determine_ec2_asset_type(
+        self, image_name: str, platform: Optional[str]
+    ) -> tuple[Any, Any, Any, Any, list[str]]:
+        """
+        Determine EC2 asset type, category, component type, and names based on image and platform.
+
+        :param str image_name: Lowercase image name
+        :param Optional[str] platform: Platform type (e.g., 'windows')
+        :return: Tuple of (operating_system, asset_type, asset_category, component_type, component_names)
+        :rtype: tuple
+        """
+        # Check for Palo Alto device first
+        if "pa-vm-aws" in image_name:
+            return (
+                regscale_models.AssetOperatingSystem.PaloAlto,
+                regscale_models.AssetType.Appliance,
+                regscale_models.AssetCategory.Hardware,
+                regscale_models.ComponentType.Hardware,
+                ["Palo Alto Networks IDPS"],
+            )
+
+        # Check for Windows platform
+        if platform == "windows":
+            return (
+                regscale_models.AssetOperatingSystem.WindowsServer,
+                regscale_models.AssetType.VM,
+                regscale_models.AssetCategory.Hardware,
+                regscale_models.ComponentType.Hardware,
+                [EC_INSTANCES],
+            )
+
+        # Default to Linux
+        return (
+            regscale_models.AssetOperatingSystem.Linux,
+            regscale_models.AssetType.VM,
+            regscale_models.AssetCategory.Hardware,
+            regscale_models.ComponentType.Hardware,
+            [EC_INSTANCES],
+        )
+
+    def _build_ec2_notes(
+        self, description: str, instance: Dict[str, Any], image_info: Dict[str, Any], cpu_count: int, ram: int
+    ) -> str:
+        """
+        Build detailed notes for EC2 instance.
+
+        :param str description: Instance description
+        :param Dict[str, Any] instance: The EC2 instance data
+        :param Dict[str, Any] image_info: AMI image information
+        :param int cpu_count: Number of vCPUs
+        :param int ram: RAM in GB
+        :return: Formatted notes string
+        :rtype: str
+        """
+        return f"""Description: {description}
+AMI ID: {instance.get('ImageId', '')}
+AMI Description: {image_info.get('Description', '')}
+Architecture: {instance.get('Architecture', '')}
+Root Device Type: {image_info.get('RootDeviceType', '')}
+Virtualization: {image_info.get('VirtualizationType', '')}
+Instance Type: {instance.get('InstanceType', '')}
+vCPUs: {cpu_count}
+RAM: {ram}GB
+State: {instance.get('State')}
+Platform Details: {instance.get('PlatformDetails', 'Linux')}
+Private IP: {instance.get('PrivateIpAddress', 'N/A')}
+Public IP: {instance.get('PublicIpAddress', 'N/A')}
+VPC ID: {instance.get('VpcId', 'N/A')}
+Subnet ID: {instance.get('SubnetId', 'N/A')}"""
+
     def parse_ec2_instance(self, instance: Dict[str, Any]) -> IntegrationAsset:
         """Parse EC2 instance data into an IntegrationAsset.
 
@@ -224,15 +356,8 @@ class AWSInventoryIntegration(ScannerIntegration):
         )
         name = instance_name
 
-        # Calculate total storage from block devices
-        total_storage = 0
-        for device in instance.get("BlockDeviceMappings", []):
-            if "Ebs" in device:
-                # Note: We need to add a call to describe_volumes to get actual size
-                total_storage += 8  # Default to 8 GB if size unknown
-
-        # Calculate RAM based on instance type
-        # This would need a mapping of instance types to RAM
+        # Calculate resources
+        total_storage = self._calculate_ec2_storage(instance)
         ram = 16  # Default to 16 GB for c5.2xlarge
 
         # Get CPU info
@@ -246,26 +371,10 @@ class AWSInventoryIntegration(ScannerIntegration):
         image_info = instance.get("ImageInfo", {})
         image_name = image_info.get("Name", "").lower()
 
-        # Check for Palo Alto device first
-        if "pa-vm-aws" in image_name:
-            operating_system = regscale_models.AssetOperatingSystem.PaloAlto
-            # Also update the asset type to reflect it's a network security device
-            asset_type = regscale_models.AssetType.Appliance
-            asset_category = regscale_models.AssetCategory.Hardware
-            component_type = regscale_models.ComponentType.Hardware
-            component_names = ["Palo Alto Networks IDPS"]
-        elif instance.get("Platform") == "windows":
-            operating_system = regscale_models.AssetOperatingSystem.WindowsServer
-            asset_type = regscale_models.AssetType.VM
-            asset_category = regscale_models.AssetCategory.Hardware
-            component_type = regscale_models.ComponentType.Hardware
-            component_names = [EC_INSTANCES]
-        else:
-            operating_system = regscale_models.AssetOperatingSystem.Linux
-            asset_type = regscale_models.AssetType.VM
-            asset_category = regscale_models.AssetCategory.Hardware
-            component_type = regscale_models.ComponentType.Hardware
-            component_names = [EC_INSTANCES]
+        # Determine asset type and OS
+        operating_system, asset_type, asset_category, component_type, component_names = self._determine_ec2_asset_type(
+            image_name, instance.get("Platform")
+        )
 
         os_version = image_info.get("Description", "")
 
@@ -280,29 +389,21 @@ class AWSInventoryIntegration(ScannerIntegration):
         # Create description
         description = f"{instance_name} - {instance.get('PlatformDetails', 'Linux')} instance running on {instance.get('InstanceType', '')} with {cpu_count} vCPUs and {ram}GB RAM"
 
-        # Build notes with additional details
-        notes = f"""Description: {description}
-AMI ID: {instance.get('ImageId', '')}
-AMI Description: {image_info.get('Description', '')}
-Architecture: {instance.get('Architecture', '')}
-Root Device Type: {image_info.get('RootDeviceType', '')}
-Virtualization: {image_info.get('VirtualizationType', '')}
-Instance Type: {instance.get('InstanceType', '')}
-vCPUs: {cpu_count}
-RAM: {ram}GB
-State: {instance.get('State')}
-Platform Details: {instance.get('PlatformDetails', 'Linux')}
-Private IP: {instance.get('PrivateIpAddress', 'N/A')}
-Public IP: {instance.get('PublicIpAddress', 'N/A')}
-VPC ID: {instance.get('VpcId', 'N/A')}
-Subnet ID: {instance.get('SubnetId', 'N/A')}"""
+        # Build notes
+        notes = self._build_ec2_notes(description, instance, image_info, cpu_count, ram)
+
+        # Build full ARN for EC2 instance: arn:aws:ec2:region:account-id:instance/instance-id
+        instance_id = instance.get("InstanceId", "")
+        region = instance.get("Region", "us-east-1")
+        account_id = instance.get("OwnerId", "")
+        instance_arn = f"arn:aws:ec2:{region}:{account_id}:instance/{instance_id}"
 
         # Create URI for AWS Console link
-        uri = f"https://console.aws.amazon.com/ec2/v2/home?region={instance.get('Region', 'us-east-1')}#InstanceDetails:instanceId={instance.get('InstanceId', '')}"
+        uri = f"https://console.aws.amazon.com/ec2/v2/home?region={region}#InstanceDetails:instanceId={instance_id}"
 
         return IntegrationAsset(
             name=name,
-            identifier=instance.get("InstanceId", ""),
+            identifier=instance_arn,
             asset_type=asset_type,
             asset_category=asset_category,
             component_type=component_type,
@@ -322,12 +423,12 @@ Subnet ID: {instance.get('SubnetId', 'N/A')}"""
             ram=ram,
             operating_system=operating_system,
             os_version=os_version,
-            location=instance.get("Region", "us-east-1"),
+            location=region,
             notes=notes,
             model=instance.get("InstanceType"),
             manufacturer="AWS",
             is_public_facing=is_public_facing,
-            aws_identifier=instance.get("InstanceId"),
+            aws_identifier=instance_arn,  # Use full ARN for asset matching with findings
             vlan_id=instance.get("SubnetId"),
             uri=uri,
             source_data=instance,
@@ -368,7 +469,7 @@ Description: {description if isinstance(description, str) else ''}"""
         return IntegrationAsset(
             # Required fields
             name=name,
-            identifier=str(function.get("FunctionName", "")),
+            identifier=str(function.get("FunctionArn", "")),
             asset_type=regscale_models.AssetType.Other,
             asset_category=regscale_models.AssetCategory.Software,
             component_type=regscale_models.ComponentType.Software,
@@ -447,11 +548,11 @@ Description: {description if isinstance(description, str) else ''}"""
         :rtype: IntegrationAsset
         """
         name = bucket.get("Name", "")
-
+        arn = f"arn:aws:s3:::{bucket.get('Name')}"
         return IntegrationAsset(
             # Required fields
             name=name,
-            identifier=str(bucket.get("Name", "")),
+            identifier=arn,
             asset_type=regscale_models.AssetType.Other,
             asset_category=regscale_models.AssetCategory.Hardware,
             component_type=regscale_models.ComponentType.Hardware,
@@ -464,7 +565,7 @@ Description: {description if isinstance(description, str) else ''}"""
             location=bucket.get("Region"),
             # Cloud identifiers
             external_id=bucket.get("Name"),
-            aws_identifier=f"arn:aws:s3:::{bucket.get('Name')}",
+            aws_identifier=arn,
             uri=f"https://{bucket.get('Name')}.s3.amazonaws.com",
             # Additional metadata
             manufacturer="AWS",
@@ -491,7 +592,7 @@ Description: {description if isinstance(description, str) else ''}"""
         return IntegrationAsset(
             # Required fields
             name=name,
-            identifier=str(db.get("DBInstanceIdentifier", "")),
+            identifier=str(db.get("DBInstanceArn", "")),
             asset_type=regscale_models.AssetType.VM,
             asset_category=regscale_models.AssetCategory.Hardware,
             component_type=regscale_models.ComponentType.Hardware,
@@ -539,7 +640,7 @@ Description: {description if isinstance(description, str) else ''}"""
         return IntegrationAsset(
             # Required fields
             name=name,
-            identifier=str(table.get("TableName", "")),
+            identifier=str(table.get("TableArn", "")),
             asset_type=regscale_models.AssetType.Other,
             asset_category=regscale_models.AssetCategory.Software,
             component_type=regscale_models.ComponentType.Software,
@@ -578,10 +679,16 @@ Description: {description if isinstance(description, str) else ''}"""
         if vpc.get("IsDefault"):
             notes = "Default VPC\n" + notes
 
+        # Build full ARN for VPC: arn:aws:ec2:region:account-id:vpc/vpc-id
+        vpc_id = vpc.get("VpcId", "")
+        region = vpc.get("Region", "us-east-1")
+        account_id = vpc.get("OwnerId", "")
+        vpc_arn = f"arn:aws:ec2:{region}:{account_id}:vpc/{vpc_id}"
+
         return IntegrationAsset(
             # Required fields
             name=name,
-            identifier=str(vpc.get("VpcId", "")),
+            identifier=vpc_arn,
             asset_type=regscale_models.AssetType.NetworkRouter,
             asset_category=regscale_models.AssetCategory.Hardware,
             component_type=regscale_models.ComponentType.Hardware,
@@ -595,12 +702,12 @@ Description: {description if isinstance(description, str) else ''}"""
                 if vpc.get("State") == "available"
                 else regscale_models.AssetStatus.Inactive
             ),
-            location=vpc.get("Region"),
+            location=region,
             # Network information
-            vlan_id=vpc.get("VpcId"),
+            vlan_id=vpc_id,
             # Cloud identifiers
-            external_id=vpc.get("VpcId"),
-            aws_identifier=vpc.get("VpcId"),
+            external_id=vpc_id,
+            aws_identifier=vpc_arn,  # Use full ARN for asset matching with findings
             # Additional metadata
             manufacturer="AWS",
             notes=f"CIDR: {vpc.get('CidrBlock')}",
@@ -623,7 +730,7 @@ Description: {description if isinstance(description, str) else ''}"""
         return IntegrationAsset(
             # Required fields
             name=name,
-            identifier=str(lb.get("LoadBalancerName", "")),
+            identifier=lb.get("LoadBalancerArn"),
             asset_type=regscale_models.AssetType.NetworkRouter,
             asset_category=regscale_models.AssetCategory.Hardware,
             component_type=regscale_models.ComponentType.Hardware,
@@ -673,7 +780,7 @@ Description: {description if isinstance(description, str) else ''}"""
         return IntegrationAsset(
             # Required fields
             name=name,
-            identifier=str(repo.get("RepositoryName", "")),
+            identifier=str(repo.get("RepositoryArn", "")),
             asset_type=regscale_models.AssetType.Other,
             asset_category=regscale_models.AssetCategory.Software,
             component_type=regscale_models.ComponentType.Software,
@@ -693,6 +800,94 @@ Description: {description if isinstance(description, str) else ''}"""
             source_data=repo,
         )
 
+    def _validate_aws_credentials(
+        self,
+        profile: Optional[str],
+        aws_secret_key_id: Optional[str],
+        aws_secret_access_key: Optional[str],
+        region: Optional[str],
+    ) -> None:
+        """
+        Validate AWS credentials and region are provided.
+
+        :param profile: AWS profile name
+        :param aws_secret_key_id: AWS access key ID
+        :param aws_secret_access_key: AWS secret access key
+        :param region: AWS region
+        :raises ValueError: If credentials are not provided
+        """
+        if not profile and (not aws_secret_key_id or not aws_secret_access_key):
+            raise ValueError(
+                "AWS Profile or Access Credentials are required.\nPlease provide --profile or set environment "
+                "variables (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY) or pass as arguments."
+            )
+        if not region:
+            logger.warning("AWS region not provided. Defaulting to 'us-east-1'.")
+
+    def _get_severity_config(self) -> Optional[str]:
+        """
+        Get minimum severity from config.
+
+        :return: Minimum severity or None
+        :rtype: Optional[str]
+        """
+        try:
+            minimum_severity = self.app.config.get("issues", {}).get("amazon", {}).get("minimumSeverity")
+            if minimum_severity:
+                logger.info(f"Using minimumSeverity from config: {minimum_severity}")
+            return minimum_severity
+        except (KeyError, AttributeError):
+            logger.debug("No minimumSeverity configured, fetching all findings")
+            return None
+
+    def _get_posture_management_config(self) -> bool:
+        """
+        Get posture management only setting from config.
+
+        :return: Posture management only setting (defaults to True)
+        :rtype: bool
+        """
+        try:
+            posture_management_only = (
+                self.app.config.get("issues", {}).get("amazon", {}).get("postureManagementOnly", True)
+            )
+            if posture_management_only:
+                logger.info("Fetching posture management findings only (security standards compliance checks)")
+            else:
+                logger.info("Fetching all Security Hub findings (including non-compliance findings)")
+            return posture_management_only
+        except (KeyError, AttributeError):
+            logger.debug("No postureManagementOnly configured, defaulting to True")
+            return True
+
+    def _create_aws_session(
+        self,
+        aws_secret_key_id: Optional[str],
+        aws_secret_access_key: Optional[str],
+        region: str,
+        profile: Optional[str],
+        **kwargs,
+    ):
+        """
+        Create AWS session with profile or explicit credentials.
+
+        :param aws_secret_key_id: AWS access key ID
+        :param aws_secret_access_key: AWS secret access key
+        :param region: AWS region
+        :param profile: AWS profile name
+        :return: Boto3 session
+        """
+        import boto3
+
+        if aws_secret_key_id or aws_secret_access_key:
+            return boto3.Session(
+                region_name=region,
+                aws_access_key_id=aws_secret_key_id,
+                aws_secret_access_key=aws_secret_access_key,
+                aws_session_token=kwargs.get("aws_session_token"),
+            )
+        return boto3.Session(profile_name=profile, region_name=region)
+
     def fetch_findings(self, *args, **kwargs) -> Iterator[IntegrationFinding]:
         """
         Fetch security findings from AWS Security Hub.
@@ -700,42 +895,35 @@ Description: {description if isinstance(description, str) else ''}"""
 
         :yield: Iterator[IntegrationFinding]
         """
-        import boto3
-
-        from regscale.integrations.commercial.amazon.common import fetch_aws_findings
-
         aws_secret_key_id = kwargs.get("aws_access_key_id") or os.getenv("AWS_ACCESS_KEY_ID")
         aws_secret_access_key = kwargs.get("aws_secret_access_key") or os.getenv("AWS_SECRET_ACCESS_KEY")
-        region = kwargs.get("region") or os.getenv("AWS_REGION")
+        region = kwargs.get("region") or os.getenv("AWS_REGION", "us-east-1")
         profile = kwargs.get("profile")
 
-        # Profile or credentials required
-        if not profile and (not aws_secret_key_id or not aws_secret_access_key):
-            raise ValueError(
-                "AWS Access Key ID and Secret Access Key are required.\nPlease update in environment "
-                "variables (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY) or pass as arguments."
-            )
-        if not region:
-            logger.warning("AWS region not provided. Defaulting to 'us-east-1'.")
-            region = "us-east-1"
-        session = boto3.Session(
-            region_name=region,
-            aws_access_key_id=aws_secret_key_id,
-            aws_secret_access_key=aws_secret_access_key,
-            aws_session_token=kwargs.get("aws_session_token"),
-        )
+        self._validate_aws_credentials(profile, aws_secret_key_id, aws_secret_access_key, region)
+
+        minimum_severity = self._get_severity_config()
+        posture_management_only = self._get_posture_management_config()
+
+        # Create a copy of kwargs excluding parameters we're passing explicitly
+        session_kwargs = {
+            k: v
+            for k, v in kwargs.items()
+            if k not in ("aws_access_key_id", "aws_secret_access_key", "region", "profile")
+        }
+        session = self._create_aws_session(aws_secret_key_id, aws_secret_access_key, region, profile, **session_kwargs)
         client = session.client("securityhub")
-        aws_findings = fetch_aws_findings(aws_client=client)
-        # Note: Resources are extracted directly from findings, so separate resource fetch not needed
-        # Reset discovered assets for this run
+
+        aws_findings = fetch_aws_findings(
+            aws_client=client, minimum_severity=minimum_severity, posture_management_only=posture_management_only
+        )
+
         self.discovered_assets.clear()
         self.processed_asset_identifiers.clear()
 
-        self.num_findings_to_process = len(aws_findings)
         for finding in aws_findings:
             yield from iter(self.parse_finding(finding))
 
-        # Log discovered assets count
         if self.discovered_assets:
             logger.info(f"Discovered {len(self.discovered_assets)} assets from Security Hub findings")
 
@@ -758,34 +946,109 @@ Description: {description if isinstance(description, str) else ''}"""
         :return: Tuple of (findings_processed, assets_processed)
         :rtype: tuple[int, int]
         """
+        from regscale.core.app.utils.app_utils import create_progress_object
+
         logger.info("Starting AWS Security Hub findings and assets sync...")
 
-        # First, fetch findings to discover assets (but don't sync findings yet)
-        logger.info("Discovering assets from AWS Security Hub findings...")
+        # Create progress bar context for the entire operation
+        with create_progress_object() as progress:
+            # Store progress object for use by nested methods
+            self.finding_progress = progress
 
-        # Reset discovered assets for this run
-        self.discovered_assets.clear()
-        self.processed_asset_identifiers.clear()
+            # First, fetch findings to discover assets (but don't sync findings yet)
+            logger.info("Discovering assets from AWS Security Hub findings...")
 
-        # Fetch findings to discover assets - store them to avoid re-fetching
-        findings_list = list(self.fetch_findings(**kwargs))
+            # Reset discovered assets for this run
+            self.discovered_assets.clear()
+            self.processed_asset_identifiers.clear()
 
-        # Sync the discovered assets first
-        if self.discovered_assets:
-            logger.info(f"Creating {len(self.discovered_assets)} assets discovered from findings...")
-            self.num_assets_to_process = len(self.discovered_assets)
-            assets_processed = self.update_regscale_assets(self.get_discovered_assets())
-            logger.info(f"Successfully created {assets_processed} assets")
-        else:
-            logger.info("No assets discovered from findings")
-            assets_processed = 0
+            # Fetch findings to discover assets - store them to avoid re-fetching
+            findings_list = list(self.fetch_findings(**kwargs))
 
-        # Now process the findings we already fetched (avoid double-fetching)
-        logger.info("Now syncing findings with created assets...")
-        findings_processed = self.update_regscale_findings(findings_list)
+            # Sync the discovered assets first
+            if self.discovered_assets:
+                logger.info(f"Creating {len(self.discovered_assets)} assets discovered from findings...")
+                self.num_assets_to_process = len(self.discovered_assets)
+                assets_processed = self.update_regscale_assets(self.get_discovered_assets())
+                logger.info(f"Successfully created {assets_processed} assets")
+            else:
+                logger.info("No assets discovered from findings")
+                assets_processed = 0
+
+            # Now process the findings we already fetched (avoid double-fetching)
+            logger.info("Now syncing findings with created assets...")
+            findings_processed = self.update_regscale_findings(findings_list)
+
+            # Log completion summary
+            logger.info(
+                f"AWS Security Hub sync completed successfully: {findings_processed} findings processed, {assets_processed} assets created"
+            )
 
         return findings_processed, assets_processed
 
+    @classmethod
+    def sync_findings(cls, plan_id: int, **kwargs) -> int:
+        """
+        Sync AWS Security Hub findings to RegScale.
+
+        :param int plan_id: The RegScale plan ID
+        :param kwargs: Additional keyword arguments including:
+            - region (str): AWS region
+            - profile (Optional[str]): AWS profile name
+            - aws_access_key_id (Optional[str]): AWS access key ID
+            - aws_secret_access_key (Optional[str]): AWS secret access key
+            - aws_session_token (Optional[str]): AWS session token
+            - account_id (Optional[str]): AWS account ID to filter by
+            - tags (Optional[Dict[str, str]]): Tags to filter by
+            - import_all_findings (bool): Import all findings even without matching assets
+        :return: Number of findings processed
+        :rtype: int
+        """
+        # Extract parameters from kwargs
+        region = kwargs.get("region", "us-east-1")
+        profile = kwargs.get("profile")
+        aws_access_key_id = kwargs.get("aws_access_key_id")
+        aws_secret_access_key = kwargs.get("aws_secret_access_key")
+        aws_session_token = kwargs.get("aws_session_token")
+        account_id = kwargs.get("account_id")
+        tags = kwargs.get("tags")
+        import_all_findings = kwargs.get("import_all_findings", False)
+
+        instance = cls(plan_id=plan_id, import_all_findings=import_all_findings)
+        instance.authenticate(
+            aws_access_key_id=aws_access_key_id,
+            aws_secret_access_key=aws_secret_access_key,
+            region=region,
+            aws_session_token=aws_session_token,
+            profile=profile,
+            account_id=account_id,
+            tags=tags,
+        )
+
+        # Load assets first
+        logger.info("Loading asset map from RegScale...")
+        instance.asset_map_by_identifier.update(instance.get_asset_map())
+
+        # Fetch and sync findings
+        logger.info("Fetching and syncing AWS Security Hub findings...")
+        findings = list(
+            instance.fetch_findings(
+                profile=profile,
+                aws_access_key_id=aws_access_key_id,
+                aws_secret_access_key=aws_secret_access_key,
+                aws_session_token=aws_session_token,
+                region=region,
+                account_id=account_id,
+                tags=tags,
+            )
+        )
+
+        # Use progress bar context for findings processing
+        with instance.finding_progress:
+            findings_processed = instance.update_regscale_findings(findings)
+
+        return findings_processed
+
     def get_configured_issue_status(self) -> IssueStatus:
         """
         Get the configured issue status from the configuration.
@@ -843,6 +1106,70 @@ Description: {description if isinstance(description, str) else ''}"""
 
         return should_process
 
+    def is_service_enabled_for_resource(self, resource_type: str) -> bool:
+        """
+        Check if the AWS service for a given resource type is enabled in config.
+
+        :param str resource_type: AWS resource type (e.g., 'AwsEc2Instance', 'AwsS3Bucket')
+        :return: True if the service is enabled or config not found, False otherwise
+        :rtype: bool
+        """
+        # Map resource types to service configuration keys
+        resource_to_service_map = {
+            "AwsEc2Instance": ("compute", "ec2"),
+            "AwsEc2SecurityGroup": ("security", "securityhub"),
+            "AwsEc2Subnet": ("networking", "vpc"),
+            "AwsS3Bucket": ("storage", "s3"),
+            "AwsRdsDbInstance": ("database", "rds"),
+            "AwsLambdaFunction": ("compute", "lambda"),
+            "AwsEcrRepository": ("containers", "ecr"),
+            "AwsIamUser": ("security", "iam"),
+            "AwsIamRole": ("security", "iam"),
+            "AwsDynamoDbTable": ("database", "dynamodb"),
+            "AwsKmsKey": ("security", "kms"),
+            "AwsSecretsManagerSecret": ("security", "secrets_manager"),
+            "AwsCloudTrailTrail": ("security", "cloudtrail"),
+            "AwsConfigConfigurationRecorder": ("security", "config"),
+            "AwsGuardDutyDetector": ("security", "guardduty"),
+            "AwsInspector2": ("security", "inspector"),
+            "AwsAuditManagerAssessment": ("security", "audit_manager"),
+        }
+
+        try:
+            # Get the service category and service name for this resource type
+            service_info = resource_to_service_map.get(resource_type)
+            if not service_info:
+                # If resource type not in map, allow it by default (don't filter unknowns)
+                logger.debug(f"Resource type '{resource_type}' not in service map, allowing by default")
+                return True
+
+            category, service_name = service_info
+
+            # Check if the service is enabled in config
+            enabled_services = self.app.config.get("aws", {}).get("inventory", {}).get("enabled_services", {})
+
+            # Check if category is enabled
+            category_config = enabled_services.get(category, {})
+            if not category_config.get("enabled", True):
+                logger.debug(f"Service category '{category}' is disabled, filtering resource type '{resource_type}'")
+                return False
+
+            # Check if specific service is enabled
+            services = category_config.get("services", {})
+            is_enabled = services.get(service_name, True)
+
+            if not is_enabled:
+                logger.debug(
+                    f"Service '{service_name}' in category '{category}' is disabled, filtering resource type '{resource_type}'"
+                )
+
+            return is_enabled
+
+        except (KeyError, AttributeError) as e:
+            # If config not found or malformed, allow by default (don't filter)
+            logger.debug(f"Could not check service enablement for '{resource_type}': {e}. Allowing by default.")
+            return True
+
     @staticmethod
     def get_baseline(resource: dict) -> str:
         """
@@ -880,6 +1207,306 @@ Description: {description if isinstance(description, str) else ''}"""
             except IndexError:
                 return None
 
+    def _discover_asset_from_resource(self, resource: dict, finding: dict) -> None:
+        """
+        Discover and track asset from finding resource.
+
+        :param dict resource: AWS Security Hub resource
+        :param dict finding: AWS Security Hub finding
+        """
+        asset = self.parse_resource_to_asset(resource, finding)
+        if asset and asset.identifier not in self.processed_asset_identifiers:
+            self.discovered_assets.append(asset)
+            self.processed_asset_identifiers.add(asset.identifier)
+            logger.debug(f"Discovered asset from finding: {asset.name} ({asset.identifier})")
+
+    def _get_friendly_severity(self, severity: str) -> str:
+        """
+        Convert severity level to friendly name.
+
+        :param str severity: Raw severity level
+        :return: Friendly severity name (low, moderate, high)
+        :rtype: str
+        """
+        if severity in ["CRITICAL", "HIGH"]:
+            return "high"
+        elif severity in ["MEDIUM", "MODERATE"]:
+            return "moderate"
+        return "low"
+
+    def _get_due_date_for_finding(self, finding: dict, friendly_sev: str) -> str:
+        """
+        Calculate due date for finding based on severity.
+
+        :param dict finding: AWS Security Hub finding
+        :param str friendly_sev: Friendly severity name
+        :return: Due date string
+        :rtype: str
+        """
+        try:
+            days = self.app.config["issues"]["amazon"][friendly_sev]
+        except KeyError:
+            logger.warning("Invalid severity level, defaulting to 30 day due date")
+            days = 30
+        return datetime_str(get_due_date(date_str(finding["CreatedAt"]), days))
+
+    def _construct_plugin_id(self, finding: dict, resource: dict = None) -> tuple[str, str]:
+        """
+        Construct plugin name and ID from finding.
+
+        :param dict finding: AWS Security Hub finding
+        :param dict resource: Optional resource dict for per-resource plugin ID
+        :return: Tuple of (plugin_name, plugin_id)
+        :rtype: tuple[str, str]
+        """
+        plugin_name = next(iter(finding.get("Types", [])), "Unknown")
+        finding_id = finding.get("Id", "")
+
+        # Extract UUID from ARN or full ID
+        if "/" in finding_id:
+            finding_uuid = finding_id.split("/")[-1]
+        else:
+            finding_uuid = finding_id.split(":")[-1]
+
+        # Sanitize plugin name for ID
+        sanitized_name = plugin_name.replace(" ", "_").replace("/", "_").replace(":", "_")
+
+        # If we have multiple resources for this finding, include resource identifier
+        # This ensures proper deduplication when a finding affects multiple resources
+        if resource and len(finding.get("Resources", [])) > 1:
+            resource_id = resource.get("Id", "")
+            # Extract just the resource identifier part from ARN
+            if "/" in resource_id:
+                resource_suffix = resource_id.split("/")[-1]
+            elif ":" in resource_id:
+                resource_suffix = resource_id.split(":")[-1]
+            else:
+                resource_suffix = resource_id
+
+            # Sanitize and append resource suffix
+            resource_suffix = resource_suffix.replace(" ", "_").replace("/", "_").replace(":", "_")
+            plugin_id = f"{sanitized_name}_{finding_uuid}_{resource_suffix}"
+        else:
+            plugin_id = f"{sanitized_name}_{finding_uuid}"
+
+        return plugin_name, plugin_id
+
+    def _extract_cvss_scores(self, cvss_list: list) -> list:
+        """
+        Extract CVSS scores from vulnerability data.
+
+        :param list cvss_list: List of CVSS data
+        :return: List of formatted CVSS score strings
+        :rtype: list
+        """
+        cvss_scores = []
+        for cvss in cvss_list:
+            cvss_version = cvss.get("Version", "")
+            cvss_score = cvss.get("BaseScore", 0)
+            cvss_vector = cvss.get("BaseVector", "")
+            if cvss_score:
+                score_str = f"CVSS{cvss_version}: {cvss_score}"
+                if cvss_vector:
+                    score_str += f" ({cvss_vector})"
+                cvss_scores.append(score_str)
+        return cvss_scores
+
+    def _extract_vendor_info(self, vendor: dict) -> str:
+        """
+        Extract vendor information from vulnerability data.
+
+        :param dict vendor: Vendor data
+        :return: Formatted vendor info string
+        :rtype: str
+        """
+        vendor_name = vendor.get("Name", "")
+        vendor_url = vendor.get("Url", "")
+        if not vendor_name:
+            return ""
+        return f"{vendor_name}: {vendor_url}" if vendor_url else vendor_name
+
+    def _build_package_version_string(self, pkg: dict) -> str:
+        """
+        Build version string from package data.
+
+        :param dict pkg: Package data
+        :return: Formatted version string
+        :rtype: str
+        """
+        pkg_version = pkg.get("Version", "")
+        if not pkg_version:
+            return ""
+
+        version_str = pkg_version
+        if pkg_epoch := pkg.get("Epoch", ""):
+            version_str = f"{pkg_epoch}:{version_str}"
+        if pkg_release := pkg.get("Release", ""):
+            version_str = f"{version_str}-{pkg_release}"
+        if pkg_arch := pkg.get("Architecture", ""):
+            version_str = f"{version_str}.{pkg_arch}"
+        return version_str
+
+    def _extract_package_details(self, pkg: dict) -> str:
+        """
+        Extract package details from vulnerable package data.
+
+        :param dict pkg: Package data
+        :return: Formatted package details string
+        :rtype: str
+        """
+        pkg_details = []
+
+        if pkg_name := pkg.get("Name", ""):
+            pkg_details.append(f"Package: {pkg_name}")
+
+        if version_str := self._build_package_version_string(pkg):
+            pkg_details.append(f"Installed Version: {version_str}")
+
+        if fixed_version := pkg.get("FixedInVersion", ""):
+            pkg_details.append(f"Fixed In: {fixed_version}")
+
+        return " | ".join(pkg_details) if pkg_details else ""
+
+    def _process_vulnerability(self, vuln: dict, cve_data: dict) -> None:
+        """
+        Process a single vulnerability and update CVE data dictionary.
+
+        :param dict vuln: Vulnerability data
+        :param dict cve_data: CVE data dictionary to update
+        """
+        if cve_id := vuln.get("Id", ""):
+            cve_data["cve_ids"].append(cve_id)
+
+        if cvss_list := vuln.get("Cvss", []):
+            cve_data["cvss_scores"].extend(self._extract_cvss_scores(cvss_list))
+
+        if vendor := vuln.get("Vendor", {}):
+            if vendor_info := self._extract_vendor_info(vendor):
+                cve_data["vendor_info"].append(vendor_info)
+
+        if ref_urls := vuln.get("ReferenceUrls", []):
+            cve_data["reference_urls"].extend(ref_urls)
+
+        for pkg in vuln.get("VulnerablePackages", []):
+            if pkg_details := self._extract_package_details(pkg):
+                cve_data["vulnerability_details"].append(pkg_details)
+
+    def _extract_cve_data(self, finding: dict) -> dict:
+        """
+        Extract CVE and vulnerability data from AWS Security Hub finding.
+
+        :param dict finding: AWS Security Hub finding
+        :return: Dictionary with CVE data
+        :rtype: dict
+        """
+        cve_data: dict = {
+            "cve_ids": [],
+            "cvss_scores": [],
+            "vulnerability_details": [],
+            "vendor_info": [],
+            "reference_urls": [],
+        }
+
+        vulnerabilities = finding.get("Vulnerabilities", [])
+        if not vulnerabilities:
+            return cve_data
+
+        for vuln in vulnerabilities:
+            self._process_vulnerability(vuln, cve_data)
+
+        return cve_data
+
+    def _create_integration_finding(
+        self,
+        resource: dict,
+        finding: dict,
+        severity: str,
+        comments: str,
+        status: str,
+        results: str,
+        due_date: str,
+        plugin_name: str,
+        plugin_id: str,
+    ) -> IntegrationFinding:
+        """
+        Create IntegrationFinding from processed finding data.
+
+        :param dict resource: AWS resource from finding
+        :param dict finding: AWS Security Hub finding
+        :param str severity: Severity level
+        :param str comments: Finding comments
+        :param str status: Compliance status
+        :param str results: Test results
+        :param str due_date: Due date string
+        :param str plugin_name: Plugin name
+        :param str plugin_id: Plugin ID
+        :return: Integration finding
+        :rtype: IntegrationFinding
+        """
+        # Extract CVE data from finding
+        cve_data = self._extract_cve_data(finding)
+
+        # Build enhanced comments with CVE information
+        enhanced_comments = comments
+        if cve_data["cve_ids"]:
+            enhanced_comments += f"\n\nCVE IDs: {', '.join(cve_data['cve_ids'])}"
+        if cve_data["cvss_scores"]:
+            enhanced_comments += f"\nCVSS Scores: {'; '.join(cve_data['cvss_scores'])}"
+        if cve_data["vulnerability_details"]:
+            enhanced_comments += "\n\nVulnerable Packages:\n" + "\n".join(
+                f"- {detail}" for detail in cve_data["vulnerability_details"]
+            )
+        if cve_data["vendor_info"]:
+            enhanced_comments += f"\n\nVendor Info: {'; '.join(cve_data['vendor_info'])}"
+        if cve_data["reference_urls"]:
+            enhanced_comments += "\n\nReferences:\n" + "\n".join(
+                f"- {url}" for url in cve_data["reference_urls"][:5]  # Limit to first 5 URLs
+            )
+
+        # Build observations with CVE details
+        observations = enhanced_comments
+
+        # Build gaps field with vulnerability details
+        gaps = ""
+        if cve_data["vulnerability_details"]:
+            gaps = "Vulnerable packages identified:\n" + "\n".join(cve_data["vulnerability_details"])
+
+        # Build evidence field with reference URLs
+        evidence = ""
+        if cve_data["reference_urls"]:
+            evidence = "Reference URLs:\n" + "\n".join(cve_data["reference_urls"])
+
+        # Determine vulnerability number (primary CVE ID)
+        vulnerability_number = cve_data["cve_ids"][0] if cve_data["cve_ids"] else ""
+
+        return IntegrationFinding(
+            asset_identifier=resource["Id"],
+            external_id=finding.get("Id", ""),
+            control_labels=[],
+            title=finding["Title"],
+            category="SecurityHub",
+            issue_title=finding["Title"],
+            severity=self.finding_severity_map.get(severity),
+            description=finding["Description"],
+            status=self.get_configured_issue_status(),
+            checklist_status=self.get_checklist_status(status),
+            vulnerability_number=vulnerability_number,
+            results=results,
+            recommendation_for_mitigation=finding.get("Remediation", {}).get("Recommendation", {}).get("Text", ""),
+            comments=enhanced_comments,
+            poam_comments=enhanced_comments,
+            date_created=date_str(finding["CreatedAt"]),
+            due_date=due_date,
+            plugin_name=plugin_name,
+            plugin_id=plugin_id,
+            baseline=self.get_baseline(resource),
+            observations=observations,
+            gaps=gaps,
+            evidence=evidence,
+            impact="",
+            vulnerability_type="Vulnerability Scan",
+        )
+
     def parse_finding(self, finding: dict) -> list[IntegrationFinding]:
         """
         Parse AWS Security Hub to RegScale IntegrationFinding format.
@@ -892,78 +1519,96 @@ Description: {description if isinstance(description, str) else ''}"""
         findings = []
         try:
             for resource in finding["Resources"]:
-                # Parse resource to asset and add to discovered assets (avoiding duplicates)
-                asset = self.parse_resource_to_asset(resource, finding)
-                if asset and asset.identifier not in self.processed_asset_identifiers:
-                    self.discovered_assets.append(asset)
-                    self.processed_asset_identifiers.add(asset.identifier)
-                    logger.debug(f"Discovered asset from finding: {asset.name} ({asset.identifier})")
-
-                # Continue with finding processing as before
+                # Check if the service for this resource type is enabled
+                resource_type = resource.get("Type", "")
+                if not self.is_service_enabled_for_resource(resource_type):
+                    logger.debug(f"Skipping finding for disabled service resource type '{resource_type}'")
+                    continue
+
+                # Discover asset from resource
+                self._discover_asset_from_resource(resource, finding)
+
+                # Determine status and severity
                 status, results = determine_status_and_results(finding)
                 comments = get_comments(finding)
                 severity = check_finding_severity(comments)
-                friendly_sev = "low"
-                if severity in ["CRITICAL", "HIGH"]:
-                    friendly_sev = "high"
-                elif severity in ["MEDIUM", "MODERATE"]:
-                    friendly_sev = "moderate"
+                friendly_sev = self._get_friendly_severity(severity)
 
-                # Filter findings based on minimum severity configuration
+                # Filter by minimum severity
                 if not self.should_process_finding_by_severity(severity):
                     logger.debug(f"Skipping finding with severity '{severity}' - below minimum threshold")
                     continue
-                try:
-                    days = self.app.config["issues"]["amazon"][friendly_sev]
-                except KeyError:
-                    logger.warning("Invalid severity level: %s, defaulting to 30 day due date", severity)
-                    days = 30
-                due_date = datetime_str(get_due_date(date_str(finding["CreatedAt"]), days))
-
-                plugin_name = next(iter(finding.get("Types", [])))
-                # Create a unique plugin_id using the finding ID to ensure each finding creates a separate issue
-                finding_id = finding.get("Id", "")
-                # Extract just the finding UUID from the full ARN for a cleaner ID
-                finding_uuid = finding_id.split("/")[-1] if "/" in finding_id else finding_id.split(":")[-1]
-                plugin_id = f"{plugin_name.replace(' ', '_').replace('/', '_').replace(':', '_')}_{finding_uuid}"
-
-                findings.append(
-                    IntegrationFinding(
-                        asset_identifier=self.extract_name_from_arn(resource["Id"]),
-                        external_id=finding_id,  # Use the full finding ID as external_id for uniqueness
-                        control_labels=[],  # Determine how to populate this
-                        title=finding["Title"],
-                        category="SecurityHub",
-                        issue_title=finding["Title"],
-                        severity=self.finding_severity_map.get(severity),
-                        description=finding["Description"],
-                        status=self.get_configured_issue_status(),
-                        checklist_status=self.get_checklist_status(status),
-                        vulnerability_number="",
-                        results=results,
-                        recommendation_for_mitigation=finding.get("Remediation", {})
-                        .get("Recommendation", {})
-                        .get("Text", ""),
-                        comments=comments,
-                        poam_comments=comments,
-                        date_created=date_str(finding["CreatedAt"]),
-                        due_date=due_date,
-                        plugin_name=plugin_name,
-                        plugin_id=plugin_id,  # Add the sanitized plugin_id
-                        baseline=self.get_baseline(resource),
-                        observations=comments,
-                        gaps="",
-                        evidence="",
-                        impact="",
-                        vulnerability_type="Vulnerability Scan",
-                    )
+
+                # Calculate due date and construct IDs
+                due_date = self._get_due_date_for_finding(finding, friendly_sev)
+                plugin_name, plugin_id = self._construct_plugin_id(finding, resource)
+
+                # Create finding object
+                integration_finding = self._create_integration_finding(
+                    resource, finding, severity, comments, status, results, due_date, plugin_name, plugin_id
                 )
+                findings.append(integration_finding)
 
         except Exception as e:
             logger.error(f"Error parsing AWS Security Hub finding: {str(e)}", exc_info=True)
 
         return findings
 
+    def process_findings_with_evidence(
+        self,
+        findings: List[dict],
+        service_name: str,
+        generate_evidence: bool = False,
+        ssp_id: Optional[int] = None,
+        control_ids: Optional[List[int]] = None,
+        ocsf_format: bool = False,
+    ) -> tuple[List[IntegrationFinding], Optional[Any]]:
+        """
+        Process findings and optionally generate evidence
+
+        :param List[dict] findings: Raw AWS findings
+        :param str service_name: AWS service name
+        :param bool generate_evidence: Whether to generate evidence record
+        :param Optional[int] ssp_id: SSP ID to link evidence
+        :param Optional[List[int]] control_ids: Control IDs to link
+        :param bool ocsf_format: Whether to generate OCSF format
+        :return: Tuple of (parsed findings, evidence record)
+        :rtype: tuple[List[IntegrationFinding], Optional[Any]]
+        """
+        from regscale.integrations.commercial.aws.evidence_generator import AWSEvidenceGenerator
+        from regscale.integrations.commercial.aws.ocsf.mapper import AWSOCSFMapper
+
+        # Parse findings to IntegrationFinding objects
+        integration_findings = []
+        for finding in findings:
+            integration_findings.extend(self.parse_finding(finding))
+
+        # Generate OCSF data if requested
+        ocsf_data = None
+        if ocsf_format:
+            mapper = AWSOCSFMapper()
+            if service_name == "SecurityHub":
+                ocsf_data = [mapper.securityhub_to_ocsf(f) for f in findings]
+            elif service_name == "GuardDuty":
+                ocsf_data = [mapper.guardduty_to_ocsf(f) for f in findings]
+            elif service_name == "CloudTrail":
+                ocsf_data = [mapper.cloudtrail_event_to_ocsf(f) for f in findings]
+
+        # Generate evidence if requested
+        evidence_record = None
+        if generate_evidence:
+            from regscale.core.app.api import Api
+
+            evidence_gen = AWSEvidenceGenerator(api=Api(), ssp_id=ssp_id)
+            evidence_record = evidence_gen.create_evidence_from_scan(
+                service_name=service_name,
+                findings=findings,
+                ocsf_data=ocsf_data,
+                control_ids=control_ids,
+            )
+
+        return integration_findings, evidence_record
+
     def parse_resource_to_asset(self, resource: dict, finding: dict) -> Optional[IntegrationAsset]:
         """
         Parse AWS Security Hub resource to RegScale IntegrationAsset format.
@@ -1034,7 +1679,7 @@ Description: {description if isinstance(description, str) else ''}"""
 
         return IntegrationAsset(
             name=name,
-            identifier=sg_id,
+            identifier=resource_id,
             asset_type=regscale_models.AssetType.Firewall,  # Security groups act like firewalls
             asset_category=regscale_models.AssetCategory.Software,
             component_type=regscale_models.ComponentType.Software,
@@ -1046,7 +1691,7 @@ Description: {description if isinstance(description, str) else ''}"""
             location=region,
             notes=notes,
             manufacturer="AWS",
-            aws_identifier=sg_id,
+            aws_identifier=resource_id,  # Use full ARN for asset matching
             vlan_id=details.get("VpcId"),
             uri=uri,
             source_data=resource,
@@ -1087,7 +1732,7 @@ Description: {description if isinstance(description, str) else ''}"""
 
         return IntegrationAsset(
             name=name,
-            identifier=subnet_id,
+            identifier=resource_id,
             asset_type=regscale_models.AssetType.NetworkRouter,  # Subnets are network infrastructure
             asset_category=regscale_models.AssetCategory.Hardware,
             component_type=regscale_models.ComponentType.Hardware,
@@ -1099,7 +1744,7 @@ Description: {description if isinstance(description, str) else ''}"""
             location=region,
             notes=notes,
             manufacturer="AWS",
-            aws_identifier=subnet_id,
+            aws_identifier=resource_id,  # Use full ARN for asset matching
             vlan_id=details.get("VpcId"),
             uri=uri,
             source_data=resource,
@@ -1123,7 +1768,7 @@ Description: {description if isinstance(description, str) else ''}"""
 
         return IntegrationAsset(
             name=name,
-            identifier=username,
+            identifier=resource_id,
             asset_type=regscale_models.AssetType.Other,  # IAM users don't fit standard asset types
             asset_category=regscale_models.AssetCategory.Software,
             component_type=regscale_models.ComponentType.Software,
@@ -1135,7 +1780,7 @@ Description: {description if isinstance(description, str) else ''}"""
             location=region,
             notes="AWS IAM User Account",
             manufacturer="AWS",
-            aws_identifier=username,
+            aws_identifier=resource_id,  # Use full ARN for asset matching
             uri=uri,
             source_data=resource,
             is_virtual=True,
@@ -1164,7 +1809,7 @@ Description: {description if isinstance(description, str) else ''}"""
 
         return IntegrationAsset(
             name=name,
-            identifier=instance_id,
+            identifier=resource_id,
             asset_type=regscale_models.AssetType.VM,
             asset_category=regscale_models.AssetCategory.Hardware,
             component_type=regscale_models.ComponentType.Hardware,
@@ -1177,7 +1822,7 @@ Description: {description if isinstance(description, str) else ''}"""
             notes=f"AWS EC2 Instance - {instance_type}",
             model=instance_type,
             manufacturer="AWS",
-            aws_identifier=instance_id,
+            aws_identifier=resource_id,  # Use full ARN for asset matching
             vlan_id=details.get("SubnetId"),
             uri=uri,
             source_data=resource,
@@ -1200,7 +1845,7 @@ Description: {description if isinstance(description, str) else ''}"""
 
         return IntegrationAsset(
             name=name,
-            identifier=bucket_name,
+            identifier=resource_id,
             asset_type=regscale_models.AssetType.Other,  # S3 buckets are storage, closest to Other
             asset_category=regscale_models.AssetCategory.Software,
             component_type=regscale_models.ComponentType.Software,
@@ -1212,7 +1857,7 @@ Description: {description if isinstance(description, str) else ''}"""
             location=region,
             notes="AWS S3 Storage Bucket",
             manufacturer="AWS",
-            aws_identifier=bucket_name,
+            aws_identifier=resource_id,  # Use full ARN for asset matching
             uri=uri,
             source_data=resource,
             is_virtual=True,
@@ -1239,7 +1884,7 @@ Description: {description if isinstance(description, str) else ''}"""
 
         return IntegrationAsset(
             name=name,
-            identifier=db_identifier,
+            identifier=resource_id,
             asset_type=regscale_models.AssetType.VM,  # RDS instances are virtual database servers
             asset_category=regscale_models.AssetCategory.Software,
             component_type=regscale_models.ComponentType.Software,
@@ -1253,7 +1898,7 @@ Description: {description if isinstance(description, str) else ''}"""
             model=db_class,
             software_name=engine,
             manufacturer="AWS",
-            aws_identifier=db_identifier,
+            aws_identifier=resource_id,  # Use full ARN for asset matching
             uri=uri,
             source_data=resource,
             is_virtual=True,
@@ -1279,7 +1924,7 @@ Description: {description if isinstance(description, str) else ''}"""
 
         return IntegrationAsset(
             name=name,
-            identifier=function_name,
+            identifier=resource_id,
             asset_type=regscale_models.AssetType.Other,  # Lambda functions are serverless, closest to Other
             asset_category=regscale_models.AssetCategory.Software,
             component_type=regscale_models.ComponentType.Software,
@@ -1292,7 +1937,7 @@ Description: {description if isinstance(description, str) else ''}"""
             notes=f"AWS Lambda Function - {runtime}",
             software_name=runtime,
             manufacturer="AWS",
-            aws_identifier=function_name,
+            aws_identifier=resource_id,  # Use full ARN for asset matching
             uri=uri,
             source_data=resource,
             is_virtual=True,
@@ -1314,7 +1959,7 @@ Description: {description if isinstance(description, str) else ''}"""
 
         return IntegrationAsset(
             name=name,
-            identifier=repo_name,
+            identifier=resource_id,
             asset_type=regscale_models.AssetType.Other,  # ECR repositories are container registries
             asset_category=regscale_models.AssetCategory.Software,
             component_type=regscale_models.ComponentType.Software,
@@ -1326,7 +1971,7 @@ Description: {description if isinstance(description, str) else ''}"""
             location=region,
             notes="AWS ECR Container Repository",
             manufacturer="AWS",
-            aws_identifier=repo_name,
+            aws_identifier=resource_id,  # Use full ARN for asset matching
             uri=uri,
             source_data=resource,
             is_virtual=True,
@@ -1345,7 +1990,7 @@ Description: {description if isinstance(description, str) else ''}"""
 
         return IntegrationAsset(
             name=name,
-            identifier=identifier,
+            identifier=resource_id,
             asset_type=regscale_models.AssetType.Other,
             asset_category=regscale_models.AssetCategory.Software,
             component_type=regscale_models.ComponentType.Software,
@@ -1357,7 +2002,7 @@ Description: {description if isinstance(description, str) else ''}"""
             location=region,
             notes=f"AWS {resource_type}",
             manufacturer="AWS",
-            aws_identifier=identifier,
+            aws_identifier=resource_id,  # Use full ARN for asset matching
             source_data=resource,
             is_virtual=True,
         )