diff --git a/data.tf b/data.tf
index 2184acf..f5a171a 100644
--- a/data.tf
+++ b/data.tf
@@ -27,6 +27,7 @@ data "aws_iam_policy_document" "aqua_cspm_secret" {
 data "aws_iam_policy_document" "aqua_cspm_control_tower_kms_key" {
 #checkov:skip=CKV_AWS_109
 #checkov:skip=CKV_AWS_111
+ #checkov:skip=CKV_AWS_356
 statement {
 sid = "Allow administration of the key"
@@ -125,6 +126,7 @@ data "aws_iam_policy_document" "aqua_cspm_lambda" {
 }
 data "aws_iam_policy_document" "aqua_cspm_supplemental" {
+ #checkov:skip=CKV_AWS_356
 statement {
 effect = "Allow"
@@ -406,6 +408,7 @@ data "aws_iam_policy_document" "aquahub_sechub_trust" {
 data "aws_iam_policy_document" "aquasec_importfindings" {
 #checkov:skip=CKV_AWS_111
 #checkov:skip=CKV_AWS_108
+ #checkov:skip=CKV_AWS_356
 statement {
 actions = [
 "securityhub:BatchImportFindings"
diff --git a/locals.tf b/locals.tf
index 9b8ecc3..7f8bde5 100644
--- a/locals.tf
+++ b/locals.tf
@@ -4,7 +4,7 @@ locals {
 secret_name = "/aquacspm/secret-cspm"
 external_id = jsondecode(aws_lambda_invocation.external_id.result)["status"] == "FAILED" ? jsondecode(aws_lambda_invocation.external_id.result)["message"] : jsondecode(aws_lambda_invocation.external_id.result)["ExternalId"]
- sechub_external_id = jsondecode(aws_lambda_invocation.sechub_integration_external_id[0].result)["status"] == "FAILED" ? jsondecode(aws_lambda_invocation.sechub_integration_external_id[0].result)["message"] : jsondecode(aws_lambda_invocation.sechub_integration_external_id[0].result)["ExternalId"]
+ sechub_external_id = local.enable_security_hub_integration ? (jsondecode(aws_lambda_invocation.sechub_integration_external_id[0].result)["status"] == "FAILED" ? jsondecode(aws_lambda_invocation.sechub_integration_external_id[0].result)["message"] : jsondecode(aws_lambda_invocation.sechub_integration_external_id[0].result)["ExternalId"]) : null
 aquasec_account_id = "057012691312"
 # public_ip = "13.215.18.141/32"
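Review bot: The added `#checkov:skip=CKV_AWS_356` on aqua_cspm_control_tower_kms_key records no reason, so the next reader cannot tell whether the wildcard resource it suppresses is deliberate or an oversight. checkov accepts a justification after a second colon; if the `"*"` here is the usual key-policy self-reference (a KMS key policy can only refer to the key it is attached to), write that down: `#checkov:skip=CKV_AWS_356:KMS key policy; resources = ["*"] means this key only`. The statement's resources line is outside the hunk, so this assumes the skip was added for that statement rather than for a broader grant in the same document. The policy document continues past the hunk.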
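Review bot: `#checkov:skip=CKV_AWS_356` is added to aqua_cspm_supplemental without a justification, and nothing in the hunk shows which action needed a wildcard resource; the only visible line of the statement is `effect = "Allow"`. Before silencing the check, try narrowing `resources` to the ARNs the integration actually touches, and where an action genuinely cannot be scoped, record that in the directive itself so the exception is reviewable, e.g. `#checkov:skip=CKV_AWS_356:<action> does not support resource-level permissions`. The statement body and its resources list are outside the hunk.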
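Review bot: The new `#checkov:skip=CKV_AWS_356` on aquasec_importfindings is the third skip on this document with no stated reason, and this is the policy that grants `securityhub:BatchImportFindings`, presumably to the vendor account (`aquasec_account_id` in locals.tf) given the aquahub_sechub_trust document named in the hunk header. Before keeping `"*"`, check whether this action accepts the Security Hub hub ARN as its resource; if it does, scope it to the hub, and if it does not, say so in the directive: `#checkov:skip=CKV_AWS_356:BatchImportFindings cannot be scoped below the hub` (confirm against the service authorization reference before writing it). The resources line and the rest of the statement are outside the hunk.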
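Review bot: On the new `sechub_external_id` line, the `"status" == "FAILED"` branch still resolves to the Lambda's error `message`, so a failed invocation hands whatever text the function returned to whatever consumes this value as an external ID — given the name, presumably an `sts:ExternalId` condition in the aquahub_sechub_trust policy, though that use is outside the hunk. An error string is a low-entropy, possibly predictable value, and the plan applies with it instead of failing. Decode the result once, keep the message in its own local for diagnostics, and make `sechub_external_id` the ID or null so a `precondition` on the consuming resource (`local.sechub_external_id != null`) can stop the apply; the `external_id` context line above it has the same shape and deserves the same treatment. The locals block continues outside the hunk.
```hcl
  # Decoded Lambda result; null when the Security Hub integration is disabled.
  sechub_external_id_result = local.enable_security_hub_integration ? jsondecode(aws_lambda_invocation.sechub_integration_external_id[0].result) : null
  # Error text from a FAILED invocation, for outputs/diagnostics only - never used as an ID.
  sechub_external_id_error = try(local.sechub_external_id_result["status"], null) == "FAILED" ? local.sechub_external_id_result["message"] : null
  # The real external ID, or null; consumers guard with a precondition on != null.
  sechub_external_id = local.sechub_external_id_error == null ? try(local.sechub_external_id_result["ExternalId"], null) : null
  # ... unchanged: aquasec_account_id and the rest of the locals block ...
```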