Package: Invicti AppSec Enterprise (on-premise, on-demand)
Lacework CSPM Integration
Lacework provides cloud security posture management with continuous monitoring of cloud configurations, compliance violations, and security risks across AWS, GCP, and Azure environments. In Invicti AppSec, the Lacework CSPM integration connects to your Lacework account to import cloud security findings into your projects.
Prerequisites
| Field | Description |
|---|---|
| Key ID | Lacework API Key ID |
| Secret | Lacework API Secret |
| URL | Base URL of your Lacework instance (e.g., https://<account>.lacework.net) |
Get API Credentials (on Lacework Side)
- Log in to the Lacework console.
- Navigate to Settings > API Keys.
- Click Create New to generate a new API key.
- Copy the Key ID and Secret — the secret is shown only at creation.
- Note the URL for your Lacework instance (typically https://<your-account>.lacework.net).
Step 1: Navigate to Integrations
From the left sidebar menu, click on Integrations.
Step 2: Select the CSPM Tab
On the Integrations > Scanners page, click on the CSPM tab.

Step 3: Find and Activate Lacework CSPM
Scroll through the list of CSPM scanners to find Lacework CSPM.
- If Lacework CSPM is not activated, click the Activate button to enable the integration.
Step 4: Configure Connection Settings
Click the gear icon on the Lacework CSPM card to open the settings panel. Fill in the required fields:
| Field | Description | Required |
|---|---|---|
| Key ID | Lacework API Key ID | Yes |
| Secret | Lacework API Secret | Yes |
| URL | Base URL of your Lacework instance | Yes |
| Insecure | Skip TLS certificate verification (not recommended for production) | No |

Step 5: Test the Connection
Click Test Connection. A green Connection successful message confirms that Invicti AppSec can authenticate with the Lacework API.
Summary
| Step | Action |
|---|---|
| 1 | Navigate to Integrations from the sidebar |
| 2 | Select the CSPM tab |
| 3 | Activate Lacework CSPM |
| 4 | Enter Key ID, Secret, and URL |
| 5 | Test the connection |
Create a Scan
Navigate to Project Scanners
- Open a project in Invicti AppSec.
- Go to Settings > Scanners.
- Click Add Scanner.
Add Lacework CSPM Scanner
- Select CSPM as the scanner type.
- Choose Lacework CSPM from the scanner list.
- Click Add to open the scan configuration drawer.
Scan Configuration Fields
| Field | Description | Required |
|---|---|---|
| Environment | Associate the scan with a feature environment | No |
| Account ID | Lacework account identifier to scan | Yes |
| AWS Account Name | AWS account name linked to the selected Lacework account | Yes |
| Branch | The branch to associate cloud findings with | Yes |
| Meta Data | Additional metadata to tag the scan | No |
| Scan Tag | Free-text tag to identify or group scans | No |
| Fork Scan | Run the scan in an isolated fork | No |
- Invicti AppSec automatically syncs Lacework CSPM vulnerabilities on a daily basis — no manual trigger is required after the initial scan is configured.
- Account ID is a searchable field that lists your configured Lacework accounts. Once an Account ID is selected, the AWS Account Name field is populated with the corresponding AWS accounts linked to that Lacework account.

Scheduler
Enable the Scheduler toggle to automatically re-run the Lacework CSPM scan on a recurring schedule.
Webhook (Optional)
Add a webhook URL to receive scan completion notifications.
KDT Command
kdt scan -p <project_name> -t laceworkcspm -b <branch_name>
Troubleshooting
Connection Fails
| Issue | Resolution |
|---|---|
| Invalid Key ID or Secret | Verify the API credentials in the Lacework console under Settings > API Keys. The secret is shown only at creation — generate a new key if it was not saved. |
| Incorrect URL | Ensure the URL matches your Lacework instance (e.g., https://<account>.lacework.net). Check your Lacework account settings for the correct endpoint. |
| Unauthorized | Confirm the API key has sufficient permissions to read cloud security findings. |
| TLS errors | If using a self-signed certificate in a test environment, enable Insecure mode. Do not use this in production. |
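
The following pre-flight check is an added example, not part of the Invicti or Lacework documentation: it validates the URL field and maps a failed token request onto the rows of the table above, with certificate verification left on. The token endpoint path, the `X-LW-UAKS` header, the request body fields, and the HTTP status mapping are assumptions about Lacework's API v2; the function names are hypothetical.

```python
import json
import ssl
import urllib.error
import urllib.request
from urllib.parse import urlsplit


def check_base_url(url):
    """Return problems with the URL field (empty list means it looks fine)."""
    parts = urlsplit(url.strip())
    problems = []
    if parts.scheme != "https":
        problems.append("URL must use https://")
    if not parts.hostname:
        problems.append("URL has no host name")
    if parts.path.strip("/") or parts.query:
        problems.append("enter the base URL only, without a path or query")
    return problems


def classify(error):
    """Map a failed token request to a row of the Connection Fails table."""
    if isinstance(error, urllib.error.HTTPError):  # check before URLError
        if error.code in (401, 403):  # assumed statuses for rejected credentials
            return "Invalid Key ID or Secret / Unauthorized"
        if error.code == 404:
            return "Incorrect URL"
        return f"Unexpected HTTP status {error.code}"
    reason = getattr(error, "reason", error)
    if isinstance(reason, ssl.SSLError):  # includes certificate verification failures
        return "TLS errors"
    return "Incorrect URL (host unreachable)"  # DNS failure, refused, timeout


def probe_connection(base_url, key_id, secret, timeout=10):
    """Request an API token; certificate verification stays on (urllib default)."""
    problems = check_base_url(base_url)
    if problems:
        return "Incorrect URL: " + "; ".join(problems)
    req = urllib.request.Request(
        base_url.rstrip("/") + "/api/v2/access/tokens",  # assumed API v2 path
        data=json.dumps({"keyId": key_id, "expiryTime": 3600}).encode(),
        headers={"X-LW-UAKS": secret, "Content-Type": "application/json"},
        method="POST",
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return "Connection successful" if "token" in json.load(resp) else "Unexpected response"
    except OSError as exc:  # URLError, HTTPError and ssl.SSLError all derive from OSError
        return classify(exc)
```

A result of `TLS errors` here points to a certificate problem that enabling Insecure would hide rather than fix.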
Scan Issues
| Issue | Resolution |
|---|---|
| No findings imported | Verify that Lacework has completed assessments for your cloud accounts. Confirm the selected Account ID and AWS Account Name are correct. |
| Account ID or AWS Account Name not listed | Verify the integration connection is valid and that the Lacework account has cloud accounts configured. |
| Scan not starting | Verify the scanner is activated and the connection test passes in the integration settings. |
Best Practices
- Use a dedicated API key for Invicti AppSec with read-only permissions — do not use admin credentials.
- Rotate the API Secret periodically and update the integration settings in Invicti AppSec accordingly.
- Associate each project scan with the specific Lacework Account ID and AWS Account Name that correspond to that project's cloud infrastructure.
- Use the Scheduler to keep cloud security findings aligned with Lacework's assessment cadence.
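- Disable the Insecure option in production environments so that the Lacework endpoint's TLS certificate is verified; with verification skipped, the connection can be intercepted by a server presenting any certificate.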
Limitations
- Lacework CSPM in Invicti AppSec imports cloud security posture findings — it does not trigger new Lacework assessments.
- Only findings accessible via the provided API credentials are available for import.
- Vulnerability sync occurs daily automatically; manual on-demand sync is not supported outside of scheduled scans.
- Requires an active Lacework subscription with CSPM capabilities enabled.