# Lacework

SureCloud connects to Lacework to retrieve cloud security posture findings, workload anomaly alerts, and compliance assessment results across your cloud environments. This allows SureCloud to surface misconfigurations, active threats, and policy violations detected by Lacework — correlating them with controls evidence to demonstrate that your cloud workload protection and security monitoring capabilities are operating continuously.

## Authentication and setup

Lacework uses an API key model based on a Key ID, Secret, and Account Name. SureCloud exchanges these credentials for a short-lived JWT access token using Lacework's authentication API.

{% stepper %}
{% step %}

### Create an API key in Lacework

Log in to the Lacework console. Navigate to **Settings → API Keys** and click **Create New**. Give the key a name such as `SureCloud CCM` and assign it the **Read-Only** role. Click **Save** and download the generated JSON credentials file — it contains the `keyId`, `secret`, and `account` values you will need.
{% endstep %}

{% step %}

### Enter the credentials in SureCloud

Navigate to **SureCloud → Integrations → Lacework → Connect**. Enter your Lacework account name (the subdomain of your Lacework instance, e.g. `mycompany` from `mycompany.lacework.net`), the Key ID, and the Secret from the downloaded JSON file. Click **Save**.
{% endstep %}

{% step %}

### Test the connection

Click **Test Connection**. SureCloud will authenticate against `POST /api/v2/access/tokens` and confirm it can retrieve account data. A green status confirms the connection is live.
{% endstep %}
{% endstepper %}

{% hint style="warning" %}
Store the Lacework API secret securely. SureCloud encrypts it at rest, but treat it as a sensitive credential. Rotate the API key every 90 days in **Lacework → Settings → API Keys** and update the credentials in **SureCloud → Integrations → Lacework → Edit Connection**.
{% endhint %}

## Endpoints

| API Call                                    | Use Case                                                                  |
| ------------------------------------------- | ------------------------------------------------------------------------- |
| `POST /api/v2/access/tokens`                | Authenticate and obtain a JWT access token                                |
| `GET /api/v2/Configs/ComplianceEvaluations` | Retrieve cloud compliance assessment results across AWS, Azure, and GCP   |
| `GET /api/v2/Alerts`                        | Retrieve active and recent security alerts and anomaly detections         |
| `GET /api/v2/Entities/CloudAccounts`        | List integrated cloud accounts to confirm coverage scope                  |
| `GET /api/v2/Entities/Machines`             | Enumerate monitored workloads (VMs, containers) and their security status |
| `GET /api/v2/Policies`                      | Retrieve active security policies to confirm monitoring configuration     |
| `GET /api/v2/Reports`                       | Access compliance and posture reports for evidence collection             |
| `GET /api/v2/UserProfile`                   | Retrieve account profile and connected integrations                       |

## Pagination

`GET /api/v2/Alerts` and `GET /api/v2/Entities/Machines` support cursor-based pagination. SureCloud uses the `nextPage` token from each response as the `pageToken` parameter in the next request, continuing until no `nextPage` is returned.

```http
GET /api/v2/Alerts?pageSize=500&pageToken=<value_from_previous_response>
```

`GET /api/v2/Configs/ComplianceEvaluations` and `GET /api/v2/Reports` return bounded result sets. `GET /api/v2/Policies` returns all policies in a single response for most account configurations.
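
The cursor loop described above, as an added example (not SureCloud's or Lacework's code): it follows `nextPage` until none is returned, re-authenticates once if the JWT expires mid-run, and aborts on a repeated cursor or a page cap instead of returning a silently truncated alert set. The `data` field, the top-level position of `nextPage`, the `TokenExpired` exception, and the in-memory `FakeAlertsApi` stand-in are assumptions made for this example.

```python
class TokenExpired(Exception):
    """Transport raises this when the API answers 401 for an expired JWT."""

def collect_all(fetch_page, get_token, page_size=500, max_pages=1000):
    """Follow nextPage cursors until none is returned; return every item."""
    token = get_token()
    items, seen, page_token = [], set(), None
    for _ in range(max_pages):
        params = {"pageSize": page_size}
        if page_token:
            params["pageToken"] = page_token
        try:
            body = fetch_page(token, params)
        except TokenExpired:
            token = get_token()               # re-authenticate, retry the same page once
            body = fetch_page(token, params)
        items.extend(body.get("data", []))    # "data" is an assumed response field
        page_token = body.get("nextPage")     # assumed to sit at the top level of the body
        if not page_token:
            return items
        if page_token in seen:                # a repeated cursor would loop forever
            raise RuntimeError("cursor repeated; collection aborted")
        seen.add(page_token)
    raise RuntimeError("max_pages reached; result set is incomplete")

class FakeAlertsApi:
    """Constructed in-memory stand-in for the alerts endpoint (no network)."""
    def __init__(self, alerts, calls_per_token=2):
        self.alerts, self.limit = alerts, calls_per_token
        self.issued, self.uses = 0, {}
    def get_token(self):
        self.issued += 1
        token = f"jwt-{self.issued}"
        self.uses[token] = 0
        return token
    def fetch_page(self, token, params):
        if self.uses.get(token, self.limit) >= self.limit:
            raise TokenExpired()              # simulates the short JWT lifetime
        self.uses[token] += 1
        start = int(params.get("pageToken", 0))
        end = start + params["pageSize"]
        body = {"data": self.alerts[start:end]}
        if end < len(self.alerts):
            body["nextPage"] = str(end)
        return body

def demo():
    api = FakeAlertsApi([{"id": i} for i in range(7)])  # constructed sample alerts
    return len(collect_all(api.fetch_page, api.get_token, page_size=3)), api.issued
```

Raising on the page cap, rather than returning what was collected so far, keeps an incomplete pull from being recorded as full evidence.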

## Required permissions

SureCloud requires a Lacework API key assigned to the **Read-Only** role. This role provides:

* Read access to compliance evaluations and assessment results
* Read access to alerts and anomaly events
* Read access to entities (accounts, machines, containers)
* Read access to policies and reports

No administrative, write, or configuration-change permissions are required.

## Polling frequency

| Data Type                              | Interval       |
| -------------------------------------- | -------------- |
| Compliance assessment results          | Every 24 hours |
| Security alerts and anomaly detections | Every 4 hours  |
| Cloud account and workload inventory   | Every 24 hours |
| Policy configuration                   | Every 24 hours |

## Troubleshooting

<details>

<summary>Connection test fails with "Invalid credentials" or 401 error</summary>

The Key ID or Secret is incorrect, or the API key has been revoked in Lacework. Navigate to **Lacework → Settings → API Keys**, confirm the key is active, and if necessary, create a new key. Download the JSON credentials and re-enter them in **SureCloud → Integrations → Lacework → Edit Connection**.

</details>

<details>

<summary>Compliance evaluations are empty even though assessments are running in Lacework</summary>

Lacework compliance evaluations are scoped to specific cloud integrations (AWS accounts, Azure subscriptions, GCP projects). If the Read-Only API key does not have visibility into those cloud account integrations, the evaluations endpoint will return empty results. Confirm that the service account used for the API key has access to the relevant cloud account integrations in **Lacework → Settings → Integrations → Cloud Accounts**.

</details>

<details>

<summary>Alerts are missing or appear incomplete</summary>

SureCloud collects alerts within a defined lookback window. If a large volume of alerts was generated between polling cycles, some may be paginated out of the default window. SureCloud handles pagination automatically, but for accounts with very high alert volumes, contact SureCloud Support to adjust the lookback window or polling frequency.

</details>

<details>

<summary>JWT token expires mid-collection</summary>

Lacework JWT tokens have a short lifetime (typically 1 hour). SureCloud requests a new token at the start of each polling cycle. If a collection run exceeds the token lifetime, SureCloud will re-authenticate automatically. If you see repeated authentication failures, confirm that the API key secret has not been rotated without updating SureCloud.

</details>


