Connecting Cloudflare to Drata allows for the automated, continuous monitoring and evidence collection of the dozens of infrastructure security controls required for compliance.
BEFORE DIVING IN
Make sure you have Administrator or Super Administrator access to your company's Cloudflare account. Specifically, you'll need the ability to create new roles.
HERE'S HOW
Follow these instructions to connect Cloudflare to Drata:
Select Connections on the side navigation menu.
Select the Available connections tab, search for Cloudflare, and select Connect.
Follow the instructions in the slide-out panel carefully. Take your time and complete one step entirely before moving on to the next.
Overview of what we're going to set up
Create a new Custom API Token
Set the Read Permissions
Decide to include all of the domains or specific ones
Input the new API Token into Drata
Create a new Custom API Token
Log in to the Cloudflare Dashboard with the account you want the new API Token to be associated with.
Click on the user menu on the top right of the page, and click on My Profile, then click on the tab titled API Tokens.
Click on the Create Token button, then on the bottom of the page under the Custom token section, click on the Get started button to create a custom token.
In the Token name field, use the following name:
Token name:
Drata
Set the Read Permissions
Next, we're going to add the minimal set of read-only permissions that Drata needs to review your Cloudflare configuration for compliance verification. There will be eight in total. Click on the + Add more link seven times so there are a total of eight permissions.
Type | Scope | Access |
Account | Access: Organizations, Identity Providers, and Groups | Read |
Account | Account Firewall Access Rules | Read |
Account | Account Settings | Read |
Zone | Zone Settings | Read |
Zone | Zone | Read |
Zone | Firewall Services | Read |
Zone | Access: Apps and Policies | Read |
Zone | Zone WAF | Read |
Users | Memberships | Read |
Users | User Details | Read |
Decide to include all of the domains or specific ones
1. Under the Account Resources section, select the account(s) you want to grant Drata access to. You can select All accounts, or you can scope it down to just a specific account (recommended).
Note: if you want to select more than one specific account, once you select the first one, click on the + Add more link to add another.
2. Under Zone Resources, you can select All zones, or filter down to a Specific zone (recommended if you use just one domain for your production data).
Note: if you want to select more than one specific zone, once you select the first one, click on the + Add more link to add another.
3. Leave the Client IP Address Filtering and TTL sections alone, then click on the Continue to summary button.
4. Click the Create token button.
Input the new API Token into Drata
Make sure to copy the API token, as it will never be shown again after this screen.
Copy and paste the API token value into the API Token field on Drata.
You have just successfully set up proper read-only access for Drata.
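As an added example (not part of Drata's or Cloudflare's documentation), the following Python script audits a token definition against the permission table above: it flags any permission that is not Read, any permission outside the table, any table entry that is missing, and wildcard resources where the steps above recommend a specific account or zone. The JSON layout (`policies`, `effect`, `resources`, `permission_groups`), the permission names formed as scope plus "Read", the `make_token` helper and both sample tokens are assumptions constructed for illustration.

```python
# Added example: audit a token definition against the read-only table above.
# JSON layout and "<scope> Read" names are assumptions; sample data is constructed.
ALLOWED_SCOPES = {
    "Access: Organizations, Identity Providers, and Groups",
    "Account Firewall Access Rules",
    "Account Settings",
    "Zone Settings",
    "Zone",
    "Firewall Services",
    "Access: Apps and Policies",
    "Zone WAF",
    "Memberships",
    "User Details",
}

def audit_token(token):
    """Return a list of findings; an empty list means the token matches the table."""
    findings, granted = [], set()
    for policy in token.get("policies", []):
        if policy.get("effect") != "allow":
            continue
        for group in policy.get("permission_groups", []):
            # Split "Zone WAF Read" into scope "Zone WAF" and access "Read".
            scope, _, access = group["name"].rpartition(" ")
            if access != "Read":
                findings.append(f"non-read permission: {group['name']}")
            elif scope not in ALLOWED_SCOPES:
                findings.append(f"unexpected permission: {group['name']}")
            else:
                granted.add(scope)
        for resource in policy.get("resources", {}):
            if resource.endswith(".*"):  # "All accounts" / "All zones" style scope
                findings.append(f"wildcard resource: {resource}")
    for scope in sorted(ALLOWED_SCOPES - granted):
        findings.append(f"missing permission: {scope} Read")
    return findings

def make_token(names, resources):
    """Hypothetical helper: build a constructed token definition for the audit."""
    return {"name": "Drata", "policies": [{"effect": "allow",
            "resources": {r: "*" for r in resources},
            "permission_groups": [{"name": n} for n in names]}]}

READ_NAMES = [f"{s} Read" for s in sorted(ALLOWED_SCOPES)]
GOOD = make_token(READ_NAMES, ["com.cloudflare.api.account.zone.ZONE_ID_PLACEHOLDER"])
BAD = make_token([n for n in READ_NAMES if n != "Zone WAF Read"]
                 + ["Zone WAF Edit", "DNS Read"], ["com.cloudflare.api.account.zone.*"])

if __name__ == "__main__":
    for label, tok in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, audit_token(tok) or "matches the table")
```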