HERE'S WHY
Connecting Cloudflare to Drata enables automated, continuous monitoring and evidence collection for the compliance security controls that cover your DNS and WAF.
BEFORE DIVING IN
You can create the needed API Token on your own account, but it is recommended to create a dedicated Cloudflare account for automation, effectively a service account. That way, if the person who created the API Token leaves the company, the token lives on because it is attached to the service account rather than to them.
Overview of what we're going to set up
Create a new Custom API Token
Set the Read Permissions
Decide to include all of the domains or specific ones
Input the new API Token into Drata
Create a new Custom API Token
Log in to the Cloudflare Dashboard with the account you want the new API Token to be associated with.
Click on the user menu on the top right of the page, click on My Profile, then click on the tab titled API Tokens.
Click on the Create Token button, then on the bottom of the page under the Custom token section, click on the Get started button to create a custom token.
In the Token name field, use the following name:
Token name: Drata
Set the Read Permissions
Next we're going to add the minimal set of read-only permissions that Drata needs to review your Cloudflare configuration for compliance verification. There will be eight in total. Click on the + Add more link seven times so there are a total of eight permissions.
Type | Scope | Access
Account | Access: Organizations, Identity Providers, and Groups | Read
Account | Account Firewall Access Rules | Read
Account | Account Settings | Read
Zone | Zone Settings | Read
Zone | Zone | Read
Zone | Firewall Services | Read
Zone | Access: Apps and Policies | Read
Zone | Zone WAF | Read
Users | Memberships | Read
Users | User Details | Read
Decide to include all of the domains or specific ones
1. Under the Account Resources section, select the account(s) you want to grant Drata access to. You can select All accounts, or you can scope it down to just a specific account (recommended).
Note: if you want to select more than one specific account, once you select the first one, click on the + Add more link to add another.
2. Under Zone Resources, you can select All zones, or filter down to a Specific zone (recommended if you use just one domain for your production data).
Note: if you want to select more than one specific zone, once you select the first one, click on the + Add more link to add another.
3. Leave the Client IP Address Filtering and TTL sections alone, then click on the Continue to summary button.
4. Click the Create token button.
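Before handing the token to Drata, it is worth confirming that what was created is active, read-only, and scoped to specific accounts or zones rather than "All accounts" / "All zones". The following is an added example, not part of this guide or of Drata's or Cloudflare's own tooling: it reads a token's policies from Cloudflare's token details endpoint and flags any permission group whose name does not end in "Read" and any wildcard resource scope. The response shape, the placeholder ids, and the two sample responses are constructed assumptions.

```python
import json
import urllib.request

CLOUDFLARE_API = "https://api.cloudflare.com/client/v4"

def fetch_token_details(token: str, token_id: str) -> dict:
    """Live lookup of a token's own policies (needs network; the offline audit below does not use it)."""
    req = urllib.request.Request(
        f"{CLOUDFLARE_API}/user/tokens/{token_id}",
        headers={"Authorization": f"Bearer {token}"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

def _wildcard_scopes(resources: dict, found: list) -> None:
    # A resource key ending in ".*" corresponds to "All accounts" / "All zones" in the token wizard.
    for key, value in resources.items():
        if key.endswith(".*"):
            found.append(key)
        if isinstance(value, dict):  # zone scopes may be nested under their account (assumed shape)
            _wildcard_scopes(value, found)

def audit_token(details: dict) -> dict:
    """Flag anything beyond active, read-only, narrowly scoped access."""
    result = details.get("result", {})
    findings = {"status": result.get("status"), "write_permissions": [], "wildcard_scopes": []}
    for policy in result.get("policies", []):
        for group in policy.get("permission_groups", []):
            name = group.get("name", "")
            if not name.endswith(" Read"):  # e.g. "Zone Read" passes, "Zone WAF Write" is flagged
                findings["write_permissions"].append(name)
        _wildcard_scopes(policy.get("resources", {}), findings["wildcard_scopes"])
    findings["ok"] = (findings["status"] == "active"
                      and not findings["write_permissions"]
                      and not findings["wildcard_scopes"])
    return findings

# Constructed sample responses with placeholder ids (not real Cloudflare values).
GOOD_TOKEN = {"success": True, "result": {"id": "tok-placeholder-1", "name": "Drata", "status": "active",
    "policies": [{"effect": "allow",
        "resources": {"com.cloudflare.api.account.ACCOUNT_ID_PLACEHOLDER": "*"},
        "permission_groups": [{"id": "pg-1", "name": "Account Settings Read"},
                              {"id": "pg-2", "name": "Zone Read"}]}]}}
OVERBROAD_TOKEN = {"success": True, "result": {"id": "tok-placeholder-2", "name": "Drata", "status": "active",
    "policies": [{"effect": "allow",
        "resources": {"com.cloudflare.api.account.zone.*": "*"},
        "permission_groups": [{"id": "pg-3", "name": "Zone WAF Write"}]}]}}

if __name__ == "__main__":
    for sample in (GOOD_TOKEN, OVERBROAD_TOKEN):
        print(sample["result"]["id"], audit_token(sample))
```

To audit a real token, pass the output of fetch_token_details(token, token_id) to audit_token; the token id is shown in the Cloudflare API Tokens list.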
Input the new API Token into Drata
Make sure to copy the API token, as it will never be shown again after this screen.
Copy and paste the API token value into the API Token field on Drata.
You have just successfully set up proper read-only access for Drata.