Cloudflare Connection

Making the initial connection to Cloudflare

Updated this week

Connecting Cloudflare to Drata allows for the automated, continuous monitoring and evidence collection of the dozens of infrastructure security controls required for compliance.

BEFORE DIVING IN

Make sure you have Administrator or Super Administrator access to your company's Cloudflare account. Specifically, you'll need the ability to create new roles.

Connect Cloudflare to Drata

  1. Select Connections on the side navigation menu.

  2. Select the Available connections tab, search for Cloudflare, and select Connect.

  3. On the connection setup page, select “Create Connection” in the top right to open the connection instructions page.

  4. Take your time and complete one step entirely before moving on to the next.

Overview of what we're going to set up

  • Create a Custom API Token

  • Set the Read Permissions

  • Select Accounts and Zones

  • Enter the API Token in Drata


Create a Custom API Token

To keep your Cloudflare integration stable and secure, create the API token using a dedicated service account, such as [email protected], rather than a personal user account.

To create a custom API token:

  1. Sign in to the Cloudflare Dashboard using the dedicated service account.

  2. In the upper-right corner, select your profile icon, then select My Profile and go to API Tokens.

  3. Select Create Token, then scroll to the Custom token section and select Get started.

  4. In the Token name field, enter a name like Drata.

Now that you’ve started creating your token, you’ll need to assign the required permissions listed in the next section.

Set the Read Permissions

Drata only needs read-only access to verify your Cloudflare configuration. You’ll need to add eight permission scopes.

To set the permissions:

  1. In the permissions configuration screen, select + Add more seven times so that you have eight scopes in total.

  2. Use the table below to add the correct type, scope, and access level:

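| Type    | Scope                                                 | Access |
|---------|-------------------------------------------------------|--------|
| Account | Access: Organizations, Identity Providers, and Groups | Read   |
| Account | Account Firewall Access Rules                         | Read   |
| Account | Account Settings                                      | Read   |
| Zone    | Zone Settings                                         | Read   |
| Zone    | Zone                                                  | Read   |
| Zone    | Firewall Services                                     | Read   |
| Zone    | Access: Apps and Policies                             | Read   |
| Zone    | Zone WAF                                              | Read   |
| Users   | Memberships                                           | Read   |
| Users   | User Details                                          | Read   |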

After setting permissions, you'll choose which Cloudflare accounts and zones the token can access.

Select Accounts and Zones

In this step, define the scope of access for the token. We recommend limiting access to only the accounts and zones you use in production.

In the Account Resources section:

  • Select All accounts, or

  • Choose specific accounts (recommended).

    • To add more than one account, select the first, then choose + Add more.

In the Zone Resources section:

  1. Select All zones, or select Specific zones (recommended if you use one domain for production).

    • To include multiple specific zones, select the first one, then select + Add more.

  2. Leave the Client IP Address Filtering and TTL settings unchanged.

  3. Select Continue to summary, then select Create token.
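To confirm the finished token matches this guide, the check below audits a token definition for non-read permissions, scopes outside the table above, and all-accounts or all-zones wildcards. It is an added example, not Drata's or Cloudflare's code. It assumes the token's policies are available as JSON with permission group names ending in " Read" or " Write" and a flat resources map whose wildcard keys end in ".*"; the sample token and its placeholder account ID are constructed.

```python
# Scopes from the permissions table above; each is granted at Read level.
REQUIRED_SCOPES = {
    "Access: Organizations, Identity Providers, and Groups",
    "Account Firewall Access Rules", "Account Settings",
    "Zone Settings", "Zone", "Firewall Services",
    "Access: Apps and Policies", "Zone WAF",
    "Memberships", "User Details",
}

def audit_token(token: dict) -> list[str]:
    """Return findings for a token definition; an empty list means it matches the guide."""
    findings, granted = [], set()
    for policy in token.get("policies", []):
        if policy.get("effect") != "allow":
            continue
        for group in policy.get("permission_groups", []):
            name = group.get("name", "")
            if name.endswith(" Read"):
                granted.add(name[: -len(" Read")])
            else:
                findings.append(f"non-read permission: {name}")
        for resource in policy.get("resources", {}):
            # Assumption: a key ending in ".*" means "All accounts" or "All zones".
            if resource.endswith(".*"):
                findings.append(f"wildcard resource: {resource}")
    for scope in sorted(granted - REQUIRED_SCOPES):
        findings.append(f"extra read scope: {scope}")
    for scope in sorted(REQUIRED_SCOPES - granted):
        findings.append(f"missing read scope: {scope}")
    return findings

# Constructed sample: Zone WAF was granted at write level and zones were left at "All zones".
SAMPLE = {
    "name": "Drata",
    "policies": [{
        "effect": "allow",
        "permission_groups": [{"name": f"{s} Read"} for s in sorted(REQUIRED_SCOPES - {"Zone WAF"})]
        + [{"name": "Zone WAF Write"}],
        "resources": {
            "com.cloudflare.api.account.ACCOUNT_ID_PLACEHOLDER": "*",
            "com.cloudflare.api.account.zone.*": "*",
        },
    }],
}

if __name__ == "__main__":
    for finding in audit_token(SAMPLE):
        print(finding)
```

A wildcard finding is expected if you deliberately chose All accounts or All zones; any non-read permission is not.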

Enter the API Token in Drata

Once the token is created, copy it immediately—you won’t be able to view it again.

Then, paste the token into the API Token field in Drata to complete the connection.

🎉 You have just successfully set up proper read-only access for Drata 🎉
