Skip to main content
All CollectionsIntegrations
Cloudflare Connection Details
Cloudflare Connection Details

This article walks through the details of configuring Cloudflare to connect to Drata.

Ashley Hyman avatar
Written by Ashley Hyman
Updated over a week ago

HERE'S WHY

Connecting Cloudflare to Drata allows for the automated, continuous monitoring, and evidence collection of security controls required for compliance around your DNS and WAF.

BEFORE DIVING IN

You can create the needed API Token on your account, though it's recommended to create an account on Cloudflare that you use for automation, more of a service account. This way, if the API Token creator leaves the company, the API Token will live on as it will be attached to the service account.

Overview of what we're going to set up

  • Create a new Custom API Token

  • Set the Read Permissions

  • Decide to include all of the domains or specific ones

  • Input the new API Token into Drata


Create a new Custom API Token

  1. Log in to the Cloudflare Dashboard with the account you want the new API Token to be associated with.

  2. Click on the user menu on the top right of the page, and click on My Profile, then click on the tab titled API Tokens.

  3. Click on the Create Token button, then on the bottom of the page under the Custom token section, click on the Get started button to create a custom token.

  4. In the Token name field, use the following name

Token name:

Drata

Set the Read Permissions

Next we're going to add the minimal amount of Read Only permissions that Drata needs to review your Cloudflare configuration for compliance verification. There will be eight in total. Click on the + Add more link seven times so there are a total of eight permissions.

Type

Scope

Access

Account

Access: Organizations, Identity Providers, and Groups

Read

Account

Account Firewall Access Rules

Read

Account

Account Settings

Read

Zone

Zone Settings

Read

Zone

Zone

Read

Zone

Firewall Services

Read

Zone

Access: Apps and Policies

Read

Zone

Zone WAF

Read

Users

Memberships

Read

Users

User Details

Read

Decide to include all of the domains or specific ones

  1. Next, under the Account Resources section, select the account(s) you want to grant Drata access to. You can select All accounts, or you can scope it down to just a specific account (recommended).

Note, if you want to select more than one specific account, once you select the first one, click on the + Add more link to add another.

2. Under Zone Resources, you can select All zones, or filter down to a Specific zone (recommended if you use just one domain for your production data).

Note, if you want to select more than one specific zone, once you select the first one, click on the + Add more link to add another.

3. Leave the Client IP Address Filtering and TTL sections alone, then click on the Continue to summary button

4. Click the Create token button.

Input the new API Token into Drata

  1. Make sure to copy the API token, as it will never be shown again after this screen.

  2. Copy and paste the API token value into the API Token field on Drata.


πŸŽ‰ You have just successfully setup proper read-only access for Drata πŸŽ‰

Did this answer your question?