Table: cloudflare_access_application - Query Cloudflare Access Applications using SQL
Cloudflare Access is a cloud-based security service that protects your internal applications without a VPN. It operates on a per-user basis, giving you control over who can access your internal applications, and from where. It also offers features like Single Sign-On (SSO) and Multi-Factor Authentication (MFA) for added security.
Table Usage Guide
The cloudflare_access_application table provides insights into Access Applications within Cloudflare Access. As a security engineer, explore application-specific details through this table, including the application's domain, session duration, and access policies. Utilize it to uncover information about applications, such as their configuration, settings, and the security measures in place.
Examples
Basic info
Explore which Cloudflare Access applications have been created, along with their respective names, IDs and domains. This can be beneficial in managing access control and understanding the distribution of applications across different domains.
select name, id, domain, created_at from cloudflare_access_application;
Get application count by account
Gain insights into the distribution of applications across different accounts. This query is useful for understanding the usage patterns and managing resources efficiently.
select account_id, count(*) from cloudflare_access_application group by account_id;
List applications with binding cookie enabled for increased security
Analyze the settings to understand which applications have the binding cookie enabled for increased security. This is useful for identifying potential vulnerabilities and ensuring optimal security configurations.
select name, id, domain from cloudflare_access_application where enable_binding_cookie;
select name, id, domain from cloudflare_access_application where enable_binding_cookie = 1;
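The following audit query is an added example, not part of the original documentation. It lists applications that have the binding cookie disabled or a session duration longer than the 24h default, using only columns from this table's schema. It assumes PostgreSQL syntax, whole-number hour and minute components in session_duration, and a 24-hour review threshold chosen for illustration.

```sql
-- Added example (PostgreSQL syntax). The 24-hour threshold is an assumption;
-- adjust it to your own session policy.
with parsed as (
  select
    name,
    id,
    domain,
    enable_binding_cookie,
    session_duration,
    -- session_duration is text such as '48h' or '2h45m'. Extract the hour
    -- and minute components and convert to minutes. Seconds and smaller
    -- units are ignored; fractional components (e.g. '1.5h') are not handled.
    coalesce(substring(session_duration from '(\d+)h')::int, 0) * 60
      + coalesce(substring(session_duration from '(\d+)m(?![a-z])')::int, 0)
      as session_minutes
  from
    cloudflare_access_application
)
select
  name,
  id,
  domain,
  session_duration,
  coalesce(enable_binding_cookie, false) as binding_cookie_enabled,
  session_minutes > 24 * 60 as session_longer_than_24h
from
  parsed
where
  -- a null flag is treated as disabled, matching the documented default
  not coalesce(enable_binding_cookie, false)
  or session_minutes > 24 * 60
order by
  session_minutes desc;
```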
Schema for cloudflare_access_application
Name | Type | Operators | Description |
---|---|---|---|
_ctx | jsonb | | Steampipe context in JSON form, e.g. connection_name. |
account_id | text | = | ID of the account the access application belongs to. |
account_name | text | = | Name of the account the access application belongs to. |
allowed_idps | jsonb | | The identity providers selected for the application. |
aud | text | | Audience tag. |
auto_redirect_to_identity | boolean | | Option to skip identity provider selection if only one is configured in allowed_idps. Defaults to false (disabled). |
cors_headers | jsonb | | CORS configuration for the access application. See below for reference structure. |
created_at | timestamp with time zone | | Timestamp when the application was created. |
custom_deny_message | text | | Option that returns a custom error message when a user is denied access to the application. |
custom_deny_url | text | | Option that redirects to a custom URL when a user is denied access to the application. |
domain | text | | The domain and path that access will block. |
enable_binding_cookie | boolean | | Option to provide increased security against compromised authorization tokens and CSRF attacks by requiring an additional "binding" cookie on requests. Defaults to false. |
id | text | | Application API uuid. |
name | text | | Friendly name of the access application. |
session_duration | text | | How often a user will be forced to re-authorise. Must be in the format "48h" or "2h45m". Valid time units are ns, us (or µs), ms, s, m, h. Defaults to 24h. |
updated_at | timestamp with time zone | | Timestamp when the application was last modified. |
Export
This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.
You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:
/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- cloudflare
You can pass the configuration to the command with the --config argument:
steampipe_export_cloudflare --config '<your_config>' cloudflare_access_application