Table: cloudflare_access_policy - Query Cloudflare Access Policies using SQL
Cloudflare Access Policy is a feature within Cloudflare that allows you to control who can access your application based on user identity, IP address, or other criteria. It provides a centralized way to set up and manage access policies for various Cloudflare resources, including web applications, databases, and more. Cloudflare Access Policy helps you secure your applications and take appropriate actions when predefined conditions are met.
Table Usage Guide
The cloudflare_access_policy
table provides insights into Access Policies within Cloudflare. As a Security Analyst, explore policy-specific details through this table, including permissions, IP addresses, and associated metadata. Utilize it to uncover information about policies, such as those with specific permissions, the IP addresses associated with policies, and the verification of access conditions.
Examples
Basic info
Explore which access policies are in place within your Cloudflare application. This is useful for assessing the precedence of these policies and understanding the decision-making process of your application's security.
select name, id, application_id, application_name, decision, precedencefrom cloudflare_access_policy;
select name, id, application_id, application_name, decision, precedencefrom cloudflare_access_policy;
List policies that require justification for accessing resources
Explore which policies necessitate a justification when accessing resources. This can be useful in enhancing security measures by identifying areas where additional user accountability is needed.
select name, id, application_name, decision, precedencefrom cloudflare_access_policywhere purpose_justification_required;
select name, id, application_name, decision, precedencefrom cloudflare_access_policywhere purpose_justification_required = 1;
Schema for cloudflare_access_policy
Name | Type | Operators | Description |
---|---|---|---|
_ctx | jsonb | Steampipe context in JSON form. | |
account_id | text | The ID of account where application belongs. | |
application_id | text | = | The id of application to which policy belongs. |
application_name | text | The name of application to which policy belongs. | |
approval_groups | jsonb | The list of approval groups that must approve the access request. | |
created_at | timestamp with time zone | Timestamp when access policy was created. | |
decision | text | Defines the action Access will take if the policy matches the user. Allowed values: allow, deny, non_identity, bypass | |
exclude | jsonb | The exclude policy works like a NOT logical operator. The user must not satisfy all of the rules in exclude. | |
id | text | Access policy unique API identifier. | |
include | jsonb | The include policy works like an OR logical operator. The user must satisfy one of the rules in includes. | |
name | text | The name of the policy. Only used in the UI. | |
precedence | bigint | The unique precedence for policies on a single application. | |
purpose_justification_prompt | text | The text the user will be prompted with when a purpose justification is required. | |
purpose_justification_required | boolean | Defines whether or not the user is prompted for a justification when this policy is applied. | |
require | jsonb | The require policy works like a AND logical operator. The user must satisfy all of the rules in require. | |
sp_connection_name | text | =, !=, ~~, ~~*, !~~, !~~* | Steampipe connection name. |
sp_ctx | jsonb | Steampipe context in JSON form. | |
updated_at | timestamp with time zone | Timestamp when access policy was last modified. | |
user_id | text | =, !=, ~~, ~~*, !~~, !~~* | ID of the current user. |
Export
This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.
You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh
script:
/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- cloudflare
You can pass the configuration to the command with the --config
argument:
steampipe_export_cloudflare --config '<your_config>' cloudflare_access_policy