Table: cloudflare_access_policy - Query Cloudflare Access Policies using SQL

Cloudflare Access Policy is a feature within Cloudflare that allows you to control who can access your application based on user identity, IP address, or other criteria. It provides a centralized way to set up and manage access policies for various Cloudflare resources, including web applications, databases, and more. Cloudflare Access Policy helps you secure your applications and take appropriate actions when predefined conditions are met.

Table Usage Guide

The cloudflare_access_policy table provides insights into Access Policies within Cloudflare. As a Security Analyst, explore policy-specific details through this table, including permissions, IP addresses, and associated metadata. Utilize it to uncover information about policies, such as those with specific permissions, the IP addresses associated with policies, and the verification of access conditions.

Examples

Basic info

Explore which access policies are in place within your Cloudflare application. This is useful for assessing the precedence of these policies and understanding the decision-making process of your application's security.

select
  name,
  id,
  application_id,
  application_name,
  decision,
  precedence
from
  cloudflare_access_policy;

select
  name,
  id,
  application_id,
  application_name,
  decision,
  precedence
from
  cloudflare_access_policy;

List policies that require justification for accessing resources

Explore which policies necessitate a justification when accessing resources. This can be useful in enhancing security measures by identifying areas where additional user accountability is needed.

select
  name,
  id,
  application_name,
  decision,
  precedence
from
  cloudflare_access_policy
where
  purpose_justification_required;

select
  name,
  id,
  application_name,
  decision,
  precedence
from
  cloudflare_access_policy
where
  purpose_justification_required = 1;

Schema for cloudflare_access_policy

Name	Type	Operators	Description
_ctx	jsonb		Steampipe context in JSON form, e.g. connection_name.
account_id	text		The ID of account where application belongs.
application_id	text	=	The id of application to which policy belongs.
application_name	text		The name of application to which policy belongs.
approval_groups	jsonb		The list of approval groups that must approve the access request.
created_at	timestamp with time zone		Timestamp when access policy was created.
decision	text		Defines the action Access will take if the policy matches the user. Allowed values: allow, deny, non_identity, bypass
exclude	jsonb		The exclude policy works like a NOT logical operator. The user must not satisfy all of the rules in exclude.
id	text		Access policy unique API identifier.
include	jsonb		The include policy works like an OR logical operator. The user must satisfy one of the rules in includes.
name	text		The name of the policy. Only used in the UI.
precedence	bigint		The unique precedence for policies on a single application.
purpose_justification_prompt	text		The text the user will be prompted with when a purpose justification is required.
purpose_justification_required	boolean		Defines whether or not the user is prompted for a justification when this policy is applied.
require	jsonb		The require policy works like a AND logical operator. The user must satisfy all of the rules in require.
updated_at	timestamp with time zone		Timestamp when access policy was last modified.

Export

This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.

You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:

/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- cloudflare

You can pass the configuration to the command with the --config argument:

steampipe_export_cloudflare --config '<your_config>' cloudflare_access_policy