turbot/cloudflare
steampipe plugin install cloudflare

Table: cloudflare_access_policy - Query Cloudflare Access Policies using SQL

Cloudflare Access Policy is a feature within Cloudflare that allows you to control who can access your application based on user identity, IP address, or other criteria. It provides a centralized way to set up and manage access policies for various Cloudflare resources, including web applications, databases, and more. Cloudflare Access Policy helps you secure your applications and take appropriate actions when predefined conditions are met.

Table Usage Guide

The cloudflare_access_policy table provides insights into Access Policies within Cloudflare. As a Security Analyst, explore policy-specific details through this table, including permissions, IP addresses, and associated metadata. Utilize it to uncover information about policies, such as those with specific permissions, the IP addresses associated with policies, and the verification of access conditions.

Examples

Basic info

Explore which access policies are in place within your Cloudflare application. This is useful for assessing the precedence of these policies and understanding the decision-making process of your application's security.

select
name,
id,
application_id,
application_name,
decision,
precedence
from
cloudflare_access_policy;
select
name,
id,
application_id,
application_name,
decision,
precedence
from
cloudflare_access_policy;

List policies that require justification for accessing resources

Explore which policies necessitate a justification when accessing resources. This can be useful in enhancing security measures by identifying areas where additional user accountability is needed.

select
name,
id,
application_name,
decision,
precedence
from
cloudflare_access_policy
where
purpose_justification_required;
select
name,
id,
application_name,
decision,
precedence
from
cloudflare_access_policy
where
purpose_justification_required = 1;

Schema for cloudflare_access_policy

NameTypeOperatorsDescription
_ctxjsonbSteampipe context in JSON form.
account_idtextThe ID of account where application belongs.
application_idtext=The id of application to which policy belongs.
application_nametextThe name of application to which policy belongs.
approval_groupsjsonbThe list of approval groups that must approve the access request.
created_attimestamp with time zoneTimestamp when access policy was created.
decisiontextDefines the action Access will take if the policy matches the user. Allowed values: allow, deny, non_identity, bypass
excludejsonbThe exclude policy works like a NOT logical operator. The user must not satisfy all of the rules in exclude.
idtextAccess policy unique API identifier.
includejsonbThe include policy works like an OR logical operator. The user must satisfy one of the rules in includes.
nametextThe name of the policy. Only used in the UI.
precedencebigintThe unique precedence for policies on a single application.
purpose_justification_prompttextThe text the user will be prompted with when a purpose justification is required.
purpose_justification_requiredbooleanDefines whether or not the user is prompted for a justification when this policy is applied.
requirejsonbThe require policy works like a AND logical operator. The user must satisfy all of the rules in require.
sp_connection_nametext=, !=, ~~, ~~*, !~~, !~~*Steampipe connection name.
sp_ctxjsonbSteampipe context in JSON form.
updated_attimestamp with time zoneTimestamp when access policy was last modified.
user_idtext=, !=, ~~, ~~*, !~~, !~~*ID of the current user.

Export

This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.

You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:

/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- cloudflare

You can pass the configuration to the command with the --config argument:

steampipe_export_cloudflare --config '<your_config>' cloudflare_access_policy