Cloudflare
optional feature turned off by default
What is Cloudflare?
- Cloudflare is a cloud platform providing infrastructure, content delivery network services, and security solutions for enterprise users
Supported DNS vulnerability types
- NS subdomains
- CNAMEs pointing to missing resources, e.g. Elastic Beanstalk, Azure storage
- Cloudflare proxy configured with S3 origin in Free plan, directs to non-existent S3 bucket matching domain name
Cloudflare manual scans
- scan your Cloudflare environment from a laptop
- details at Cloudflare manual scans
Notifications from scheduled lambda function scans
- receive alerts by Slack or email
Automated takeover
Supported resource types detailed in takeover:
- S3 buckets
- Elastic Beanstalk environments
How to enable Cloudflare lambda functions
- by default Cloudflare lambda functions are not deployed
- to enable, set environment variable
cloudflare = truein tfvars file or CI/CD pipeline
Cloudflare API token
- required for Lambda functions to interact with Cloudflare
- log in to the Cloudflare console with a service account identity
- go to My Profile, API Tokens, Create Token
- at API Tokens, Create Token
- at Create Custom Token press Get Started
- give the API token a suitable name, e.g. domain-protect
- at permissions, choose Zone, DNS, read
- at Zone Resources, include all zones
- press Continue to summary
- press Create Token
- copy token and save securely
- set token as environment variable
cf_api_key = "xxxxxx"in tfvars file or CI/CD pipeline