
Cloudflare Account Security -- 2FA and Audit Logs

DodaTech

In this tutorial, you'll learn about Cloudflare Account Security. We cover key concepts, practical examples, and best practices to help you understand and apply this topic effectively.

Cloudflare Account Security encompasses two-factor authentication (2FA), audit log monitoring, API token management, and team access controls that protect your Cloudflare account from unauthorized access and help you detect and respond to security incidents.

Why Account Security Matters

Your Cloudflare account controls DNS records, SSL certificates, WAF rules, and edge configuration for all your domains. If an attacker gains access, they can redirect traffic, steal certificates, or disable security features. In 2025, credential-based attacks increased by 71 percent year over year, and cloud console access was the top vector in data breaches according to multiple industry reports. Enforcing 2FA and regularly reviewing audit logs are the two most effective controls you can implement today.

Real-world use: A DevSecOps team managing 50 domains across 12 team members discovered a compromised API token during a routine audit log review. The logs showed a GET request from an unrecognized IP address in a foreign country at 3 AM. They revoked the token immediately, triggered an Incident Response, and rotated all credentials within 15 minutes. The audit log review prevented what could have been a full account takeover.

Account Security Flow

```mermaid
flowchart TD
    L[Login Attempt] --> A{2FA Enabled?}
    A -->|No| P[Password Only - High Risk]
    A -->|Yes| T[TOTP Code Required]
    T --> V{Valid Code?}
    V -->|Yes| D[Dashboard Access]
    V -->|No| B[Access Denied]
    D --> AL[Audit Log Records]
    AL --> M[Monitor for Suspicious Events]
    M -->|Suspicious| R["Revoke Tokens / Rotate Keys"]
    M -->|Normal| C[Continue]
    style T fill:#f90,color:#fff
    style AL fill:#f90,color:#fff
    style B fill:#e74c3c,color:#fff
```

Without 2FA, a single stolen password is enough to take over your account. With 2FA enabled, an attacker also needs access to your TOTP seed, hardware key, or recovery codes -- a much higher bar.

Enabling Two-Factor Authentication

2FA adds a second verification step after your password. Cloudflare supports TOTP authenticator apps, hardware security keys (WebAuthn), and SMS backup codes.

```bash
# Step 1: Navigate to security settings
# Log in to dash.cloudflare.com
# Go to My Profile > Authentication > Two-Factor Authentication
# Click "Enable Two-Factor Authentication"
```

If you are using the Cloudflare API to check your 2FA status programmatically, you can query the user API endpoint.

```bash
# Check your 2FA status via API (requires Super Administrator role)
curl -s -X GET "https://api.cloudflare.com/client/v4/user" \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -H "Content-Type: application/json" | python3 -c "
import sys, json
data = json.load(sys.stdin)
user = data['result']
print(f'Email: {user[\"email\"]}')
print(f'2FA Enabled: {user.get(\"two_factor_authentication\", False)}')
print(f'Role: {user.get(\"role\", \"N/A\")}')
"
```

Expected output: Your email address, whether 2FA is enabled (true or false), and your account role. If 2FA is false, enable it immediately from the dashboard using an authenticator app like Google Authenticator, Authy, or a hardware security key.

After enabling 2FA, download your recovery codes and store them in a secure password manager. Without recovery codes, losing your 2FA device can lock you out of your account permanently.

Reviewing Audit Logs

Audit logs record every action taken in your Cloudflare account -- who did what, when, and from which IP address. You access them from the dashboard under Manage Account > Audit Log, or via the API.

```bash
# Fetch the last 20 audit log entries via API
curl -s -X GET "https://api.cloudflare.com/client/v4/accounts/$CLOUDFLARE_ACCOUNT_ID/audit_logs?per_page=20" \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -H "Content-Type: application/json" | python3 -c "
import sys, json
data = json.load(sys.stdin)
for entry in data['result']:
    actor = entry.get('actor', {}) or {}
    action = entry.get('action', {}).get('type', 'unknown')
    resource = entry.get('resource', {}).get('type', 'unknown')
    when = entry.get('when', 'unknown')
    metadata = entry.get('metadata', {}) or {}
    # The source address is reported on the actor object; fall back to metadata if absent
    ip = actor.get('ip') or metadata.get('ip_address', 'unknown')
    print(f'[{when}] {actor.get(\"email\", \"unknown\")} | {action} on {resource} | IP: {ip}')
"
```

Expected output: Timestamped audit log entries showing each action: login (successful authentication), zone.create (new domain added), dns.update (DNS record changed), api_token.create, ssl.update, and so on. Each entry includes the actor's email, action type, target resource, timestamp, and source IP address.

Reviewing these logs daily or using a SIEM integration helps you detect unauthorized changes early. Focus on high-risk actions: API token creation, DNS record modifications, user role changes, and SSL certificate updates.
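As an added example (not code from the tutorial), the triage logic below runs over constructed audit log entries in the shape the endpoint above returns and flags the high-risk action types the text names, source IPs outside a trusted range, and off-hours activity. The `actor.ip` field, the trusted network and the off-hours window are assumptions you would adjust for your own account.

```python
import ipaddress
import json
from datetime import datetime, timezone

# Constructed sample entries in the shape of the audit_logs "result" array
# (actor, action, resource, when, metadata); not real account data.
SAMPLE_AUDIT_LOG = json.loads("""[
 {"actor": {"email": "alice@example.com", "ip": "203.0.113.10"},
  "action": {"type": "login"}, "resource": {"type": "user"},
  "when": "2025-03-04T09:12:00Z", "metadata": {}},
 {"actor": {"email": "ci-bot@example.com", "ip": "198.51.100.7"},
  "action": {"type": "api_token.create"}, "resource": {"type": "api_token"},
  "when": "2025-03-04T03:02:11Z", "metadata": {"name": "deploy-wide"}},
 {"actor": {"email": "alice@example.com", "ip": "203.0.113.10"},
  "action": {"type": "dns.update"}, "resource": {"type": "DNS_record"},
  "when": "2025-03-04T10:40:00Z", "metadata": {"zone_name": "example.com"}}
]""")

# Action-type prefixes the tutorial singles out as high risk (token creation,
# DNS changes, certificate changes); extend with your account's role-change types.
HIGH_RISK_PREFIXES = ("api_token.", "dns.", "ssl.")
TRUSTED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]  # assumed office range
OFF_HOURS_UTC = range(0, 6)  # 00:00-05:59 UTC, like the 3 AM event in the story

def flag_entry(entry, trusted=TRUSTED_NETWORKS):
    """Return the reasons one entry deserves review (empty list = looks normal)."""
    reasons = []
    action = entry.get("action", {}).get("type", "")
    if action.startswith(HIGH_RISK_PREFIXES):
        reasons.append(f"high-risk action {action}")
    ip = entry.get("actor", {}).get("ip")  # assumed location of the source IP
    try:
        if not any(ipaddress.ip_address(ip) in net for net in trusted):
            reasons.append(f"source IP {ip} outside trusted networks")
    except ValueError:
        reasons.append("source IP missing or unparsable")
    try:
        ts = datetime.fromisoformat(entry.get("when", "").replace("Z", "+00:00"))
        if ts.astimezone(timezone.utc).hour in OFF_HOURS_UTC:
            reasons.append(f"off-hours activity at {ts:%H:%M} UTC")
    except ValueError:
        reasons.append("timestamp missing or unparsable")
    return reasons

def triage(entries, trusted=TRUSTED_NETWORKS):
    """Return (actor email, action type, reasons) for every entry worth a look."""
    flagged = [(e, flag_entry(e, trusted)) for e in entries]
    return [(e.get("actor", {}).get("email", "unknown"), e["action"]["type"], r)
            for e, r in flagged if r]
```

Feed the function the `result` array from the curl call above instead of the sample to use it on real entries; anything returned by `triage` is a candidate for the response workflow later in this tutorial.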

API Token Security

API tokens are a common attack vector because they often have broad permissions and are stored in scripts, CI/CD pipelines, and configuration files. Follow these token management practices.

```bash
# List all API tokens and check their permissions
curl -s -X GET "https://api.cloudflare.com/client/v4/user/tokens" \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -H "Content-Type: application/json" | python3 -c "
import sys, json
data = json.load(sys.stdin)
for token in data['result']:
    name = token.get('name', 'Unnamed')
    status = token.get('status', 'unknown')
    created = token.get('issued_on', 'unknown')
    # Each policy carries a list of permission groups, not a single group
    perm_names = [g.get('name', 'unknown')
                  for p in token.get('policies', [])
                  for g in p.get('permission_groups', [])]
    print(f'Token: {name}')
    print(f'  Status: {status}')
    print(f'  Created: {created}')
    print(f'  Permissions: {\", \".join(perm_names)}')
    print()
"
```

Expected output: A list of all API tokens with their names, status (active or disabled), creation dates, and permission groups. Remove any tokens you do not recognize, and disable tokens that have not been used in 90 days.

Token best practices are: create separate tokens for each service or script so you can revoke them independently, use the minimum permission scope for each token, set token expiration to 30-90 days max, and rotate tokens on a schedule or immediately after a compromise.

Team Access and Roles

If you manage multiple users, use Cloudflare's role-based access control to limit privileges. The principle of Least Privilege applies here -- no one should have Super Administrator access unless they absolutely need it.

| Role | Permissions | Best For |
|---|---|---|
| Super Administrator | Full account access, billing, user management | 1-2 senior admins |
| Administrator | Full zone configuration, limited billing | Day-to-day ops team |
| Billing | Invoice and payment management only | Finance team |
| Analytics | Read-only access to analytics | Stakeholders |
| Cloudflare Worker Admin | Full Workers and Pages access | Developers |
| DNS | DNS record management only | DNS engineers |

Use the audit log to verify that role assignments match your team's current structure. When someone leaves the team, remove their access immediately. Cloudflare does not automatically deprovision users based on SSO group membership unless you configure SCIM, so manual offboarding is essential.

Responding to Suspicious Activity

When you detect suspicious activity in your audit log, follow this Incident Response workflow.

```bash
# Revoke a compromised API token immediately
curl -s -X DELETE "https://api.cloudflare.com/client/v4/user/tokens/TOKEN_ID" \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
# Expected output: {"success": true, "result": {"id": "TOKEN_ID"}}

# After revocation, rotate all remaining tokens and API keys
# Change your Cloudflare password
# Review all DNS records for unauthorized changes
# Check SSL certificate issuance for your zones
# Review WAF rules and firewall policies
```

After an incident, create a post-mortem report. Document what happened, how it was detected, what the Blast Radius was, and what controls need to improve. Common improvements include shorter token expiration, automated audit log alerts, and mandatory 2FA enforcement through Cloudflare Zero Trust.

Common Errors

| Issue | Cause | Fix |
|---|---|---|
| Cannot disable 2FA | Cloudflare requires at least one 2FA method | Add a second method first (hardware key or authenticator app) |
| Lost 2FA device | No recovery codes saved | Contact Cloudflare support with proof of account ownership |
| Audit log not showing events | Incorrect time zone or date range | Default to UTC and review the last 24 hours |
| API token revocation fails | Token already expired or deleted | Check the user/tokens list for valid tokens |
| Team member cannot log in | SSO session expired or IP access rule blocking | Verify Zero Trust policies and SSO configuration |

Practice Questions

  1. What three authentication methods does Cloudflare support for 2FA?
  2. Which API endpoint do you use to retrieve audit log entries for your account?
  3. What is the minimum recommended permission scope for a CI/CD pipeline API token?

FAQ

Can I enforce 2FA for all users in my Cloudflare account?

Yes. Cloudflare accounts with Enterprise plans can enforce 2FA for all members through Cloudflare Zero Trust. On other plans, you must communicate the requirement to your team and verify Compliance manually through audit log review. There is no per-account toggle to force 2FA on self-serve plans.

How long does Cloudflare retain audit logs?

Cloudflare retains audit logs for 18 months on all plans. You can export them via API for longer-term storage in your SIEM or logging platform. The API returns up to 1000 results per page, and you can paginate through the full 18-month retention window.

What is the difference between an API token and an API key?

An API token is scoped to specific permissions and zones, can be rotated individually, and supports expiration. An API key (global key) has full account access and never expires. Cloudflare recommends using API tokens for all automation and disabling the global API key. Tokens are more secure because they follow the principle of Least Privilege.

Summary

Cloudflare account security starts with enabling two-factor authentication using TOTP authenticator apps or hardware keys, then extends to regular audit log monitoring, API token hygiene, role-based access control, and a clear Incident Response plan. Audit logs capture every action in your account with actor identity, timestamp, and source IP -- review them daily or integrate with your SIEM. API tokens should be scoped, short-lived, and rotated frequently. Team access should follow the principle of Least Privilege with regular access reviews.

This Web Security framework is used internally by DodaTech to protect Doda Browser's cloud infrastructure and Durga Antivirus Pro's threat analysis pipelines. Built by the developers of Doda Browser, DodaZIP, and Durga Antivirus Pro -- security-first tools for the modern web.
