8.1. CIS Benchmark Mapping
FlareInspect maps findings to Center for Internet Security (CIS) controls for Cloudflare.
8.1.1. Usage
flareinspect assess --token $TOKEN --compliance cis
8.1.2. Control Mapping
1. Account Security
| CIS Control | Check IDs |
|---|---|
| CIS 1.1 | CFL-ACC-001 — MFA Enforcement |
| CIS 1.2 | CFL-ACC-002 — API Token Security |
| CIS 1.3 | CFL-ACC-003 — Admin Access Control |
| CIS 1.4 | CFL-ACC-004 — Audit Log Monitoring |
| CIS 1.5 | CFL-ACC-005 — Account Takeover Protection |
2. DNS Security
| CIS Control | Check IDs |
|---|---|
| CIS 2.1 | CFL-DNS-001 — DNSSEC Enablement |
| CIS 2.2 | CFL-DNS-002 — DNS Proxy Status |
| CIS 2.3 | CFL-DNS-003 — Wildcard DNS Records |
| CIS 2.4 | CFL-DNS-004 — CAA Records |
| CIS 2.5 | CFL-DNS-005 — DNS over HTTPS |
| CIS 2.6 | CFL-INSIGHT-005 — Unproxied DNS Records |
3. SSL/TLS
| CIS Control | Check IDs |
|---|---|
| CIS 3.1 | CFL-SSL-001 — SSL Mode Configuration |
| CIS 3.2 | CFL-SSL-002 — Minimum TLS Version |
| CIS 3.3 | CFL-SSL-003 — Certificate Validity |
| CIS 3.4 | CFL-SSL-004 — HSTS Configuration |
| CIS 3.5 | CFL-SSL-005 — Always Use HTTPS |
| CIS 3.6 | CFL-MTLS-001 — mTLS Enforcement |
| CIS 3.7 | CFL-MTLS-002 — mTLS Certificate Rotation |
| CIS 3.8 | CFL-CH-001 — Custom Hostname Validation |
| CIS 3.9 | CFL-ORIGCERT-001 — Origin Certificate Expiry |
4. WAF & Traffic Protection
| CIS Control | Check IDs |
|---|---|
| CIS 4.1 | CFL-WAF-001 — WAF Security Level |
| CIS 4.2 | CFL-WAF-002 — Custom Firewall Rules |
| CIS 4.3 | CFL-WAF-003 — Rate Limiting |
| CIS 4.4 | CFL-WAF-004 / CFL-BOT-001 — Bot Management |
| CIS 4.5 | CFL-WAF-005 — OWASP Rule Set |
| CIS 4.6 | CFL-TURN-001 — Turnstile Widget |
| CIS 4.7 | CFL-PAGESHIELD-001 — Page Shield |
| CIS 4.8 | CFL-CDA-001 — Cache Deception Armor |
| CIS 4.9 | CFL-TXRULE-001 — Transform Rule Audit |
5. Zero Trust
| CIS Control | Check IDs |
|---|---|
| CIS 5.1 | CFL-ZT-001 — Identity Provider |
| CIS 5.2 | CFL-ZT-002 — Access Policies |
| CIS 5.3 | CFL-ZT-003 — Device Enrollment |
| CIS 5.4 | CFL-ZT-004 — Tunnel Configuration |
| CIS 5.5 | CFL-ZT-005 — DNS Filtering |
| CIS 5.6 | CFL-ZT-006 — Gateway Logging |
| CIS 5.7 | CFL-DLP-001 — Data Loss Prevention |
| CIS 5.8 | CFL-TUNNEL-001 — Cloudflare Tunnels |
| CIS 5.9 | CFL-GW-001 — Gateway Policies |
| CIS 5.10 | CFL-DEVICE-001 — Device Enrollment Policy |
6–12. Additional Controls
CIS 6.1–6.5 cover performance, CIS 7.1–7.4 cover Workers/Pages, CIS 8.1–8.2 cover API Gateway, CIS 9.1–9.3 cover load balancing and Spectrum, CIS 10.1–10.3 cover email, CIS 11.1–11.7 cover Security Center, and CIS 12.1 covers Logpush.