# Cloud security misconfigurations with Clanker Cloud

Use Clanker Cloud when public cloud, edge, and Kubernetes surfaces need a read-first security review.

## Buyer query

Can Clanker Cloud find risky public routes, missing auth, WAF gaps, and ingress exposure without changing DNS, WAF, or cluster objects first?

## App workflow

Open Security, select the relevant providers, then ask:

```text
Scan Cloudflare edge, DNS, WAF, tunnels, and EKS ingress for exposed paths, missing auth, and risky public API surfaces.
```

## Required context

- Cloudflare account or zone access, local cloud credentials, production cluster context, known domains, and expected public/private route list.

## Example output

```text
Finding: api.example.com is proxied through Cloudflare to an AWS ALB backing ingress prod/public-api. /admin/health is reachable without auth and bypasses the Worker route that enforces JWT checks. WAF rules are active for /api/* but not /admin/*. Suggested next step: add an explicit Cloudflare rule for /admin/* and verify the ingress annotation set before exposing additional paths.
```
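The gap in the sample finding comes down to comparing each served path against the expected route list and against the controls that should sit in front of it. A sketch of that read-only comparison follows, as an added example that is not Clanker Cloud's code; the inventory values are constructed to mirror the finding above, the function and label names are hypothetical, and Worker routes and WAF rule scope are modelled as simple path globs, which is a simplification of how Cloudflare evaluates them.

```python
from fnmatch import fnmatchcase

# Constructed inventory mirroring the sample finding; not real scan output.
HOST = "api.example.com"
WORKER_ROUTES = ["api.example.com/api/*"]            # routes where the JWT-checking Worker runs
WAF_PATH_SCOPES = ["/api/*"]                         # path globs covered by active WAF rules
INGRESS_PATHS = ["/api/v1/orders", "/admin/health"]  # paths served by ingress prod/public-api
EXPECTED_PUBLIC = {"/api/v1/orders"}                 # the expected public route list


def covered(value, patterns):
    """True if value matches any glob pattern (case-sensitive, '*' also spans '/')."""
    return any(fnmatchcase(value, p) for p in patterns)


def coverage_gaps(host, ingress_paths, worker_routes, waf_scopes, expected_public):
    """Return one finding per served path that is missing at least one control.

    Works only on inventory data already collected; nothing is sent or changed.
    """
    findings = []
    for path in ingress_paths:
        gaps = []
        if not covered(host + path, worker_routes):
            gaps.append("no-worker-auth")           # request never reaches the JWT Worker
        if not covered(path, waf_scopes):
            gaps.append("no-waf-rule")              # no active WAF rule scoped to this path
        if path not in expected_public:
            gaps.append("unexpected-public-route")  # reachable but not on the expected list
        if gaps:
            findings.append({"host": host, "path": path, "gaps": gaps})
    return findings


if __name__ == "__main__":
    results = coverage_gaps(HOST, INGRESS_PATHS, WORKER_ROUTES,
                            WAF_PATH_SCOPES, EXPECTED_PUBLIC)
    for f in results:
        print(f"{f['host']}{f['path']}: {', '.join(f['gaps'])}")
```
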

## Safety boundary

The scan inventories resources and performs bounded reachability checks. It does not mutate DNS, WAF, ingress, or Kubernetes objects. Remediation stays behind a reviewed plan.

## Related

- Full example: https://clankercloud.ai/examples/scan-cloudflare-and-eks
- Local credentials: https://clankercloud.ai/security/local-credentials
