Reference Architecture

Cloudrail is a cloud-delivered service (SaaS). It exposes APIs that are used both for running IaC security scans and by the web application.

Users interact with the Cloudrail service through the Cloudrail CLI and Web Application.

The Cloudrail service itself also connects directly to your cloud accounts if you choose to use the Static + Dynamic analysis (instead of only Static).

Connectivity into Cloudrail SaaS


The Cloudrail CLI can be run either on your personal workstation to run assessments, or in CI/CD tools to run assessments automatically on git triggers (pull requests, commits, etc.).

When a user runs a scan with the Cloudrail CLI, the CLI interacts with Cloudrail's API services through the following endpoint:

Port: 443 (HTTPS)

Note that every request is authenticated with the API key issued to each Cloudrail user. Treat the key as a secret: keep it in the CI system's secret store or an environment variable rather than in the repository.

Web Application

The Web Application is accessible via most browsers at

The web application enforces a strict same-origin policy, which may interfere with access if your browser traffic goes through a proxy. If you run into such problems, bypass the proxy for the Cloudrail web application.

From Cloudrail to your cloud accounts

Cloudrail will connect to the cloud accounts you configure. Depending on the cloud service provider (CSP), the method of connectivity will vary:

  • Amazon Web Services (AWS) – Cloudrail asks that you create an IAM role in your account that Cloudrail can assume. The role has the AWS managed policies SecurityAudit and ViewOnlyAccess attached, and you can attach your own policies in addition.
  • Microsoft Azure – Cloudrail connects through an Azure Active Directory application (service principal). The application must be granted the Reader role.
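The AWS bullet above describes a cross-account role but not how to scope its trust policy. The script below is an added example (not Cloudrail's own tooling): it builds the trust policy for such a role, checks that it is not wider than intended, and emits the `aws iam` commands that would create the role with the two managed policies named on this page. The Cloudrail account ID, the external ID and the role name are placeholders (assumptions); take the real values from the Cloudrail web application when you add the account. Requiring an `sts:ExternalId` condition is an assumed hardening against the confused-deputy problem, not something the page states.

```python
"""Construct and sanity-check the cross-account IAM role that Cloudrail assumes.

Added example; it is not Cloudrail's own tooling. CLOUDRAIL_ACCOUNT_ID,
EXTERNAL_ID and ROLE_NAME are placeholders (assumptions). Only the standard
library is used, so the policy can be generated and checked offline before
any `aws iam` call is made.
"""
import json
import re

# The two AWS managed policies named in the Reference Architecture.
CLOUDRAIL_MANAGED_POLICIES = [
    "arn:aws:iam::aws:policy/SecurityAudit",
    "arn:aws:iam::aws:policy/job-function/ViewOnlyAccess",
]

CLOUDRAIL_ACCOUNT_ID = "111111111111"     # placeholder, NOT Cloudrail's real account
EXTERNAL_ID = "replace-with-external-id"  # placeholder; the external ID is an
                                          # assumed hardening, not stated on the page
ROLE_NAME = "CloudrailScanRole"           # assumed role name

_ARN_ACCOUNT = re.compile(r"^arn:aws:iam::(\d{12}):")


def build_trust_policy(trusted_account_id: str, external_id: str) -> dict:
    """Trust policy: only `trusted_account_id` may assume the role, and only
    when it presents the agreed external ID (confused-deputy protection)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{trusted_account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def trust_policy_findings(policy: dict, trusted_account_id: str) -> list:
    """Return human-readable findings for every Allow statement that grants
    sts:AssumeRole. An empty list means the trust policy is acceptably scoped."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal", {})
        aws_principals = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        for p in aws_principals:
            if p == "*":
                findings.append("wildcard principal: any AWS account could assume the role")
                continue
            m = _ARN_ACCOUNT.match(p)
            if not m or m.group(1) != trusted_account_id:
                findings.append(f"unexpected principal {p}: not account {trusted_account_id}")
        # The condition is nested; a substring check over its JSON is enough here.
        if "sts:ExternalId" not in json.dumps(stmt.get("Condition", {})):
            findings.append("missing sts:ExternalId condition: confused-deputy risk")
    return findings


def create_role_commands(role_name: str, trust_policy: dict, managed_policies: list) -> list:
    """AWS CLI commands that would create the role (returned as strings, not executed)."""
    cmds = [f"aws iam create-role --role-name {role_name} "
            f"--assume-role-policy-document '{json.dumps(trust_policy)}'"]
    cmds += [f"aws iam attach-role-policy --role-name {role_name} --policy-arn {arn}"
             for arn in managed_policies]
    return cmds


if __name__ == "__main__":
    policy = build_trust_policy(CLOUDRAIL_ACCOUNT_ID, EXTERNAL_ID)
    problems = trust_policy_findings(policy, CLOUDRAIL_ACCOUNT_ID)
    print("trust policy findings:", problems or "none")
    for cmd in create_role_commands(ROLE_NAME, policy, CLOUDRAIL_MANAGED_POLICIES):
        print(cmd)
```

Run `trust_policy_findings` against the trust policy of the role you actually deployed (for example the output of `aws iam get-role`) as well: a role whose principal is `*` or whose condition is missing would let any AWS account, not just Cloudrail, read your environment with SecurityAudit and ViewOnlyAccess permissions.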