Consul ACL Token
Service Name: HashiCorp Consul
Service Description: HashiCorp Consul is a service networking solution that enables teams to manage secure network connectivity between services and across environments. It provides service discovery, health checking, and a distributed key-value store.
Service Address: https://www.consul.io/
Validation Type: API Auth
IP Allow list: IP restrictions can be configured at the service level using Consul's ACL system and network segmentation policies.
Secret Access Scope: Grants access to Consul resources based on the token's associated policies. Tokens can have different levels of access from read-only to full management capabilities.
Secret Revokement URL: https://developer.hashicorp.com/consul/commands/acl/token/delete
Secret Example: e95a1e4b-251c-4852-ad41-f46b2d9fcd38
Suspicious Activity Investigation Instructions:
- Review Consul audit logs for unusual API calls or resource access patterns
- Check for unauthorized service registrations or deregistrations
- Monitor for unexpected changes to key-value store entries
- Look for policy modifications or new token creations
- Examine network traffic patterns to identify unusual access to Consul endpoints
Mitigation Instructions:
-
Immediately revoke the compromised token using the Consul CLI:
consul acl token delete -id <token_id> -
Alternatively, use the Consul API or UI to delete the token
- Create a new token with appropriate policies if needed
- Review and update ACL policies to ensure the Principle of Least Privilege
- Enable audit logging if not already enabled to track future token usage
- Consider implementing shorter token TTLs (Time-To-Live) for sensitive tokens
- Rotate all management tokens as a precaution
- Update any applications or services that were using the compromised token