Elastic Cloud Admin Console API Key
Service Name: Elastic Cloud
Service Description: Elastic Cloud is a fully managed service that offers Elasticsearch and Kibana as a hosted solution, providing scalable and secure access to the Elastic Stack.
Service Address: https://cloud.elastic.co/
Validation Type: API Auth
IP Allow list: Does not exist
Secret Access Scope: Grants administrative access to manage Elastic Cloud deployments, including creating, updating, and deleting deployments.
Secret Revokement URL: https://cloud.elastic.co/security/api-keys
Secret Example: essa_a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6q7r8s9t0u1v2w3x4y5z6a7b8c9d0e1f2g3h4i5j6k7l8m9n0o1p2q3r4s5t6u7v8w9x0y1z2AAAAA123456=
Suspicious Activity Investigation Instructions:
- Check Elastic Cloud audit logs for unusual deployment activities or configuration changes
- Review API access logs for unauthorized API calls from unexpected IP addresses
- Verify if there are any new deployments or modifications to existing deployments that were not authorized
- Check for unusual billing activity that might indicate resource abuse
- Look for changes to user permissions or new API keys created
Mitigation Instructions:
- Immediately revoke the compromised API key through the Elastic Cloud console
- Create a new API key with appropriate permissions
- Review and update access controls for all Elastic Cloud resources
- Enable IP filtering for API access if available
- Review deployment configurations for any unauthorized changes
- Enable audit logging if not already enabled to track future activities