Elastic Cloud API Key
Service Name: Elastic Cloud
Service Description: Elastic Cloud is a fully managed service that makes it easy to deploy, operate, and scale Elasticsearch and Kibana in the cloud. It provides the full Elastic Stack with features for security, observability, and enterprise search.
Service Address: https://cloud.elastic.co
Validation Type: API Auth
IP Allow list: Does not exist
Secret Access Scope: Grants access to manage Elastic Cloud deployments, including creating, updating, and deleting Elasticsearch clusters, Kibana instances, and other Elastic Stack components.
Secret Revokement URL: https://cloud.elastic.co/security/api-keys
Secret Example: essu_abcdefghijklmnopqrstuvwxyz123456789012345678901234567890123456789012345678901234567890AAAAA123456=
Suspicious Activity Investigation Instructions:
- Review Elastic Cloud audit logs for unusual API calls or deployment changes
- Check for unauthorized deployments or modifications to existing deployments
- Examine access patterns for unusual geographic locations or times
- Monitor for unexpected increases in resource usage or billing
- Review user access and permissions in the Elastic Cloud console
Mitigation Instructions:
- Immediately revoke the compromised API key in the Elastic Cloud console
- Navigate to the Elastic Cloud console and go to the Security section
- Select API Keys and locate the compromised key
- Click the Delete button to revoke the key
- Create a new API key with appropriate permissions
- Update any applications or services using the old key
- Review and adjust API key permissions to follow the principle of least privilege