Elastic Cloud Credentials
Service Name: Elastic Cloud
Service Description: Elastic Cloud is a fully managed service that offers Elasticsearch and Kibana as a service. It provides a scalable, resilient, and secure way to deploy, operate, and scale Elasticsearch clusters in the cloud.
Service Address: https://cloud.elastic.co/
Validation Type: API Auth
IP Allow list: IP restrictions can be configured at the deployment level through network settings and security rules.
Secret Access Scope: Grants programmatic access to manage Elastic Cloud deployments, including creating, modifying, and deleting Elasticsearch clusters, as well as accessing deployment information.
Secret Revokement URL: https://cloud.elastic.co/account/keys
Secret Example: ec_api_key_1a2b3c4d5e6f7g8h9i0j_abcdefghijklmnopqrstuvwxyz123456789
Suspicious Activity Investigation Instructions:
- Review the Elastic Cloud audit logs for unusual API calls or deployment modifications.
- Check for unauthorized deployments or modifications to existing deployments.
- Monitor for unusual access patterns or access from unexpected locations.
- Verify if there are any unexpected changes to deployment configurations or security settings.
- Check for unauthorized user access or role changes within the Elastic Cloud console.
Mitigation Instructions:
- Log in to the Elastic Cloud console at https://cloud.elastic.co/.
- Navigate to the Account section.
- Select the API Keys tab.
- Locate the compromised API key.
- Select the Delete button next to the compromised key.
- Create a new API key with appropriate permissions if needed.
- Update any applications or services that were using the old key.
- Review deployment security settings and ensure proper access controls are in place.
- Consider enabling IP filtering for API access if available.
- Review and update security policies to prevent future credential exposure.