By default, following the Elastic guide for Elastic Cloud, Filebeat uses the elastic account, which is a highly privileged account. If one of the servers where Filebeat is located gets compromised, attackers would be able to read/write/delete the stored Elastic data.
I'm trying to set up a user which has only create_doc privileges in the desired indexes, however I'm facing a lot of permissions errors in Filebeat... As an example, this is the latest one I'm trying to solve:
{"level":"error","timestamp":"2020-04-02T14:55:21.819+0200","caller":"pipeline/output.go:100","message":"Failed to connect to backoff(elasticsearch(<redacted>)): Connection marked as failed because the onConnect callback failed: failed to check for policy name 'filebeat-7.4.0': (status=403) {\"error\":{\"root_cause\":[{\"type\":\"security_exception\",\"reason\":\"action [cluster:admin/ilm/get] is unauthorized for user [beats]\"}],\"type\":\"security_exception\",\"reason\":\"action [cluster:admin/ilm/get] is unauthorized for user [beats]\"},\"status\":403}: 403 Forbidden: {\"error\":{\"root_cause\":[{\"type\":\"security_exception\",\"reason\":\"action [cluster:admin/ilm/get] is unauthorized for user [beats]\"}],\"type\":\"security_exception\",\"reason\":\"action [cluster:admin/ilm/get] is unauthorized for user [beats]\"},\"status\":403}"}
I think providing as few permissions as possible to Filebeat should be a default setting, so I don't understand why there is no direct documentation on this. What would be the secure recommended way to achieve this?
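The 403 above is a practical way to build the least-privilege role: each `action [...] is unauthorized for user [...]` entry names exactly one missing privilege. The script below is an added example, not part of the original post and not Elastic's code. It parses that Filebeat JSON log entry, maps the unauthorized action to the narrowest Elasticsearch privilege that covers it, and checks that the resulting role still cannot read, overwrite or delete stored data from a compromised host. The role body (`monitor` + `read_ilm` on the cluster, `create_doc` + `view_index_metadata` + `create_index` on `filebeat-*`) and the action-to-privilege table are my assumptions based on the Elasticsearch privilege documentation; verify them against your own Elastic version, and note that `read_ilm` can be avoided entirely by disabling Filebeat's ILM setup (`setup.ilm.enabled: false`) so the `cluster:admin/ilm/get` call is never made.

```python
import json
import re

# Role body for PUT _security/role/filebeat_writer (assumed privilege set, see lead-in).
# Nothing here grants read, write, delete or manage, so a host that only holds
# this role's credentials can append documents and nothing else.
FILEBEAT_WRITER_ROLE = {
    # monitor: version/cluster-info check; read_ilm: the ILM policy lookup that
    # produced the 403 in the post (cluster:admin/ilm/get).
    "cluster": ["monitor", "read_ilm"],
    "indices": [
        {
            "names": ["filebeat-*"],
            # create_doc only allows creating new documents (no update/delete).
            "privileges": ["create_doc", "view_index_metadata", "create_index"],
        }
    ],
}

# Privileges that would give a compromised Filebeat host read/modify/delete access.
DESTRUCTIVE_INDEX_PRIVILEGES = {"all", "read", "write", "delete", "index", "manage", "delete_index"}
DESTRUCTIVE_CLUSTER_PRIVILEGES = {"all", "manage", "manage_security", "manage_ilm"}

# Least-privilege grant for an unauthorized action, matched by prefix (assumption:
# mapping derived from the privilege docs; extend it as new 403s show up).
ACTION_TO_PRIVILEGE = [
    ("cluster:admin/ilm/get", ("cluster", "read_ilm")),
    ("cluster:monitor/", ("cluster", "monitor")),
    ("indices:admin/create", ("index", "create_index")),
    ("indices:admin/mappings/get", ("index", "view_index_metadata")),
    ("indices:data/write/", ("index", "create_doc")),  # create-only writes
]

# Sample Filebeat log entry, copied from the error quoted in the post (host redacted).
SAMPLE_LOG = r"""{"level":"error","timestamp":"2020-04-02T14:55:21.819+0200","caller":"pipeline/output.go:100","message":"Failed to connect to backoff(elasticsearch(<redacted>)): Connection marked as failed because the onConnect callback failed: failed to check for policy name 'filebeat-7.4.0': (status=403) {\"error\":{\"root_cause\":[{\"type\":\"security_exception\",\"reason\":\"action [cluster:admin/ilm/get] is unauthorized for user [beats]\"}],\"type\":\"security_exception\",\"reason\":\"action [cluster:admin/ilm/get] is unauthorized for user [beats]\"},\"status\":403}: 403 Forbidden: {\"error\":{\"root_cause\":[{\"type\":\"security_exception\",\"reason\":\"action [cluster:admin/ilm/get] is unauthorized for user [beats]\"}],\"type\":\"security_exception\",\"reason\":\"action [cluster:admin/ilm/get] is unauthorized for user [beats]\"},\"status\":403}"}"""

UNAUTHORIZED_RE = re.compile(r"action \[([^\]]+)\] is unauthorized for user \[([^\]]+)\]")


def parse_unauthorized_action(log_line):
    """Return (user, action) from a Filebeat JSON log entry whose message carries an
    Elasticsearch security_exception, or None if the entry is not such an error."""
    try:
        entry = json.loads(log_line)
    except (json.JSONDecodeError, TypeError):
        return None
    if entry.get("level") != "error":
        return None
    match = UNAUTHORIZED_RE.search(entry.get("message", ""))
    if not match:
        return None
    return match.group(2), match.group(1)


def privilege_for_action(action):
    """Map an Elasticsearch action name to (scope, privilege), or None if unknown."""
    for prefix, grant in ACTION_TO_PRIVILEGE:
        if action.startswith(prefix):
            return grant
    return None


def role_is_append_only(role):
    """True if the role grants nothing that lets a holder read, overwrite or delete data."""
    if DESTRUCTIVE_CLUSTER_PRIVILEGES & set(role.get("cluster", [])):
        return False
    for entry in role.get("indices", []):
        if DESTRUCTIVE_INDEX_PRIVILEGES & set(entry.get("privileges", [])):
            return False
    return True


def extend_role(role, action):
    """Return a copy of role with the narrowest grant for `action` added, or the
    unchanged role if the action is unknown or the grant would not be append-only."""
    grant = privilege_for_action(action)
    if grant is None:
        return role
    scope, privilege = grant
    new_role = json.loads(json.dumps(role))  # deep copy without mutating the input
    if scope == "cluster":
        if privilege not in new_role.setdefault("cluster", []):
            new_role["cluster"].append(privilege)
    else:
        for entry in new_role.setdefault("indices", []):
            if privilege not in entry.setdefault("privileges", []):
                entry["privileges"].append(privilege)
    return new_role if role_is_append_only(new_role) else role


if __name__ == "__main__":
    user, action = parse_unauthorized_action(SAMPLE_LOG)
    print(f"user={user} missing action={action} -> grant {privilege_for_action(action)}")
    print(json.dumps(FILEBEAT_WRITER_ROLE, indent=2))
```

Run it against a Filebeat log file one entry at a time and feed each `(user, action)` pair through `extend_role`; once the role stops changing, `PUT _security/role/filebeat_writer` with the result and assign it to the `beats` user. The `role_is_append_only` guard is the point of the exercise: it refuses any grant that would reintroduce the read/delete capability the post is trying to remove.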