Agent-skills cloud-network-security

Name: cloud-network-security
Author: elastic

install

source · Clone the upstream repo

git clone https://github.com/elastic/agent-skills

Claude Code · Install into ~/.claude/skills/

T=$(mktemp -d) && git clone --depth=1 https://github.com/elastic/agent-skills "$T" && mkdir -p ~/.claude/skills && cp -r "$T/skills/cloud/network-security" ~/.claude/skills/elastic-agent-skills-cloud-network-security && rm -rf "$T"

manifest: skills/cloud/network-security/SKILL.md

source content

Cloud Network Security

Manage network security policies for Elastic Cloud Serverless projects: IP filters to allowlist specific IPs or CIDRs, and VPC filters (AWS PrivateLink) to restrict traffic to specific VPC endpoints.

Prerequisite: This skill assumes the cloud-setup skill has already run —
EC_API_KEY
is set in the environment and the organization context is established. If
EC_API_KEY
is missing, instruct the agent to invoke cloud-setup first. Do NOT prompt the user for an API key directly.

For project creation and day-2 operations (including associating filters with projects), see cloud-create-project and cloud-manage-project. For identity and access management (users, roles, API keys), see cloud-access-management.

For detailed API endpoints and request schemas, see references/api-reference.md.

Terminology

This skill uses network security as the umbrella term, aligned with the Elastic Cloud UI direction. The underlying API uses traffic filters — you will see

traffic-filters

in endpoint paths and

traffic_filters

in JSON fields. When a user or agent says "traffic filter," they mean the same thing as "network security policy." The two filter types are IP filters (type

ip

) and VPC filters (type

vpce

Jobs to Be Done

Create an IP filter to restrict ingress to specific IPs or CIDR blocks
Create a VPC filter (AWS PrivateLink) to restrict traffic to specific VPC endpoint IDs
List, inspect, update, and delete network security policies
Look up PrivateLink region metadata (service names, domain names, availability zones)
Associate or disassociate filters with Serverless projects (delegates to cloud-manage-project)
Audit the current network security posture for an organization

Prerequisites and permissions

Item	Description
EC_API_KEY	Cloud API key (set by cloud-setup). Required for all operations.
Region	Filters are region-scoped. The user must specify the target region when creating filters.
Project IDs	Required only when associating filters with projects (handled by cloud-manage-project).

Run

python3 skills/cloud/network-security/scripts/cloud_network_security.py list-filters

to verify that

EC_API_KEY

is valid before proceeding with any operation.

Operation-level permissions

The following permissions are required for common network security operations in Elastic Cloud Serverless.

Operation	Required permission
List filters / get metadata	Any organization member
Create / update / delete filters	Organization owner ( `organization-admin` )
Associate filters with projects	Organization owner or project Admin

This skill does not perform a separate role pre-check. Attempt the requested operation and let the API enforce authorization. If the API returns an authorization error (for example,

403 Forbidden

), stop and ask the user to verify the provided API key permissions.

Manual setup fallback (when cloud-setup is unavailable)

If this skill is installed standalone and

cloud-setup

is not available, instruct the user to configure Cloud environment variables manually before running commands. Never ask the user to paste API keys in chat.

Variable	Required	Description
`EC_API_KEY`	Yes	Elastic Cloud API key (see permissions table above for required roles by operation).
`EC_BASE_URL`	No	Cloud API base URL (default: `https://api.elastic-cloud.com` ).

Note: If
EC_API_KEY
is missing, or the user does not have a Cloud API key yet, direct the user to generate one at Elastic Cloud API keys, then configure it locally using the steps below.

Preferred method (agent-friendly): create a

.env

file in the project root:

EC_API_KEY=your-api-key
EC_BASE_URL=https://api.elastic-cloud.com

All

cloud/*

scripts auto-load

.env

from the working directory.

Alternative: export directly in the terminal:

export EC_API_KEY="<your-cloud-api-key>"
export EC_BASE_URL="https://api.elastic-cloud.com"

Terminal exports may not be visible to sandboxed agents running in separate shell sessions, so prefer

.env

when using an agent.

Decomposing Network Security Requests

When the user describes a network security need in natural language (for example, "restrict my search project to our office IP"), break the request into discrete tasks before executing.

Step 1 — Identify the components

Component	Question to answer
Filter type	IP filter (public IPs/CIDRs) or VPC filter (AWS PrivateLink endpoint)?
Region	Which AWS region are the target projects in?
Rules	What source IPs, CIDRs, or VPC endpoint IDs should be allowed?
Scope	Apply to all new projects by default, or specific projects only?
Projects	Which existing projects should this filter be associated with?

Step 2 — Check existing state

Before creating a new filter, check what already exists:

python3 skills/cloud/network-security/scripts/cloud_network_security.py list-filters --region us-east-1

Filter hygiene: If an existing filter already covers the same source rules for the same purpose, reuse it instead of creating a duplicate. Filters are region-scoped and can be associated with multiple projects, so a single filter with the right rules serves many projects. Two filters with identical source rules are fine when they serve different purposes (for example, different teams managing their own policies), but creating a second filter for the same purpose is unnecessary.

Step 3 — Create the filter

Run the appropriate command from

skills/cloud/network-security/scripts/cloud_network_security.py

Step 4 — Associate with projects

Filter association is managed using the project PATCH endpoint. Use cloud-manage-project to associate or disassociate filters:

PATCH /api/v1/serverless/projects/{type}/{id}
Body: { "traffic_filters": [{ "id": "filter-id-1" }, { "id": "filter-id-2" }] }

When updating associations, provide the complete list of filter IDs. Any filter not included in the list is disassociated from the project.

Step 5 — Verify

After execution, list filters again or GET the project to confirm the change took effect.

IP Filters versus VPC Filters

Aspect	IP Filter ( `ip` )	VPC Filter ( `vpce` )
Purpose	Allowlist public IP addresses or CIDR blocks	Restrict traffic to specific AWS VPC endpoint IDs
Use case	Office IPs, CI/CD runners, partner access	Private connectivity without public internet exposure
Source format	IP address or CIDR (for example, `203.0.113.0/24` )	AWS VPC endpoint ID (for example, `vpce-0abc123def456` )
Network path	Public internet	AWS PrivateLink (private, never leaves AWS network)
Prerequisite	None	VPC endpoint and DNS record created in AWS console first

Key concept: Private connectivity in AWS is accepted by default in Elastic Cloud. Creating a VPC filter is only needed to restrict traffic to specific VPC endpoint IDs. If you only need private connectivity (without filtering), create the VPC endpoint and DNS record in AWS — no filter is needed on the Elastic Cloud side.

Examples

Allowlist an office IP range

Prompt: "Only allow traffic from our office network 203.0.113.0/24 to projects in us-east-1."

python3 skills/cloud/network-security/scripts/cloud_network_security.py create-filter \
  --name "Office IP allowlist" \
  --type ip \
  --region us-east-1 \
  --rules '[{"source": "203.0.113.0/24", "description": "Office network"}]'

Then associate the filter with specific projects using cloud-manage-project.

Restrict traffic to a VPC endpoint

Prompt: "Lock down my observability project to only accept traffic from our VPC endpoint."

python3 skills/cloud/network-security/scripts/cloud_network_security.py create-filter \
  --name "Production VPC" \
  --type vpce \
  --region us-east-1 \
  --rules '[{"source": "vpce-0abc123def456", "description": "Production VPC endpoint"}]'

List all filters in a region

Prompt: "Show me all network security policies in eu-west-1."

python3 skills/cloud/network-security/scripts/cloud_network_security.py list-filters --region eu-west-1

Update a filter to add a new IP

Prompt: "Add the VPN IP 198.51.100.5 to our existing office filter."

python3 skills/cloud/network-security/scripts/cloud_network_security.py get-filter --filter-id tf-12345
# Review current rules, then update with the complete rule set:
python3 skills/cloud/network-security/scripts/cloud_network_security.py update-filter \
  --filter-id tf-12345 \
  --body '{"rules": [{"source": "203.0.113.0/24", "description": "Office network"}, {"source": "198.51.100.5", "description": "VPN"}]}'

Look up PrivateLink metadata for a region

Prompt: "What PrivateLink service name do I need for us-east-1?"

python3 skills/cloud/network-security/scripts/cloud_network_security.py get-metadata --region us-east-1

Delete an unused filter

Prompt: "Remove the old staging IP filter."

python3 skills/cloud/network-security/scripts/cloud_network_security.py delete-filter --filter-id tf-67890 --dry-run
# Review what would be deleted, then confirm:
python3 skills/cloud/network-security/scripts/cloud_network_security.py delete-filter --filter-id tf-67890

Guidelines

If
```
EC_API_KEY
```
is not set, do not prompt the user — instruct the agent to invoke cloud-setup first.
Always confirm destructive actions (delete filter) with the user before executing.
Filters are region-scoped: a filter created in
```
us-east-1
```
can only be associated with projects in that region.
Filter hygiene — reuse, scope, and clean up:
- Before creating a filter, always run
```
list-filters
```
  and check whether an existing filter for the same purpose already has the required source rules. Filters can be associated with multiple projects, so one filter with the right rules is better than duplicates.
- Duplicate filters means filters for the same purpose with identical source rules — not merely overlapping IPs. Two filters covering different project groups with the same CIDR are legitimate.
- Review unused filters periodically. If a filter is no longer associated with any project, prompt the user to delete it to reduce clutter.
Updating rules replaces the entire rule set. When adding a rule using PATCH, include all existing rules plus the new one. Omitting an existing rule removes it.
Deleting a filter fails if it is still associated with a project. Disassociate first using cloud-manage-project (PATCH the project with the filter removed from the
```
traffic_filters
```
list), then delete.
```
include_by_default
```
automatically associates the filter with all new projects in the region. Use with caution — it affects every future project.
For project association and disassociation, delegate to the cloud-manage-project skill. This skill manages filter definitions only.
For identity and access management (users, roles, API keys), see cloud-access-management.
For Elasticsearch-level security (native users, role mappings, DLS/FLS), see elasticsearch-authz.