The three API endpoints (/api/status, /api/stats and /api/settings) are called by default by Metricbeat and are not configurable. All three are needed for Kibana Monitoring to function properly.
The documentation for internal monitoring provided at the link below has been deprecated by Elastic.
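The logs are below: the request to /api/status is answered with a 200, while the requests to /api/stats and /api/settings are answered with a 302 and are then followed to /auth/openid/encode. Looking at the data returned by each of the 3 endpoints, there isn’t anything sensitive in /api/stats or /api/settings that is not already available in /api/status.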
Can /api/stats and /api/settings be whitelisted to allow unauthenticated access just like /api/status currently is?
{"type":"response","@timestamp":"2022-01-17T19:54:16-06:00","tags":["api"],"pid":22305,"method":"get","statusCode":200,"req":{"url":"/api/status","method":"get","headers":{"host":"server:5601","user-agent":"Elastic-Metricbeat/7.16.2 (linux; amd64; 3c518f4d17a15dc85bdd68a5a03d5af51d9edd8e; 2021-12-18 21:17:33 +0000 UTC)","accept-encoding":"gzip"},"remoteAddress":"10.1.1.1","userAgent":"Elastic-Metricbeat/7.16.2 (linux; amd64; 3c518f4d17a15dc85bdd68a5a03d5af51d9edd8e; 2021-12-18 21:17:33 +0000 UTC)"},"res":{"statusCode":200,"responseTime":4,"contentLength":24241},"message":"GET /api/status 200 4ms - 23.7KB"}
{"type":"response","@timestamp":"2022-01-17T19:54:16-06:00","tags":["api"],"pid":22305,"method":"get","statusCode":302,"req":{"url":"/api/stats?extended=true&legacy=true&exclude_usage=true","method":"get","headers":{"host":"server:5601","user-agent":"Elastic-Metricbeat/7.16.2 (linux; amd64; 3c518f4d17a15dc85bdd68a5a03d5af51d9edd8e; 2021-12-18 21:17:33 +0000 UTC)","accept-encoding":"gzip"},"remoteAddress":"10.1.1.1","userAgent":"Elastic-Metricbeat/7.16.2 (linux; amd64; 3c518f4d17a15dc85bdd68a5a03d5af51d9edd8e; 2021-12-18 21:17:33 +0000 UTC)"},"res":{"statusCode":302,"responseTime":2},"message":"GET /api/stats?extended=true&legacy=true&exclude_usage=true 302 2ms"}
{"type":"response","@timestamp":"2022-01-17T19:54:16-06:00","tags":[],"pid":22305,"method":"get","statusCode":200,"req":{"url":"/auth/openid/encode?extended=true&legacy=true&exclude_usage=true&nextUrl=%2Fapi%2Fstats%3Fextended%3Dtrue%26legacy%3Dtrue%26exclude_usage%3Dtrue","method":"get","headers":{"host":"server:5601","user-agent":"Elastic-Metricbeat/7.16.2 (linux; amd64; 3c518f4d17a15dc85bdd68a5a03d5af51d9edd8e; 2021-12-18 21:17:33 +0000 UTC)","referer":"https://server:5601/api/stats?extended=true&legacy=true&exclude_usage=true","accept-encoding":"gzip"},"remoteAddress":"10.1.1.1","userAgent":"Elastic-Metricbeat/7.16.2 (linux; amd64; 3c518f4d17a15dc85bdd68a5a03d5af51d9edd8e; 2021-12-18 21:17:33 +0000 UTC)","referer":"https://server:5601/api/stats?extended=true&legacy=true&exclude_usage=true"},"res":{"statusCode":200,"responseTime":2,"contentLength":170},"message":"GET /auth/openid/encode?extended=true&legacy=true&exclude_usage=true&nextUrl=%2Fapi%2Fstats%3Fextended%3Dtrue%26legacy%3Dtrue%26exclude_usage%3Dtrue 200 2ms - 170.0B"}
{"type":"response","@timestamp":"2022-01-17T19:54:16-06:00","tags":[],"pid":22305,"method":"get","statusCode":302,"req":{"url":"/api/settings?extended=true&legacy=true","method":"get","headers":{"host":"server:5601","user-agent":"Elastic-Metricbeat/7.16.2 (linux; amd64; 3c518f4d17a15dc85bdd68a5a03d5af51d9edd8e; 2021-12-18 21:17:33 +0000 UTC)","accept-encoding":"gzip"},"remoteAddress":"10.1.1.1","userAgent":"Elastic-Metricbeat/7.16.2 (linux; amd64; 3c518f4d17a15dc85bdd68a5a03d5af51d9edd8e; 2021-12-18 21:17:33 +0000 UTC)"},"res":{"statusCode":302,"responseTime":1},"message":"GET /api/settings?extended=true&legacy=true 302 1ms"}
{"type":"response","@timestamp":"2022-01-17T19:54:16-06:00","tags":[],"pid":22305,"method":"get","statusCode":200,"req":{"url":"/auth/openid/encode?extended=true&legacy=true&nextUrl=%2Fapi%2Fsettings%3Fextended%3Dtrue%26legacy%3Dtrue","method":"get","headers":{"host":"server:5601","user-agent":"Elastic-Metricbeat/7.16.2 (linux; amd64; 3c518f4d17a15dc85bdd68a5a03d5af51d9edd8e; 2021-12-18 21:17:33 +0000 UTC)","referer":"https://server:5601/api/settings?extended=true&legacy=true","accept-encoding":"gzip"},"remoteAddress":"10.1.1.1","userAgent":"Elastic-Metricbeat/7.16.2 (linux; amd64; 3c518f4d17a15dc85bdd68a5a03d5af51d9edd8e; 2021-12-18 21:17:33 +0000 UTC)","referer":"https://server:5601/api/settings?extended=true&legacy=true"},"res":{"statusCode":200,"responseTime":3,"contentLength":170},"message":"GET /auth/openid/encode?extended=true&legacy=true&nextUrl=%2Fapi%2Fsettings%3Fextended%3Dtrue%26legacy%3Dtrue 200 3ms - 170.0B"}