Secure your cluster or deployment

ECE ECK Elastic Cloud Hosted Self Managed

It's important to protect your Elasticsearch cluster and the data it contains. Implementing an in-depth defense strategy provides multiple layers of security to help safeguard your system.

You can configure the following aspects of your Elastic cluster or deployment to maintain and enhance security:

Elasticsearch security features unlock key capabilities such as authentication and authorization, TLS encryption, and other security-related functionality described in this section. The first step in securing your deployment is to ensure that the Elasticsearch security features are enabled and properly configured.

For self-managed deployments, security features are automatically configured when possible. To learn about the automatic configuration process, the cases where automatic configuration might be skipped, and how to manually configure security, refer to Set up security in self-managed deployments.

Deployments managed by Elastic Cloud on Kubernetes, Elastic Cloud Enterprise, Elastic Cloud Hosted, as well as Elastic Cloud Serverless projects, automatically configure security by default. This includes setting the elastic user password, generating TLS certificates, and configuring Kibana to connect to Elasticsearch securely. Disabling security is not supported in these deployment types.

• Manage TLS certificates: TLS certificates apply security controls to network communications. Elastic uses TLS certificates to secure communications in two places:
  • The HTTP layer: Used for communication between your cluster or deployment and the internet.
  • The transport layer: Used mainly for inter-node communications, and in certain cases for cluster to cluster communication.
  • In self-managed Elasticsearch clusters, you can also Configure Kibana and Elasticsearch to use mutual TLS.
• Enable cipher suites for stronger encryption: The TLS and SSL protocols use a cipher suite that determines the strength of encryption used to protect the data. You may want to enable the use of additional cipher suites, so you can use different cipher suites for your TLS communications or communications with authentication providers.
• Restrict connections using traffic filtering: Traffic filtering allows you to limit how your deployments can be accessed. Add another layer of security to your installation and deployments by restricting inbound traffic to only the sources that you trust. Restrict access based on IP addresses or CIDR ranges, or, in Elastic Cloud Hosted deployments, secure connectivity through AWS PrivateLink, Azure Private Link, or GCP Private Service Connect.
• Allow or deny Elastic Cloud Hosted IP ranges: Elastic Cloud publishes a list of IP addresses used by its Elastic Cloud Hosted services for both incoming and outgoing traffic. Users can use these lists to configure their network firewalls as needed to allow or restrict traffic related to Elastic Cloud Hosted services.

• Secure your settings: Some of the settings that you configure in Elastic are sensitive, such as passwords, and relying on file system permissions to protect these settings is insufficient. Learn how to configure secure settings in the Elasticsearch keystore or Kibana keystore.

• Secure saved objects: Kibana stores entities such as dashboards, visualizations, alerts, actions, and advanced settings as saved objects, which are kept in a dedicated, internal Elasticsearch index. If such an object includes sensitive information, for example a PagerDuty integration key or email server credentials used by the alert action, Kibana encrypts it and makes sure it cannot be accidentally leaked or tampered with. You can configure and rotate the saved object encryption key for additional security.

• Encrypt data at rest: By default, Elastic Cloud already encrypts your Elastic Cloud Hosted deployment data, Serverless project data, and snapshots at rest. If you’re using ECH, then you can reinforce this mechanism by providing your own encryption key, also known as Bring Your Own Key (BYOK).

  Note

  Other deployment types don’t implement encryption at rest out of the box. For self-managed clusters, to implement encryption at rest, the hosts running the cluster must be configured with disk-level encryption, such as dm-crypt. In addition, snapshot targets must ensure that data is encrypted at rest as well.

  Configuring dm-crypt or similar technologies is outside the scope of this documentation, and issues related to disk encryption are outside the scope of support.

Manage Kibana sessions to control the timeout and lifespan of logged-in sessions to Kibana, as well as the number of concurrent sessions each user can have.

Audit logging is a powerful feature that helps you monitor and track security-related events within the Elastic Stack. By enabling audit logs, you can gain visibility into authentication attempts, authorization decisions, and other system activity.

Audit logging also provides forensic evidence in the event of an attack, and can be enabled independently for Elasticsearch and Kibana.

Learn how to enable audit logging.

ECK Self Managed

The Federal Information Processing Standard (FIPS) Publication 140-2, (FIPS PUB 140-2), titled "Security Requirements for Cryptographic Modules" is a U.S. government computer security standard used to approve cryptographic modules. You can run a self-managed cluster or Elastic Cloud on Kubernetes cluster in FIPS-compliant mode:

• Self-managed
• ECK

Security feature availability varies by deployment type, with each feature having one of the following statuses:

Select your deployment type below to see what's available and how implementation responsibilities are distributed: