Merge branch 'main' into tbs-config-discard-on-write

Author: florent-leborgne

.github/workflows/doc-preview-comment.yml

@@ -16,4 +16,4 @@ jobs:
       deployments: write
       id-token: write
       contents: read
-      pull-requests: read
+      pull-requests: write

.github/workflows/docs-build.yml

@@ -12,11 +12,17 @@ jobs:
       contents: read
 
     steps:
+        # Adding this step for debug purposes
+        # If this works as expected, we can simplify this workflow
+        # and replace it with the `check-membership` step
+      - name: Check organization membership (test)
+        run: echo "${{ github.event.issue.author_association == 'MEMBER' }}"
       - name: Check organization membership
         id: check-membership
         uses: actions/github-script@v7
         with:
           github-token: ${{ secrets.ORG_MEMBER_READ_TOKEN }}
+          result-encoding: string
           script: |
             const issueAuthor = '${{ github.event.issue.user.login }}';
             const orgName = 'elastic';
@@ -55,4 +61,4 @@ jobs:
               labels: ['community']
             });
             
-            console.log(`Added "community" label to issue by ${issueAuthor}`);
+            console.log(`Added "community" label to issue by ${issueAuthor}`);

.github/workflows/label-community-issues.yml

@@ -106,4 +106,12 @@ The only secure and recommended approach is to use one Elastic account for each
 
 For now, you will need to answer an MFA challenge on every login, but we are working on adding a **Trust this device** option, which will "silence" the MFA challenge for one month per user session.
 
+**Can I use multiple email addresses for MFA?**
+
+No, only one email address can be used for MFA verification. In alignment with security best practices, Elastic Cloud is designed to use only one designated email address for MFA purposes. This email is used to send your one-time verification codes during login. If you need to update your MFA email address, review [Update your email address](update-your-email-address.md) for more information.
+
+
+
+
+
 

cloud-account/multifactor-authentication.md

@@ -15,7 +15,7 @@ Several types of {{es}} API keys exist:
 * **Cross-cluster** API key: allows other clusters to connect to this cluster.
 * **Managed** API key: created and managed by {{kib}} to run background tasks.
 
-To manage API keys in {{kib}}, go to the **API Keys** management page using the navigation menu or the [global search field](../../explore-analyze/find-and-organize/find-apps-and-objects.md).
+To manage API keys in {{kib}}, go to **Management > Stack Management > API Keys** from the navigation menu or use the [global search field](../../explore-analyze/find-and-organize/find-apps-and-objects.md).
 
 ![API Keys UI](/deploy-manage/images/kibana-api-keys.png "")
 
@@ -33,23 +33,41 @@ To manage roles, go to the **Roles** management page using the navigation menu o
 
 ## Create an API key [create-api-key]
 
-To create an API key, go to the **API Keys** management page using the navigation menu or the [global search field](../../explore-analyze/find-and-organize/find-apps-and-objects.md), and select **Create API key**.
+Two methods are available to create an API key:
 
-![Create API Key UI](/deploy-manage/images/kibana-create-ccr-api-key.png "")
+* As a quick option to create a personal API key from anywhere in {{kib}}:
+  1. From the **Help menu** (![help icon](/deploy-manage/images/help-icon.svg)), select **Connection details > API key**.  
+  1. Give the key a name.
+  1. Select **Create API key**.
+  
+  Your personal API key is created with a default expiration of 90 days from the time of creation. You can manage the key from the **API Keys** page.
 
-Refer to the [Create API key](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-security-create-api-key) documentation to learn more about creating user API keys.
+* To create a personal or cross-cluster API key with configurable options, go to **Management > Stack Management > API Keys** from the navigation menu or use the [global search field](../../explore-analyze/find-and-organize/find-apps-and-objects.md), and select **Create API key**.
 
-Refer to the [Create cross-cluster API key](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-security-create-cross-cluster-api-key) documentation to learn more about creating cross-cluster API keys.
+  ![Create API Key UI](/deploy-manage/images/kibana-create-user-api-key.png "")
 
+  1. Choose to create either a user or a cross-cluster API key.
+  2. Optionally, set an expiry date. By default the API key will not expire, but it's a good security practice to give the key a limited lifespan.
+  3. Configure access:
+      * For a user API key, you can opt to configure access to specific {{es}} APIs and resources by assigning the key with predefined roles or custom privileges. Refer to [Defining roles](/deploy-manage/users-roles/cluster-or-deployment-auth/defining-roles.md) and the [Create API key](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-security-create-api-key) API documentation to learn more.
+      * For a cross-cluster API key, you can control the indices that other clusters have access to. Refer to the [Create cross-cluster API key](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-security-create-cross-cluster-api-key) API documentation to learn more.
+  4. Add any additional metadata about the API as one or more key-value pairs. Refer to the [Create API key](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-security-create-api-key) API documentation for examples.
 
 ## Update an API key [update-api-key]
 
-To update an API key, go to the **API Keys** management page using the navigation menu or the [global search field](../../explore-analyze/find-and-organize/find-apps-and-objects.md), and then click on the name of the key. You cannot update the name or the type of API key.
+To update an API key, go to **Management > Stack Management > API Keys** from the navigation menu or use the [global search field](../../explore-analyze/find-and-organize/find-apps-and-objects.md), and then click on the name of the key. You cannot update the name or the type of an API key.
 
-Refer to the [Update API key](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-security-update-api-key) documentation to learn more about updating user API keys.
-
-Refer to the [Update cross-cluster API key](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-security-update-cross-cluster-api-key) documentation to learn more about updating cross-cluster API keys.
+* For a user API key, you can update:
+  * The API key's access to {{es}} APIs and resources.
+  * The metadata associated with the key.
+ 
+  Refer to the [Update API key](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-security-update-api-key) API documentation to learn more.
 
+* For a cross-cluster API key, you can update:
+  * The indices that other clusters have access to.
+  * The metadata associated with the key.
+ 
+  Refer to the [Update cross-cluster API key](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-security-update-cross-cluster-api-key) API documentation to learn more.
 
 ## View and delete API keys [view-api-keys]
 

deploy-manage/api-keys/elasticsearch-api-keys.md

@@ -46,9 +46,9 @@ API keys are intended for programmatic access. Don’t use API keys to authentic
 
 
 
-### Restrict privileges [api-keys-restrict-privileges]
+### Control security privileges [api-keys-restrict-privileges]
 
-When you create or update an API key, use **Restrict privileges** to limit the permissions. Define the permissions using a JSON `role_descriptors` object, where you specify one or more roles and the associated privileges.
+When you create or update an API key, use **Control security privileges** to configure access to specific {{es}} APIs and resources. Define the permissions using a JSON `role_descriptors` object, where you specify one or more roles and the associated privileges.
 
 For example, the following `role_descriptors` object defines a `books-read-only` role that limits the API key to `read` privileges on the `books` index.
 

deploy-manage/api-keys/serverless-project-api-keys.md

@@ -43,7 +43,7 @@ Currently, autoscaling behavior is as follows:
 * **Data tiers**
 
     * Each {{es}} [data tier](../../manage-data/lifecycle/data-tiers.md) scales upward based on the amount of available storage. When we detect more storage is needed, autoscaling will scale up each data tier independently to ensure you can continue and ingest more data to your hot and content tier, or move data to the warm, cold, or frozen data tiers.
-    * In addition to scaling up existing data tiers, a new data tier will be automatically added when necessary, based on your [index lifecycle management policies](https://www.elastic.co/guide/en/cloud-enterprise/current/ece-configure-index-management.html).
+    * In addition to scaling up existing data tiers, a new data tier will be automatically added when necessary, based on your [index lifecycle management policies](/manage-data/lifecycle/index-lifecycle-management.md).
     * To control the maximum size of each data tier and ensure it will not scale above a certain size, you can use the maximum size per zone field.
     * Autoscaling based on memory or CPU, as well as autoscaling downward, is not currently supported. In case you want to adjust the size of your data tier to add more memory or CPU, or in case you deleted data and want to scale it down, you can set the current size per zone of each data tier manually.
 

deploy-manage/autoscaling/autoscaling-in-ece-and-ech.md

@@ -99,7 +99,7 @@ $$$faq-included$$$What is included in my paid {{ech}} deployment?
 
     * Free 1GB RAM {{kib}} instance
     * Free 1GB RAM Machine Learning node
-    * Free 1GB RAM APM server
+    * Free 1GB RAM APM / Integrations Server instance
     * A free allowance for [data transfer and snapshot storage costs](#faq-dts)
 
     Note that if you go above the free tier of Kibana/ML/APM (for example, a 2GB {{kib}} instance), you will be charged in full for the size of that instance.

deploy-manage/cloud-organization/billing/billing-faq.md

@@ -70,8 +70,7 @@ Logs, events, alerts, and configuration data ingested into your security project
 
 For more details about {{elastic-sec}} serverless project rates and billable assets, refer to Cloud Protection in the [{{ecloud}} pricing table](https://cloud.elastic.co/cloud-pricing-table?productType=serverless&project=security).
 
-% Note: Commenting out this section until this is ready to be published. 
 
-% ## Elastic-managed LLM
+## Elastic Managed LLM
 
-% The default LLM enables you to leverage AI-powered search as a service without deploying a model in your serverless project. It's configured by default to use with the Security AI Assistant, Attack Discovery, and other applicable AI features as a part of your "Complete" tier subscription. Using the default LLM will use tokens and incur related token-based add-on billing for your serverless project.
+The default [Elastic Managed LLM](kibana://reference/connectors-kibana/elastic-managed-llm.md) enables you to leverage AI-powered search as a service without deploying a model in your serverless project. It's configured by default to use with the Security AI Assistant, Attack Discovery, and other applicable AI features as a part of your "Complete" tier subscription. Using the default LLM will use tokens and incur related token-based add-on billing for your serverless project.

deploy-manage/cloud-organization/billing/security-billing-dimensions.md

@@ -184,7 +184,7 @@ In this example, we assume the Identity Provider does not publish its SAML metad
 
 ## Example: Custom JVM trust store bundle [ece-add-custom-bundle-example-cacerts]
 
-If you are using SSL certificates signed by non-public certificate authorities, {{es}} is not able to communicate with the services using those certificates unless you import a custom JVM trust store containing the certificates of your signing authority into your {{ece}} installation. You’ll need the trust store to access snapshot repositories like Minio, for your {{ece}} proxy, or to reindex from remote.
+If you are using SSL certificates signed by non-public certificate authorities, {{es}} is not able to communicate with the services using those certificates unless you import a custom JVM trust store containing the certificates of your signing authority into your {{ece}} installation. You’ll need the trust store to access snapshot repositories like MinIO, for your {{ece}} proxy, or to reindex from remote.
 
 To import a JVM trust store: