Merge branch 'main' into ts-obs-applies

Author: natasha-moore-elastic

deploy-manage/deploy/cloud-enterprise/configure.md

@@ -33,7 +33,7 @@ Other sections of the documentation describe important ECE features to consider:
 * [Configure allocator affinity](configure-allocator-affinity.md) - Determine how ECE distributes your Elastic Stack deployments across allocators.
 * [Change allocator disconnect timeout](change-allocator-disconnect-timeout.md) - Configure how long ECE waits before considering allocators to be disconnected.
 * [Migrate ECE to Podman hosts](./migrate-ece-to-podman-hosts.md) - If you are running a Docker based installation and you need to migrate to Podman.
-* [Migrate ECE on Podman hosts to SELinux in enforcing mode](migrate-ece-on-podman-hosts-to-selinux-enforce.md) - Migrate ECE to SELinux in `enforcing` mode using Podman.
+* [Migrate ECE on Podman hosts to SELinux in enforcing mode](../../security/secure-your-elastic-cloud-enterprise-installation/migrate-ece-on-podman-hosts-to-selinux-enforce.md) - Migrate ECE to SELinux in `enforcing` mode using Podman.
 
 ## Maintenance activities
 

deploy-manage/deploy/cloud-enterprise/deploy-an-orchestrator.md

@@ -52,5 +52,5 @@ To start orchestrating your {{es}} clusters, refer to [](./working-with-deployme
 The following tasks are only needed on certain circumstances:
 
 * [Migrate ECE to Podman hosts](./migrate-ece-to-podman-hosts.md)
-* [Migrate ECE on Podman hosts to SELinux enforce](./migrate-ece-on-podman-hosts-to-selinux-enforce.md)
+* [Migrate ECE on Podman hosts to SELinux enforce](./../../security/secure-your-elastic-cloud-enterprise-installation/migrate-ece-on-podman-hosts-to-selinux-enforce.md)
 * [Change allocator disconnect timeout](./change-allocator-disconnect-timeout.md)

deploy-manage/deploy/cloud-enterprise/enable-custom-endpoint-aliases.md

@@ -29,6 +29,7 @@ After installing or upgrading to version 2.10 or later:
     * For Kibana, the certificate needs to allow for ***.kb.<your-domain>**
     * For APM, the certificate needs to allow for ***.apm.<your-domain>**
     * For Fleet, the certificate needs to allow for ***.fleet.<your-domain>**
+    * For Universal Profiling, the certificate needs to allow for ***.profiling.<your-domain>** and ***.symbols.<your-domain>**
 
 3. In the **Platform** menu, select **Settings**.
 4. Under the **Enable custom endpoint alias naming**, toggle the setting to allow platform administrators and deployment managers to choose a simplified, unique URL for the endpoint.

deploy-manage/deploy/cloud-on-k8s.md

@@ -80,11 +80,11 @@ Alpha, beta, and stable API versions follow the same [conventions used by Kubern
 
 ECK is compatible with the following Elastic Stack applications:
 
-* Elasticsearch, Kibana, APM Server: 6.8+, 7.1+, 8+
-* Enterprise Search: 7.7+, 8+
-* Beats: 7.0+, 8+
-* Elastic Agent: 7.10+ (standalone), 7.14+ (Fleet), 8+
-* Elastic Maps Server: 7.11+, 8+
+* Elasticsearch, Kibana, APM Server: 7.17+, 8+
+* Enterprise Search: 7.17+, 8+
+* Beats: 7.17+, 8+
+* Elastic Agent: 7.10+ (standalone), 7.17+ (Fleet), 8+
+* Elastic Maps Server: 7.17+, 8+
 * Logstash: 8.7+
 
 Elastic Stack application images for the OpenShift-certified Elasticsearch (ECK) Operator are only available from version 7.10 and later.

deploy-manage/deploy/deployment-comparison.md

@@ -12,7 +12,7 @@ For more details about feature availability in Serverless, check [](elastic-clou
 | [Security configurations](/deploy-manage/security.md) | Full control | Limited control | Limited control |
 | [Authentication realms](/deploy-manage/users-roles.md) | Available | Available | Available, through Elastic Cloud only |
 | [Custom roles](/deploy-manage/users-roles.md) | Available | Available | Available |
-| [Audit logging](/deploy-manage/monitor/logging-configuration/configuring-audit-logs.md) | Available | Available | No |
+| [Audit logging](/deploy-manage/security/logging-configuration/security-event-audit-logging.md) | Available | Available | No |
 
 ## Infrastructure and cluster management
 

deploy-manage/monitor/stack-monitoring/collecting-log-data-with-filebeat.md

@@ -27,7 +27,7 @@ If you’re using {{agent}}, do not deploy {{filebeat}} for log collection. Inst
 
 2. Identify which logs you want to monitor.
 
-    The {{filebeat}} {{es}} module can handle [audit logs](../logging-configuration/logfile-audit-output.md), [deprecation logs](../logging-configuration/elasticsearch-log4j-configuration-self-managed.md#deprecation-logging), [gc logs](elasticsearch://reference/elasticsearch/jvm-settings.md#gc-logging), [server logs](../logging-configuration/elasticsearch-log4j-configuration-self-managed.md), and [slow logs](elasticsearch://reference/elasticsearch/index-settings/slow-log.md). For more information about the location of your {{es}} logs, see the [path.logs](../../deploy/self-managed/important-settings-configuration.md#path-settings) setting.
+    The {{filebeat}} {{es}} module can handle [audit logs](../../security/logging-configuration/logfile-audit-output.md), [deprecation logs](../logging-configuration/elasticsearch-log4j-configuration-self-managed.md#deprecation-logging), [gc logs](elasticsearch://reference/elasticsearch/jvm-settings.md#gc-logging), [server logs](../logging-configuration/elasticsearch-log4j-configuration-self-managed.md), and [slow logs](elasticsearch://reference/elasticsearch/index-settings/slow-log.md). For more information about the location of your {{es}} logs, see the [path.logs](../../deploy/self-managed/important-settings-configuration.md#path-settings) setting.
 
     ::::{important}
     If there are both structured (`*.json`) and unstructured (plain text) versions of the logs, you must use the structured logs. Otherwise, they might not appear in the appropriate context in {{kib}}.

deploy-manage/monitor/stack-monitoring/ece-stack-monitoring.md

@@ -181,7 +181,7 @@ When shipping logs to a monitoring deployment there are more logging features av
 
 #### For {{es}}: [ece-extra-logging-features-elasticsearch]
 
-* [Audit logging](../logging-configuration/enabling-audit-logs.md) - logs security-related events on your deployment
+* [Audit logging](../../security/logging-configuration/enabling-audit-logs.md) - logs security-related events on your deployment
 * [Slow query and index logging](elasticsearch://reference/elasticsearch/index-settings/slow-log.md) - helps find and debug slow queries and indexing
 * Verbose logging - helps debug stack issues by increasing component logs
 
@@ -190,7 +190,7 @@ After you’ve enabled log delivery on your deployment, you can [add the Elastic
 
 #### For Kibana: [ece-extra-logging-features-kibana]
 
-* [Audit logging](../logging-configuration/enabling-audit-logs.md) - logs security-related events on your deployment
+* [Audit logging](../../security/logging-configuration/enabling-audit-logs.md) - logs security-related events on your deployment
 
 After you’ve enabled log delivery on your deployment, you can [add the Kibana user settings](../../deploy/cloud-enterprise/edit-stack-settings.md) to enable this feature.
 

deploy-manage/security.md

@@ -75,102 +75,158 @@ $$$maintaining-audit-trail$$$
 
 # Security
 
-This section covers how to secure your Elastic environment. Learn how to implement TLS encryption, network security controls, and data protection measures.
+This overview page helps you understand Elastic's security capabilities across different deployment types. You'll find:
+
+- Key security features for protecting your Elastic deployment
+- Security capabilities specific to each deployment type
+- Comparison tables showing feature availability and configurability by deployment type
+- Links to detailed implementation guides
 
 ## Security overview
 
-An Elastic implementation comprises many moving parts: {es} nodes forming the cluster, {kib} instances, additional stack components such as Logstash and Beats, and various clients and integrations communicating with your deployment.
+An Elastic implementation comprises many moving parts: {{es}} nodes forming the cluster, {{kib}} instances, additional stack components such as Logstash and Beats, and various clients and integrations communicating with your deployment.
 
 To keep your data secured, Elastic offers comprehensive security features that:
 - Prevent unauthorized access to your deployment
 - Encrypt communications between components
 - Protect data at rest
 - Secure sensitive settings and saved objects
 
-Security requirements and capabilities vary by deployment. Features may be managed automatically by Elastic, require configuration, or must be fully self-managed. Refer to [Security by deployment type](#security-by-deployment-type) for details.
+:::{note}
+The availability and configurability of security features vary by deployment type. Refer to [Security by deployment type](#security-features-by-deployment-type) for a comparison table.
+:::
 
-::::{tip}
-See the [Deployment overview](/deploy-manage/deploy.md) to understand your options for deploying Elastic.
-::::
+## Security topics
 
-### Security by deployment type
+The documentation is organized into three main areas.
 
-Security features have one of these statuses across deployment types:
+On every page, you'll see deployment type indicators that show which content applies to specific deployment types. Focus on sections tagged with your deployment type and look for subsections specifically addressing your deployment model.
 
-| Status | Description |
-|--------|-------------|
-| **Managed** | Handled automatically by Elastic with no user configuration needed |
-| **Configurable** | Built-in feature that needs your configuration (like IP filters or passwords) |
-| **Self-managed** | Infrastructure-level security you implement and maintain |
-| **N/A** | Not available for this deployment type |
+### 1. Secure your orchestrator
 
-#### Communication security
+The [security of your orchestrator](security/secure-hosting-environment.md) forms the foundation of your overall security posture. This section covers environment-specific security controls:
 
-| **Security feature** | Serverless | Elastic Cloud Hosted | ECE | ECK | Self-managed |
-|------------------|------------|--------------|-----|-----|--------------|
-| **TLS (HTTP Layer)** | Managed | Managed | Configurable | Configurable | Self-managed |
-| **TLS (Transport Layer)** | Managed | Managed | Managed | Managed | Self-managed |
+- [**Elastic Cloud Hosted and Serverless**](security/secure-your-elastic-cloud-organization.md)
+- [**Elastic Cloud Enterprise**](security/secure-your-elastic-cloud-enterprise-installation.md)
+- [**Elastic Cloud on Kubernetes**](security/secure-your-eck-installation.md)
 
-#### Network security
+:::{note}
+There is no orchestration layer for self-managed deployments because you directly control the host environment. Refer to [](security/manually-configure-security-in-self-managed-cluster.md) to learn more about securing self-managed installations.
+:::
 
-| **Security feature** | Serverless | Elastic Cloud Hosted | ECE | ECK | Self-managed |
-|------------------|------------|--------------|-----|-----|--------------|
-| **IP traffic filtering** | Configurable | Configurable | Configurable | Configurable | Configurable |
-| **Private link** | N/A | Configurable | N/A | N/A | N/A |
-| **Static IPs** | Configurable | Configurable | N/A | N/A | N/A |
+### 2. Secure your deployments and clusters
 
-#### Data security
+[Secure your deployments](security/secure-your-cluster-deployment.md) with features available across all deployment types:
 
-| **Security feature** | Serverless | Elastic Cloud Hosted | ECE | ECK | Self-managed |
-|------------------|------------|--------------|-----|-----|--------------|
-| **Encryption at rest** | Managed | Managed | Self-managed | Self-managed | Self-managed |
-| **Bring your own encryption key** | N/A | Configurable | N/A | N/A | N/A |
-| **Keystore security** | Managed | Managed | Configurable | Configurable | Configurable |
-| **Saved object encryption** | Managed | Managed | Configurable | Configurable | Configurable |
+- [**Traffic filtering**](security/traffic-filtering.md): IP filtering, private links, and static IPs
+- [**Secure communications**](security/secure-cluster-communications.md): TLS configuration, certificates management
+- [**Data protection**](security/data-security.md): Encryption at rest, secure settings, saved objects
+- [**Security event audit logging**](security/logging-configuration/security-event-audit-logging.md): {{es}} and {{kib}} audit logs
+- [**Session management**](security/kibana-session-management.md): Kibana session controls
+- [**FIPS 140-2 compliance**](security/fips-140-2.md): Federal security standards
 
-#### User session security
+### 3. Secure your clients and integrations
 
-| **Security feature** | Serverless | Elastic Cloud Hosted | ECE | ECK | Self-managed |
-|------------------|------------|--------------|-----|-----|--------------|
-| **Kibana Sessions** | Managed | Configurable | Configurable | Configurable | Configurable |
+[Secure your clients and integrations](security/secure-clients-integrations.md) to ensure secure communication between your applications and Elastic:
 
-### Using this documentation
+- [**Client security**](security/httprest-clients-security.md): Best practices for securely connecting applications to {{es}}
+- **Integration security**: Secure configuration for Beats, Logstash, and other integrations
 
-Throughout this security documentation, you'll see deployment type indicators that show which content applies to specific deployment types. Each section clearly identifies which deployment types it applies to, and deployment-specific details are separated within each topic.
+## Security features by deployment type
 
-To get the most relevant information for your environment, focus on sections tagged with your deployment type and look for subsections specifically addressing your deployment model.
+Security feature availability varies by deployment type, with each feature having one of the following statuses:
 
-## Security topics
+| **Status** | **Description** |
+|--------|-------------|
+| **Managed** | Handled automatically by Elastic with no user configuration needed |
+| **Configurable** | Built-in feature that needs your configuration (like IP filters or passwords) |
+| **Self-managed** | Infrastructure-level security you implement and maintain |
+| **N/A** | Not available for this deployment type |
 
-This security documentation is organized into four main areas:
+Select your deployment type below to see what's available and how implementation responsibilities are distributed:
 
-% TODO: Add links to the sections below
+::::{tab-set}
+:group: deployment-type
 
-### 1. Secure your hosting environment
+:::{tab-item} Elastic Cloud Hosted
+:sync: cloud-hosted
 
-The security of your hosting environment forms the foundation of your overall security posture. This section covers environment-specific security controls:
+| **Security Category** | **Security Feature** | **Status** | **Description** |
+|------------------|------------|--------------|-------------|
+| **Communication** | TLS (HTTP Layer) | Managed | Automatically configured by Elastic |
+| | TLS (Transport Layer) | Managed | Automatically configured by Elastic |
+| **Network** | IP traffic filtering | Configurable | Configure IP-based access restrictions |
+| | Private link | Configurable | Establish secure VPC connection |
+| | Static IPs | Configurable | Enable fixed IP addresses |
+| **Data** | Encryption at rest | Managed | Automatically encrypted by Elastic |
+| | Bring your own encryption key | Configurable | Implement customer-provided keys |
+| | Keystore security | Managed | Automatically protected by Elastic |
+| | Saved object encryption | Managed | Automatically encrypted by Elastic |
+| **User Session** | Kibana Sessions | Configurable | Customize session parameters |
 
-- **Elastic Cloud Hosted and Serverless**: Organization-level SSO, role-based access control, and cloud API keys
-- **Elastic Cloud Enterprise**: TLS certificates, role-based access control, and cloud API keys
-- **Self-managed environments**: TLS certificates, HTTPS configuration
+:::
 
-### 2. Secure your deployments and clusters
+:::{tab-item} Serverless
+:sync: serverless
+
+| **Security Category** | **Security Feature** | **Status** | **Description** |
+|------------------|------------|--------------|-------------|
+| **Communication** | TLS (HTTP Layer) | Managed | Automatically configured by Elastic |
+| | TLS (Transport Layer) | Managed | Automatically configured by Elastic |
+| **Network** | IP traffic filtering | Configurable | Configure IP-based access restrictions |
+| | Private link | N/A | X |
+| | Static IPs | Configurable | Enable fixed IP addresses |
+| **Data** | Encryption at rest | Managed | Automatically encrypted by Elastic |
+| | Bring your own encryption key | N/A | X |
+| | Keystore security | Managed | Automatically protected by Elastic |
+| | Saved object encryption | Managed | Automatically encrypted by Elastic |
+| **User Session** | Kibana Sessions | Managed | Automatically configured by Elastic |
 
-Protect your deployments with features available across all deployment types:
+:::
+
+:::{tab-item} ECE/ECK
+:sync: ece-eck
+
+| **Security Category** | **Security Feature** | **Status** | **Description** |
+|------------------|------------|--------------|-------------|
+| **Communication** | TLS (HTTP Layer) | Configurable | Configure custom certificates |
+| | TLS (Transport Layer) | Managed | Automatically configured by Elastic |
+| **Network** | IP traffic filtering | Configurable | Configure IP-based access restrictions |
+| | Private link | N/A | X |
+| | Static IPs | N/A | X |
+| **Data** | Encryption at rest | Self-managed | Implement at infrastructure level |
+| | Bring your own encryption key | N/A | X |
+| | Keystore security | Configurable | Configure secure settings storage |
+| | Saved object encryption | Configurable | Enable encryption for saved objects |
+| **User Session** | Kibana Sessions | Configurable | Customize session parameters |
 
-- **Authentication and access controls**: User management, API keys, authentication protocols, and traffic filtering
-- **Data protection**: Encryption, sensitive settings, and document-level security
-- **Monitoring and compliance**: Audit logging and security best practices
+:::
 
-### 3. Secure your user accounts
+:::{tab-item} Self-managed
+:sync: self-managed
+
+| **Security Category** | **Security Feature** | **Status** | **Description** |
+|------------------|------------|--------------|-------------|
+| **Communication** | TLS (HTTP Layer) | Self-managed | Implement and maintain certificates |
+| | TLS (Transport Layer) | Self-managed | Implement and maintain certificates |
+| **Network** | IP traffic filtering | Configurable | Configure IP-based access restrictions |
+| | Private link | N/A | X |
+| | Static IPs | N/A | X |
+| **Data** | Encryption at rest | Self-managed | Implement at infrastructure level |
+| | Bring your own encryption key | N/A | X |
+| | Keystore security | Configurable | Configure secure settings storage |
+| | Saved object encryption | Configurable | Enable encryption for saved objects |
+| **User Session** | Kibana Sessions | Configurable | Customize session parameters |
 
-Individual user security helps prevent unauthorized access:
+:::
 
-- **Multi-factor authentication**: Add an extra layer of security to your login process
+::::
 
-### 4. Secure your clients and integrations
+## Next steps
 
-Ensure secure communication between your applications and Elastic:
+Refer to the following sections for detailed instructions about securing your hosting environment:
 
-- **Client security**: Best practices for securely connecting applications to {es}
-- **Integration security**: Secure configuration for Beats, Logstash, and other integrations
+* [Elastic Cloud Hosted and Serverless security setup](/deploy-manage/security/secure-your-elastic-cloud-organization.md)
+* [Elastic Cloud Enterprise (ECE) security setup](/deploy-manage/security/secure-your-elastic-cloud-enterprise-installation.md)
+* [Elastic Cloud on Kubernetes (ECK) security setup](/deploy-manage/security/secure-your-eck-installation.md)
+* [Self-managed cluster security setup](/deploy-manage/security/manually-configure-security-in-self-managed-cluster.md)