Apply suggestions from code review

Co-authored-by: shainaraskas <[email protected]>

Author: eedugon

deploy-manage/security/_snippets/cluster-comparison.md

@@ -17,11 +17,11 @@ Select your deployment type below to see what's available and how implementation
 
 | Category | Security feature | Status | Notes |
 |------------------|------------|--------------|-------------|
-| **Communication** | TLS (HTTP Layer) | Fully managed | Automatically configured by Elastic |
-| | TLS (Transport Layer) | Fully managed | Automatically configured by Elastic |
+| **Communication** | TLS (HTTP layer) | Fully managed | Automatically configured by Elastic |
+| | TLS (Transport layer) | Fully managed | Automatically configured by Elastic |
 | **Network** | IP traffic filtering | Configurable | [Configure IP-based access restrictions](/deploy-manage/security/ip-filtering-cloud.md) |
 | | Private link | Configurable | [Establish a secure VPC connection](/deploy-manage/security/private-link-traffic-filters.md) |
-| | Kubernetes Network Policies | N/A |  |
+| | Kubernetes network policies | N/A |  |
 | **Data** | Encryption at rest | Managed | You can [bring your own encryption key](/deploy-manage/security/encrypt-deployment-with-customer-managed-encryption-key.md) |
 | | Secure settings | Configurable | Automatically protected by Elastic |
 | | Saved object encryption | Fully managed | Automatically encrypted by Elastic |
@@ -34,11 +34,11 @@ Select your deployment type below to see what's available and how implementation
 
 | Category| Security feature | Status | Notes |
 |------------------|------------|--------------|-------------|
-| **Communication** | TLS (HTTP Layer) | Fully managed | Automatically configured by Elastic |
-| | TLS (Transport Layer) | Fully managed | Automatically configured by Elastic |
+| **Communication** | TLS (HTTP layer) | Fully managed | Automatically configured by Elastic |
+| | TLS (Transport layer) | Fully managed | Automatically configured by Elastic |
 | **Network** | IP traffic filtering | N/A | |
 | | Private link | N/A |  |
-| | Kubernetes Network Policies | N/A |  |
+| | Kubernetes network policies | N/A |  |
 | **Data** | Encryption at rest | Fully managed | Automatically encrypted by Elastic |
 | | Secure settings | N/A |  |
 | | Saved object encryption | Fully managed | Automatically encrypted by Elastic |
@@ -51,15 +51,15 @@ Select your deployment type below to see what's available and how implementation
 
 | Category| Security feature | Status | Notes |
 |------------------|------------|--------------|-------------|
-| **Communication** | TLS (HTTP Layer) | Managed | You can [configure custom certificates](/deploy-manage/security/secure-your-elastic-cloud-enterprise-installation/manage-security-certificates.md) |
-| | TLS (Transport Layer) | Fully managed | Automatically configured by Elastic |
+| **Communication** | TLS (HTTP layer) | Managed | You can [configure custom certificates](/deploy-manage/security/secure-your-elastic-cloud-enterprise-installation/manage-security-certificates.md) |
+| | TLS (Transport layer) | Fully managed | Automatically configured by Elastic |
 | **Network** | IP traffic filtering | Configurable | [Configure IP-based access restrictions](/deploy-manage/security/ip-filtering-cloud.md) |
 | | Private link | N/A |  |
-| | Kubernetes Network Policies | N/A |  |
+| | Kubernetes network policies | N/A |  |
 | **Data** | Encryption at rest | N/A |  |
 | | Secure settings | Configurable | [Configure secure settings](/deploy-manage/security/secure-settings.md) |
 | | Saved object encryption | Configurable | [Enable encryption for saved objects](/deploy-manage/security/secure-saved-objects.md) |
-| **User Session** | Kibana Sessions | Configurable | [Customize session parameters](/deploy-manage/security/kibana-session-management.md) |
+| **User session** | {{kib}} sessions | Configurable | [Customize session parameters](/deploy-manage/security/kibana-session-management.md) |
 
 :::
 
@@ -68,15 +68,15 @@ Select your deployment type below to see what's available and how implementation
 
 | Category| Security feature | Status | Notes |
 |------------------|------------|--------------|-------------|
-| **Communication** | TLS (HTTP Layer) | Managed | [Multiple options](/deploy-manage/security/k8s-https-settings.md) |
-| | TLS (Transport Layer) | Managed | [Multiple options](/deploy-manage/security/k8s-transport-settings.md) |
+| **Communication** | TLS (HTTP layer) | Managed | [Multiple options](/deploy-manage/security/k8s-https-settings.md) for customization |
+| | TLS (Transport layer) | Managed | [Multiple options](/deploy-manage/security/k8s-transport-settings.md) for customization |
 | **Network** | IP traffic filtering | Configurable | [Configure IP-based access restrictions](/deploy-manage/security/ip-filtering-basic.md) |
 | | Private link | N/A |  |
-| | Kubernetes Network Policies | Configurable | [Apply network policies to your Pods](/deploy-manage/security/k8s-network-policies.md) |
+| | Kubernetes network policies | Configurable | [Apply network policies to your Pods](/deploy-manage/security/k8s-network-policies.md) |
 | **Data** | Encryption at rest | N/A |  |
 | | Secure settings | Configurable | [Configure secure settings](/deploy-manage/security/k8s-secure-settings.md) |
 | | Saved object encryption | Configurable | [Enable encryption for saved objects](/deploy-manage/security/secure-saved-objects.md) |
-| **User Session** | Kibana Sessions | Configurable | [Customize session parameters](/deploy-manage/security/kibana-session-management.md) |
+| **User session** | {{kib}} sessions | Configurable | [Customize session parameters](/deploy-manage/security/kibana-session-management.md) |
 
 :::
 
@@ -90,11 +90,11 @@ Select your deployment type below to see what's available and how implementation
 | | TLS (Transport Layer) | Configurable | [Initial security setup](/deploy-manage/security/self-setup.md) |
 | **Network** | IP traffic filtering | Configurable | [Configure IP-based access restrictions](/deploy-manage/security/ip-filtering-basic.md) |
 | | Private link | N/A |  |
-| | Kubernetes Network Policies | N/A |  |
+| | Kubernetes network policies | N/A |  |
 | **Data** | Encryption at rest | N/A |  |
 | | Keystore security | Configurable | [Configure secure settings](/deploy-manage/security/secure-settings.md) |
 | | Saved object encryption | Configurable | [Enable encryption for saved objects](/deploy-manage/security/secure-saved-objects.md) |
-| **User Session** | Kibana Sessions | Configurable | [Customize session parameters](/deploy-manage/security/kibana-session-management.md) |
+| **User session** | {{kib}} sessions | Configurable | [Customize session parameters](/deploy-manage/security/kibana-session-management.md) |
 
 :::
 ::::

deploy-manage/security/k8s-https-settings.md

@@ -12,10 +12,6 @@ mapped_urls:
 
 ## {{es}} certificates [k8s-tls-certificates]
 
-```{applies_to}
-deployment:
-    eck: all
-```
 
 :::{note}
 This section only covers TLS certificates for the HTTP layer. TLS certificates for the transport layer that are used for internal communications between Elasticsearch nodes are managed by ECK and cannot be changed. You can however set your own certificate authority for the [transport layer](/deploy-manage/security/k8s-transport-settings.md#k8s-transport-ca).

deploy-manage/security/kibana-es-mutual-tls.md

@@ -23,7 +23,7 @@ To [enroll {{kib}} with an {{es}} cluster](/deploy-manage/security/self-auto-set
 Using a PKI realm is a [subscription feature](https://www.elastic.co/subscriptions).
 ::::
 
-#### Configure {{kib}} and {{es}} to use mutual TLS authentication [_configure_kib_and_es_to_use_mutual_tls_authentication]
+## Configure {{kib}} and {{es}} to use mutual TLS authentication [_configure_kib_and_es_to_use_mutual_tls_authentication]
 
 If you haven’t already, start {{kib}} and connect it to {{es}} using the [enrollment token](/deploy-manage/security/self-auto-setup.md#stack-start-with-security).
 

deploy-manage/security/secure-cluster-communications.md

@@ -13,21 +13,21 @@ mapped_urls:
 % Scope: landing page for manually handling TLS certificates, and for information about TLS in Elastic Stack in general.
 # TLS encryption for cluster communications
 
-This page explains how to secure communications and setup TLS certificates between components in your {{stack}} deployment.
+This page explains how to secure communications and set up TLS certificates between components in your {{stack}} deployment.
 
-For {{ech}} and {{serverless-full}} deployments, communication security is fully managed by Elastic with no configuration required, including TLS certificates.
+For {{ech}} deployments and {{serverless-full}} projects, communication security is [fully managed by Elastic](/deploy-manage/security.md#managed-security-in-elastic-cloud) with no configuration required, including TLS certificates.
 
-For ECE, ECK, and self-managed deployments, this page provides specific configuration guidance to secure the various communication channels between components.
+For ECE, ECK, and self-managed deployments, some of this process can be automated, with opportunities for manual configuration depending on your requirements. This page provides specific configuration guidance to secure the various communication channels between components.
 
 :::{tip}
-For a complete comparison of security feature availability and responsibility by deployment type, see [Security features by deployment type](/deploy-manage/security.md#comparison-table).
+For a complete comparison of security feature availability and responsibility by deployment type, refer to [Security features by deployment type](/deploy-manage/security.md#comparison-table).
 :::
 
 ## Communication channels overview [communication-channels]
 
 Both {{es}} and {{kib}}, the core components of the {{stack}}, expose service endpoints that must be secured. {{es}} handles traffic at two levels:
 * The **transport layer** (defaults to port `9300`), used for internal communication between nodes in the cluster.
-* The **HTTP layer** (defaults to port `9200`), used by external clients — including Kibana — to send requests via the REST API.
+* The **HTTP layer** (defaults to port `9200`), used by external clients — including Kibana — to send requests using the REST API.
 
 Additionally, {{kib}} functions as a web server, exposing its own **HTTP endpoint** (defaults to port `5601`) to users, and also acts as a client when sending requests to {{es}}.
 
@@ -77,7 +77,7 @@ Transport Layer Security (TLS) is the name of an industry standard protocol for
 
 Transport Protocol is the name of the protocol that {{es}} nodes use to communicate with one another. This name is specific to {{es}} and distinguishes the transport port (default `9300`) from the HTTP port (default `9200`). Nodes communicate with one another using the transport port, and REST clients communicate with {{es}} using the HTTP port.
 
-Although the word *transport* appears in both contexts, they mean different things. It’s possible to apply TLS to both the {{es}} transport port and the HTTP port. We know that these overlapping terms can be confusing, so to clarify, in this scenario we’re applying TLS to the {{es}} transport port. In [](./set-up-basic-security-plus-https.md), we’ll apply TLS to the {{es}} HTTP port.
+Although the word *transport* appears in both contexts, they mean different things. It’s possible to apply TLS to both the {{es}} transport port and the HTTP port. We know that these overlapping terms can be confusing, so to clarify, in this scenario we’re applying TLS to the {{es}} transport port.
 ::::
 
 

deploy-manage/security/self-tls.md

@@ -10,9 +10,7 @@ applies_to:
 
 This section provides guidance on managing TLS certificates in self-managed deployments after the initial security setup. It covers tasks such as configuring mutual authentication, renewing certificates, and customizing supported TLS versions and cipher suites.
 
-::::{note}
 If you're looking to secure a new or existing cluster by setting up TLS for the first time, refer to [](./self-setup.md), which covers both the [automatic](./self-auto-setup.md) and [manual](./self-setup.md#manual-configuration) configuration procedures.
-::::
 
 The topics in this section focus on post-setup tasks:
 
@@ -21,7 +19,7 @@ The topics in this section focus on post-setup tasks:
 * [](./supported-ssltls-versions-by-jdk-version.md): Customize the list of supported SSL/TLS versions in your cluster.
 * [](./enabling-cipher-suites-for-stronger-encryption.md): Enable additional cipher suites for TLS communications, including those used with authentication providers.
 
-For an overview of the endpoints that need securing in {{es}} and {{kib}}, refer to [Communication channels](./secure-cluster-communications.md#communication-channels).
+For an overview of the endpoints that can be secured in {{es}} and {{kib}}, refer to [Communication channels](./secure-cluster-communications.md#communication-channels).
 
 ## Certificates lifecycle
 

deploy-manage/security/using-kibana-with-security.md

@@ -11,7 +11,7 @@ mapped_urls:
 
 This document describes security settings you may need to configure in self-managed deployments of {{kib}}. These settings help secure access, manage connections, and ensure consistent behavior across multiple instances.
 
-Additional {{kib}} security features that apply to all deployment types — such as session management, saved objects encryption, and audit logging — are covered in a separate section [at the end of this document](#additional-security-topics).
+Additional {{kib}} security features that apply to all deployment types, such as session management, saved objects encryption, and audit logging, are covered in a separate section [at the end of this document](#additional-security-topics).
 
 ## Configure encryption keys [security-configure-settings]