Merge branch 'main' into 514-cspm-typo-fix

Author: benironside

deploy-manage/deploy/cloud-on-k8s.md

@@ -80,11 +80,11 @@ Alpha, beta, and stable API versions follow the same [conventions used by Kubern
 
 ECK is compatible with the following Elastic Stack applications:
 
-* Elasticsearch, Kibana, APM Server: 6.8+, 7.1+, 8+
-* Enterprise Search: 7.7+, 8+
-* Beats: 7.0+, 8+
-* Elastic Agent: 7.10+ (standalone), 7.14+ (Fleet), 8+
-* Elastic Maps Server: 7.11+, 8+
+* Elasticsearch, Kibana, APM Server: 7.17+, 8+
+* Enterprise Search: 7.17+, 8+
+* Beats: 7.17+, 8+
+* Elastic Agent: 7.10+ (standalone), 7.17+ (Fleet), 8+
+* Elastic Maps Server: 7.17+, 8+
 * Logstash: 8.7+
 
 Elastic Stack application images for the OpenShift-certified Elasticsearch (ECK) Operator are only available from version 7.10 and later.

deploy-manage/deploy/cloud-on-k8s/configure-eck.md

@@ -12,7 +12,7 @@ mapped_pages:
 This page explains the various methods for configuring and applying ECK settings.
 
 ::::{tip}
-For a detailed list and description of all available settings in ECK, refer to [ECK configuration flags](asciidocalypse://docs/cloud-on-k8s/docs/reference/eck-configuration-flags.md).
+For a detailed list and description of all available settings in ECK, refer to [ECK configuration flags](cloud-on-k8s://reference/eck-configuration-flags.md).
 ::::
 
 By default, the ECK installation includes a [ConfigMap](https://kubernetes.io/docs/concepts/configuration/configmap/) with an `eck.yaml` key where you can add, remove, or update configuration settings. This ConfigMap is mounted into the operator’s container as a file, and provided to the application through the `--config` flag.
@@ -56,7 +56,7 @@ If you installed ECK using the manifests and the commands listed in [Deploy ECK]
 
 You can update the ConfigMap directly using the command `kubectl edit configmap elastic-operator -n elastic-operator` or modify the installation manifests and reapply them with `kubectl apply -f <your-manifest-file.yaml>`.
 
-The following shows the default `elastic-operator` ConfigMap, for reference purposes. Refer to [ECK configuration flags](asciidocalypse://docs/cloud-on-k8s/docs/reference/eck-configuration-flags.md) for a complete list of available settings.
+The following shows the default `elastic-operator` ConfigMap, for reference purposes. Refer to [ECK configuration flags](cloud-on-k8s://reference/eck-configuration-flags.md) for a complete list of available settings.
 
 ```yaml
 apiVersion: v1

deploy-manage/deploy/cloud-on-k8s/elasticsearch-deployment-quickstart.md

@@ -44,7 +44,7 @@ The cluster that you deployed in this quickstart guide only allocates a persiste
 ::::
 
 
-For a full description of each `CustomResourceDefinition` (CRD), refer to the [*API Reference*](asciidocalypse://docs/cloud-on-k8s/docs/reference/k8s-api-reference.md) or view the CRD files in the [project repository](https://github.com/elastic/cloud-on-k8s/tree/2.16/config/crds). You can also retrieve information about a CRD from the cluster. For example, describe the {{es}} CRD specification with [`describe`](https://kubernetes.io/docs/reference/kubectl/generated/kubectl_describe/):
+For a full description of each `CustomResourceDefinition` (CRD), refer to the [*API Reference*](cloud-on-k8s://reference/api-docs.md) or view the CRD files in the [project repository](https://github.com/elastic/cloud-on-k8s/tree/2.16/config/crds). You can also retrieve information about a CRD from the cluster. For example, describe the {{es}} CRD specification with [`describe`](https://kubernetes.io/docs/reference/kubectl/generated/kubectl_describe/):
 
 ```sh
 kubectl describe crd elasticsearch

deploy-manage/deploy/cloud-on-k8s/k8s-service-mesh-linkerd.md

@@ -43,7 +43,7 @@ kubectl annotate namespace elastic-stack linkerd.io/inject=enabled
 
 Any Elasticsearch, Kibana, or APM Server resources deployed to a namespace with the above annotation will automatically join the mesh.
 
-Alternatively, if you only want specific resources to join the mesh, add the `linkerd.io/inject: enabled` annotation to the `podTemplate` (check [API documentation](asciidocalypse://docs/cloud-on-k8s/docs/reference/k8s-api-reference.md)) of the resource as follows:
+Alternatively, if you only want specific resources to join the mesh, add the `linkerd.io/inject: enabled` annotation to the `podTemplate` (check [API documentation](cloud-on-k8s://reference/api-docs.md)) of the resource as follows:
 
 ```yaml
 podTemplate:

deploy-manage/deploy/cloud-on-k8s/kibana-instance-quickstart.md

@@ -66,7 +66,7 @@ To deploy a simple [{{kib}}](/get-started/the-stack.md#stack-components-kibana)
     ```
 
 
-For a full description of each `CustomResourceDefinition` (CRD), refer to the [*API Reference*](asciidocalypse://docs/cloud-on-k8s/docs/reference/k8s-api-reference.md) or view the CRD files in the [project repository](https://github.com/elastic/cloud-on-k8s/tree/2.16/config/crds). You can also retrieve information about a CRD from the instance. For example, describe the {{kib}} CRD specification with [`describe`](https://kubernetes.io/docs/reference/kubectl/generated/kubectl_describe/):
+For a full description of each `CustomResourceDefinition` (CRD), refer to the [*API Reference*](cloud-on-k8s://reference/api-docs.md) or view the CRD files in the [project repository](https://github.com/elastic/cloud-on-k8s/tree/2.16/config/crds). You can also retrieve information about a CRD from the instance. For example, describe the {{kib}} CRD specification with [`describe`](https://kubernetes.io/docs/reference/kubectl/generated/kubectl_describe/):
 
 ```sh
 kubectl describe crd kibana

deploy-manage/deploy/cloud-on-k8s/troubleshooting-beats.md

@@ -25,7 +25,7 @@ When `kubectl` is used to modify a resource, it calculates the diff between the
 
 If you have configured a Beat to run as a `Deployment` and you are using a `hostPath` volume as the Beats data directory, you might encounter an error similar to the following:
 
-```shell script
+```shell
 ERROR   instance/beat.go:958    Exiting: data path already locked by another beat. Please make sure that multiple beats are not sharing the same data path (path.data).
 ```
 

deploy-manage/deploy/elastic-cloud/regions.md

@@ -12,7 +12,7 @@ A region is the geographic area where the data center of the cloud provider that
 Elastic Cloud Serverless handles all hosting details for you. You are unable to change the region after you create a project.
 
 ::::{note} 
-Currently, a limited number of Amazon Web Services (AWS) and Microsoft Azure regions are available. More regions for AWS and Azure, as well as Google Cloud Platform (GCP), will be added in the future.
+Currently, a limited number of Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP) regions are available. More regions for AWS, Azure, and GCP, will be added in the future.
 
 ::::
 
@@ -39,4 +39,16 @@ The following Azure regions are currently available:
 
 | Region | Name |
 | :--- | :--- |
-| eastus | East US |
+| eastus | East US |
+
+## Google Cloud Platform (GCP) regions [regions-gcp-regions]
+
+```yaml {applies_to}
+serverless: preview
+```
+
+The following GCP regions are currently available:
+
+| Region | Name |
+| :--- | :--- |
+| us-central1 | Iowa |

deploy-manage/security.md

@@ -1,4 +1,7 @@
 ---
+applies_to:
+  deployment: all
+  serverless: ga
 mapped_urls:
   - https://www.elastic.co/guide/en/elasticsearch/reference/current/security-files.html
   - https://www.elastic.co/guide/en/elasticsearch/reference/current/secure-cluster.html
@@ -12,8 +15,6 @@ mapped_urls:
   - https://www.elastic.co/guide/en/cloud/current/ec-faq-technical.html
 ---
 
-# Security
-
 % SR: include this info somewhere in this section
 % {{ech}} doesn't support custom SSL certificates, which means that a custom CNAME for an {{ech}} endpoint such as *mycluster.mycompanyname.com* also is not supported.
 %
@@ -22,7 +23,7 @@ mapped_urls:
 % encryption at rest (EAR) is enabled in {{ech}} by default. We support EAR for both the data stored in your clusters and the snapshots we take for backup, on all cloud platforms and across all regions.
 % You can also bring your own key (BYOK) to encrypt your Elastic Cloud deployment data and snapshots. For more information, check [Encrypt your deployment with a customer-managed encryption key](../../../deploy-manage/security/encrypt-deployment-with-customer-managed-encryption-key.md).
 
-Note that the encryption happens at the file system level.
+% Note that the encryption happens at the file system level.
 
 % What needs to be done: Refine
 
@@ -54,15 +55,177 @@ $$$preserving-data-integrity$$$
 
 $$$maintaining-audit-trail$$$
 
-**This page is a work in progress.** The documentation team is working to combine content pulled from the following pages:
-
-* [/raw-migrated-files/elasticsearch/elasticsearch-reference/security-files.md](/raw-migrated-files/elasticsearch/elasticsearch-reference/security-files.md)
-* [/raw-migrated-files/elasticsearch/elasticsearch-reference/secure-cluster.md](/raw-migrated-files/elasticsearch/elasticsearch-reference/secure-cluster.md)
-* [/raw-migrated-files/kibana/kibana/xpack-security.md](/raw-migrated-files/kibana/kibana/xpack-security.md)
-* [/raw-migrated-files/cloud-on-k8s/cloud-on-k8s/k8s-securing-stack.md](/raw-migrated-files/cloud-on-k8s/cloud-on-k8s/k8s-securing-stack.md)
-* [/raw-migrated-files/cloud/cloud-enterprise/ece-securing-ece.md](/raw-migrated-files/cloud/cloud-enterprise/ece-securing-ece.md)
-* [/raw-migrated-files/cloud/cloud-heroku/ech-security.md](/raw-migrated-files/cloud/cloud-heroku/ech-security.md)
-* [/raw-migrated-files/kibana/kibana/using-kibana-with-security.md](/raw-migrated-files/kibana/kibana/using-kibana-with-security.md)
-* [/raw-migrated-files/elasticsearch/elasticsearch-reference/security-limitations.md](/raw-migrated-files/elasticsearch/elasticsearch-reference/security-limitations.md)
-* [/raw-migrated-files/elasticsearch/elasticsearch-reference/es-security-principles.md](/raw-migrated-files/elasticsearch/elasticsearch-reference/es-security-principles.md)
-* [/raw-migrated-files/cloud/cloud/ec-faq-technical.md](/raw-migrated-files/cloud/cloud/ec-faq-technical.md)
+:::{warning}
+**This page is a work in progress.** 
+:::
+
+
+% The documentation team is working to combine content pulled from the following pages:
+
+% * [/raw-migrated-files/elasticsearch/elasticsearch-reference/security-files.md](/raw-migrated-files/elasticsearch/elasticsearch-reference/security-files.md)
+% * [/raw-migrated-files/elasticsearch/elasticsearch-reference/secure-cluster.md](/raw-migrated-files/elasticsearch/elasticsearch-reference/secure-cluster.md)
+% * [/raw-migrated-files/kibana/kibana/xpack-security.md](/raw-migrated-files/kibana/kibana/xpack-security.md)
+% * [/raw-migrated-files/cloud-on-k8s/cloud-on-k8s/k8s-securing-stack.md](/raw-migrated-files/cloud-on-k8s/cloud-on-k8s/k8s-securing-stack.md)
+% * [/raw-migrated-files/cloud/cloud-enterprise/ece-securing-ece.md](/raw-migrated-files/cloud/cloud-enterprise/ece-securing-ece.md)
+% * [/raw-migrated-files/cloud/cloud-heroku/ech-security.md](/raw-migrated-files/cloud/cloud-heroku/ech-security.md)
+% * [/raw-migrated-files/kibana/kibana/using-kibana-with-security.md](/raw-migrated-files/kibana/kibana/using-kibana-with-security.md)
+% * [/raw-migrated-files/elasticsearch/elasticsearch-reference/security-limitations.md](/raw-migrated-files/elasticsearch/elasticsearch-reference/security-limitations.md)
+% * [/raw-migrated-files/elasticsearch/elasticsearch-reference/es-security-principles.md](/raw-migrated-files/elasticsearch/elasticsearch-reference/es-security-principles.md)
+% * [/raw-migrated-files/cloud/cloud/ec-faq-technical.md](/raw-migrated-files/cloud/cloud/ec-faq-technical.md)
+
+# Security
+
+This overview page helps you understand Elastic's security capabilities across different deployment types. You'll find:
+
+- Key security features for protecting your Elastic deployment
+- Security capabilities specific to each deployment type
+- Comparison tables showing feature availability and configurability by deployment type
+- Links to detailed implementation guides
+
+## Security overview
+
+An Elastic implementation comprises many moving parts: {{es}} nodes forming the cluster, {{kib}} instances, additional stack components such as Logstash and Beats, and various clients and integrations communicating with your deployment.
+
+To keep your data secured, Elastic offers comprehensive security features that:
+- Prevent unauthorized access to your deployment
+- Encrypt communications between components
+- Protect data at rest
+- Secure sensitive settings and saved objects
+
+:::{note}
+The availability and configurability of security features vary by deployment type. Refer to [Security by deployment type](#security-features-by-deployment-type) for a comparison table.
+:::
+
+## Security topics
+
+The documentation is organized into three main areas.
+
+On every page, you'll see deployment type indicators that show which content applies to specific deployment types. Focus on sections tagged with your deployment type and look for subsections specifically addressing your deployment model.
+
+### 1. Secure your orchestrator
+
+The [security of your orchestrator](security/secure-hosting-environment.md) forms the foundation of your overall security posture. This section covers environment-specific security controls:
+
+- [**Elastic Cloud Hosted and Serverless**](security/secure-your-elastic-cloud-organization.md)
+- [**Elastic Cloud Enterprise**](security/secure-your-elastic-cloud-enterprise-installation.md)
+- [**Elastic Cloud on Kubernetes**](security/secure-your-eck-installation.md)
+
+:::{note}
+There is no orchestration layer for self-managed deployments because you directly control the host environment. Refer to [](security/manually-configure-security-in-self-managed-cluster.md) to learn more about securing self-managed installations.
+:::
+
+### 2. Secure your deployments and clusters
+
+[Secure your deployments](security/secure-your-cluster-deployment.md) with features available across all deployment types:
+
+- [**Traffic filtering**](security/traffic-filtering.md): IP filtering, private links, and static IPs
+- [**Secure communications**](security/secure-cluster-communications.md): TLS configuration, certificates management
+- [**Data protection**](security/data-security.md): Encryption at rest, secure settings, saved objects
+- [**Session management**](security/kibana-session-management.md): Kibana session controls
+- [**FIPS 140-2 compliance**](security/fips-140-2.md): Federal security standards
+
+### 3. Secure your clients and integrations
+
+[Secure your clients and integrations](security/secure-clients-integrations.md) to ensure secure communication between your applications and Elastic:
+
+- [**Client security**](security/httprest-clients-security.md): Best practices for securely connecting applications to {{es}}
+- **Integration security**: Secure configuration for Beats, Logstash, and other integrations
+
+## Security features by deployment type
+
+Security feature availability varies by deployment type, with each feature having one of the following statuses:
+
+| **Status** | **Description** |
+|--------|-------------|
+| **Managed** | Handled automatically by Elastic with no user configuration needed |
+| **Configurable** | Built-in feature that needs your configuration (like IP filters or passwords) |
+| **Self-managed** | Infrastructure-level security you implement and maintain |
+| **N/A** | Not available for this deployment type |
+
+Select your deployment type below to see what's available and how implementation responsibilities are distributed:
+
+::::{tab-set}
+:group: deployment-type
+
+:::{tab-item} Elastic Cloud Hosted
+:sync: cloud-hosted
+
+| **Security Category** | **Security Feature** | **Status** | **Description** |
+|------------------|------------|--------------|-------------|
+| **Communication** | TLS (HTTP Layer) | Managed | Automatically configured by Elastic |
+| | TLS (Transport Layer) | Managed | Automatically configured by Elastic |
+| **Network** | IP traffic filtering | Configurable | Configure IP-based access restrictions |
+| | Private link | Configurable | Establish secure VPC connection |
+| | Static IPs | Configurable | Enable fixed IP addresses |
+| **Data** | Encryption at rest | Managed | Automatically encrypted by Elastic |
+| | Bring your own encryption key | Configurable | Implement customer-provided keys |
+| | Keystore security | Managed | Automatically protected by Elastic |
+| | Saved object encryption | Managed | Automatically encrypted by Elastic |
+| **User Session** | Kibana Sessions | Configurable | Customize session parameters |
+
+:::
+
+:::{tab-item} Serverless
+:sync: serverless
+
+| **Security Category** | **Security Feature** | **Status** | **Description** |
+|------------------|------------|--------------|-------------|
+| **Communication** | TLS (HTTP Layer) | Managed | Automatically configured by Elastic |
+| | TLS (Transport Layer) | Managed | Automatically configured by Elastic |
+| **Network** | IP traffic filtering | Configurable | Configure IP-based access restrictions |
+| | Private link | N/A | X |
+| | Static IPs | Configurable | Enable fixed IP addresses |
+| **Data** | Encryption at rest | Managed | Automatically encrypted by Elastic |
+| | Bring your own encryption key | N/A | X |
+| | Keystore security | Managed | Automatically protected by Elastic |
+| | Saved object encryption | Managed | Automatically encrypted by Elastic |
+| **User Session** | Kibana Sessions | Managed | Automatically configured by Elastic |
+
+:::
+
+:::{tab-item} ECE/ECK
+:sync: ece-eck
+
+| **Security Category** | **Security Feature** | **Status** | **Description** |
+|------------------|------------|--------------|-------------|
+| **Communication** | TLS (HTTP Layer) | Configurable | Configure custom certificates |
+| | TLS (Transport Layer) | Managed | Automatically configured by Elastic |
+| **Network** | IP traffic filtering | Configurable | Configure IP-based access restrictions |
+| | Private link | N/A | X |
+| | Static IPs | N/A | X |
+| **Data** | Encryption at rest | Self-managed | Implement at infrastructure level |
+| | Bring your own encryption key | N/A | X |
+| | Keystore security | Configurable | Configure secure settings storage |
+| | Saved object encryption | Configurable | Enable encryption for saved objects |
+| **User Session** | Kibana Sessions | Configurable | Customize session parameters |
+
+:::
+
+:::{tab-item} Self-managed
+:sync: self-managed
+
+| **Security Category** | **Security Feature** | **Status** | **Description** |
+|------------------|------------|--------------|-------------|
+| **Communication** | TLS (HTTP Layer) | Self-managed | Implement and maintain certificates |
+| | TLS (Transport Layer) | Self-managed | Implement and maintain certificates |
+| **Network** | IP traffic filtering | Configurable | Configure IP-based access restrictions |
+| | Private link | N/A | X |
+| | Static IPs | N/A | X |
+| **Data** | Encryption at rest | Self-managed | Implement at infrastructure level |
+| | Bring your own encryption key | N/A | X |
+| | Keystore security | Configurable | Configure secure settings storage |
+| | Saved object encryption | Configurable | Enable encryption for saved objects |
+| **User Session** | Kibana Sessions | Configurable | Customize session parameters |
+
+:::
+
+::::
+
+## Next steps
+
+Refer to the following sections for detailed instructions about securing your hosting environment:
+
+* [Elastic Cloud Hosted and Serverless security setup](/deploy-manage/security/secure-your-elastic-cloud-organization.md)
+* [Elastic Cloud Enterprise (ECE) security setup](/deploy-manage/security/secure-your-elastic-cloud-enterprise-installation.md)
+* [Elastic Cloud on Kubernetes (ECK) security setup](/deploy-manage/security/secure-your-eck-installation.md)
+* [Self-managed cluster security setup](/deploy-manage/security/manually-configure-security-in-self-managed-cluster.md)

deploy-manage/security/data-security.md

@@ -0,0 +1,5 @@
+# Secure your data
+
+:::{warning}
+**This page is a work in progress.** 
+:::

deploy-manage/security/fips-140-2.md

@@ -4,7 +4,7 @@ mapped_urls:
   - https://www.elastic.co/guide/en/kibana/current/xpack-security-fips-140-2.html
 ---
 
-# FIPS 140-2
+# FIPS 140-2 compliance
 
 % What needs to be done: Refine