Merge branch 'main' into 586-siem-migration-guide

Author: natasha-moore-elastic

deploy-manage/deploy/cloud-on-k8s/configure-eck.md

@@ -12,7 +12,7 @@ mapped_pages:
 This page explains the various methods for configuring and applying ECK settings.
 
 ::::{tip}
-For a detailed list and description of all available settings in ECK, refer to [ECK configuration flags](asciidocalypse://docs/cloud-on-k8s/docs/reference/eck-configuration-flags.md).
+For a detailed list and description of all available settings in ECK, refer to [ECK configuration flags](cloud-on-k8s://reference/eck-configuration-flags.md).
 ::::
 
 By default, the ECK installation includes a [ConfigMap](https://kubernetes.io/docs/concepts/configuration/configmap/) with an `eck.yaml` key where you can add, remove, or update configuration settings. This ConfigMap is mounted into the operator’s container as a file, and provided to the application through the `--config` flag.
@@ -56,7 +56,7 @@ If you installed ECK using the manifests and the commands listed in [Deploy ECK]
 
 You can update the ConfigMap directly using the command `kubectl edit configmap elastic-operator -n elastic-operator` or modify the installation manifests and reapply them with `kubectl apply -f <your-manifest-file.yaml>`.
 
-The following shows the default `elastic-operator` ConfigMap, for reference purposes. Refer to [ECK configuration flags](asciidocalypse://docs/cloud-on-k8s/docs/reference/eck-configuration-flags.md) for a complete list of available settings.
+The following shows the default `elastic-operator` ConfigMap, for reference purposes. Refer to [ECK configuration flags](cloud-on-k8s://reference/eck-configuration-flags.md) for a complete list of available settings.
 
 ```yaml
 apiVersion: v1

deploy-manage/deploy/cloud-on-k8s/elasticsearch-deployment-quickstart.md

@@ -44,7 +44,7 @@ The cluster that you deployed in this quickstart guide only allocates a persiste
 ::::
 
 
-For a full description of each `CustomResourceDefinition` (CRD), refer to the [*API Reference*](asciidocalypse://docs/cloud-on-k8s/docs/reference/k8s-api-reference.md) or view the CRD files in the [project repository](https://github.com/elastic/cloud-on-k8s/tree/2.16/config/crds). You can also retrieve information about a CRD from the cluster. For example, describe the {{es}} CRD specification with [`describe`](https://kubernetes.io/docs/reference/kubectl/generated/kubectl_describe/):
+For a full description of each `CustomResourceDefinition` (CRD), refer to the [*API Reference*](cloud-on-k8s://reference/api-docs.md) or view the CRD files in the [project repository](https://github.com/elastic/cloud-on-k8s/tree/2.16/config/crds). You can also retrieve information about a CRD from the cluster. For example, describe the {{es}} CRD specification with [`describe`](https://kubernetes.io/docs/reference/kubectl/generated/kubectl_describe/):
 
 ```sh
 kubectl describe crd elasticsearch

deploy-manage/deploy/cloud-on-k8s/k8s-service-mesh-linkerd.md

@@ -43,7 +43,7 @@ kubectl annotate namespace elastic-stack linkerd.io/inject=enabled
 
 Any Elasticsearch, Kibana, or APM Server resources deployed to a namespace with the above annotation will automatically join the mesh.
 
-Alternatively, if you only want specific resources to join the mesh, add the `linkerd.io/inject: enabled` annotation to the `podTemplate` (check [API documentation](asciidocalypse://docs/cloud-on-k8s/docs/reference/k8s-api-reference.md)) of the resource as follows:
+Alternatively, if you only want specific resources to join the mesh, add the `linkerd.io/inject: enabled` annotation to the `podTemplate` (check [API documentation](cloud-on-k8s://reference/api-docs.md)) of the resource as follows:
 
 ```yaml
 podTemplate:

deploy-manage/deploy/cloud-on-k8s/kibana-instance-quickstart.md

@@ -66,7 +66,7 @@ To deploy a simple [{{kib}}](/get-started/the-stack.md#stack-components-kibana)
     ```
 
 
-For a full description of each `CustomResourceDefinition` (CRD), refer to the [*API Reference*](asciidocalypse://docs/cloud-on-k8s/docs/reference/k8s-api-reference.md) or view the CRD files in the [project repository](https://github.com/elastic/cloud-on-k8s/tree/2.16/config/crds). You can also retrieve information about a CRD from the instance. For example, describe the {{kib}} CRD specification with [`describe`](https://kubernetes.io/docs/reference/kubectl/generated/kubectl_describe/):
+For a full description of each `CustomResourceDefinition` (CRD), refer to the [*API Reference*](cloud-on-k8s://reference/api-docs.md) or view the CRD files in the [project repository](https://github.com/elastic/cloud-on-k8s/tree/2.16/config/crds). You can also retrieve information about a CRD from the instance. For example, describe the {{kib}} CRD specification with [`describe`](https://kubernetes.io/docs/reference/kubectl/generated/kubectl_describe/):
 
 ```sh
 kubectl describe crd kibana

deploy-manage/deploy/elastic-cloud/regions.md

@@ -12,7 +12,7 @@ A region is the geographic area where the data center of the cloud provider that
 Elastic Cloud Serverless handles all hosting details for you. You are unable to change the region after you create a project.
 
 ::::{note} 
-Currently, a limited number of Amazon Web Services (AWS) and Microsoft Azure regions are available. More regions for AWS and Azure, as well as Google Cloud Platform (GCP), will be added in the future.
+Currently, a limited number of Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP) regions are available. More regions for AWS, Azure, and GCP, will be added in the future.
 
 ::::
 
@@ -39,4 +39,16 @@ The following Azure regions are currently available:
 
 | Region | Name |
 | :--- | :--- |
-| eastus | East US |
+| eastus | East US |
+
+## Google Cloud Platform (GCP) regions [regions-gcp-regions]
+
+```yaml {applies_to}
+serverless: preview
+```
+
+The following GCP regions are currently available:
+
+| Region | Name |
+| :--- | :--- |
+| us-central1 | Iowa |

deploy-manage/security.md

@@ -1,4 +1,7 @@
 ---
+applies_to:
+  deployment: all
+  serverless: ga
 mapped_urls:
   - https://www.elastic.co/guide/en/elasticsearch/reference/current/security-files.html
   - https://www.elastic.co/guide/en/elasticsearch/reference/current/secure-cluster.html
@@ -12,8 +15,6 @@ mapped_urls:
   - https://www.elastic.co/guide/en/cloud/current/ec-faq-technical.html
 ---
 
-# Security
-
 % SR: include this info somewhere in this section
 % {{ech}} doesn't support custom SSL certificates, which means that a custom CNAME for an {{ech}} endpoint such as *mycluster.mycompanyname.com* also is not supported.
 %
@@ -22,7 +23,7 @@ mapped_urls:
 % encryption at rest (EAR) is enabled in {{ech}} by default. We support EAR for both the data stored in your clusters and the snapshots we take for backup, on all cloud platforms and across all regions.
 % You can also bring your own key (BYOK) to encrypt your Elastic Cloud deployment data and snapshots. For more information, check [Encrypt your deployment with a customer-managed encryption key](../../../deploy-manage/security/encrypt-deployment-with-customer-managed-encryption-key.md).
 
-Note that the encryption happens at the file system level.
+% Note that the encryption happens at the file system level.
 
 % What needs to be done: Refine
 
@@ -54,15 +55,122 @@ $$$preserving-data-integrity$$$
 
 $$$maintaining-audit-trail$$$
 
-**This page is a work in progress.** The documentation team is working to combine content pulled from the following pages:
-
-* [/raw-migrated-files/elasticsearch/elasticsearch-reference/security-files.md](/raw-migrated-files/elasticsearch/elasticsearch-reference/security-files.md)
-* [/raw-migrated-files/elasticsearch/elasticsearch-reference/secure-cluster.md](/raw-migrated-files/elasticsearch/elasticsearch-reference/secure-cluster.md)
-* [/raw-migrated-files/kibana/kibana/xpack-security.md](/raw-migrated-files/kibana/kibana/xpack-security.md)
-* [/raw-migrated-files/cloud-on-k8s/cloud-on-k8s/k8s-securing-stack.md](/raw-migrated-files/cloud-on-k8s/cloud-on-k8s/k8s-securing-stack.md)
-* [/raw-migrated-files/cloud/cloud-enterprise/ece-securing-ece.md](/raw-migrated-files/cloud/cloud-enterprise/ece-securing-ece.md)
-* [/raw-migrated-files/cloud/cloud-heroku/ech-security.md](/raw-migrated-files/cloud/cloud-heroku/ech-security.md)
-* [/raw-migrated-files/kibana/kibana/using-kibana-with-security.md](/raw-migrated-files/kibana/kibana/using-kibana-with-security.md)
-* [/raw-migrated-files/elasticsearch/elasticsearch-reference/security-limitations.md](/raw-migrated-files/elasticsearch/elasticsearch-reference/security-limitations.md)
-* [/raw-migrated-files/elasticsearch/elasticsearch-reference/es-security-principles.md](/raw-migrated-files/elasticsearch/elasticsearch-reference/es-security-principles.md)
-* [/raw-migrated-files/cloud/cloud/ec-faq-technical.md](/raw-migrated-files/cloud/cloud/ec-faq-technical.md)
+:::{warning}
+**This page is a work in progress.** 
+:::
+
+
+% The documentation team is working to combine content pulled from the following pages:
+
+% * [/raw-migrated-files/elasticsearch/elasticsearch-reference/security-files.md](/raw-migrated-files/elasticsearch/elasticsearch-reference/security-files.md)
+% * [/raw-migrated-files/elasticsearch/elasticsearch-reference/secure-cluster.md](/raw-migrated-files/elasticsearch/elasticsearch-reference/secure-cluster.md)
+% * [/raw-migrated-files/kibana/kibana/xpack-security.md](/raw-migrated-files/kibana/kibana/xpack-security.md)
+% * [/raw-migrated-files/cloud-on-k8s/cloud-on-k8s/k8s-securing-stack.md](/raw-migrated-files/cloud-on-k8s/cloud-on-k8s/k8s-securing-stack.md)
+% * [/raw-migrated-files/cloud/cloud-enterprise/ece-securing-ece.md](/raw-migrated-files/cloud/cloud-enterprise/ece-securing-ece.md)
+% * [/raw-migrated-files/cloud/cloud-heroku/ech-security.md](/raw-migrated-files/cloud/cloud-heroku/ech-security.md)
+% * [/raw-migrated-files/kibana/kibana/using-kibana-with-security.md](/raw-migrated-files/kibana/kibana/using-kibana-with-security.md)
+% * [/raw-migrated-files/elasticsearch/elasticsearch-reference/security-limitations.md](/raw-migrated-files/elasticsearch/elasticsearch-reference/security-limitations.md)
+% * [/raw-migrated-files/elasticsearch/elasticsearch-reference/es-security-principles.md](/raw-migrated-files/elasticsearch/elasticsearch-reference/es-security-principles.md)
+% * [/raw-migrated-files/cloud/cloud/ec-faq-technical.md](/raw-migrated-files/cloud/cloud/ec-faq-technical.md)
+
+# Security
+
+This section covers how to secure your Elastic environment. Learn how to implement TLS encryption, network security controls, and data protection measures.
+
+## Security overview
+
+An Elastic implementation comprises many moving parts: {es} nodes forming the cluster, {kib} instances, additional stack components such as Logstash and Beats, and various clients and integrations communicating with your deployment.
+
+To keep your data secured, Elastic offers comprehensive security features that:
+- Prevent unauthorized access to your deployment
+- Encrypt communications between components
+- Protect data at rest
+- Secure sensitive settings and saved objects
+
+Security requirements and capabilities vary by deployment. Features may be managed automatically by Elastic, require configuration, or must be fully self-managed. Refer to [Security by deployment type](#security-by-deployment-type) for details.
+
+::::{tip}
+See the [Deployment overview](/deploy-manage/deploy.md) to understand your options for deploying Elastic.
+::::
+
+### Security by deployment type
+
+Security features have one of these statuses across deployment types:
+
+| Status | Description |
+|--------|-------------|
+| **Managed** | Handled automatically by Elastic with no user configuration needed |
+| **Configurable** | Built-in feature that needs your configuration (like IP filters or passwords) |
+| **Self-managed** | Infrastructure-level security you implement and maintain |
+| **N/A** | Not available for this deployment type |
+
+#### Communication security
+
+| **Security feature** | Serverless | Elastic Cloud Hosted | ECE | ECK | Self-managed |
+|------------------|------------|--------------|-----|-----|--------------|
+| **TLS (HTTP Layer)** | Managed | Managed | Configurable | Configurable | Self-managed |
+| **TLS (Transport Layer)** | Managed | Managed | Managed | Managed | Self-managed |
+
+#### Network security
+
+| **Security feature** | Serverless | Elastic Cloud Hosted | ECE | ECK | Self-managed |
+|------------------|------------|--------------|-----|-----|--------------|
+| **IP traffic filtering** | Configurable | Configurable | Configurable | Configurable | Configurable |
+| **Private link** | N/A | Configurable | N/A | N/A | N/A |
+| **Static IPs** | Configurable | Configurable | N/A | N/A | N/A |
+
+#### Data security
+
+| **Security feature** | Serverless | Elastic Cloud Hosted | ECE | ECK | Self-managed |
+|------------------|------------|--------------|-----|-----|--------------|
+| **Encryption at rest** | Managed | Managed | Self-managed | Self-managed | Self-managed |
+| **Bring your own encryption key** | N/A | Configurable | N/A | N/A | N/A |
+| **Keystore security** | Managed | Managed | Configurable | Configurable | Configurable |
+| **Saved object encryption** | Managed | Managed | Configurable | Configurable | Configurable |
+
+#### User session security
+
+| **Security feature** | Serverless | Elastic Cloud Hosted | ECE | ECK | Self-managed |
+|------------------|------------|--------------|-----|-----|--------------|
+| **Kibana Sessions** | Managed | Configurable | Configurable | Configurable | Configurable |
+
+### Using this documentation
+
+Throughout this security documentation, you'll see deployment type indicators that show which content applies to specific deployment types. Each section clearly identifies which deployment types it applies to, and deployment-specific details are separated within each topic.
+
+To get the most relevant information for your environment, focus on sections tagged with your deployment type and look for subsections specifically addressing your deployment model.
+
+## Security topics
+
+This security documentation is organized into four main areas:
+
+% TODO: Add links to the sections below
+
+### 1. Secure your hosting environment
+
+The security of your hosting environment forms the foundation of your overall security posture. This section covers environment-specific security controls:
+
+- **Elastic Cloud Hosted and Serverless**: Organization-level SSO, role-based access control, and cloud API keys
+- **Elastic Cloud Enterprise**: TLS certificates, role-based access control, and cloud API keys
+- **Self-managed environments**: TLS certificates, HTTPS configuration
+
+### 2. Secure your deployments and clusters
+
+Protect your deployments with features available across all deployment types:
+
+- **Authentication and access controls**: User management, API keys, authentication protocols, and traffic filtering
+- **Data protection**: Encryption, sensitive settings, and document-level security
+- **Monitoring and compliance**: Audit logging and security best practices
+
+### 3. Secure your user accounts
+
+Individual user security helps prevent unauthorized access:
+
+- **Multi-factor authentication**: Add an extra layer of security to your login process
+
+### 4. Secure your clients and integrations
+
+Ensure secure communication between your applications and Elastic:
+
+- **Client security**: Best practices for securely connecting applications to {es}
+- **Integration security**: Secure configuration for Beats, Logstash, and other integrations

deploy-manage/security/data-security.md

@@ -0,0 +1,5 @@
+# Secure your data
+
+:::{warning}
+**This page is a work in progress.** 
+:::

deploy-manage/security/fips-140-2.md

@@ -4,7 +4,7 @@ mapped_urls:
   - https://www.elastic.co/guide/en/kibana/current/xpack-security-fips-140-2.html
 ---
 
-# FIPS 140-2
+# FIPS 140-2 compliance
 
 % What needs to be done: Refine