working on reviews

Author: eedugon

deploy-manage/security/_snippets/eck-http.md

@@ -0,0 +1,3 @@
+HTTP TLS is automatically enabled for {{es}} and {{kib}} using self-signed certificates, with [several options available for customization](/deploy-manage/security/k8s-https-settings.md), including custom certificates and domain names.
+
+{{kib}} instances are automatically configured to connect securely to {{es}}, without requiring manual setup.

deploy-manage/security/_snippets/eck-lifecycle.md

@@ -0,0 +1,5 @@
+ECK provides flexible options for managing SSL certificates in your deployments, including automatic certificate generation and rotation, integration with external tools like `cert-manager`, or using your own custom certificates. Custom HTTP certificates require manual management.
+
+ECK automatically rotates any certificates and CAs that were generated by the operator and are under its management.
+
+For certificate management configuration options, refer to [ECK configuration flags](cloud-on-k8s://reference/eck-configuration-flags.md).

deploy-manage/security/_snippets/eck-transport.md

@@ -0,0 +1 @@
+{{es}} transport security and TLS certificates are automatically configured by the operator, but you can still [customize its service and CA certificates](/deploy-manage/security/k8s-transport-settings.md).

deploy-manage/security/eck-tls.md

@@ -15,18 +15,15 @@ Refer to [Communication channels](./secure-cluster-communications.md#communicati
 
 ## {{es}} transport layer configuration
 
-{{es}} transport security and TLS certificates are automatically configured by the operator, but you can still [customize its service and CA certificates](/deploy-manage/security/k8s-transport-settings.md).
+:::{include} ./_snippets/eck-transport.md
+:::
 
 ## {{es}} and {{kib}} HTTP configuration
 
-HTTP TLS is automatically enabled for {{es}} and {{kib}} using self-signed certificates, with [several options available for customization](./k8s-https-settings.md), including custom certificates and domain names.
-
-{{kib}} instances are automatically configured to connect securely to {{es}}, without requiring manual setup.
+:::{include} ./_snippets/eck-http.md
+:::
 
 ## Certificates lifecycle
 
-ECK provides flexible options for managing SSL certificates in your deployments, including automatic certificate generation and rotation, integration with external tools like `cert-manager`, or using your own custom certificates. Custom HTTP certificates require manual management.
-
-ECK automatically rotates any certificates and CAs that were generated by the operator and are under its management.
-
-For certificate management configuration options, refer to [ECK configuration flags](cloud-on-k8s://reference/eck-configuration-flags.md).
+:::{include} ./_snippets/eck-lifecycle.md
+:::

deploy-manage/security/install-stack-demo-secure.md

@@ -8,7 +8,8 @@ mapped_urls:
 
 # Tutorial: Securing a self-managed {{stack}} [install-stack-demo-secure]
 
-TBD: This one feels duplicate (it comes from elastic-stack original book)
+% This doc feels duplicate (it comes from elastic-stack original book), although it includes an end to end guidance and offers different examples for certificates generation
+% we have to decide what to do with this at a later stage
 
 This tutorial is a follow-on to [installing a self-managed {{stack}}](/deploy-manage/deploy/self-managed.md) with a multi-node {{es}} cluster, {{kib}}, {{fleet-server}} and {{agent}}. In a production environment, it’s recommended after completing the {{kib}} setup to proceed directly to this tutorial to configure your SSL certificates. These steps guide you through that process, and then describe how to configure {{fleet-server}} and {{agent}} with the certificates in place.
 

deploy-manage/security/k8s-https-settings.md

@@ -10,13 +10,14 @@ mapped_urls:
 
 # Manage HTTP certificates on ECK
 
-## {{es}} certificates [k8s-tls-certificates]
-
+ECK offers several options for securing the HTTP endpoints of {{es}} and {{kib}}. By default, the operator generates a dedicated CA per deployment, and issues individual certificates for each instance. Alternatively, you can supply your own certificates or integrate with external solutions like `cert-manager`.
 
 :::{note}
-This section only covers TLS certificates for the HTTP layer. TLS certificates for the transport layer that are used for internal communications between Elasticsearch nodes are managed by ECK and cannot be changed. You can however set your own certificate authority for the [transport layer](/deploy-manage/security/k8s-transport-settings.md#k8s-transport-ca).
+This section only covers TLS certificates for the HTTP layer. TLS certificates for the transport layer that are used for internal communications between {{es}} nodes are managed by ECK and cannot be changed. You can however [set your own certificate authority for the transport layer](/deploy-manage/security/k8s-transport-settings.md#k8s-transport-ca).
 :::
 
+## {{es}} certificates [k8s-tls-certificates]
+
 By default, the operator manages a self-signed certificate with a custom CA for each resource. The CA, the certificate and the private key are each stored in a separate `Secret`.
 
 ```sh
@@ -198,9 +199,13 @@ spec:
 
 ## Kibana HTTP configuration in ECK [k8s-kibana-http-configuration]
 
+By default, ECK creates a `ClusterIP` [Service](https://kubernetes.io/docs/concepts/services-networking/service/) and associates it with the {{kib}} deployment.
+
+If you need to expose {{kib}} externally or customize the service settings, ECK provides flexible options, including support for load balancers, custom DNS/IP SANs, and user-provided certificates.
+
 ### Load balancer settings and TLS SANs [k8s-kibana-http-publish]
 
-By default a `ClusterIP` [Service](https://kubernetes.io/docs/concepts/services-networking/service/) is created and associated with the {{kib}} deployment. If you want to expose {{kib}} externally with a [load balancer](https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer), it is recommended to include a custom DNS name or IP in the self-generated certificate.
+If you want to expose {{kib}} externally with a [load balancer](https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer), it is recommended to include a custom DNS name or IP in the self-generated certificate.
 
 ```yaml
 apiVersion: kibana.k8s.elastic.co/v1
@@ -226,7 +231,7 @@ spec:
 
 ### Provide your own certificate [k8s-kibana-http-custom-tls]
 
-If you want to use your own certificate, the required configuration is identical to {{es}}. Refer to [setup your own {{es}} certificate](#k8s-setting-up-your-own-certificate).
+If you want to use your own certificate, the required configuration is identical to {{es}}. Refer to [setup your own {{es}} certificate](#k8s-setting-up-your-own-certificate) for more information.
 
 ## Disable TLS [k8s-disable-tls]
 

deploy-manage/security/secure-cluster-communications.md

@@ -13,15 +13,22 @@ mapped_urls:
 % Scope: landing page for manually handling TLS certificates, and for information about TLS in Elastic Stack in general.
 # TLS encryption for cluster communications
 
-This page explains how to secure communications and set up TLS certificates between components in your {{stack}} deployment.
+This page explains how to secure communications and set up TLS certificates in your {{stack}} deployments.
 
 For {{ech}} deployments and {{serverless-full}} projects, communication security is [fully managed by Elastic](/deploy-manage/security.md#managed-security-in-elastic-cloud) with no configuration required, including TLS certificates.
 
 For ECE, ECK, and self-managed deployments, some of this process can be automated, with opportunities for manual configuration depending on your requirements. This page provides specific configuration guidance to secure the various communication channels between components.
 
-:::{tip}
 For a complete comparison of security feature availability and responsibility by deployment type, refer to [Security features by deployment type](/deploy-manage/security.md#comparison-table).
-:::
+
+::::{admonition} Understanding transport contexts
+The term *transport* can be confusing in {{es}} because it's used in two different contexts:
+- **Transport Layer Security (TLS)** is an industry-standard protocol that secures network communication. It's the modern name for SSL, and the Elastic documentation uses the terms TLS and SSL interchangeably.
+- In {{es}}, the **transport layer** refers to internal node-to-node communication, which occurs over port 9300. This communication uses the [transport interface](elasticsearch://reference/elasticsearch/configuration-reference/networking-settings.md), which implements a binary protocol specific to {{es}}.
+
+Keep this distinction in mind when configuring security settings.
+::::
+
 
 ## Communication channels overview [communication-channels]
 
@@ -37,7 +44,7 @@ To ensure secure operation, it’s important to understand the communication cha
 |-------------|-----------------|--------------------|
 | [{{es}} transport layer](#encrypt-internode-communication) | Communication between {{es}} nodes within a cluster | Mutual TLS/SSL required for multi-node clusters |
 | [{{es}} HTTP layer](#encrypt-http-communication) | Communication between external clients and {{es}} through the REST API | TLS/SSL optional (but recommended) |
-| [{{kib}} HTTP layer](#encrypt-http-communication) | Communication between external browsers and {{kib}} through the REST API | TLS/SSL optional (but recommended) |
+| [{{kib}} HTTP layer](#encrypt-http-communication) | Communication between external browsers or REST clients and {{kib}} | TLS/SSL optional (but recommended) |
 
 ### Transport layer security [encrypt-internode-communication]
 
@@ -62,7 +69,10 @@ The way that transport layer security is managed depends on your deployment type
 
 :::{tab-item} ECK
 :sync: eck
-{{es}} transport security and TLS certificates are automatically configured by the operator, but you can still [customize its service and CA certificates](/deploy-manage/security/k8s-transport-settings.md).
+
+:::{include} ./_snippets/eck-transport.md
+:::
+
 :::
 
 :::{tab-item} Self-managed
@@ -72,16 +82,6 @@ The way that transport layer security is managed depends on your deployment type
 
 ::::
 
-::::{admonition} Understanding transport contexts
-Transport Layer Security (TLS) is the name of an industry standard protocol for applying security controls (such as encryption) to network communications. TLS is the modern name for what used to be called Secure Sockets Layer (SSL). The {{es}} documentation uses the terms TLS and SSL interchangeably.
-
-Transport Protocol is the name of the protocol that {{es}} nodes use to communicate with one another. This name is specific to {{es}} and distinguishes the transport port (default `9300`) from the HTTP port (default `9200`). Nodes communicate with one another using the transport port, and REST clients communicate with {{es}} using the HTTP port.
-
-Although the word *transport* appears in both contexts, they mean different things. It’s possible to apply TLS to both the {{es}} transport port and the HTTP port. We know that these overlapping terms can be confusing, so to clarify, in this scenario we’re applying TLS to the {{es}} transport port.
-::::
-
-
-
 ### HTTP layer security [encrypt-http-communication]
 
 The HTTP layer includes the service endpoints exposed by both {{es}} and {{kib}}, supporting communications such as REST API requests, browser access to {{kib}}, and {{kib}}’s own traffic to {{es}}. Securing these endpoints helps prevent unauthorized access and protects sensitive data in transit.
@@ -116,9 +116,9 @@ HTTP TLS for deployments is managed at the platform proxy level. Refer to these
 ::::{tab-item} ECK
 :sync: eck
 
-HTTP TLS is automatically enabled for {{es}} and {{kib}} using self-signed certificates, with [several options available for customization](./k8s-https-settings.md), including custom certificates and domain names.
+:::{include} ./_snippets/eck-http.md
+:::
 
-{{kib}} instances are automatically configured to connect securely to {{es}}, without requiring manual setup.
 ::::
 
 ::::{tab-item} Self-managed
@@ -159,9 +159,9 @@ In ECE, the platform automatically renews internal certificates. However, you mu
 :::{tab-item} ECK
 :sync: eck
 
-ECK provides flexible options for managing SSL certificates in your deployments, including automatic certificate generation and rotation, integration with external tools like `cert-manager`, or using your own custom certificates. Custom HTTP certificates require manual management.
+:::{include} ./_snippets/eck-lifecycle.md
+:::
 
-TBD, add links to cert validity settings and cert configuration
 :::
 
 :::{tab-item} Self-managed

deploy-manage/security/self-auto-setup.md

@@ -18,6 +18,10 @@ mapped_pages:
 * [Download](https://www.elastic.co/downloads/elasticsearch) and unpack the `elasticsearch` package distribution for your environment.
 * [Download](https://www.elastic.co/downloads/kibana) and unpack the `kibana` package distribution for your environment.
 
+::::{note}
+This guide assumes a `.tar.gz` installation of {{es}} and {{kib}} on Linux.
+For instructions tailored to other installation packages (such as DEB, RPM, Docker, or macOS), refer to the [{{es}}](/deploy-manage/deploy/self-managed/installing-elasticsearch.md#elasticsearch-install-packages) and [{{kib}}](/deploy-manage/deploy/self-managed/install-kibana.md#install) installation guides.
+::::
 
 ## Start {{es}} and enroll {{kib}} with security enabled [stack-start-with-security]
 

deploy-manage/security/self-tls.md

@@ -14,7 +14,7 @@ If you're looking to secure a new or existing cluster by setting up TLS for the
 
 The topics in this section focus on post-setup tasks:
 
-* [](./kibana-es-mutual-tls.md) (**optional**): Strengthen security by requiring {{kib}} to use a client certificate when connecting to {{es}}.
+* [](./kibana-es-mutual-tls.md): Strengthen security by requiring {{kib}} to use a client certificate when connecting to {{es}}.
 * [](./updating-certificates.md): Renew or replace existing TLS certificates before they expire.
 * [](./supported-ssltls-versions-by-jdk-version.md): Customize the list of supported SSL/TLS versions in your cluster.
 * [](./enabling-cipher-suites-for-stronger-encryption.md): Enable additional cipher suites for TLS communications, including those used with authentication providers.

deploy-manage/security/using-kibana-with-security.md

@@ -36,9 +36,9 @@ When {{kib}} traffic is balanced across multiple instances connected to the same
 
 The {{kib}} server can instruct browsers to enable additional security controls using HTTP headers.
 
-1. Enable HTTP Strict-Transport-Security.
+1. Enable `HTTP Strict Transport Security (HSTS)`.
 
-    Use [`strictTransportSecurity`](https://www.elastic.co/guide/en/kibana/current/settings.html#server-securityResponseHeaders-strictTransportSecurity) to ensure that browsers will only attempt to access {{kib}} with SSL/TLS encryption. This is designed to prevent manipulator-in-the-middle attacks. To configure this with a lifetime of one year in your `kibana.yml`:
+    Use [`strictTransportSecurity`](https://www.elastic.co/guide/en/kibana/current/settings.html#server-securityResponseHeaders-strictTransportSecurity) to ensure that browsers will only attempt to access [{{kib}} with SSL/TLS encryption](./set-up-basic-security-plus-https.md#encrypt-kibana-browser). This is designed to prevent manipulator-in-the-middle attacks. To configure this with a lifetime of one year in your `kibana.yml`:
 
     ```js
     server.securityResponseHeaders.strictTransportSecurity: "max-age=31536000"
@@ -76,6 +76,7 @@ The following {{kib}} security features are not covered in this document because
 
 * [Session management](./kibana-session-management.md)
 * [Saved objects encryption](./secure-saved-objects.md)
+* [Secure settings](./secure-settings.md)
 * [Security events audit logging](./logging-configuration/security-event-audit-logging.md)
 
 For more details, refer to [](./secure-your-cluster-deployment.md).