elastic
diff --git a/‎deploy-manage/deploy/elastic-cloud/restrictions-known-problems.md‎
Lines changed: 1 addition & 1 deletion b/‎deploy-manage/deploy/elastic-cloud/restrictions-known-problems.md‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎deploy-manage/security.md‎
Lines changed: 48 additions & 242 deletions b/‎deploy-manage/security.md‎
Lines changed: 48 additions & 242 deletions
diff --git a/‎deploy-manage/security/_snippets/audit-logging.md‎
Lines changed: 5 additions & 0 deletions b/‎deploy-manage/security/_snippets/audit-logging.md‎
Lines changed: 5 additions & 0 deletions
diff --git a/‎deploy-manage/security/_snippets/cluster-communication-network.md‎
Lines changed: 7 additions & 0 deletions b/‎deploy-manage/security/_snippets/cluster-communication-network.md‎
Lines changed: 7 additions & 0 deletions
diff --git a/‎deploy-manage/security/_snippets/cluster-comparison.md‎
Lines changed: 86 additions & 0 deletions b/‎deploy-manage/security/_snippets/cluster-comparison.md‎
Lines changed: 86 additions & 0 deletions
diff --git a/‎deploy-manage/security/_snippets/cluster-data.md‎
Lines changed: 9 additions & 0 deletions b/‎deploy-manage/security/_snippets/cluster-data.md‎
Lines changed: 9 additions & 0 deletions
diff --git a/‎deploy-manage/security/_snippets/cluster-user-session.md‎
Lines changed: 1 addition & 0 deletions b/‎deploy-manage/security/_snippets/cluster-user-session.md‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎deploy-manage/security/_snippets/complete-security.md‎
Lines changed: 8 additions & 0 deletions b/‎deploy-manage/security/_snippets/complete-security.md‎
Lines changed: 8 additions & 0 deletions
diff --git a/‎deploy-manage/security/data-security.md‎
Lines changed: 9 additions & 19 deletions b/‎deploy-manage/security/data-security.md‎
Lines changed: 9 additions & 19 deletions
diff --git a/‎deploy-manage/security/elastic-cloud-static-ips.md‎
Lines changed: 5 additions & 3 deletions b/‎deploy-manage/security/elastic-cloud-static-ips.md‎
Lines changed: 5 additions & 3 deletions
@@ -119,7 +119,7 @@ Currently you can’t use SSO to login directly from {{ecloud}} into Kibana endp
 
 Kibana does not currently support restoring a snapshot of their indices across Elastic Cloud deployments.
 
-* [Kibana uses encryption keys](/deploy-manage/security/secure-your-cluster-deployment.md#security-configure-settings) in various places, ranging from encrypting data in some areas of reporting, alerts, actions, connector tokens, ingest outputs used in Fleet and Synthetics monitoring to user sessions.
+* [Kibana uses encryption keys](/deploy-manage/security/secure-your-cluster-deployment.md) in various places, ranging from encrypting data in some areas of reporting, alerts, actions, connector tokens, ingest outputs used in Fleet and Synthetics monitoring to user sessions.
 * Currently, there is not a way to retrieve the values of Kibana encryption keys, or set them in the target deployment before restoring a snapshot. As a result, once a snapshot is restored, Kibana will not be able to decrypt the data required for some features to function properly in the target deployment.
 * If you have already restored a snapshot across deployments and now have broken Kibana saved objects in the target deployment, you will have to recreate all broken configurations and objects, or create a new setup in the target deployment instead of using snapshot restore.
 
 
@@ -0,0 +1,5 @@
+Audit logging is a powerful feature that helps you monitor and track security-related events within the {{stack}}. By enabling audit logs, you can gain visibility into authentication attempts, authorization decisions, and other system activity.
+
+Audit logging also provides forensic evidence in the event of an attack, and can be enabled independently for {{es}} and {{kib}}.
+
+[Learn how to enable audit logging](/deploy-manage/security/logging-configuration/security-event-audit-logging.md).
@@ -0,0 +1,7 @@
+* [Manage TLS certificates](/deploy-manage/security/secure-cluster-communications.md): TLS certificates apply security controls to network communications. Elastic uses TLS certificates to secure communications in two places:
+  * **The HTTP layer**: Used for communication between your cluster or deployment and the internet.
+  * **The transport layer**: Used mainly for inter-node communications, and in certain cases for cluster to cluster communication.
+  * In self-managed {{es}} clusters, you can also [Configure Kibana and Elasticsearch to use mutual TLS](/deploy-manage/security/secure-http-communications.md#elasticsearch-mutual-tls).
+* [Enable cipher suites for stronger encryption](/deploy-manage/security/enabling-cipher-suites-for-stronger-encryption.md): The TLS and SSL protocols use a cipher suite that determines the strength of encryption used to protect the data. You may want to enable the use of additional cipher suites, so you can use different cipher suites for your TLS communications or communications with authentication providers.
+* [Restrict connections using traffic filtering](/deploy-manage/security/traffic-filtering.md): Traffic filtering allows you to limit how your deployments can be accessed. Add another layer of security to your installation and deployments by restricting inbound traffic to only the sources that you trust. Restrict access based on IP addresses or CIDR ranges, or secure connectivity through AWS PrivateLink, Azure Private Link, or GCP Private Service Connect.
+* [Allow or deny {{ech}} IP ranges](/deploy-manage/security/elastic-cloud-static-ips.md): {{ecloud}} publishes a list of IP addresses used by its {{ech}} services for both incoming and outgoing traffic. Users can use these lists to configure their network firewalls as needed to allow or restrict traffic related to {{ech}} services.
@@ -0,0 +1,86 @@
+Security feature availability varies by deployment type, with each feature having one of the following statuses:
+
+| Status | Description |
+|--------|-------------|
+| **Managed** | Handled automatically by Elastic with no user configuration needed |
+| **Configurable** | Built-in feature that needs your configuration (like IP filters or passwords) |
+| **Self-managed** | Infrastructure-level security you implement and maintain |
+| **N/A** | Not available for this deployment type |
+
+Select your deployment type below to see what's available and how implementation responsibilities are distributed:
+
+::::{tab-set}
+:group: deployment-type
+
+:::{tab-item} {{ech}}
+:sync: cloud-hosted
+
+| Category | Security feature | Status | Description |
+|------------------|------------|--------------|-------------|
+| **Communication** | TLS (HTTP Layer) | Managed | Automatically configured by Elastic |
+| | TLS (Transport Layer) | Managed | Automatically configured by Elastic |
+| **Network** | IP traffic filtering | Configurable | Configure IP-based access restrictions |
+| | Private link | Configurable | Establish secure VPC connection |
+| | Static IPs | Configurable | Enable fixed IP addresses |
+| **Data** | Encryption at rest | Managed | Automatically encrypted by Elastic |
+| | Bring your own encryption key | Configurable | Implement customer-provided keys |
+| | Keystore security | Managed | Automatically protected by Elastic |
+| | Saved object encryption | Managed | Automatically encrypted by Elastic |
+| **User Session** | Kibana Sessions | Configurable | Customize session parameters |
+
+:::
+
+:::{tab-item} {{serverless-full}}
+:sync: serverless
+
+| Category| Security feature | Status | Description |
+|------------------|------------|--------------|-------------|
+| **Communication** | TLS (HTTP Layer) | Managed | Automatically configured by Elastic |
+| | TLS (Transport Layer) | Managed | Automatically configured by Elastic |
+| **Network** | IP traffic filtering | Configurable | Configure IP-based access restrictions |
+| | Private link | N/A | X |
+| | Static IPs | Configurable | Enable fixed IP addresses |
+| **Data** | Encryption at rest | Managed | Automatically encrypted by Elastic |
+| | Bring your own encryption key | N/A | X |
+| | Keystore security | Managed | Automatically protected by Elastic |
+| | Saved object encryption | Managed | Automatically encrypted by Elastic |
+| **User Session** | Kibana Sessions | Managed | Automatically configured by Elastic |
+
+:::
+
+:::{tab-item} ECE/ECK
+:sync: ece-eck
+
+| Category| Security feature | Status | Description |
+|------------------|------------|--------------|-------------|
+| **Communication** | TLS (HTTP Layer) | Configurable | Configure custom certificates |
+| | TLS (Transport Layer) | Managed | Automatically configured by Elastic |
+| **Network** | IP traffic filtering | Configurable | Configure IP-based access restrictions |
+| | Private link | N/A | X |
+| | Static IPs | N/A | X |
+| **Data** | Encryption at rest | Self-managed | Implement at infrastructure level |
+| | Bring your own encryption key | N/A | X |
+| | Keystore security | Configurable | Configure secure settings storage |
+| | Saved object encryption | Configurable | Enable encryption for saved objects |
+| **User Session** | Kibana Sessions | Configurable | Customize session parameters |
+
+:::
+
+:::{tab-item} Self-managed
+:sync: self-managed
+
+| Category| Security feature | Status | Description |
+|------------------|------------|--------------|-------------|
+| **Communication** | TLS (HTTP Layer) | Self-managed | Implement and maintain certificates |
+| | TLS (Transport Layer) | Self-managed | Implement and maintain certificates |
+| **Network** | IP traffic filtering | Configurable | Configure IP-based access restrictions |
+| | Private link | N/A | X |
+| | Static IPs | N/A | X |
+| **Data** | Encryption at rest | Self-managed | Implement at infrastructure level |
+| | Bring your own encryption key | N/A | X |
+| | Keystore security | Configurable | Configure secure settings storage |
+| | Saved object encryption | Configurable | Enable encryption for saved objects |
+| **User Session** | Kibana Sessions | Configurable | Customize session parameters |
+
+:::
+::::
@@ -0,0 +1,9 @@
+* [Secure your settings](/deploy-manage/security/secure-settings.md): Some of the settings that you configure in Elastic are sensitive, such as passwords, and relying on file system permissions to protect these settings is insufficient. Learn how to configure secure settings in the {{es}} keystore or {{kib}} keystore.
+* [Secure saved objects](/deploy-manage/security/secure-saved-objects.md): {{kib}} stores entities such as dashboards, visualizations, alerts, actions, and advanced settings as saved objects, which are kept in a dedicated, internal {{es}} index. If such an object includes sensitive information, for example a PagerDuty integration key or email server credentials used by the alert action, {{kib}} encrypts it and makes sure it cannot be accidentally leaked or tampered with. You can configure and rotate the saved object encryption key for additional security.
+* [Encrypt data at rest](/deploy-manage/security/data-security.md): By default, {{ecloud}} already encrypts your {{ech}} deployment data, Serverless project data, and snapshots at rest. If you’re using ECH, then you can reinforce this mechanism by providing your own encryption key, also known as [Bring Your Own Key (BYOK)](/deploy-manage/security/encrypt-deployment-with-customer-managed-encryption-key.md). 
+    
+    ::::{note}
+    Other deployment types don’t implement encryption at rest out of the box. For self-managed clusters, to implement encryption at rest, the hosts running the cluster must be configured with disk-level encryption, such as `dm-crypt`. In addition, snapshot targets must ensure that data is encrypted at rest as well.
+
+    Configuring `dm-crypt` or similar technologies is outside the scope of this documentation, and issues related to disk encryption are outside the scope of support.
+    ::::
@@ -0,0 +1 @@
+[Manage {{kib}} sessions](/deploy-manage/security/kibana-session-management.md) to control the timeout and lifespan of logged-in sessions to {{kib}}, as well as the number of concurrent sessions each user can have.
@@ -0,0 +1,8 @@
+::::{note}
+As part of your overall security strategy, you can also do the following:
+
+* Prevent unauthorized access with [password protection and role-based access control](/deploy-manage/users-roles.md).
+* Control access to dashboards and other saved objects in your UI using [Spaces](/deploy-manage/manage-spaces.md).
+* Connect a local cluster to a [remote cluster](/deploy-manage/remote-clusters.md) to enable [cross-cluster replication](/deploy-manage/tools/cross-cluster-replication.md) and [cross-cluster search](/solutions/search/cross-cluster-search.md).
+* Manage [API keys](/deploy-manage/api-keys.md) used for programmatic access to Elastic.
+::::
@@ -2,38 +2,28 @@
 applies_to:
   deployment:
     ess: ga
-    ece: ga
-    eck: ga
-    self: ga
   serverless: ga
 ---
 
 # Encrypt your deployment data
 
-(orphan now, we should put this content somewhere)
+{{ech}} deployments and {{serverless-full}} projects are already encrypted at rest by default. This includes their data, objects, and settings. 
 
-Add another layer of security by defining custom encryption rules for your cluster's data, {{kib}} saved objects, and settings.
+For {{serverless-full}} projects, security is fully-managed by Elastic. 
 
-**In {{ecloud}}**:
+For {{ech}} deployments, instead of the default, Elastic-managed encryption, you can choose to use a [customer-managed encryption key](encrypt-deployment-with-customer-managed-encryption-key.md) to encrypt your {{ech}} deployments.
 
-{{ech}} deployments and serverless projects are already encrypted at rest by default. This includes their data, objects, and settings. For serverless projects, security is fully-managed by Elastic. For {{ech}} deployments, some settings are available for you to customize the default security measures in place:
-
-- Instead of the default, Elastic-managed encryption, you can choose to use a [customer-managed encryption key](encrypt-deployment-with-customer-managed-encryption-key.md) from one of our supported providers' KMS to encrypt your {{ech}} deployments.
-- Store sensitive settings using the [{{es}} keystore](secure-settings.md).
-
-**In {{ece}}, {{eck}} and self-managed installations**:
-
-There is no encryption at rest out of the box for deployments orchestrated using [{{ece}}](secure-your-elastic-cloud-enterprise-installation.md) and [{{eck}}](secure-your-eck-installation.md), and for [self-managed clusters](manually-configure-security-in-self-managed-cluster.md). You must instead configure disk-level encryption on your hosts. 
 
 :::{note}
+There is no encryption at rest out of the box for deployments orchestrated using [{{ece}}](secure-your-elastic-cloud-enterprise-installation.md) and [{{eck}}](secure-your-eck-installation.md), or for [self-managed clusters](manually-configure-security-in-self-managed-cluster.md). You must instead configure disk-level encryption on your hosts. 
+
 Configuring dm-crypt or similar technologies is outside the scope of the Elastic documentation, and issues related to disk encryption are outside the scope of support.
 :::
 
-However, some native features are available for you to protect sensitive data and objects:
+
+:::{tip}
+As an alternative to or in addition to encryption at rest, you can also use the following features to encrypt sensitive data and objects: 
 
 - Store sensitive settings using the [{{es}} or {{kib}} keystores](secure-settings.md).
 - Enable [encryption for {{kib}} saved objects](secure-saved-objects.md).
-- Customize [{{kib}} session parameters](kibana-session-management.md).
-
-
-
+:::
@@ -8,10 +8,12 @@ mapped_pages:
 
 # {{ecloud}} Static IPs [ec-static-ips]
 
-{{ecloud}} provides a range of static IP addresses that enable you to allow or deny IP ranges. There are two types of static IP addresses, [ingress](#ec-ingress) and [egress](#ec-egress), and they each have their own set of use cases. In general, static IPs can be used to introduce network controls (for example, firewall rules) for traffic that goes to and from {{ecloud}} deployments over the Internet. Use of static IPs is not applicable to private cloud service provider connections (for example, AWS/Azure PrivateLink, GCP Private Service Connect). It is important to note that static IP addresses are [subject to change](#ec-warning), and not all [cloud provider regions](#ec-regions) are currently fully supported for ingress and egress static IPs.
+{{ecloud}} provides a range of static IP addresses that enable you to allow or deny IP ranges. There are two types of static IP addresses, [ingress](#ec-ingress) and [egress](#ec-egress), and they each have their own set of use cases. In general, static IPs can be used to introduce network controls (for example, firewall rules) for traffic that goes to and from {{ecloud}} deployments over the Internet. Use of static IPs is not applicable to private cloud service provider connections (for example, AWS/Azure PrivateLink, GCP Private Service Connect). 
 
+Static IP addresses are [subject to change](#ec-warning), and not all [cloud provider regions](#ec-regions) are currently fully supported for ingress and egress static IPs. For this reason, we generally do not recommend that you use firewall rules to allow or restrict certain IP ranges. Consider using [private link](/deploy-manage/security/private-link-traffic-filters.md) traffic filters for deployment endpoints on {{ech}}. However, in situations where using Private Link services do not meet requirements (for example, secure traffic **from** {{ecloud}}), static IP ranges can be used.
 
-## Ingress Static IPs: Traffic To {{ecloud}} [ec-ingress] 
+
+## Ingress Static IPs: Traffic to {{ecloud}} [ec-ingress] 
 
 Suitable usage of ingress static IPs to introduce network controls:
 
@@ -118,7 +120,7 @@ Not suitable usage of egress static IPs to introduce network controls:
 ::::{warning} 
 :name: ec-warning
 
-Static IP ranges are subject to change. You will need to update your firewall rules when they change to prevent service disruptions. We will announce changes at least 8 weeks in advance (see [example](https://status.elastic.co/incidents/1xs411x77wgh)). Please subscribe to the [{{ecloud}} Status Page](https://status.elastic.co/) to remain up to date with any changes to the Static IP ranges which you will need to update at your side.
+Static IP ranges are subject to change. You will need to update your firewall rules when they change to prevent service disruptions. We will announce changes at least 8 weeks in advance (see [example](https://status.elastic.co/incidents/1xs411x77wgh)). Please subscribe to the [{{ecloud}} status page](https://status.elastic.co/) to remain up to date with any changes to the Static IP ranges which you will need to update at your side.
 ::::
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+[Manage {{kib}} sessions](/deploy-manage/security/kibana-session-management.md) to control the timeout and lifespan of logged-in sessions to {{kib}}, as well as the number of concurrent sessions each user can have.`