From 0181c9fc3b1b3eeef3c9841172239abacf6a2a27 Mon Sep 17 00:00:00 2001 From: Florent Le Borgne Date: Fri, 7 Mar 2025 18:27:23 +0100 Subject: [PATCH 1/5] basic structure --- deploy-manage/security.md | 55 ++++++++++++++++++- deploy-manage/security/data-security.md | 1 + deploy-manage/security/fips-140-2.md | 2 +- ...figure-security-in-self-managed-cluster.md | 29 +++++++++- .../security/secure-hosting-environment.md | 18 ++++++ .../security/secure-your-eck-installation.md | 27 +++++++++ ...r-elastic-cloud-enterprise-installation.md | 44 +++++++++++---- .../secure-your-elastic-cloud-organization.md | 30 ++++++++++ .../security/secure-your-personal-account.md | 9 +++ deploy-manage/toc.yml | 49 ++++++++++------- 10 files changed, 227 insertions(+), 37 deletions(-) create mode 100644 deploy-manage/security/data-security.md create mode 100644 deploy-manage/security/secure-hosting-environment.md create mode 100644 deploy-manage/security/secure-your-eck-installation.md create mode 100644 deploy-manage/security/secure-your-elastic-cloud-organization.md create mode 100644 deploy-manage/security/secure-your-personal-account.md diff --git a/deploy-manage/security.md b/deploy-manage/security.md index 589190a663..59ba2aa064 100644 --- a/deploy-manage/security.md +++ b/deploy-manage/security.md @@ -1,4 +1,7 @@ --- +applies_to: + deployment: all + serverless: all mapped_urls: - https://www.elastic.co/guide/en/elasticsearch/reference/current/security-files.html - https://www.elastic.co/guide/en/elasticsearch/reference/current/secure-cluster.html 
@@ -52,4 +55,54 @@ $$$maintaining-audit-trail$$$ * [/raw-migrated-files/cloud/cloud-heroku/ech-security.md](/raw-migrated-files/cloud/cloud-heroku/ech-security.md) * [/raw-migrated-files/kibana/kibana/using-kibana-with-security.md](/raw-migrated-files/kibana/kibana/using-kibana-with-security.md) * [/raw-migrated-files/elasticsearch/elasticsearch-reference/security-limitations.md](/raw-migrated-files/elasticsearch/elasticsearch-reference/security-limitations.md) -* [/raw-migrated-files/elasticsearch/elasticsearch-reference/es-security-principles.md](/raw-migrated-files/elasticsearch/elasticsearch-reference/es-security-principles.md) \ No newline at end of file +* [/raw-migrated-files/elasticsearch/elasticsearch-reference/es-security-principles.md](/raw-migrated-files/elasticsearch/elasticsearch-reference/es-security-principles.md) + +An Elastic implementation comprises many moving parts. There are the Elasticsearch nodes that form the cluster, Kibana instances, additional stack components such as Logstash and Beats, and clients and integrations all communicating with your cluster. + +To keep your data secured, Elastic offers security features that prevent bad actors from tampering with your data, and encrypt communications to, from, and within your cluster. Regardless of your deployment type, Elastic sets up certain security features for you automatically. + +In this section, you’ll learn about how to manage basic Elastic security features. You’ll also learn how to implement advanced security measures. + +As part of your overall security strategy, you can also do the following: + +- Prevent unauthorized access with [password protection and role-based access control]. +- Maintain an [audit trail] for security-related events. +- Control access to dashboards and other saved objects in your UI using [Spaces]. +- Connect a local cluster to a [remote cluster] to enable cross-cluster replication and search. +- Manage [API keys] used for programmatic access to Elastic. 
+ + + +Keeping your Elastic installation and data safe generally means: + +- Securing the hosting environment where your Elastic products are deployed. + - self-managed + - TLS certificates + - HTTPS + - ECE + - TLS certificates + - Cloud RBAC + - ECH and Serverless + - SSO + - Role-based access control +- Securing the deployments and clusters within that environment. + - Authentication and access + - `elastic` power user, built-in and system user passwords + - Deployment-level authentication protocols (SAML, OpenID Connect, Kerberos, JWT) + - Trust for cross-cluster communication + - Traffic and IP filtering + - Using the Elasticsearch keystore for sensitive settings + - [ECH only] Encryption using a customer-managed encryption key + - Keeping deployments up to date + - Audit logging + - Index and document-level permissions + - Kibana security + - Kibana sessions management + - Spaces + - Saved object security +- Securing your own account and access to the environment and deployments. + - [ECH only] Multifactor authentication + - User API keys +- Securing clients and integrations connected to your environment's clusters. + + diff --git a/deploy-manage/security/data-security.md b/deploy-manage/security/data-security.md new file mode 100644 index 0000000000..04f85f5caf --- /dev/null +++ b/deploy-manage/security/data-security.md @@ -0,0 +1 @@ +# Data security \ No newline at end of file diff --git a/deploy-manage/security/fips-140-2.md b/deploy-manage/security/fips-140-2.md index def22c70c7..f2b71557a7 100644 --- a/deploy-manage/security/fips-140-2.md +++ b/deploy-manage/security/fips-140-2.md @@ -4,7 +4,7 @@ mapped_urls: - https://www.elastic.co/guide/en/kibana/current/xpack-security-fips-140-2.html --- -# FIPS 140-2 +# FIPS 140-2 compliance % What needs to be done: Refine 
diff --git a/deploy-manage/security/manually-configure-security-in-self-managed-cluster.md b/deploy-manage/security/manually-configure-security-in-self-managed-cluster.md index 6a02f33975..3dfe414679 100644 --- a/deploy-manage/security/manually-configure-security-in-self-managed-cluster.md +++ b/deploy-manage/security/manually-configure-security-in-self-managed-cluster.md @@ -1,4 +1,8 @@ --- +navigation_title: Self-managed +applies_to: + deployment: + self: ga mapped_pages: - https://www.elastic.co/guide/en/elasticsearch/reference/current/manually-configure-security.html --- @@ -15,8 +19,9 @@ If you configure security manually *before* starting your {{es}} nodes, the auto :alt: Elastic Security layers ::: +## Common security scenarios -## Minimal security ({{es}} Development) [security-minimal-overview] +### Minimal security ({{es}} Development) [security-minimal-overview] If you’ve been working with {{es}} and want to enable security on your existing, unsecured cluster, start here. You’ll set passwords for the built-in users to prevent unauthorized access to your local cluster, and also configure password authentication for {{kib}}. @@ -28,7 +33,7 @@ The minimal security scenario is not sufficient for [production mode](../deploy/ [Set up minimal security](set-up-minimal-security.md) -## Basic security ({{es}} + {{kib}}) [security-basic-overview] +### Basic security ({{es}} + {{kib}}) [security-basic-overview] This scenario configures TLS for communication between nodes. This security layer requires that nodes verify security certificates, which prevents unauthorized nodes from joining your {{es}} cluster. 
@@ -37,7 +42,7 @@ Your external HTTP traffic between {{es}} and {{kib}} won’t be encrypted, but [Set up basic security](secure-cluster-communications.md) -## Basic security plus secured HTTPS traffic ({{stack}}) [security-basic-https-overview] +### Basic security plus secured HTTPS traffic ({{stack}}) [security-basic-https-overview] This scenario builds on the one for basic security and secures all HTTP traffic with TLS. In addition to configuring TLS on the transport interface of your {{es}} cluster, you configure TLS on the HTTP interface for both {{es}} and {{kib}}. @@ -50,6 +55,24 @@ You then configure {{kib}} and Beats to communicate with {{es}} using TLS so tha [Set up basic security plus HTTPS traffic](secure-http-communications.md) +## Considerations + +### TLS certificate management + +TLS certificates apply security controls to network communications. They encrypt data in transit, verify the identity of connecting parties, and help prevent man-in-the-middle attacks. + +On **self-managed** installations, you manage certificates for both HTTP and transport layers. + +### Network security + +Control which systems can access your Elastic deployment through traffic filtering and network controls: + +- **IP traffic filtering**: Restrict access based on IP addresses or CIDR ranges. + +## Next step: secure your deployments and clusters + +This section covered security principles and options at the environment level. You can take further measures individually for each deployment or cluster that you're running on your installation. Refer to [](secure-your-cluster-deployment.md). + diff --git a/deploy-manage/security/secure-hosting-environment.md b/deploy-manage/security/secure-hosting-environment.md new file mode 100644 index 0000000000..b2aa884010 --- /dev/null +++ b/deploy-manage/security/secure-hosting-environment.md 
@@ -0,0 +1,18 @@ +--- +applies_to: + deployment: all + serverless: ga +--- + +# Secure your hosting environment + +Whether you're running Elastic on {{ecloud}}, through an {{ece}} or {{eck}} orchestrator, or self-managed on your own premises, it is critical that you secure the layer responsible for deploying and hosting your Elastic products. + +This section covers security measures specific to: + +- [{{ecloud}}](secure-your-elastic-cloud-organization.md) +- [{{ece}}](secure-your-elastic-cloud-enterprise-installation.md) +- [{{eck}}](secure-your-eck-installation.md) +- [Self-managed](manually-configure-security-in-self-managed-cluster.md) + +Learn how to manage security certificates, configure TLS versions, and implement additional security controls at the environment level. diff --git a/deploy-manage/security/secure-your-eck-installation.md b/deploy-manage/security/secure-your-eck-installation.md new file mode 100644 index 0000000000..e88835a3f9 --- /dev/null +++ b/deploy-manage/security/secure-your-eck-installation.md 
@@ -0,0 +1,27 @@ +--- +navigation_title: "{{eck}}" +applies_to: + deployment: + eck: ga +--- + +# Secure your {{eck}} installation [eck-securing-considerations] + +**This page is a work in progress.** + +## TLS certificate management + +TLS certificates apply security controls to network communications. They encrypt data in transit, verify the identity of connecting parties, and help prevent man-in-the-middle attacks. + +With **{{eck}}**, you manage HTTP layer certificates. The transport layer is managed by ECK. + +## Network security + +Control which systems can access your Elastic deployment through traffic filtering and network controls: + +- **IP traffic filtering**: Restrict access based on IP addresses or CIDR ranges. + +## Next step: secure your deployments and clusters + +This section covered security principles and options at the environment level. You can take further measures individually for each deployment or cluster that you're running on your installation. Refer to [](secure-your-cluster-deployment.md). + diff --git a/deploy-manage/security/secure-your-elastic-cloud-enterprise-installation.md b/deploy-manage/security/secure-your-elastic-cloud-enterprise-installation.md index 227b8c4f44..824b351494 100644 --- a/deploy-manage/security/secure-your-elastic-cloud-enterprise-installation.md +++ b/deploy-manage/security/secure-your-elastic-cloud-enterprise-installation.md 
@@ -1,38 +1,56 @@ --- +navigation_title: "{{ece}}" +applies_to: + deployment: + ece: ga mapped_pages: - https://www.elastic.co/guide/en/cloud-enterprise/current/ece-securing-considerations.html --- # Secure your Elastic Cloud Enterprise installation [ece-securing-considerations] -Elastic Cloud Enterprise can run on shared and less secure environments, but you should be aware of some limitations when deploying our product. +**This page is a work in progress.** +When securing your {{ece}} installation, consider the following: -### Users with admin privileges [ece_users_with_admin_privileges] +## TLS certificate management -In Elastic Cloud Enterprise 3.8.1, every user who can manage your installation through the Cloud UI or the RESTful API is a user with admin privileges. This includes both the `admin` user and the `readonly` user that get created when you install ECE on your first host. Initially, only the `admin` user has the required privileges to make changes to resources on ECE. +TLS certificates apply security controls to network communications. They encrypt data in transit, verify the identity of connecting parties, and help prevent man-in-the-middle attacks. -[Role-based access control](../users-roles/cloud-enterprise-orchestrator/manage-users-roles.md) for Elastic Cloud Enterprise allows you to connect multiple users or user groups to the platform. +With {{ece}}, you manage proxy certificates for the HTTP layer. The transport layer is managed by ECE. Refer to [](secure-your-elastic-cloud-enterprise-installation/manage-security-certificates.md). -All Elasticsearch clusters come with X-Pack security features and support role-based access control. To learn more, check [Secure Your Clusters](../users-roles/cluster-or-deployment-auth.md). +## Network security + +Control which systems can access your Elastic deployment through traffic filtering and network controls: +- **IP traffic filtering**: Restrict access based on IP addresses or CIDR ranges. 
+- **Trust for cross-cluster operations**. Define which environments your {{ece}} installation can connect to and receive connections from. For more details on cross-cluster operations and the required settings, refer to [](/deploy-manage/remote-clusters.md). -### Clusters share the same resources [ece_clusters_share_the_same_resources] +$$$ece_clusters_share_the_same_resources$$$ +:::{note} +Clusters share the same resources The Elasticsearch clusters you create on Elastic Cloud Enterprise share the same resources. It is currently not possible to run a specific cluster on entirely dedicated hardware not shared by other clusters. +::: + +## Users with admin privileges [ece_users_with_admin_privileges] + +In Elastic Cloud Enterprise, every user who can manage your installation through the Cloud UI or the RESTful API is a user with admin privileges. This includes both the `admin` user and the `readonly` user that get created when you install ECE on your first host. Initially, only the `admin` user has the required privileges to make changes to resources on ECE. + +[Role-based access control](../users-roles/cloud-enterprise-orchestrator/manage-users-roles.md) for Elastic Cloud Enterprise allows you to connect multiple users or user groups to the platform. + +All Elasticsearch clusters come with X-Pack security features and support role-based access control. To learn more, check [Secure Your Clusters](../users-roles/cluster-or-deployment-auth.md). -### Encryption [ece_encryption] +## Encryption [ece_encryption] Elastic Cloud Enterprise does not implement encryption at rest out of the box. To ensure encryption at rest for all data managed by Elastic Cloud Enterprise, the hosts running Elastic Cloud Enterprise must be configured with disk-level encryption, such as dm-crypt. In addition, snapshot targets must ensure that data is encrypted at rest as well. 
Configuring dm-crypt or similar technologies is outside the scope of the Elastic Cloud Enterprise documentation, and issues related to disk encryption are outside the scope of support. -Elastic Cloud Enterprise provides full encryption of all network traffic by default when using Elasticsearch 6.0 or higher. +Elastic Cloud Enterprise provides full encryption of all network traffic by default. -TLS is supported when interacting with the RESTful API of Elastic Cloud Enterprise and for the proxy layer that routes user requests to clusters of all versions. Internally, our administrative services also ensure transport-level encryption. - -In Elasticsearch versions lower than 6.0, traffic between nodes in a cluster and between proxies and the clusters is *not* encrypted. +TLS is supported when interacting with the [RESTful API of Elastic Cloud Enterprise](https://www.elastic.co/docs/api/doc/cloud-enterprise/) and for the proxy layer that routes user requests to clusters of all versions. Internally, our administrative services also ensure transport-level encryption. ## Attack vectors versus separation of roles [ece-securing-vectors] @@ -45,3 +63,7 @@ Elastic Cloud Enterprise is designed to ensure that an allocator has access only Security comes in layers, and running separate services on separate infrastructure is the last layer of defense, on top of other security features like the JVM security manager, system call filtering, and running nodes in isolated containers with no shared secrets. +## Next step: secure your deployments and clusters + +This section covered security principles and options at the environment level. You can take further measures individually for each deployment or cluster that you're running on your installation. Refer to [](secure-your-cluster-deployment.md). + 
diff --git a/deploy-manage/security/secure-your-elastic-cloud-organization.md b/deploy-manage/security/secure-your-elastic-cloud-organization.md new file mode 100644 index 0000000000..647b1f3ffa --- /dev/null +++ b/deploy-manage/security/secure-your-elastic-cloud-organization.md @@ -0,0 +1,30 @@ +--- +navigation_title: "{{ecloud}}" +applies_to: + deployment: + ess: ga + serverless: ga +--- + +# Secure your Elastic Cloud organization [ec-securing-considerations] + +**This page is a work in progress.** + +## TLS certificate management + +TLS certificates apply security controls to network communications. They encrypt data in transit, verify the identity of connecting parties, and help prevent man-in-the-middle attacks. + +For your **{{ech}}** deployments and serverless projects hosted on {{ecloud}}, TLS certificates are managed automatically. + +## Network security + +Control which systems can access your Elastic deployment through traffic filtering and network controls: + +- **IP traffic filtering**: Restrict access based on IP addresses or CIDR ranges. +- **Private link filters**: Secure connectivity through AWS PrivateLink, Azure Private Link, or GCP Private Service Connect. +- **Static IPs**: Use static IP addresses for predictable firewall rules. + + +## Next step: secure your deployments and clusters + +This section covered security principles and options at the environment level. You can take further measures individually for each deployment or cluster that you're running on your installation. Refer to [](secure-your-cluster-deployment.md). diff --git a/deploy-manage/security/secure-your-personal-account.md b/deploy-manage/security/secure-your-personal-account.md new file mode 100644 index 0000000000..6f91ccb69b --- /dev/null +++ b/deploy-manage/security/secure-your-personal-account.md @@ -0,0 +1,9 @@ +--- +applies_to: + deployment: all + serverless: ga +--- + +# Secure your personal account + +**This page is a work in progress.** \ No newline at end of file 
diff --git a/deploy-manage/toc.yml b/deploy-manage/toc.yml index 809b55934c..a998c570de 100644 --- a/deploy-manage/toc.yml +++ b/deploy-manage/toc.yml @@ -512,17 +512,25 @@ toc: - file: remote-clusters/remote-clusters-settings.md - file: remote-clusters/eck-remote-clusters.md - file: security.md - children: - - file: security/secure-your-elastic-cloud-enterprise-installation.md + children: + - file: security/secure-hosting-environment.md children: - - file: security/secure-your-elastic-cloud-enterprise-installation/manage-security-certificates.md - - file: security/secure-your-elastic-cloud-enterprise-installation/allow-x509-certificates-signed-with-sha-1.md - - file: security/secure-your-elastic-cloud-enterprise-installation/configure-tls-version.md + - file: security/secure-your-elastic-cloud-organization.md + - file: security/secure-your-elastic-cloud-enterprise-installation.md + children: + - file: security/secure-your-elastic-cloud-enterprise-installation/manage-security-certificates.md + - file: security/secure-your-elastic-cloud-enterprise-installation/allow-x509-certificates-signed-with-sha-1.md + - file: security/secure-your-elastic-cloud-enterprise-installation/configure-tls-version.md + - file: security/secure-your-eck-installation.md + - file: security/manually-configure-security-in-self-managed-cluster.md + children: + - file: security/set-up-minimal-security.md + - file: security/set-up-basic-security.md + - file: security/set-up-basic-security-plus-https.md - file: security/secure-your-cluster-deployment.md children: - file: security/secure-endpoints.md children: - - file: security/secure-http-communications.md - file: security/traffic-filtering.md children: - file: security/ip-traffic-filtering.md 
@@ -534,31 +542,30 @@ toc: - file: security/claim-traffic-filter-link-id-ownership-through-api.md - file: security/manage-traffic-filtering-through-api.md - file: security/elastic-cloud-static-ips.md - - file: security/kibana-session-management.md - file: security/secure-cluster-communications.md children: + - file: security/secure-http-communications.md - file: security/security-certificates-keys.md children: - file: security/updating-certificates.md children: - file: security/same-ca.md - file: security/different-ca.md - - file: security/secure-clients-integrations.md + - file: security/supported-ssltls-versions-by-jdk-version.md + - file: security/data-security.md children: - - file: security/httprest-clients-security.md - - file: security/encrypt-deployment.md - children: - - file: security/encrypt-deployment-with-customer-managed-encryption-key.md - - file: security/secure-settings.md - - file: security/secure-saved-objects.md - - file: security/manually-configure-security-in-self-managed-cluster.md - children: - - file: security/set-up-minimal-security.md - - file: security/set-up-basic-security.md - - file: security/set-up-basic-security-plus-https.md - - file: security/enabling-cipher-suites-for-stronger-encryption.md - - file: security/supported-ssltls-versions-by-jdk-version.md + - file: security/encrypt-deployment.md + children: + - file: security/encrypt-deployment-with-customer-managed-encryption-key.md + - file: security/enabling-cipher-suites-for-stronger-encryption.md + - file: security/secure-settings.md + - file: security/secure-saved-objects.md + - file: security/kibana-session-management.md - file: security/fips-140-2.md + - file: security/secure-your-personal-account.md + - file: security/secure-clients-integrations.md + children: + - file: security/httprest-clients-security.md - file: users-roles.md children: - file: users-roles/cloud-organization.md From ca0b25ebd695389e2931e5a1473ad59b6c2deb48 Mon Sep 17 00:00:00 2001 
From: Florent Le Borgne Date: Mon, 10 Mar 2025 12:03:11 +0100 Subject: [PATCH 2/5] structure updates --- .../security}/install-stack-demo-secure.md | 36 ++++++++--------- ...figure-security-in-self-managed-cluster.md | 6 ++- deploy-manage/security/secure-endpoints.md | 31 --------------- .../secure-your-cluster-deployment.md | 39 ++++++++++++++++++- .../security/secure-your-eck-installation.md | 2 +- ...r-elastic-cloud-enterprise-installation.md | 21 ++++------ .../secure-your-elastic-cloud-organization.md | 12 +++--- deploy-manage/security/traffic-filtering.md | 22 +++-------- deploy-manage/toc.yml | 18 ++++----- 9 files changed, 89 insertions(+), 98 deletions(-) rename {raw-migrated-files/stack-docs/elastic-stack => deploy-manage/security}/install-stack-demo-secure.md (93%) delete mode 100644 deploy-manage/security/secure-endpoints.md diff --git a/raw-migrated-files/stack-docs/elastic-stack/install-stack-demo-secure.md b/deploy-manage/security/install-stack-demo-secure.md similarity index 93% rename from raw-migrated-files/stack-docs/elastic-stack/install-stack-demo-secure.md rename to deploy-manage/security/install-stack-demo-secure.md index 532be43c13..3743d67216 100644 --- a/raw-migrated-files/stack-docs/elastic-stack/install-stack-demo-secure.md +++ b/deploy-manage/security/install-stack-demo-secure.md 
@@ -1,6 +1,6 @@ # Tutorial 2: Securing a self-managed {{stack}} [install-stack-demo-secure] -This tutorial is a follow-on to [Tutorial 1: Installing a self-managed {{stack}}](../../../deploy-manage/deploy/self-managed/installing-elasticsearch.md). The first tutorial describes how to configure a multi-node {{es}} cluster and then set up {{kib}}, followed by {{fleet-server}} and {{agent}}. In a production environment, it’s recommended after completing the {{kib}} setup to proceed directly to this tutorial to configure your SSL certificates. These steps guide you through that process, and then describe how to configure {{fleet-server}} and {{agent}} with the certificates in place. +This tutorial is a follow-on to [Tutorial 1: Installing a self-managed {{stack}}](../deploy/self-managed/installing-elasticsearch.md). The first tutorial describes how to configure a multi-node {{es}} cluster and then set up {{kib}}, followed by {{fleet-server}} and {{agent}}. In a production environment, it’s recommended after completing the {{kib}} setup to proceed directly to this tutorial to configure your SSL certificates. These steps guide you through that process, and then describe how to configure {{fleet-server}} and {{agent}} with the certificates in place. **Securing the {{stack}}** 
@@ -8,22 +8,22 @@ Beginning with Elastic 8.0, security is enabled in the {{stack}} by default, mea For traffic to be encrypted between {{es}} cluster nodes and between {{kib}} and {{es}}, SSL certificates must be created for the transport ({{es}} inter-node communication) and HTTP (for the {{es}} REST API) layers. Similarly, when setting up {{fleet-server}} you’ll generate and configure a new certificate bundle, and then {{elastic-agent}} uses the generated certificates to communicate with both {{fleet-server}} and {{es}}. The process to set things up is as follows: -* [Prerequisites and assumptions](../../../deploy-manage/security/secure-your-cluster-deployment.md#install-stack-demo-secure-prereqs) -* [Step 1: Generate a new self-signed CA certificate](../../../deploy-manage/security/secure-your-cluster-deployment.md#install-stack-demo-secure-ca) -* [Step 2: Generate a new certificate for the transport layer](../../../deploy-manage/security/secure-your-cluster-deployment.md#install-stack-demo-secure-transport) -* [Step 3: Generate new certificate(s) for the HTTP layer](../../../deploy-manage/security/secure-your-cluster-deployment.md#install-stack-demo-secure-http) -* [Step 4: Configure security on additional {{es}} nodes](../../../deploy-manage/security/secure-your-cluster-deployment.md#install-stack-demo-secure-second-node) -* [Step 5: Generate server-side and client-side certificates for {{kib}}](../../../deploy-manage/security/secure-your-cluster-deployment.md#install-stack-demo-secure-kib-es) -* [Step 6: Install {{fleet}} with SSL certificates configured](../../../deploy-manage/security/secure-your-cluster-deployment.md#install-stack-demo-secure-fleet) -* [Step 7: Install {{agent}}](../../../deploy-manage/security/secure-your-cluster-deployment.md#install-stack-demo-secure-agent) -* [Step 8: View your system data](../../../deploy-manage/security/secure-your-cluster-deployment.md#install-stack-demo-secure-view-data) +* [Prerequisites and 
assumptions](secure-your-cluster-deployment.md#install-stack-demo-secure-prereqs) +* [Step 1: Generate a new self-signed CA certificate](secure-your-cluster-deployment.md#install-stack-demo-secure-ca) +* [Step 2: Generate a new certificate for the transport layer](secure-your-cluster-deployment.md#install-stack-demo-secure-transport) +* [Step 3: Generate new certificate(s) for the HTTP layer](../../raw-migrated-files/stack-docs/deploy-manage/security/secure-your-cluster-deployment.md#install-stack-demo-secure-http) +* [Step 4: Configure security on additional {{es}} nodes](secure-your-cluster-deployment.md#install-stack-demo-secure-second-node) +* [Step 5: Generate server-side and client-side certificates for {{kib}}](secure-your-cluster-deployment.md#install-stack-demo-secure-kib-es) +* [Step 6: Install {{fleet}} with SSL certificates configured](secure-your-cluster-deployment.md#install-stack-demo-secure-fleet) +* [Step 7: Install {{agent}}](secure-your-cluster-deployment.md#install-stack-demo-secure-agent) +* [Step 8: View your system data](secure-your-cluster-deployment.md#install-stack-demo-secure-view-data) It should take between one and two hours to complete these steps. ## Prerequisites and assumptions [install-stack-demo-secure-prereqs] -Before starting, you’ll need to have set up an on-premises {{es}} cluster with {{kib}}, following the steps in [Tutorial 1: Installing a self-managed {{stack}}](../../../deploy-manage/deploy/self-managed/installing-elasticsearch.md). +Before starting, you’ll need to have set up an on-premises {{es}} cluster with {{kib}}, following the steps in [Tutorial 1: Installing a self-managed {{stack}}](../deploy/self-managed/installing-elasticsearch.md). The examples in this guide use RPM packages to install the {{stack}} components on hosts running Red Hat Enterprise Linux 8. The steps for other install methods and operating systems are similar, and can be found in the documentation linked from each section. 
@@ -40,7 +40,7 @@ In a production environment you would typically use the CA certificate from your sudo systemctl stop elasticsearch.service ``` -2. Generate a CA certificate using the provided certificate utility, `elasticsearch-certutil`. Note that the location of the utility depends on the installation method you used to install {{es}}. Refer to [elasticsearch-certutil](elasticsearch://reference/elasticsearch/command-line-tools/certutil.md) for the command details and to [Update security certificates with a different CA](../../../deploy-manage/security/different-ca.md) for details about the procedure as a whole. +2. Generate a CA certificate using the provided certificate utility, `elasticsearch-certutil`. Note that the location of the utility depends on the installation method you used to install {{es}}. Refer to [elasticsearch-certutil](elasticsearch://reference/elasticsearch/command-line-tools/certutil.md) for the command details and to [Update security certificates with a different CA](different-ca.md) for details about the procedure as a whole. Run the following command. When prompted, specify a unique name for the output file, such as `elastic-stack-ca.zip`: 
@@ -77,7 +77,7 @@ In a production environment you would typically use the CA certificate from your 6. From the `/etc/elasticsearch/certs/ca/` directory, import the newly created CA certificate into the {{es}} truststore. This step ensures that your cluster trusts the new CA certificate. ::::{note} - On a new installation a new keystore and truststore are created automatically. If you’re running these steps on an existing {{es}} installation and you know the password to the keystore and the truststore, follow the instructions in [Update security certificates with a different CA](../../../deploy-manage/security/different-ca.md) to import the CA certificate. + On a new installation a new keystore and truststore are created automatically. If you’re running these steps on an existing {{es}} installation and you know the password to the keystore and the truststore, follow the instructions in [Update security certificates with a different CA](different-ca.md) to import the CA certificate. :::: 
@@ -131,7 +131,7 @@ This guide assumes the use of self-signed certificates, but the process to impor ::::{important} If you’re running these steps on a production cluster that already contains data: - * In a cluster with multiple {{es}} nodes, before proceeding you first need to perform a [Rolling restart](../../../deploy-manage/maintenance/start-stop-services/full-cluster-restart-rolling-restart-procedures.md#restart-cluster-rolling) beginning with the node where you’re updating the keystore. Stop at the `Perform any needed changes` step, and then proceed to the next step in this guide. + * In a cluster with multiple {{es}} nodes, before proceeding you first need to perform a [Rolling restart](../maintenance/start-stop-services/full-cluster-restart-rolling-restart-procedures.md#restart-cluster-rolling) beginning with the node where you’re updating the keystore. Stop at the `Perform any needed changes` step, and then proceed to the next step in this guide. * In a single node cluster, always stop {{es}} before proceeding. :::: @@ -227,7 +227,7 @@ Now that communication between {{es}} nodes (the transport layer) has been secur ``` 2. When prompted, confirm that the settings are correct. - 3. Add the network IP address that clients can use to connect to the first {{es}} node. This is the same value that’s described in Step 2 of [Tutorial 1: Installing a self-managed {{stack}}](../../../deploy-manage/deploy/self-managed/installing-elasticsearch.md), for example `10.128.0.84`: + 3. Add the network IP address that clients can use to connect to the first {{es}} node. This is the same value that’s described in Step 2 of [Tutorial 1: Installing a self-managed {{stack}}](../deploy/self-managed/installing-elasticsearch.md), for example `10.128.0.84`: ```shell 10.128.0.84 
@@ -506,7 +506,7 @@ Now that the security is configured for the first {{es}} node, some steps need t ## Step 5: Generate server-side and client-side certificates for {{kib}} [install-stack-demo-secure-kib-es] -Now that the transport and HTTP layers are configured with encryption using the new certificates, there are two more tasks that must be accomplished for end-to-end connectivity to {{es}}: Set up certificates for encryption between {{kib}} and {{es}}, and between the client browser and {{kib}}. For additional details about any of these steps, refer to [Mutual TLS authentication between {{kib}} and {{es}}](../../../deploy-manage/security/secure-cluster-communications.md) and [Encrypt traffic between your browser and {{kib}}](../../../deploy-manage/security/set-up-basic-security-plus-https.md#encrypt-kibana-browser). +Now that the transport and HTTP layers are configured with encryption using the new certificates, there are two more tasks that must be accomplished for end-to-end connectivity to {{es}}: Set up certificates for encryption between {{kib}} and {{es}}, and between the client browser and {{kib}}. For additional details about any of these steps, refer to [Mutual TLS authentication between {{kib}} and {{es}}](secure-cluster-communications.md) and [Encrypt traffic between your browser and {{kib}}](set-up-basic-security-plus-https.md#encrypt-kibana-browser). 1. In Step 3, when you generated a new certificate for the HTTP layer, the process created an archive `elasticsearch-ssl-http.zip`. 
@@ -617,7 +617,7 @@ Now that the transport and HTTP layers are configured with encryption using the Open a web browser to the external IP address of the Kibana host machine: `https://:5601`. Note that the URL should use the `https` and not the `http` protocol. -15. Log in using the `elastic` user and password that you configured in Step 1 of [Tutorial 1: Installing a self-managed {{stack}}](../../../deploy-manage/deploy/self-managed/installing-elasticsearch.md). +15. Log in using the `elastic` user and password that you configured in Step 1 of [Tutorial 1: Installing a self-managed {{stack}}](../deploy/self-managed/installing-elasticsearch.md). Congratulations! You’ve successfully updated the SSL certificates between {{es}} and {{kib}}. @@ -884,6 +884,6 @@ Congratulations! You’ve successfully configured security for {{es}}, {{kib}}, ## What’s next? [_whats_next] -* Do you have data ready to ingest into your newly set up {{stack}}? Learn how to [add data to Elasticsearch](../../../manage-data/ingest.md). +* Do you have data ready to ingest into your newly set up {{stack}}? Learn how to [add data to Elasticsearch](../../manage-data/ingest.md). * Use [Elastic {{observability}}](https://www.elastic.co/observability) to unify your logs, infrastructure metrics, uptime, and application performance data. * Want to protect your endpoints from security threats? Try [{{elastic-sec}}](https://www.elastic.co/security). Adding endpoint protection is just another integration that you add to the agent policy! diff --git a/deploy-manage/security/manually-configure-security-in-self-managed-cluster.md b/deploy-manage/security/manually-configure-security-in-self-managed-cluster.md index 3dfe414679..3e6df55ce6 100644 --- a/deploy-manage/security/manually-configure-security-in-self-managed-cluster.md +++ b/deploy-manage/security/manually-configure-security-in-self-managed-cluster.md 
@@ -21,6 +21,10 @@ If you configure security manually *before* starting your {{es}} nodes, the auto ## Common security scenarios +Even with security enabled, never expose {{es}} to public internet traffic. Using an application to sanitize requests to {{es}} still poses risks, such as a malicious user writing [`_search`](https://www.elastic.co/docs/api/doc/elasticsearch/group/endpoint-search) requests that could overwhelm an {{es}} cluster and bring it down. Keep {{es}} as isolated as possible, preferably behind a firewall and a VPN. Any internet-facing applications should run pre-canned aggregations, or not run aggregations at all. + +While you absolutely shouldn’t expose {{es}} directly to the internet, you also shouldn’t expose {{es}} directly to users. Instead, use an intermediary application to make requests on behalf of users. This implementation allows you to track user behaviors, such as can submit requests, and to which specific nodes in the cluster. For example, you can implement an application that accepts a search term from a user and funnels it through a [`simple_query_string`](elasticsearch://reference/query-languages/query-dsl-simple-query-string-query.md) query. + ### Minimal security ({{es}} Development) [security-minimal-overview] If you’ve been working with {{es}} and want to enable security on your existing, unsecured cluster, start here. You’ll set passwords for the built-in users to prevent unauthorized access to your local cluster, and also configure password authentication for {{kib}}. 
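Review bot: the two inserted paragraphs land directly under `## Common security scenarios` and ahead of `### Minimal security`, so the network-isolation guidance reads as the first scenario rather than as the principle that applies to all of them; give it its own heading ahead of the scenarios, or keep it only in traffic-filtering.md (which this patch already gives a shortened copy of the first paragraph) and link to it from here, so the two copies cannot drift apart. The second paragraph also carries over a broken sentence from the deleted secure-endpoints.md, `such as can submit requests, and to which specific nodes in the cluster`, which is missing its subject: `such as who can submit requests`.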
@@ -71,7 +75,7 @@ Control which systems can access your Elastic deployment through traffic filteri ## Next step: secure your deployments and clusters -This section covered security principles and options at the environment level. You can take further measures individually for each deployment or cluster that you're running on your installation. Refer to [](secure-your-cluster-deployment.md). +This section covered security principles and options at the environment level. You can take further measures individually for each deployment or cluster that you're running on this environment. Refer to [](secure-your-cluster-deployment.md). diff --git a/deploy-manage/security/secure-endpoints.md b/deploy-manage/security/secure-endpoints.md deleted file mode 100644 index 6e89c619de..0000000000 --- a/deploy-manage/security/secure-endpoints.md +++ /dev/null 
@@ -1,31 +0,0 @@ ---- -mapped_pages: - - https://www.elastic.co/guide/en/elasticsearch/reference/current/es-security-principles.html ---- - -# Secure endpoints [es-security-principles] - -Protecting your {{es}} cluster and the data it contains is of utmost importance. Implementing a defense in depth strategy provides multiple layers of security to help safeguard your system. The following principles provide a foundation for running {{es}} in a secure manner that helps to mitigate attacks on your system at multiple levels. - - -## Run {{es}} with security enabled [security-run-with-security] - -Never run an {{es}} cluster without security enabled. This principle cannot be overstated. Running {{es}} without security leaves your cluster exposed to anyone who can send network traffic to {{es}}, permitting these individuals to download, modify, or delete any data in your cluster. [Start the {{stack}} with security enabled](../deploy/self-managed/installing-elasticsearch.md) or [manually configure security](manually-configure-security-in-self-managed-cluster.md) to prevent unauthorized access to your clusters and ensure that internode communication is secure. - - -## Run {{es}} with a dedicated non-root user [security-not-root-user] - -Never try to run {{es}} as the `root` user, which would invalidate any defense strategy and permit a malicious user to do **anything** on your server. You must create a dedicated, unprivileged user to run {{es}}. By default, the `rpm`, `deb`, `docker`, and Windows packages of {{es}} contain an `elasticsearch` user with this scope. - - -## Protect {{es}} from public internet traffic [security-protect-cluster-traffic] - -Even with security enabled, never expose {{es}} to public internet traffic. 
Using an application to sanitize requests to {{es}} still poses risks, such as a malicious user writing [`_search`](https://www.elastic.co/docs/api/doc/elasticsearch/group/endpoint-search) requests that could overwhelm an {{es}} cluster and bring it down. Keep {{es}} as isolated as possible, preferably behind a firewall and a VPN. Any internet-facing applications should run pre-canned aggregations, or not run aggregations at all. - -While you absolutely shouldn’t expose {{es}} directly to the internet, you also shouldn’t expose {{es}} directly to users. Instead, use an intermediary application to make requests on behalf of users. This implementation allows you to track user behaviors, such as can submit requests, and to which specific nodes in the cluster. For example, you can implement an application that accepts a search term from a user and funnels it through a [`simple_query_string`](elasticsearch://reference/query-languages/query-dsl-simple-query-string-query.md) query. - - -## Implement role based access control [security-create-appropriate-users] - -[Define roles](../users-roles/cluster-or-deployment-auth/defining-roles.md) for your users and [assign appropriate privileges](/deploy-manage/users-roles/cluster-or-deployment-auth/elasticsearch-privileges.md) to ensure that users have access only to the resources that they need. This process determines whether the user behind an incoming request is allowed to run that request. - diff --git a/deploy-manage/security/secure-your-cluster-deployment.md b/deploy-manage/security/secure-your-cluster-deployment.md index 6e487f539c..c8aa6d60c0 100644 --- a/deploy-manage/security/secure-your-cluster-deployment.md +++ b/deploy-manage/security/secure-your-cluster-deployment.md 
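Review bot: removing secure-endpoints.md also removes its `mapped_pages` entry for `https://www.elastic.co/guide/en/elasticsearch/reference/current/es-security-principles.html`, and nothing in this patch adds that mapping to the page that now carries the principles (secure-your-cluster-deployment.md, in the next hunk), so the redirect from the old reference page is lost; carry the mapping over with the content. Inbound links to this file also need fixing in the same commit: users-roles.md still points at `/deploy-manage/security/secure-endpoints.md` until 3/5 of this series, so 1/5 on its own leaves a dangling link.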
@@ -45,4 +45,41 @@ $$$security-configure-settings$$$ * [/raw-migrated-files/elasticsearch/elasticsearch-reference/es-security-principles.md](/raw-migrated-files/elasticsearch/elasticsearch-reference/es-security-principles.md) * [/raw-migrated-files/kibana/kibana/using-kibana-with-security.md](/raw-migrated-files/kibana/kibana/using-kibana-with-security.md) -* [/raw-migrated-files/stack-docs/elastic-stack/install-stack-demo-secure.md](/raw-migrated-files/stack-docs/elastic-stack/install-stack-demo-secure.md) \ No newline at end of file +* [/raw-migrated-files/stack-docs/elastic-stack/install-stack-demo-secure.md](/deploy-manage/security/install-stack-demo-secure.md) + +Protecting your {{es}} cluster and the data it contains is of utmost importance. Implementing a defense in depth strategy provides multiple layers of security to help safeguard your system. + +:::{important} +Never run an {{es}} cluster without security enabled. This principle cannot be overstated. Running {{es}} without security leaves your cluster exposed to anyone who can send network traffic to {{es}}, permitting these individuals to download, modify, or delete any data in your cluster. +::: + +To secure your clusters and deployments, consider the following: + +## Network access + +Control which systems can access your Elastic deployments and clusters through traffic filtering and network controls: + +- **IP traffic filtering**: Restrict access based on IP addresses or CIDR ranges. +- **Private link filters**: Secure connectivity through AWS PrivateLink, Azure Private Link, or GCP Private Service Connect. +- **Static IPs**: Use static IP addresses for predictable firewall rules. 
+ + +## Cluster communication + +- **HTTP and HTTPs** +- **TLS certificates and keys** + + +## Data and objects security + +- **Bring your own encryption key** +- **Elasticsearch keystore** +- **Kibana saved objects** + +## User roles and sessions + +[Define roles](/deploy-manage/users-roles/cluster-or-deployment-auth/defining-roles.md) for your users and [assign appropriate privileges](/deploy-manage/users-roles/cluster-or-deployment-auth/elasticsearch-privileges.md) to ensure that users have access only to the resources that they need. This process determines whether the user behind an incoming request is allowed to run that request. + +:::{important} +Never try to run {{es}} as the `root` user, which would invalidate any defense strategy and permit a malicious user to do **anything** on your server. You must create a dedicated, unprivileged user to run {{es}}. By default, the `rpm`, `deb`, `docker`, and Windows packages of {{es}} contain an `elasticsearch` user with this scope. +::: diff --git a/deploy-manage/security/secure-your-eck-installation.md b/deploy-manage/security/secure-your-eck-installation.md index e88835a3f9..47de5af885 100644 --- a/deploy-manage/security/secure-your-eck-installation.md +++ b/deploy-manage/security/secure-your-eck-installation.md @@ -23,5 +23,5 @@ Control which systems can access your Elastic deployment through traffic filteri ## Next step: secure your deployments and clusters -This section covered security principles and options at the environment level. You can take further measures individually for each deployment or cluster that you're running on your installation. Refer to [](secure-your-cluster-deployment.md). +This section covered security principles and options at the environment level. You can take further measures individually for each deployment or cluster that you're running on this environment. Refer to [](secure-your-cluster-deployment.md). 
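Review bot: several points in the new secure-your-cluster-deployment.md content need attention before the page is exposed in the TOC. The first list item now reads `[/raw-migrated-files/stack-docs/elastic-stack/install-stack-demo-secure.md](/deploy-manage/security/install-stack-demo-secure.md)`, so the visible text still names the raw-migrated path while the target is the new page; make the text match the target. `## Cluster communication` and `## Data and objects security` are bare bold bullets (`**HTTP and HTTPs**`, `**Bring your own encryption key**`) with no links or explanation, so either link each item to its page or give this page the same work-in-progress warning the other pages receive in 3/5; `HTTPs` should be `HTTPS`. The `Never try to run {{es}} as the root user` callout sits under `## User roles and sessions`, which is about {{es}} roles and privileges, whereas the callout concerns the operating-system account that runs the service and belongs with host-level guidance (the self-managed hosting page, or its own short section). Finally, `Private link filters` and `Static IPs` under `## Network access` are {{ecloud}} features (the traffic-filtering hunk later in this patch calls them `Elastic Cloud static IPs`), so on a page covering every deployment type they need a scope marker or a sentence saying which options apply where.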
diff --git a/deploy-manage/security/secure-your-elastic-cloud-enterprise-installation.md b/deploy-manage/security/secure-your-elastic-cloud-enterprise-installation.md index 824b351494..91aa5e1d72 100644 --- a/deploy-manage/security/secure-your-elastic-cloud-enterprise-installation.md +++ b/deploy-manage/security/secure-your-elastic-cloud-enterprise-installation.md @@ -19,19 +19,6 @@ TLS certificates apply security controls to network communications. They encrypt With {{ece}}, you manage proxy certificates for the HTTP layer. The transport layer is managed by ECE. Refer to [](secure-your-elastic-cloud-enterprise-installation/manage-security-certificates.md). -## Network security - -Control which systems can access your Elastic deployment through traffic filtering and network controls: - -- **IP traffic filtering**: Restrict access based on IP addresses or CIDR ranges. -- **Trust for cross-cluster operations**. Define which environments your {{ece}} installation can connect to and receive connections from. For more details on cross-cluster operations and the required settings, refer to [](/deploy-manage/remote-clusters.md). - -$$$ece_clusters_share_the_same_resources$$$ -:::{note} -Clusters share the same resources - -The Elasticsearch clusters you create on Elastic Cloud Enterprise share the same resources. It is currently not possible to run a specific cluster on entirely dedicated hardware not shared by other clusters. -::: ## Users with admin privileges [ece_users_with_admin_privileges] 
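Review bot: the removed `## Network security` block also drops the `Trust for cross-cluster operations` bullet and its link to `/deploy-manage/remote-clusters.md`, and the new traffic-filtering.md list in this patch covers only IP filtering, private link and static IPs, so the ECE guidance on which environments an installation may connect to and accept connections from is no longer reachable from either page. Either keep that bullet here (it is an installation-level setting, which is what this page is about) or add it to the traffic-filtering page together with the remote-clusters link.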
@@ -63,7 +50,13 @@ Elastic Cloud Enterprise is designed to ensure that an allocator has access only Security comes in layers, and running separate services on separate infrastructure is the last layer of defense, on top of other security features like the JVM security manager, system call filtering, and running nodes in isolated containers with no shared secrets. +## Hardware isolation +$$$ece_clusters_share_the_same_resources$$$ + +The Elasticsearch clusters you create on Elastic Cloud Enterprise share the same resources. It is currently not possible to run a specific cluster on entirely dedicated hardware not shared by other clusters. + + ## Next step: secure your deployments and clusters -This section covered security principles and options at the environment level. You can take further measures individually for each deployment or cluster that you're running on your installation. Refer to [](secure-your-cluster-deployment.md). +This section covered security principles and options at the environment level. You can take further measures individually for each deployment or cluster that you're running on this environment. Refer to [](secure-your-cluster-deployment.md). diff --git a/deploy-manage/security/secure-your-elastic-cloud-organization.md b/deploy-manage/security/secure-your-elastic-cloud-organization.md index 647b1f3ffa..e3c0d5d21c 100644 --- a/deploy-manage/security/secure-your-elastic-cloud-organization.md +++ b/deploy-manage/security/secure-your-elastic-cloud-organization.md 
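Review bot: in the new `## Hardware isolation` section the `$$$ece_clusters_share_the_same_resources$$$` anchor follows the heading, whereas the deleted note had it immediately before the element it labels; if existing links are meant to land on the section, put the anchor above `## Hardware isolation`. The section as written states only the limitation (no dedicated hardware per cluster); one sentence on what isolation ECE does provide, which the preceding paragraph already lists (isolated containers, no shared secrets, system call filtering, the JVM security manager), would make the heading accurate and tell a reader what the shared-hardware caveat means for tenant separation.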
@@ -16,15 +16,15 @@ TLS certificates apply security controls to network communications. They encrypt For your **{{ech}}** deployments and serverless projects hosted on {{ecloud}}, TLS certificates are managed automatically. -## Network security +## Access control -Control which systems can access your Elastic deployment through traffic filtering and network controls: +Define which users can access your {{ecloud}} organization using the following methods: -- **IP traffic filtering**: Restrict access based on IP addresses or CIDR ranges. -- **Private link filters**: Secure connectivity through AWS PrivateLink, Azure Private Link, or GCP Private Service Connect. -- **Static IPs**: Use static IP addresses for predictable firewall rules. +- [SSO](/deploy-manage/users-roles/cloud-organization/configure-saml-authentication.md) +- [Role-based access control](/deploy-manage/users-roles/cloud-organization/manage-users.md) +- [Cloud API keys](/deploy-manage/api-keys/elastic-cloud-api-keys.md) ## Next step: secure your deployments and clusters -This section covered security principles and options at the environment level. You can take further measures individually for each deployment or cluster that you're running on your installation. Refer to [](secure-your-cluster-deployment.md). +This section covered security principles and options at the environment level. You can take further measures individually for each deployment or cluster that you're running on this environment. Refer to [](secure-your-cluster-deployment.md). diff --git a/deploy-manage/security/traffic-filtering.md b/deploy-manage/security/traffic-filtering.md index 58c1312a10..7f82feefdd 100644 --- a/deploy-manage/security/traffic-filtering.md +++ b/deploy-manage/security/traffic-filtering.md 
@@ -5,22 +5,10 @@ mapped_urls: - https://www.elastic.co/guide/en/cloud-heroku/current/ech-traffic-filtering-deployment-configuration.html --- -# Traffic filtering +# Secure network access -% What needs to be done: Refine +Never expose {{es}} to unwanted internet traffic. Using an application to sanitize requests to {{es}} still poses risks, such as a malicious user writing [`_search`](https://www.elastic.co/docs/api/doc/elasticsearch/group/endpoint-search) requests that could overwhelm an {{es}} cluster and bring it down. Depending on your environment, consider the following: -% GitHub issue: https://github.com/elastic/docs-projects/issues/346 - -% Use migrated content from existing pages that map to this page: - -% - [ ] ./raw-migrated-files/cloud/cloud-enterprise/ece-traffic-filtering-deployment-configuration.md -% - [ ] ./raw-migrated-files/cloud/cloud/ec-traffic-filtering-deployment-configuration.md -% - [ ] ./raw-migrated-files/cloud/cloud-heroku/ech-traffic-filtering-deployment-configuration.md - -⚠️ **This page is a work in progress.** ⚠️ - -The documentation team is working to combine content pulled from the following pages: - -* [/raw-migrated-files/cloud/cloud-enterprise/ece-traffic-filtering-deployment-configuration.md](/raw-migrated-files/cloud/cloud-enterprise/ece-traffic-filtering-deployment-configuration.md) -* [/raw-migrated-files/cloud/cloud/ec-traffic-filtering-deployment-configuration.md](/raw-migrated-files/cloud/cloud/ec-traffic-filtering-deployment-configuration.md) -* [/raw-migrated-files/cloud/cloud-heroku/ech-traffic-filtering-deployment-configuration.md](/raw-migrated-files/cloud/cloud-heroku/ech-traffic-filtering-deployment-configuration.md) \ No newline at end of file +- **IP traffic filtering**: Restrict access based on IP addresses or CIDR ranges. +- **Private link filters**: Secure connectivity through AWS PrivateLink, Azure Private Link, or GCP Private Service Connect. 
+- **Elastic Cloud static IPs**: Use static IP addresses for predictable firewall rules. diff --git a/deploy-manage/toc.yml b/deploy-manage/toc.yml index f16e49720a..a660e07e6f 100644 --- a/deploy-manage/toc.yml +++ b/deploy-manage/toc.yml @@ -489,20 +489,20 @@ toc: - file: security/set-up-minimal-security.md - file: security/set-up-basic-security.md - file: security/set-up-basic-security-plus-https.md + - file: security/install-stack-demo-secure.md - file: security/secure-your-cluster-deployment.md children: - - file: security/secure-endpoints.md + - file: security/traffic-filtering.md children: - - file: security/traffic-filtering.md + - file: security/ip-traffic-filtering.md children: - - file: security/ip-traffic-filtering.md - - file: security/private-link-traffic-filters.md - children: - - file: security/aws-privatelink-traffic-filters.md - - file: security/azure-private-link-traffic-filters.md - - file: security/gcp-private-service-connect-traffic-filters.md - - file: security/claim-traffic-filter-link-id-ownership-through-api.md - file: security/manage-traffic-filtering-through-api.md + - file: security/private-link-traffic-filters.md + children: + - file: security/aws-privatelink-traffic-filters.md + - file: security/azure-private-link-traffic-filters.md + - file: security/gcp-private-service-connect-traffic-filters.md + - file: security/claim-traffic-filter-link-id-ownership-through-api.md - file: security/elastic-cloud-static-ips.md - file: security/secure-cluster-communications.md children: From 7130d94bb81219f7f9874846cc63645a82b92bd1 Mon Sep 17 00:00:00 2001 
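Review bot: in the traffic-filtering.md hunk, `Never expose {{es}} to unwanted internet traffic` weakens the principle the deleted secure-endpoints.md stated (`never expose {{es}} to public internet traffic`) and drops its concrete recommendation (`Keep {{es}} as isolated as possible, preferably behind a firewall and a VPN`); `unwanted` is not something a reader can act on, so restore the original wording. The example that follows, a malicious user crafting `_search` requests that overwhelm the cluster through a sanitizing application, argues for not exposing the cluster even behind a proxy, but the list it introduces (IP filtering, private link, static IPs) restricts which networks can reach the endpoint and does nothing against expensive queries from an allowed client, so the `Depending on your environment, consider the following` bridge does not follow; present the filtering options as the way to limit who can reach the endpoint at all, and keep the expensive-query point next to the intermediary-application guidance.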
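Review bot: in the toc.yml hunk `security/manage-traffic-filtering-through-api.md` moves from being a sibling of `ip-traffic-filtering.md` and `private-link-traffic-filters.md` to being a child of `ip-traffic-filtering.md` only; unless that page is limited to IP filter rule sets, which its title does not suggest, it belongs at the previous level so readers of the private link pages still find it. The removal of `security/secure-endpoints.md` from the TOC is consistent with the file deletion earlier in this patch.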
From: Florent Le Borgne Date: Mon, 10 Mar 2025 12:37:16 +0100 Subject: [PATCH 3/5] add wip --- deploy-manage/security/data-security.md | 6 +++++- deploy-manage/security/install-stack-demo-secure.md | 6 +++--- deploy-manage/security/secure-clients-integrations.md | 5 +++++ deploy-manage/security/secure-hosting-environment.md | 4 ++++ deploy-manage/security/secure-your-eck-installation.md | 5 ++++- .../secure-your-elastic-cloud-enterprise-installation.md | 5 ++++- .../security/secure-your-elastic-cloud-organization.md | 5 ++++- deploy-manage/security/secure-your-personal-account.md | 4 +++- deploy-manage/security/traffic-filtering.md | 5 +++++ deploy-manage/users-roles.md | 2 +- raw-migrated-files/toc.yml | 1 - 11 files changed, 38 insertions(+), 10 deletions(-) diff --git a/deploy-manage/security/data-security.md b/deploy-manage/security/data-security.md index 04f85f5caf..1226f922c7 100644 --- a/deploy-manage/security/data-security.md +++ b/deploy-manage/security/data-security.md @@ -1 +1,5 @@ -# Data security \ No newline at end of file +# Secure your data + +:::{warning} +**This page is a work in progress.** +::: diff --git a/deploy-manage/security/install-stack-demo-secure.md b/deploy-manage/security/install-stack-demo-secure.md index 3743d67216..0241474ad0 100644 --- a/deploy-manage/security/install-stack-demo-secure.md +++ b/deploy-manage/security/install-stack-demo-secure.md 
@@ -11,7 +11,7 @@ For traffic to be encrypted between {{es}} cluster nodes and between {{kib}} and * [Prerequisites and assumptions](secure-your-cluster-deployment.md#install-stack-demo-secure-prereqs) * [Step 1: Generate a new self-signed CA certificate](secure-your-cluster-deployment.md#install-stack-demo-secure-ca) * [Step 2: Generate a new certificate for the transport layer](secure-your-cluster-deployment.md#install-stack-demo-secure-transport) -* [Step 3: Generate new certificate(s) for the HTTP layer](../../raw-migrated-files/stack-docs/deploy-manage/security/secure-your-cluster-deployment.md#install-stack-demo-secure-http) +* [Step 3: Generate new certificate(s) for the HTTP layer](secure-your-cluster-deployment.md#install-stack-demo-secure-http) * [Step 4: Configure security on additional {{es}} nodes](secure-your-cluster-deployment.md#install-stack-demo-secure-second-node) * [Step 5: Generate server-side and client-side certificates for {{kib}}](secure-your-cluster-deployment.md#install-stack-demo-secure-kib-es) * [Step 6: Install {{fleet}} with SSL certificates configured](secure-your-cluster-deployment.md#install-stack-demo-secure-fleet) 
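Review bot: the step list in install-stack-demo-secure.md links every step to `secure-your-cluster-deployment.md#install-stack-demo-secure-...`, but the anchors are defined in this very file (`## Prerequisites and assumptions [install-stack-demo-secure-prereqs]` in the next hunk, `[install-stack-demo-secure-kib-es]` in 1/5), so this hunk only makes the Step 3 link consistently wrong with the others; these should be same-page links, for example `(#install-stack-demo-secure-http)`.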
@@ -23,7 +23,7 @@ It should take between one and two hours to complete these steps. ## Prerequisites and assumptions [install-stack-demo-secure-prereqs] -Before starting, you’ll need to have set up an on-premises {{es}} cluster with {{kib}}, following the steps in [Tutorial 1: Installing a self-managed {{stack}}](../deploy/self-managed/installing-elasticsearch.md). +Before starting, you’ll need to have set up an on-premises {{es}} cluster with {{kib}}, following the steps in [Tutorial 1: Installing a self-managed {{stack}}](/deploy/self-managed/installing-elasticsearch.md). The examples in this guide use RPM packages to install the {{stack}} components on hosts running Red Hat Enterprise Linux 8. The steps for other install methods and operating systems are similar, and can be found in the documentation linked from each section. @@ -874,7 +874,7 @@ View your system metrics data: 2. In the query field, search for `Metrics System`. 3. Select the `[Metrics System] Host overview` link. The {{kib}} Dashboard opens with visualizations of host metrics including CPU usage, memory usage, running processes, and more. - :::{image} ../../../images/elastic-stack-install-stack-metrics-dashboard.png + :::{image} /images/elastic-stack-install-stack-metrics-dashboard.png :alt: The System metrics host overview showing CPU usage, memory usage, and other visualizations ::: diff --git a/deploy-manage/security/secure-clients-integrations.md b/deploy-manage/security/secure-clients-integrations.md index e63862420f..59bf4b700f 100644 --- a/deploy-manage/security/secure-clients-integrations.md +++ b/deploy-manage/security/secure-clients-integrations.md 
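Review bot: in the `@@ -23,7 +23,7 @@` hunk the new target `/deploy/self-managed/installing-elasticsearch.md` is missing the `deploy-manage/` prefix that every other absolute link in this file uses (compare `/deploy-manage/users-roles/...` elsewhere in the series); 5/5 changes it again, so squash that fix into this commit rather than landing a broken link in between.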
@@ -5,6 +5,11 @@ mapped_pages: # Secure clients and integrations [security-clients-integrations] +:::{warning} +**This page is a work in progress.** +::: + + You will need to update the configuration for several [clients](httprest-clients-security.md) to work with a secured {{es}} cluster. The {{es}} {{security-features}} enable you to secure your {{es}} cluster. But {{es}} itself is only one product within the {{stack}}. It is often the case that other products in the {{stack}} are connected to the cluster and therefore need to be secured as well, or at least communicate with the cluster in a secured way: diff --git a/deploy-manage/security/secure-hosting-environment.md b/deploy-manage/security/secure-hosting-environment.md index b2aa884010..856fa3cc05 100644 --- a/deploy-manage/security/secure-hosting-environment.md +++ b/deploy-manage/security/secure-hosting-environment.md @@ -6,6 +6,10 @@ applies_to: # Secure your hosting environment +:::{warning} +**This page is a work in progress.** +::: + Whether you're running Elastic on {{ecloud}}, through an {{ece}} or {{eck}} orchestrator, or self-managed on your own premises, it is critical that you secure the layer responsible for deploying and hosting your Elastic products. This section covers security measures specific to: diff --git a/deploy-manage/security/secure-your-eck-installation.md b/deploy-manage/security/secure-your-eck-installation.md index 47de5af885..fd73ced7ab 100644 --- a/deploy-manage/security/secure-your-eck-installation.md +++ b/deploy-manage/security/secure-your-eck-installation.md @@ -7,7 +7,10 @@ applies_to: # Secure your {{eck}} installation [eck-securing-considerations] -**This page is a work in progress.** +:::{warning} +**This page is a work in progress.** +::: + ## TLS certificate management diff --git a/deploy-manage/security/secure-your-elastic-cloud-enterprise-installation.md b/deploy-manage/security/secure-your-elastic-cloud-enterprise-installation.md index 91aa5e1d72..2751b2b93d 100644 
--- a/deploy-manage/security/secure-your-elastic-cloud-enterprise-installation.md +++ b/deploy-manage/security/secure-your-elastic-cloud-enterprise-installation.md @@ -9,7 +9,10 @@ mapped_pages: # Secure your Elastic Cloud Enterprise installation [ece-securing-considerations] -**This page is a work in progress.** +:::{warning} +**This page is a work in progress.** +::: + When securing your {{ece}} installation, consider the following: diff --git a/deploy-manage/security/secure-your-elastic-cloud-organization.md b/deploy-manage/security/secure-your-elastic-cloud-organization.md index e3c0d5d21c..3d35179fea 100644 --- a/deploy-manage/security/secure-your-elastic-cloud-organization.md +++ b/deploy-manage/security/secure-your-elastic-cloud-organization.md @@ -8,7 +8,10 @@ applies_to: # Secure your Elastic Cloud organization [ec-securing-considerations] -**This page is a work in progress.** +:::{warning} +**This page is a work in progress.** +::: + ## TLS certificate management diff --git a/deploy-manage/security/secure-your-personal-account.md b/deploy-manage/security/secure-your-personal-account.md index 6f91ccb69b..bde06e2a39 100644 --- a/deploy-manage/security/secure-your-personal-account.md +++ b/deploy-manage/security/secure-your-personal-account.md @@ -6,4 +6,6 @@ applies_to: # Secure your personal account -**This page is a work in progress.** \ No newline at end of file +:::{warning} +**This page is a work in progress.** +::: diff --git a/deploy-manage/security/traffic-filtering.md b/deploy-manage/security/traffic-filtering.md index 7f82feefdd..3eb12320d8 100644 --- a/deploy-manage/security/traffic-filtering.md +++ b/deploy-manage/security/traffic-filtering.md 
@@ -7,6 +7,11 @@ mapped_urls: # Secure network access +:::{warning} +**This page is a work in progress.** +::: + + Never expose {{es}} to unwanted internet traffic. Using an application to sanitize requests to {{es}} still poses risks, such as a malicious user writing [`_search`](https://www.elastic.co/docs/api/doc/elasticsearch/group/endpoint-search) requests that could overwhelm an {{es}} cluster and bring it down. Depending on your environment, consider the following: - **IP traffic filtering**: Restrict access based on IP addresses or CIDR ranges. diff --git a/deploy-manage/users-roles.md b/deploy-manage/users-roles.md index 8059b7bd7e..f1442ed89f 100644 --- a/deploy-manage/users-roles.md +++ b/deploy-manage/users-roles.md 
@@ -21,7 +21,7 @@ The methods that you use to authenticate users and control access depends on the Preventing unauthorized access is only one element of a complete security strategy. To secure your Elastic environment, you can also do the following: * Restrict the nodes and clients that can connect to the cluster using [traffic filters](/deploy-manage/security/traffic-filtering.md). -* Take steps to maintain your data integrity and confidentiality by [encrypting HTTP and inter-node communications](/deploy-manage/security/secure-endpoints.md), as well as [encrypting your data at rest](/deploy-manage/security/encrypt-deployment.md). +* Take steps to maintain your data integrity and confidentiality by [encrypting HTTP and inter-node communications](/deploy-manage/security/secure-cluster-communications.md), as well as [encrypting your data at rest](/deploy-manage/security/encrypt-deployment.md). * Maintain an [audit trail](/deploy-manage/monitor/logging-configuration/security-event-audit-logging.md) for security-related events. * Control access to dashboards and other saved objects in your UI using [{{kib}} spaces](/deploy-manage/manage-spaces.md). * Connect your cluster to a [remote cluster](/deploy-manage/remote-clusters.md) to enable cross-cluster replication and search. diff --git a/raw-migrated-files/toc.yml b/raw-migrated-files/toc.yml index 383d1c2ee1..6322a82255 100644 --- a/raw-migrated-files/toc.yml +++ b/raw-migrated-files/toc.yml @@ -290,7 +290,6 @@ toc: - file: stack-docs/elastic-stack/index.md children: - file: stack-docs/elastic-stack/air-gapped-install.md - - file: stack-docs/elastic-stack/install-stack-demo-secure.md - file: stack-docs/elastic-stack/installing-stack-demo-self.md - file: stack-docs/elastic-stack/overview.md - file: stack-docs/elastic-stack/upgrade-elastic-stack-for-elastic-cloud.md From 2913d840efffd9fc49799d50c9ebe3f140e1e116 Mon Sep 17 00:00:00 2001 
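Review bot: the users-roles.md link fix (`secure-endpoints.md` to `secure-cluster-communications.md`) and the raw-migrated-files/toc.yml removal of `install-stack-demo-secure.md` both repair breakage introduced by 1/5 of this series (the file deletion and the file move), so they belong in that commit; as split, 1/5 leaves a dangling link and a stale TOC entry. The new target matches the link text, which is about encrypting HTTP and inter-node communications.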
From: Florent Le Borgne Date: Mon, 10 Mar 2025 12:45:37 +0100 Subject: [PATCH 4/5] link --- deploy-manage/security/install-stack-demo-secure.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/deploy-manage/security/install-stack-demo-secure.md b/deploy-manage/security/install-stack-demo-secure.md index 0241474ad0..c6e2a55a34 100644 --- a/deploy-manage/security/install-stack-demo-secure.md +++ b/deploy-manage/security/install-stack-demo-secure.md @@ -1,6 +1,6 @@ # Tutorial 2: Securing a self-managed {{stack}} [install-stack-demo-secure] -This tutorial is a follow-on to [Tutorial 1: Installing a self-managed {{stack}}](../deploy/self-managed/installing-elasticsearch.md). The first tutorial describes how to configure a multi-node {{es}} cluster and then set up {{kib}}, followed by {{fleet-server}} and {{agent}}. In a production environment, it’s recommended after completing the {{kib}} setup to proceed directly to this tutorial to configure your SSL certificates. These steps guide you through that process, and then describe how to configure {{fleet-server}} and {{agent}} with the certificates in place. +This tutorial is a follow-on to [Tutorial 1: Installing a self-managed {{stack}}](/deploy-manage/deploy/self-managed.md). The first tutorial describes how to configure a multi-node {{es}} cluster and then set up {{kib}}, followed by {{fleet-server}} and {{agent}}. In a production environment, it’s recommended after completing the {{kib}} setup to proceed directly to this tutorial to configure your SSL certificates. These steps guide you through that process, and then describe how to configure {{fleet-server}} and {{agent}} with the certificates in place. **Securing the {{stack}}** From e68968d9f91c30de7ea99b816bf932f9c155087d Mon Sep 17 00:00:00 2001 
From: Florent Le Borgne Date: Mon, 10 Mar 2025 12:49:23 +0100 Subject: [PATCH 5/5] more links --- deploy-manage/security/install-stack-demo-secure.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/deploy-manage/security/install-stack-demo-secure.md b/deploy-manage/security/install-stack-demo-secure.md index c6e2a55a34..62c9d0dccf 100644 --- a/deploy-manage/security/install-stack-demo-secure.md +++ b/deploy-manage/security/install-stack-demo-secure.md @@ -23,7 +23,7 @@ It should take between one and two hours to complete these steps. ## Prerequisites and assumptions [install-stack-demo-secure-prereqs] -Before starting, you’ll need to have set up an on-premises {{es}} cluster with {{kib}}, following the steps in [Tutorial 1: Installing a self-managed {{stack}}](/deploy/self-managed/installing-elasticsearch.md). +Before starting, you’ll need to have set up an on-premises {{es}} cluster with {{kib}}, following the steps in [Tutorial 1: Installing a self-managed {{stack}}](/deploy-manage/deploy/self-managed.md). The examples in this guide use RPM packages to install the {{stack}} components on hosts running Red Hat Enterprise Linux 8. The steps for other install methods and operating systems are similar, and can be found in the documentation linked from each section. 
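Review bot: unlike the other three occurrences, the prerequisites link was an absolute path missing the `deploy-manage` prefix (`/deploy/self-managed/installing-elasticsearch.md`), so it was already broken rather than merely relative; the fix is right, but as with patch 4/5, confirm that `/deploy-manage/deploy/self-managed.md` is the page containing the tutorial's steps, since the two following hunks in this patch refer readers to "Step 2" and "Step 1" of it.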
@@ -227,7 +227,7 @@ Now that communication between {{es}} nodes (the transport layer) has been secur ``` 2. When prompted, confirm that the settings are correct. - 3. Add the network IP address that clients can use to connect to the first {{es}} node. This is the same value that’s described in Step 2 of [Tutorial 1: Installing a self-managed {{stack}}](../deploy/self-managed/installing-elasticsearch.md), for example `10.128.0.84`: + 3. Add the network IP address that clients can use to connect to the first {{es}} node. This is the same value that’s described in Step 2 of [Tutorial 1: Installing a self-managed {{stack}}](/deploy-manage/deploy/self-managed.md), for example `10.128.0.84`: ```shell 10.128.0.84 @@ -617,7 +617,7 @@ Now that the transport and HTTP layers are configured with encryption using the Open a web browser to the external IP address of the Kibana host machine: `https://:5601`. Note that the URL should use the `https` and not the `http` protocol. -15. Log in using the `elastic` user and password that you configured in Step 1 of [Tutorial 1: Installing a self-managed {{stack}}](../deploy/self-managed/installing-elasticsearch.md). +15. Log in using the `elastic` user and password that you configured in Step 1 of [Tutorial 1: Installing a self-managed {{stack}}](/deploy-manage/deploy/self-managed.md). Congratulations! You’ve successfully updated the SSL certificates between {{es}} and {{kib}}.
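Review bot: in the `@@ -227` hunk the changed line tells the reader to look up the value "described in Step 2 of Tutorial 1", yet the new target `/deploy-manage/deploy/self-managed.md` is an unanchored page link; if the numbered steps live on that page, link to the step's heading anchor, and if they do not, drop the step number, because a reader landing on an overview page has no "Step 2" to find. The same applies to "Step 1" in the `@@ -617` hunk.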
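Review bot: the `@@ -617` hunk's context line "Open a web browser to the external IP address of the Kibana host machine: `https://:5601`" has nothing between `//` and `:5601`, so either a host placeholder was lost or the source never had one; please check the file and, if needed, write an explicit placeholder such as `https://KIBANA_HOST:5601` so the instruction is actionable. Not introduced by this change, but it sits in the same hunk and is cheap to fix alongside the link.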
