diff --git a/deploy-manage/security/secure-your-elastic-cloud-organization.md b/deploy-manage/security/secure-your-elastic-cloud-organization.md index 3d35179fea..97827bea9b 100644 --- a/deploy-manage/security/secure-your-elastic-cloud-organization.md +++ b/deploy-manage/security/secure-your-elastic-cloud-organization.md 
@@ -8,26 +8,32 @@ applies_to: # Secure your Elastic Cloud organization [ec-securing-considerations] -:::{warning} -**This page is a work in progress.** -::: +This section covers security settings for your {{ecloud}} organization, the platform for managing {{ech}} deployments and serverless projects. +**Managed by Elastic** -## TLS certificate management +As a managed service, Elastic automatically handles a [number of security features](https://www.elastic.co/cloud/security#details) with no configuration required: -TLS certificates apply security controls to network communications. They encrypt data in transit, verify the identity of connecting parties, and help prevent man-in-the-middle attacks. +- **TLS encrypted communication** is provided in the default configuration. Elasticsearch nodes communicate using TLS. +- **Encryption at rest**. By default, all of your {{ecloud}} resources are encrypted at rest. Note that you can choose to encrypt your {{ech}} deployments [using your own encryption key](/deploy-manage/security/encrypt-deployment-with-customer-managed-encryption-key.md). +- **Cluster isolation**. Elasticsearch nodes run in isolated containers, configured according to the principle of least privilege, and with restrictions on system calls and allowed root operations. -For your **{{ech}}** deployments and serverless projects hosted on {{ecloud}}, TLS certificates are managed automatically. +**Additional organization-level security settings** -## Access control +To reinforce the security of your organization, consider implementing the following measures: -Define which users can access your {{ecloud}} organization using the following methods: +- **Network security**. Control which systems can access your Elastic deployments and projects through traffic filtering and network controls: + - [**IP traffic filtering**](/deploy-manage/security/ip-traffic-filtering.md): Restrict access based on IP addresses or CIDR ranges. 
+ - [**Private link filters**](/deploy-manage/security/private-link-traffic-filters.md): Secure connectivity through AWS PrivateLink, Azure Private Link, or GCP Private Service Connect. + - [**Static IPs**](/deploy-manage/security/elastic-cloud-static-ips.md): Use static IP addresses for predictable firewall rules. +- **Access control** + - [**Organization-level SSO**](/deploy-manage/users-roles/cloud-organization/configure-saml-authentication.md). Note that for {{ech}} deployments, you can also configure SSO at the [deployment level](/deploy-manage/users-roles/cluster-or-deployment-auth.md). + - [**Cloud role-based access control**](/deploy-manage/users-roles/cloud-organization/manage-users.md): Define the roles of users who have access to your organization and its resources. Note that for {{ech}} deployments, you can also [manage non-cloud users and roles](/deploy-manage/users-roles/cluster-or-deployment-auth/defining-roles.md). + - [**Cloud API keys**](/deploy-manage/api-keys/elastic-cloud-api-keys.md): Manage API keys used for programmatic access to [{{ecloud}}](https://www.elastic.co/docs/api/doc/cloud/) and [{{ecloud}} serverless](https://www.elastic.co/docs/api/doc/elastic-cloud-serverless/) APIs. -- [SSO](/deploy-manage/users-roles/cloud-organization/configure-saml-authentication.md) -- [Role-based access control](/deploy-manage/users-roles/cloud-organization/manage-users.md) -- [Cloud API keys](/deploy-manage/api-keys/elastic-cloud-api-keys.md) -## Next step: secure your deployments and clusters +**Additional deployment-level security settings** + +While serverless projects are fully managed and secured by Elastic, additional security settings are available for you to configure individually for your {{ech}} deployments. Refer to [](secure-your-cluster-deployment.md) for more information. -This section covered security principles and options at the environment level. 
You can take further measures individually for each deployment or cluster that you're running on this environment. Refer to [](secure-your-cluster-deployment.md).
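Review bot: the TLS bullet drops a statement the old text made and the new text does not replace: the removed line "For your **{{ech}}** deployments and serverless projects hosted on {{ecloud}}, TLS certificates are managed automatically." is gone, while the new "**TLS encrypted communication**" item only says "Elasticsearch nodes communicate using TLS", which covers node-to-node traffic but no longer tells the reader that client-facing certificates for deployments and serverless projects are handled by Elastic; suggest folding that sentence back into the bullet. Two smaller points in the same hunk: the `## TLS certificate management`, `## Access control` and `## Next step` headings are replaced by bold paragraphs (`**Managed by Elastic**`, `**Additional organization-level security settings**`, `**Additional deployment-level security settings**`), which removes them from the page outline and any generated anchors, so consider keeping them as `##` headings; and the bold labels are punctuated inconsistently (`**Encryption at rest**.` and `**Network security**.` use a period, `**IP traffic filtering**:` and `**Cloud API keys**:` use a colon, `**Organization-level SSO**` has neither and no description), so pick one form for the list.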