Original file line number Diff line number Diff line change
@@ -12,7 +12,7 @@ If you already looked at the [Elasticsearch on ECK](elasticsearch-configuration.

* [Customize the Pod configuration](#k8s-kibana-pod-configuration)
* [Customize the product configuration](#k8s-kibana-configuration)
* [Manage HTTP settings](k8s-kibana-http-configuration.md)
* [Manage HTTP settings](/deploy-manage/security/secure-http-communications.md#k8s-kibana-http-configuration)
* [Use secure settings](k8s-kibana-secure-settings.md)
* [Install {{kib}} plugins](k8s-kibana-plugins.md)

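Review bot: the `Manage HTTP settings` entry now uses a root-absolute path (`/deploy-manage/security/secure-http-communications.md#k8s-kibana-http-configuration`) while its neighbours (`k8s-kibana-secure-settings.md`, `k8s-kibana-plugins.md`) stay relative; confirm the docs build resolves both link styles and that the `#k8s-kibana-http-configuration` anchor actually exists on the target page, since the standalone HTTP-settings page is removed in this change.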

This file was deleted.

8 changes: 4 additions & 4 deletions deploy-manage/deploy/cloud-on-k8s/kibana-configuration.md
@@ -22,11 +22,11 @@ The following sections describe how to customize a {{kib}} deployment to suit yo
* [Scaling out a {{kib}} deployment](k8s-kibana-advanced-configuration.md#k8s-kibana-scaling)

* [Secure settings](k8s-kibana-secure-settings.md)
* [HTTP Configuration](k8s-kibana-http-configuration.md)
* [HTTP Configuration](/deploy-manage/security/secure-http-communications.md#k8s-kibana-http-configuration)

* [Load balancer settings and TLS SANs](k8s-kibana-http-configuration.md#k8s-kibana-http-publish)
* [Provide your own certificate](k8s-kibana-http-configuration.md#k8s-kibana-http-custom-tls)
* [Disable TLS](k8s-kibana-http-configuration.md#k8s-kibana-http-disable-tls)
* [Load balancer settings and TLS SANs](/deploy-manage/security/secure-http-communications.md#k8s-kibana-http-publish)
* [Provide your own certificate](/deploy-manage/security/secure-http-communications.md#k8s-kibana-http-custom-tls)
* [Disable TLS](/deploy-manage/security/secure-http-communications.md#k8s-kibana-http-disable-tls)
* [Install {{kib}} plugins](k8s-kibana-plugins.md)

* [Autoscaling stateless applications](../../autoscaling/autoscaling-in-eck.md#k8s-stateless-autoscaling): Use [Horizontal Pod Autoscaler](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/) for {{kib}} or other stateless applications.
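Review bot: the three sub-entries under `HTTP Configuration` (`#k8s-kibana-http-publish`, `#k8s-kibana-http-custom-tls`, `#k8s-kibana-http-disable-tls`) now depend on those anchor ids surviving the move into `secure-http-communications.md`; a build-time link check should cover them. Since the old `k8s-kibana-http-configuration.md` path goes away, consider adding a redirect for it so existing bookmarks and external links to the Kibana TLS settings keep resolving.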
3 changes: 2 additions & 1 deletion deploy-manage/security/different-ca.md
@@ -1,11 +1,12 @@
---
applies_to:
self: ga
navigation_title: "With a different CA"
mapped_pages:
- https://www.elastic.co/guide/en/elasticsearch/reference/current/update-node-certs-different.html
---



# Different CA [update-node-certs-different]


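Review bot: the added `applies_to:` block puts `self: ga` directly under `applies_to`, while `install-stack-demo-secure.md` in the same change nests it as `applies_to: deployment: self: ga`; pick one shape for all three security pages touched here (this file, `same-ca.md`, `install-stack-demo-secure.md`) so the front matter is validated consistently. The extra blank lines before and after the `# Different CA [update-node-certs-different]` heading can also be trimmed.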
20 changes: 11 additions & 9 deletions deploy-manage/security/install-stack-demo-secure.md
@@ -2,6 +2,8 @@
applies_to:
deployment:
self: ga
mapped_urls:
- https://www.elastic.co/guide/en/elastic-stack/current/install-stack-demo-secure.html
---

# Tutorial: Securing a self-managed {{stack}} [install-stack-demo-secure]
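Review bot: this front matter uses `mapped_urls:` while `different-ca.md` and `same-ca.md` in the same change use `mapped_pages:` for the same kind of legacy-URL mapping; if the build recognises only one of those keys, the other page's mapping silently does nothing, so align the key across the three files.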
@@ -14,15 +16,15 @@ Since {{stack}} 8.0, security is enabled by default, meaning that traffic betwee

For traffic to be encrypted between {{es}} cluster nodes and between {{kib}} and {{es}}, SSL certificates must be created for the transport ({{es}} inter-node communication) and HTTP (for the {{es}} REST API) layers. Similarly, when setting up {{fleet-server}} you’ll generate and configure a new certificate bundle, and then {{elastic-agent}} uses the generated certificates to communicate with both {{fleet-server}} and {{es}}. The process to set things up is as follows:

* [Prerequisites and assumptions](secure-your-cluster-deployment.md#install-stack-demo-secure-prereqs)
* [Step 1: Generate a new self-signed CA certificate](secure-your-cluster-deployment.md#install-stack-demo-secure-ca)
* [Step 2: Generate a new certificate for the transport layer](secure-your-cluster-deployment.md#install-stack-demo-secure-transport)
* [Step 3: Generate new certificate(s) for the HTTP layer](secure-your-cluster-deployment.md#install-stack-demo-secure-http)
* [Step 4: Configure security on additional {{es}} nodes](secure-your-cluster-deployment.md#install-stack-demo-secure-second-node)
* [Step 5: Generate server-side and client-side certificates for {{kib}}](secure-your-cluster-deployment.md#install-stack-demo-secure-kib-es)
* [Step 6: Install {{fleet}} with SSL certificates configured](secure-your-cluster-deployment.md#install-stack-demo-secure-fleet)
* [Step 7: Install {{agent}}](secure-your-cluster-deployment.md#install-stack-demo-secure-agent)
* [Step 8: View your system data](secure-your-cluster-deployment.md#install-stack-demo-secure-view-data)
* [Prerequisites and assumptions](#install-stack-demo-secure-prereqs)
* [Step 1: Generate a new self-signed CA certificate](#install-stack-demo-secure-ca)
* [Step 2: Generate a new certificate for the transport layer](#install-stack-demo-secure-transport)
* [Step 3: Generate new certificate(s) for the HTTP layer](#install-stack-demo-secure-http)
* [Step 4: Configure security on additional {{es}} nodes](#install-stack-demo-secure-second-node)
* [Step 5: Generate server-side and client-side certificates for {{kib}}](#install-stack-demo-secure-kib-es)
* [Step 6: Install {{fleet}} with SSL certificates configured](#install-stack-demo-secure-fleet)
* [Step 7: Install {{agent}}](#install-stack-demo-secure-agent)
* [Step 8: View your system data](#install-stack-demo-secure-view-data)

It should take between one and two hours to complete these steps.

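Review bot: switching the step links from `secure-your-cluster-deployment.md#...` to in-page anchors (`#install-stack-demo-secure-ca` and so on) is the right choice for a table of contents, but it means all eight `install-stack-demo-secure-*` ids must be defined as heading anchors in this file; the hunk shows only the list, so please confirm the section headings below carry those ids. Minor: the context line says "SSL certificates" for the transport and HTTP layers where the surrounding pages say TLS.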
@@ -15,32 +15,40 @@ This page describes important aspects to consider and common end-to-end scenario

Security needs vary depending on whether you’re developing locally on your laptop or securing all communications in a production environment. Regardless of where you’re deploying the {{stack}} ("ELK"), running a secure cluster is incredibly important to protect your data. That’s why security is [enabled and configured by default](../deploy/self-managed/installing-elasticsearch.md) since {{es}} 8.0.

If you want to enable security on an existing, unsecured cluster, use your own Certificate Authority (CA), or would rather manually configure security, the following scenarios provide steps for configuring TLS on the transport layer, plus securing HTTPS traffic if you want it.
## Security principles

If you configure security manually *before* starting your {{es}} nodes, the auto-configuration process will respect your security configuration. You can adjust your TLS configuration at any time, such as [updating node certificates](updating-certificates.md).
### Run {{es}} with security enabled [security-run-with-security]

:::{image} ../../images/elasticsearch-reference-elastic-security-overview.png
:alt: Elastic Security layers
:::
Never run an {{es}} cluster without security enabled. This principle cannot be overstated. Running {{es}} without security leaves your cluster exposed to anyone who can send network traffic to {{es}}, permitting these individuals to download, modify, or delete any data in your cluster. [Start the {{stack}} with security enabled](/deploy-manage/security/security-certificates-keys.md) or [manually configure security](/deploy-manage/security/manually-configure-security-in-self-managed-cluster.md) to prevent unauthorized access to your clusters and ensure that internode communication is secure.

## Common security scenarios
### Run {{es}} with a dedicated non-root user [security-not-root-user]

Never try to run {{es}} as the `root` user, which would invalidate any defense strategy and permit a malicious user to do **anything** on your server. You must create a dedicated, unprivileged user to run {{es}}. By default, the `rpm`, `deb`, `docker`, and Windows packages of {{es}} contain an `elasticsearch` user with this scope.

### Protect {{es}} from public internet traffic [security-protect-cluster-traffic]

Even with security enabled, never expose {{es}} to public internet traffic. Using an application to sanitize requests to {{es}} still poses risks, such as a malicious user writing [`_search`](https://www.elastic.co/docs/api/doc/elasticsearch/group/endpoint-search) requests that could overwhelm an {{es}} cluster and bring it down. Keep {{es}} as isolated as possible, preferably behind a firewall and a VPN. Any internet-facing applications should run pre-canned aggregations, or not run aggregations at all.

While you absolutely shouldn’t expose {{es}} directly to the internet, you also shouldn’t expose {{es}} directly to users. Instead, use an intermediary application to make requests on behalf of users. This implementation allows you to track user behaviors, such as can submit requests, and to which specific nodes in the cluster. For example, you can implement an application that accepts a search term from a user and funnels it through a [`simple_query_string`](elasticsearch://reference/query-languages/query-dsl-simple-query-string-query.md) query.
### Implement role based access control [security-create-appropriate-users]

### Minimal security ({{es}} Development) [security-minimal-overview]
[Define roles](/deploy-manage/users-roles/cluster-or-deployment-auth/defining-roles.md) for your users and [assign appropriate privileges](/deploy-manage/users-roles/cluster-or-deployment-auth/elasticsearch-privileges.md) to ensure that users have access only to the resources that they need. This process determines whether the user behind an incoming request is allowed to run that request.

If you’ve been working with {{es}} and want to enable security on your existing, unsecured cluster, start here. You’ll set passwords for the built-in users to prevent unauthorized access to your local cluster, and also configure password authentication for {{kib}}.
## Common security scenarios

:::{image} ../../images/elasticsearch-reference-elastic-security-overview.png
:alt: Elastic Security layers
:::

### Minimal security ({{es}} Development) [security-minimal-overview]

::::{important}
The minimal security scenario is not sufficient for [production mode](../deploy/self-managed/bootstrap-checks.md#dev-vs-prod-mode) clusters. If your cluster has multiple nodes, you must enable minimal security and then [configure Transport Layer Security (TLS)](secure-cluster-communications.md) between nodes.
::::

If you’ve been working with {{es}} and want to enable security on your existing, unsecured cluster, start here. You’ll set passwords for the built-in users to prevent unauthorized access to your local cluster, and also configure password authentication for {{kib}}.

[Set up minimal security](set-up-minimal-security.md)


### Basic security ({{es}} + {{kib}}) [security-basic-overview]

This scenario configures TLS for communication between nodes. This security layer requires that nodes verify security certificates, which prevents unauthorized nodes from joining your {{es}} cluster.
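Review bot: two wording defects in the new `Security principles` text: "such as can submit requests, and to which specific nodes in the cluster" is missing its subject (should be "such as who can submit requests"), and `Implement role based access control` should be `role-based`. Also, the `simple_query_string` link uses the `elasticsearch://reference/...` scheme while every other link in this hunk is a root-relative `/deploy-manage/...` path; check that both forms are supported by the build, or make them consistent.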
@@ -49,7 +57,6 @@ Your external HTTP traffic between {{es}} and {{kib}} won’t be encrypted, but

[Set up basic security](secure-cluster-communications.md)


### Basic security plus secured HTTPS traffic ({{stack}}) [security-basic-https-overview]

This scenario builds on the one for basic security and secures all HTTP traffic with TLS. In addition to configuring TLS on the transport interface of your {{es}} cluster, you configure TLS on the HTTP interface for both {{es}} and {{kib}}.
@@ -58,13 +65,11 @@ This scenario builds on the one for basic security and secures all HTTP traffic
If you need mutual (bidirectional) TLS on the HTTP layer, then you’ll need to configure mutual authenticated encryption.
::::


You then configure {{kib}} and Beats to communicate with {{es}} using TLS so that all communications are encrypted. This level of security is strong, and ensures that any communications in and out of your cluster are secure.

[Set up basic security plus HTTPS traffic](secure-http-communications.md)



## Cases when security auto configuration is skipped [stack-skip-auto-configuration]

When you start {{es}} for the first time, the node startup process tries to automatically configure security for you. The process runs some checks to determine:
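Review bot: "configure mutual authenticated encryption" in the admonition should read "mutually authenticated TLS", and the admonition names no page for doing it; if a mutual TLS section exists, link it the same way the scenario links its setup page (`[Set up basic security plus HTTPS traffic](secure-http-communications.md)`) so readers who need client certificates are not left at a dead end.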
@@ -109,9 +114,3 @@ The following settings are incompatible with security auto configuration. If any
Exceptions are when `discovery.type` is set to `single-node`, or when `cluster.initial_master_nodes` exists but contains only the name of the current node.

::::






2 changes: 2 additions & 0 deletions deploy-manage/security/same-ca.md
@@ -1,4 +1,6 @@
---
applies_to:
self: ga
navigation_title: "With the same CA"
mapped_pages:
- https://www.elastic.co/guide/en/elasticsearch/reference/current/update-node-certs-same.html