Security

ECE ECK Elastic Cloud Hosted Self Managed Serverless

An Elastic implementation comprises many moving parts: Elasticsearch nodes forming the cluster, Kibana instances, additional stack components such as Logstash and Beats, and various clients and integrations, all communicating with your cluster.

To keep your data secured, Elastic offers security features that prevent bad actors from tampering with your data, and encrypt communications to, from, and within your cluster. Regardless of your deployment type, Elastic sets up certain security features for you automatically.

The availability and configurability of security features vary by deployment type. On every page, you'll see deployment type indicators that show which content applies to specific deployment types. Focus on sections tagged with your deployment type and look for subsections specifically addressing your deployment model. You can also review a comparison table showing feature availability and configurability by deployment type.

Note

As part of your overall security strategy, you can also do the following:

Elastic Cloud Hosted Serverless

Elastic Cloud has built-in security. For example, HTTPS communications between Elastic Cloud and the internet, as well as inter-node communications, are secured automatically, and cluster data is encrypted at rest.

In Elastic Cloud Hosted, you can augment these Security features in the following ways:

Elastic Cloud Hosted doesn't support custom SSL certificates, which means that a custom CNAME for an Elastic Cloud Hosted endpoint, such as mycluster.mycompanyname.com, is also not supported.

Note

Serverless projects are fully managed and secured by Elastic, and do not have any configurable Security features at the project level.

Refer to Elastic Cloud security for more details about Elastic security and privacy programs.

ECE ECK

When running Elastic Stack applications on Elastic Cloud Enterprise or Elastic Cloud on Kubernetes, you must also secure the orchestration layer responsible for deploying and managing your Elastic products.

Learn about securing the following components:

Tip

Elastic secures your Elastic Cloud orchestrator for you.

ECE ECK Elastic Cloud Hosted Self Managed

You can configure the following aspects of your Elastic cluster or deployment to maintain and enhance security:

  • Manage TLS certificates: TLS certificates apply security controls to network communications. Elastic uses TLS certificates to secure communications in two places:
    • The HTTP layer: Used for communication between your cluster or deployment and the internet.
    • The transport layer: Used mainly for inter-node communications, and in certain cases for cluster-to-cluster communication.
    • In self-managed Elasticsearch clusters, you can also configure Kibana and Elasticsearch to use mutual TLS.
  • Enable cipher suites for stronger encryption: The TLS and SSL protocols use a cipher suite that determines the strength of encryption used to protect the data. You may want to enable the use of additional cipher suites, so you can use different cipher suites for your TLS communications or communications with authentication providers.
  • Restrict connections using traffic filtering: Traffic filtering allows you to limit how your deployments can be accessed. Add another layer of security to your installation and deployments by restricting inbound traffic to only the sources that you trust. Restrict access based on IP addresses or CIDR ranges, or secure connectivity through AWS PrivateLink, Azure Private Link, or GCP Private Service Connect.
  • Allow or deny Elastic Cloud Hosted IP ranges: Elastic Cloud publishes a list of IP addresses used by its Elastic Cloud Hosted services for both incoming and outgoing traffic. Users can use these lists to configure their network firewalls as needed to allow or restrict traffic related to Elastic Cloud Hosted services.
  • Secure your settings: Some of the settings that you configure in Elastic are sensitive, such as passwords, and relying on file system permissions to protect these settings is insufficient. Learn how to configure secure settings in the Elasticsearch keystore or Kibana keystore.

  • Secure saved objects: Kibana stores entities such as dashboards, visualizations, alerts, actions, and advanced settings as saved objects, which are kept in a dedicated, internal Elasticsearch index. If such an object includes sensitive information, for example a PagerDuty integration key or email server credentials used by the alert action, Kibana encrypts it and makes sure it cannot be accidentally leaked or tampered with. You can configure and rotate the saved object encryption key for additional security.

  • Encrypt data at rest: By default, Elastic Cloud already encrypts your Elastic Cloud Hosted deployment data, Serverless project data, and snapshots at rest. If you’re using ECH, then you can reinforce this mechanism by providing your own encryption key, also known as Bring Your Own Key (BYOK).

    Note

    Other deployment types don’t implement encryption at rest out of the box. For self-managed clusters, to implement encryption at rest, the hosts running the cluster must be configured with disk-level encryption, such as dm-crypt. In addition, snapshot targets must ensure that data is encrypted at rest as well.

    Configuring dm-crypt or similar technologies is outside the scope of this documentation, and issues related to disk encryption are outside the scope of support.

Manage Kibana sessions to control the timeout and lifespan of logged-in sessions to Kibana, as well as the number of concurrent sessions each user can have.

Audit logging is a powerful feature that helps you monitor and track security-related events within the Elastic Stack. By enabling audit logs, you can gain visibility into authentication attempts, authorization decisions, and other system activity.

Audit logging also provides forensic evidence in the event of an attack, and can be enabled independently for Elasticsearch and Kibana.

Learn how to enable audit logging.
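
As an added illustration (not part of Elastic's documentation), the following Python example tallies failed authentication attempts and denied authorization decisions per source address from Elasticsearch JSON audit log lines. The sample lines are constructed, and the threshold of three failures is an arbitrary assumption.

```python
import json
from collections import Counter

# Constructed sample lines modelled on Elasticsearch's JSON audit log.
# Addresses come from documentation ranges; user names are made up.
SAMPLE_AUDIT_LOG = """\
{"type":"audit","event.type":"rest","event.action":"authentication_failed","origin.address":"203.0.113.7:50112","user.name":"elastic"}
{"type":"audit","event.type":"rest","event.action":"authentication_failed","origin.address":"203.0.113.7:50113","user.name":"elastic"}
{"type":"audit","event.type":"rest","event.action":"authentication_success","origin.address":"198.51.100.20:41000","user.name":"analyst"}
{"type":"audit","event.type":"transport","event.action":"access_denied","origin.address":"198.51.100.20:41000","user.name":"analyst"}
{"type":"audit","event.type":"rest","event.action":"authentication_failed","origin.address":"203.0.113.7:50114","user.name":"admin"}
{"type":"audit","event.type":"rest","event.action":"authentication_failed","origin.address":"[2001:db8::5]:44321","user.name":"elastic"}
this line is truncated or not JSON
"""

FAILURE_ACTIONS = {"authentication_failed", "access_denied"}


def origin_host(address):
    """Strip the port from 'host:port' or '[ipv6]:port'."""
    if address.startswith("[") and "]" in address:
        return address[1:address.index("]")]
    return address.rsplit(":", 1)[0]


def summarize(log_text, threshold=3):
    """Return (counts, flagged): counts maps (host, action) to occurrences,
    flagged lists hosts with at least `threshold` authentication failures."""
    counts = Counter()
    for line in log_text.splitlines():
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip blank, truncated or non-JSON lines
        if not isinstance(event, dict) or event.get("type") != "audit":
            continue
        action = event.get("event.action")
        if action in FAILURE_ACTIONS:
            host = origin_host(event.get("origin.address", "unknown"))
            counts[(host, action)] += 1
    flagged = sorted(host for (host, action), n in counts.items()
                     if action == "authentication_failed" and n >= threshold)
    return counts, flagged


if __name__ == "__main__":
    counts, flagged = summarize(SAMPLE_AUDIT_LOG)
    for (host, action), n in sorted(counts.items()):
        print(f"{host:15} {action:22} {n}")
    print("origins at or over threshold:", flagged)
```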

Security feature availability varies by deployment type, with each feature having one of the following statuses:

| Status | Description |
|---|---|
| Managed | Handled automatically by Elastic with no user configuration needed |
| Configurable | Built-in feature that needs your configuration (like IP filters or passwords) |
| Self-managed | Infrastructure-level security you implement and maintain |
| N/A | Not available for this deployment type |

Select your deployment type below to see what's available and how implementation responsibilities are distributed:

| Category | Security feature | Status | Description |
|---|---|---|---|
| Communication | TLS (HTTP Layer) | Managed | Automatically configured by Elastic |
| Communication | TLS (Transport Layer) | Managed | Automatically configured by Elastic |
| Network | IP traffic filtering | Configurable | Configure IP-based access restrictions |
| Network | Private link | Configurable | Establish secure VPC connection |
| Network | Static IPs | Configurable | Enable fixed IP addresses |
| Data | Encryption at rest | Managed | Automatically encrypted by Elastic |
| Data | Bring your own encryption key | Configurable | Implement customer-provided keys |
| Data | Keystore security | Managed | Automatically protected by Elastic |
| Data | Saved object encryption | Managed | Automatically encrypted by Elastic |
| User Session | Kibana Sessions | Configurable | Customize session parameters |

| Category | Security feature | Status | Description |
|---|---|---|---|
| Communication | TLS (HTTP Layer) | Managed | Automatically configured by Elastic |
| Communication | TLS (Transport Layer) | Managed | Automatically configured by Elastic |
| Network | IP traffic filtering | Configurable | Configure IP-based access restrictions |
| Network | Private link | N/A | X |
| Network | Static IPs | Configurable | Enable fixed IP addresses |
| Data | Encryption at rest | Managed | Automatically encrypted by Elastic |
| Data | Bring your own encryption key | N/A | X |
| Data | Keystore security | Managed | Automatically protected by Elastic |
| Data | Saved object encryption | Managed | Automatically encrypted by Elastic |
| User Session | Kibana Sessions | Managed | Automatically configured by Elastic |

| Category | Security feature | Status | Description |
|---|---|---|---|
| Communication | TLS (HTTP Layer) | Configurable | Configure custom certificates |
| Communication | TLS (Transport Layer) | Managed | Automatically configured by Elastic |
| Network | IP traffic filtering | Configurable | Configure IP-based access restrictions |
| Network | Private link | N/A | X |
| Network | Static IPs | N/A | X |
| Data | Encryption at rest | Self-managed | Implement at infrastructure level |
| Data | Bring your own encryption key | N/A | X |
| Data | Keystore security | Configurable | Configure secure settings storage |
| Data | Saved object encryption | Configurable | Enable encryption for saved objects |
| User Session | Kibana Sessions | Configurable | Customize session parameters |

| Category | Security feature | Status | Description |
|---|---|---|---|
| Communication | TLS (HTTP Layer) | Self-managed | Implement and maintain certificates |
| Communication | TLS (Transport Layer) | Self-managed | Implement and maintain certificates |
| Network | IP traffic filtering | Configurable | Configure IP-based access restrictions |
| Network | Private link | N/A | X |
| Network | Static IPs | N/A | X |
| Data | Encryption at rest | Self-managed | Implement at infrastructure level |
| Data | Bring your own encryption key | N/A | X |
| Data | Keystore security | Configurable | Configure secure settings storage |
| Data | Saved object encryption | Configurable | Enable encryption for saved objects |
| User Session | Kibana Sessions | Configurable | Customize session parameters |

The Elasticsearch security features enable you to secure your Elasticsearch cluster. However, for a complete security strategy, you must secure other applications in the Elastic Stack, as well as communications between Elasticsearch and other Elastic Stack components.

Review security topics for other Elastic Stack components.

If you use HTTP clients or integrations to communicate with Elasticsearch, then you also need to secure communications between the clients or integrations and Elasticsearch.

There are security limitations that apply to the usage of some Elasticsearch features or resources. Depending on your organization's security requirements, you might want to restrict, adjust, or find workarounds or alternatives for some of these features and resources.

Review Elasticsearch security limitations.