Secure your cluster or deployment
ECE ECK Elastic Cloud Hosted Self Managed
It's important to protect your Elasticsearch cluster and the data it contains. Implementing a defense in depth strategy provides multiple layers of security to help safeguard your system.
As part of your overall security strategy, you can also do the following:
- Prevent unauthorized access with password protection and role-based access control.
- Control access to dashboards and other saved objects in your UI using Spaces.
- Connect a local cluster to a remote cluster to enable cross-cluster replication and cross-cluster search.
- Manage API keys used for programmatic access to Elastic.
- Never run an Elasticsearch cluster without security enabled. This principle cannot be overstated. Running Elasticsearch without security leaves your cluster exposed to anyone who can send network traffic to Elasticsearch, permitting these individuals to download, modify, or delete any data in your cluster.
- Never try to run Elasticsearch as the `root` user, which would invalidate any defense strategy and permit a malicious user to do anything on your server. You must create a dedicated, unprivileged user to run Elasticsearch. By default, the `rpm`, `deb`, `docker`, and Windows packages of Elasticsearch contain an `elasticsearch` user with this scope.
You must secure other Elastic Stack components, as well as client and integration communications, separately.
You can configure the following aspects of your Elastic cluster or deployment to maintain and enhance security:
- Manage TLS certificates: TLS certificates apply security controls to network communications. Elastic uses TLS certificates to secure communications in two places:
- The HTTP layer: Used for communication between your cluster or deployment and the internet.
- The transport layer: Used mainly for inter-node communications, and in certain cases for cluster to cluster communication.
- In self-managed Elasticsearch clusters, you can also configure Kibana and Elasticsearch to use mutual TLS.
- Enable cipher suites for stronger encryption: The TLS and SSL protocols use a cipher suite that determines the strength of encryption used to protect the data. You may want to enable the use of additional cipher suites, so you can use different cipher suites for your TLS communications or communications with authentication providers.
- Restrict connections using traffic filtering: Traffic filtering allows you to limit how your deployments can be accessed. Add another layer of security to your installation and deployments by restricting inbound traffic to only the sources that you trust. Restrict access based on IP addresses or CIDR ranges, or secure connectivity through AWS PrivateLink, Azure Private Link, or GCP Private Service Connect.
- Allow or deny Elastic Cloud Hosted IP ranges: Elastic Cloud publishes a list of IP addresses used by its Elastic Cloud Hosted services for both incoming and outgoing traffic. Users can use these lists to configure their network firewalls as needed to allow or restrict traffic related to Elastic Cloud Hosted services.
- Secure your settings: Some of the settings that you configure in Elastic are sensitive, such as passwords, and relying on file system permissions to protect these settings is insufficient. Learn how to configure secure settings in the Elasticsearch keystore or Kibana keystore.
- Secure saved objects: Kibana stores entities such as dashboards, visualizations, alerts, actions, and advanced settings as saved objects, which are kept in a dedicated, internal Elasticsearch index. If such an object includes sensitive information, for example a PagerDuty integration key or email server credentials used by the alert action, Kibana encrypts it and makes sure it cannot be accidentally leaked or tampered with. You can configure and rotate the saved object encryption key for additional security.
- Encrypt data at rest: By default, Elastic Cloud already encrypts your Elastic Cloud Hosted deployment data, Serverless project data, and snapshots at rest. If you’re using ECH, then you can reinforce this mechanism by providing your own encryption key, also known as Bring Your Own Key (BYOK).
  Note: Other deployment types don’t implement encryption at rest out of the box. For self-managed clusters, to implement encryption at rest, the hosts running the cluster must be configured with disk-level encryption, such as `dm-crypt`. In addition, snapshot targets must ensure that data is encrypted at rest as well. Configuring `dm-crypt` or similar technologies is outside the scope of this documentation, and issues related to disk encryption are outside the scope of support.
- Manage Kibana sessions to control the timeout and lifespan of logged-in sessions to Kibana, as well as the number of concurrent sessions each user can have.
Audit logging is a powerful feature that helps you monitor and track security-related events within the Elastic Stack. By enabling audit logs, you can gain visibility into authentication attempts, authorization decisions, and other system activity.
Audit logging also provides forensic evidence in the event of an attack, and can be enabled independently for Elasticsearch and Kibana.
Learn how to enable audit logging.
Since Elasticsearch 8.0, security is enabled and configured by default. However, security auto configuration might be skipped in certain scenarios. In these cases, you can manually configure security.
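On a self-managed node where auto configuration was skipped, the points above (security enabled, TLS on the HTTP and transport layers, secrets kept in the keystore, audit logging) can be checked against `elasticsearch.yml`. The following Python sketch is an added example, not part of Elastic's documentation or tooling; it assumes flat dotted keys and 8.x defaults for absent settings, and the sample file is constructed.

```python
import re

# key -> (default assumed for 8.x when the key is absent, finding if not "true")
CHECKS = {
    "xpack.security.enabled": ("true", "security features are disabled"),
    "xpack.security.http.ssl.enabled": ("false", "HTTP layer is not using TLS"),
    "xpack.security.transport.ssl.enabled": ("false", "transport layer is not using TLS"),
    "xpack.security.audit.enabled": ("false", "audit logging is off"),
}
# Secrets written in the file instead of the keystore (secure_* names live in the keystore).
PLAINTEXT_SECRET = re.compile(r"(?<!secure_)(password|key_passphrase)$")

def parse_flat_yaml(text):
    """Parse 'dotted.key: value' lines only; nested YAML is not handled (assumption)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(" #", 1)[0].strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip("\"'")
    return settings

def audit(text):
    """Return (setting, finding) pairs for a node's elasticsearch.yml content."""
    cfg = parse_flat_yaml(text)
    findings = [(key, problem) for key, (default, problem) in CHECKS.items()
                if cfg.get(key, default).lower() != "true"]
    findings += [(key, "plaintext secret in file; move it to the keystore")
                 for key in cfg if PLAINTEXT_SECRET.search(key)]
    return findings

# Constructed sample, not taken from a real cluster.
SAMPLE = """\
cluster.name: demo
xpack.security.enabled: false
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: http.p12
xpack.security.http.ssl.keystore.password: changeme
xpack.security.transport.ssl.enabled: true
"""

if __name__ == "__main__":
    for setting, finding in audit(SAMPLE):
        print(f"{setting}: {finding}")
```

An empty result only means these four settings and the secret-name check passed; it does not cover roles, traffic filters, or other Elastic Stack components.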
ECK Self Managed
The Federal Information Processing Standard (FIPS) Publication 140-2 (FIPS PUB 140-2), titled "Security Requirements for Cryptographic Modules", is a U.S. government computer security standard used to approve cryptographic modules. You can run a self-managed cluster or Elastic Cloud on Kubernetes cluster in FIPS-compliant mode:
Security feature availability varies by deployment type, with each feature having one of the following statuses:
Status | Description |
---|---|
Managed | Handled automatically by Elastic with no user configuration needed |
Configurable | Built-in feature that needs your configuration (like IP filters or passwords) |
Self-managed | Infrastructure-level security you implement and maintain |
N/A | Not available for this deployment type |
Select your deployment type below to see what's available and how implementation responsibilities are distributed:
Category | Security feature | Status | Description |
---|---|---|---|
Communication | TLS (HTTP Layer) | Managed | Automatically configured by Elastic |
Communication | TLS (Transport Layer) | Managed | Automatically configured by Elastic |
Network | IP traffic filtering | Configurable | Configure IP-based access restrictions |
Network | Private link | Configurable | Establish secure VPC connection |
Network | Static IPs | Configurable | Enable fixed IP addresses |
Data | Encryption at rest | Managed | Automatically encrypted by Elastic |
Data | Bring your own encryption key | Configurable | Implement customer-provided keys |
Data | Keystore security | Managed | Automatically protected by Elastic |
Data | Saved object encryption | Managed | Automatically encrypted by Elastic |
User Session | Kibana Sessions | Configurable | Customize session parameters |
Category | Security feature | Status | Description |
---|---|---|---|
Communication | TLS (HTTP Layer) | Managed | Automatically configured by Elastic |
Communication | TLS (Transport Layer) | Managed | Automatically configured by Elastic |
Network | IP traffic filtering | Configurable | Configure IP-based access restrictions |
Network | Private link | N/A | X |
Network | Static IPs | Configurable | Enable fixed IP addresses |
Data | Encryption at rest | Managed | Automatically encrypted by Elastic |
Data | Bring your own encryption key | N/A | X |
Data | Keystore security | Managed | Automatically protected by Elastic |
Data | Saved object encryption | Managed | Automatically encrypted by Elastic |
User Session | Kibana Sessions | Managed | Automatically configured by Elastic |
Category | Security feature | Status | Description |
---|---|---|---|
Communication | TLS (HTTP Layer) | Configurable | Configure custom certificates |
Communication | TLS (Transport Layer) | Managed | Automatically configured by Elastic |
Network | IP traffic filtering | Configurable | Configure IP-based access restrictions |
Network | Private link | N/A | X |
Network | Static IPs | N/A | X |
Data | Encryption at rest | Self-managed | Implement at infrastructure level |
Data | Bring your own encryption key | N/A | X |
Data | Keystore security | Configurable | Configure secure settings storage |
Data | Saved object encryption | Configurable | Enable encryption for saved objects |
User Session | Kibana Sessions | Configurable | Customize session parameters |
Category | Security feature | Status | Description |
---|---|---|---|
Communication | TLS (HTTP Layer) | Self-managed | Implement and maintain certificates |
Communication | TLS (Transport Layer) | Self-managed | Implement and maintain certificates |
Network | IP traffic filtering | Configurable | Configure IP-based access restrictions |
Network | Private link | N/A | X |
Network | Static IPs | N/A | X |
Data | Encryption at rest | Self-managed | Implement at infrastructure level |
Data | Bring your own encryption key | N/A | X |
Data | Keystore security | Configurable | Configure secure settings storage |
Data | Saved object encryption | Configurable | Enable encryption for saved objects |
User Session | Kibana Sessions | Configurable | Customize session parameters |