From a27e4c93ac7ab72e794803a33c18ae7ead844b68 Mon Sep 17 00:00:00 2001 From: Liam Thompson Date: Fri, 7 Mar 2025 12:37:12 +0100 Subject: [PATCH 1/7] Add deploy-managed security landing page --- deploy-manage/security.md | 131 +++++++++++++++++++++++++++++++++----- 1 file changed, 116 insertions(+), 15 deletions(-) diff --git a/deploy-manage/security.md b/deploy-manage/security.md index b085b550c1..eadcfca500 100644 --- a/deploy-manage/security.md +++ b/deploy-manage/security.md @@ -1,4 +1,7 @@ --- +applies_to: + deployment: all + serverless: ga mapped_urls: - https://www.elastic.co/guide/en/elasticsearch/reference/current/security-files.html - https://www.elastic.co/guide/en/elasticsearch/reference/current/secure-cluster.html @@ -12,8 +15,6 @@ mapped_urls: - https://www.elastic.co/guide/en/cloud/current/ec-faq-technical.html --- -# Security - % SR: include this info somewhere in this section % {{ech}} doesn't support custom SSL certificates, which means that a custom CNAME for an {{ech}} endpoint such as *mycluster.mycompanyname.com* also is not supported. % @@ -22,7 +23,7 @@ mapped_urls: % encryption at rest (EAR) is enabled in {{ech}} by default. We support EAR for both the data stored in your clusters and the snapshots we take for backup, on all cloud platforms and across all regions. % You can also bring your own key (BYOK) to encrypt your Elastic Cloud deployment data and snapshots. For more information, check [Encrypt your deployment with a customer-managed encryption key](../../../deploy-manage/security/encrypt-deployment-with-customer-managed-encryption-key.md). -Note that the encryption happens at the file system level. +% Note that the encryption happens at the file system level. % What needs to be done: Refine 
@@ -54,15 +55,115 @@ $$$preserving-data-integrity$$$ $$$maintaining-audit-trail$$$ -**This page is a work in progress.** The documentation team is working to combine content pulled from the following pages: - -* [/raw-migrated-files/elasticsearch/elasticsearch-reference/security-files.md](/raw-migrated-files/elasticsearch/elasticsearch-reference/security-files.md) -* [/raw-migrated-files/elasticsearch/elasticsearch-reference/secure-cluster.md](/raw-migrated-files/elasticsearch/elasticsearch-reference/secure-cluster.md) -* [/raw-migrated-files/kibana/kibana/xpack-security.md](/raw-migrated-files/kibana/kibana/xpack-security.md) -* [/raw-migrated-files/cloud-on-k8s/cloud-on-k8s/k8s-securing-stack.md](/raw-migrated-files/cloud-on-k8s/cloud-on-k8s/k8s-securing-stack.md) -* [/raw-migrated-files/cloud/cloud-enterprise/ece-securing-ece.md](/raw-migrated-files/cloud/cloud-enterprise/ece-securing-ece.md) -* [/raw-migrated-files/cloud/cloud-heroku/ech-security.md](/raw-migrated-files/cloud/cloud-heroku/ech-security.md) -* [/raw-migrated-files/kibana/kibana/using-kibana-with-security.md](/raw-migrated-files/kibana/kibana/using-kibana-with-security.md) -* [/raw-migrated-files/elasticsearch/elasticsearch-reference/security-limitations.md](/raw-migrated-files/elasticsearch/elasticsearch-reference/security-limitations.md) -* [/raw-migrated-files/elasticsearch/elasticsearch-reference/es-security-principles.md](/raw-migrated-files/elasticsearch/elasticsearch-reference/es-security-principles.md) -* [/raw-migrated-files/cloud/cloud/ec-faq-technical.md](/raw-migrated-files/cloud/cloud/ec-faq-technical.md) \ No newline at end of file +:::{warning} +**This page is a work in progress.** +::: + + +% The documentation team is working to combine content pulled from the following pages: + +% * [/raw-migrated-files/elasticsearch/elasticsearch-reference/security-files.md](/raw-migrated-files/elasticsearch/elasticsearch-reference/security-files.md) +% * 
[/raw-migrated-files/elasticsearch/elasticsearch-reference/secure-cluster.md](/raw-migrated-files/elasticsearch/elasticsearch-reference/secure-cluster.md) +% * [/raw-migrated-files/kibana/kibana/xpack-security.md](/raw-migrated-files/kibana/kibana/xpack-security.md) +% * [/raw-migrated-files/cloud-on-k8s/cloud-on-k8s/k8s-securing-stack.md](/raw-migrated-files/cloud-on-k8s/cloud-on-k8s/k8s-securing-stack.md) +% * [/raw-migrated-files/cloud/cloud-enterprise/ece-securing-ece.md](/raw-migrated-files/cloud/cloud-enterprise/ece-securing-ece.md) +% * [/raw-migrated-files/cloud/cloud-heroku/ech-security.md](/raw-migrated-files/cloud/cloud-heroku/ech-security.md) +% * [/raw-migrated-files/kibana/kibana/using-kibana-with-security.md](/raw-migrated-files/kibana/kibana/using-kibana-with-security.md) +% * [/raw-migrated-files/elasticsearch/elasticsearch-reference/security-limitations.md](/raw-migrated-files/elasticsearch/elasticsearch-reference/security-limitations.md) +% * [/raw-migrated-files/elasticsearch/elasticsearch-reference/es-security-principles.md](/raw-migrated-files/elasticsearch/elasticsearch-reference/es-security-principles.md) +% * [/raw-migrated-files/cloud/cloud/ec-faq-technical.md](/raw-migrated-files/cloud/cloud/ec-faq-technical.md) + +# Security + +This section covers how to secure your Elastic Stack at the infrastructure and communication levels. Learn how to implement TLS encryption, network security controls, and data protection measures. + +## Security overview + +An Elastic implementation comprises many moving parts: {es} nodes forming the cluster, {kib} instances, additional stack components such as Logstash and Beats, and various clients and integrations communicating with your deployment. 
+ +To keep your data secured, Elastic offers comprehensive security features that: +- Prevent unauthorized access to your deployment +- Encrypt communications between components +- Protect data at rest +- Secure configuration settings and saved objects + +Different deployment types have different security requirements and capabilities. Some security features are managed automatically, while others require manual configuration depending on your deployment type. + +::::{tip} +See the [Deployment overview](/deploy-manage/deploy.md) to understand your options for deploying Elastic. +:::: + +### Security by deployment type + +#### Communication security + +| **Security Feature** | Serverless | Elastic Cloud | ECE | ECK | Self-managed | +|------------------|------------|--------------|-----|-----|--------------| +| **TLS (HTTP Layer)** | ✓ Managed | ✓ Managed | ✓ Configurable | ✓ Configurable | ✓ Manual | +| **TLS (Transport Layer)** | ✓ Managed | ✓ Managed | ✓ Managed | ✓ Managed | ✓ Manual | + +#### Network security + +| **Security Feature** | Serverless | Elastic Cloud | ECE | ECK | Self-managed | +|------------------|------------|--------------|-----|-----|--------------| +| **IP Traffic Filtering** | ✓ Available | ✓ Available | ✓ Available | ✓ Available | ✓ Available | +| **Private Link** | ✗ N/A | ✓ Available | ✗ N/A | ✗ N/A | ✗ N/A | +| **Static IPs** | ✓ Available | ✓ Available | ✗ N/A | ✗ N/A | ✗ N/A | + +#### Data security + +| **Security Feature** | Serverless | Elastic Cloud | ECE | ECK | Self-managed | +|------------------|------------|--------------|-----|-----|--------------| +| **Encryption at Rest** | ✓ Default | ✓ Default | ✗ Manual | ✗ Manual | ✗ Manual | +| **BYOK/CMEK** | ✗ N/A | ✓ Available | ✗ N/A | ✗ N/A | ✗ N/A | +| **Keystore Security** | ✓ Available | ✓ Available | ✓ Available | ✓ Available | ✓ Available | +| **Saved Object Encryption** | ✓ Available | ✓ Available | ✓ Available | ✓ Available | ✓ Available | + +#### User session security + +| 
**Security Feature** | Serverless | Elastic Cloud | ECE | ECK | Self-managed | +|------------------|------------|--------------|-----|-----|--------------| +| **Kibana Sessions** | ✓ Managed | ✓ Configurable | ✓ Configurable | ✓ Configurable | ✓ Configurable | + +### Using this documentation + +Throughout this security documentation, you'll see deployment type indicators that show which content applies to specific deployment types. Each section clearly identifies which deployment types it applies to, and deployment-specific details are separated within each topic. + +To get the most relevant information for your environment, focus on sections tagged with your deployment type and look for subsections specifically addressing your deployment model. + +## Security topics + +This security documentation is organized into four main areas: + +% TODO: Add links to the sections below + +### 1. Secure your hosting environment + +The security of your hosting environment forms the foundation of your overall security posture. This section covers environment-specific security controls: + +- **Self-managed environments**: TLS certificates, HTTPS configuration +- **Elastic Cloud Enterprise**: TLS certificates, Cloud RBAC +- **Elastic Cloud Hosted and Serverless**: Organization-level SSO, role-based access control, and cloud API keys + +### 2. Secure your deployments and clusters + +Protect your deployments with features available across all deployment types: + +- **Authentication and access controls**: User management, authentication protocols, and traffic filtering +- **Data protection**: Encryption, sensitive settings, and document-level security +- **Monitoring and compliance**: Audit logging and security best practices + +### 3. 
Secure your user accounts + +Individual user security helps prevent unauthorized access: + +- **Multi-factor authentication**: Add an extra layer of security to your login process +- **API key management**: Secure programmatic access to Elastic resources + +### 4. Secure your clients and integrations + +Ensure secure communication between your applications and Elastic: + +- **Client security**: Best practices for securely connecting applications to {es} +- **Integration security**: Secure configuration for Beats, Logstash, and other integrations + From 9f48d07f284b802434e4e41ca8aef7c5353ff0d4 Mon Sep 17 00:00:00 2001 From: Liam Thompson Date: Fri, 7 Mar 2025 12:42:04 +0100 Subject: [PATCH 2/7] sentence case heading --- deploy-manage/security.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/deploy-manage/security.md b/deploy-manage/security.md index eadcfca500..6a6f564130 100644 --- a/deploy-manage/security.md +++ b/deploy-manage/security.md @@ -97,14 +97,14 @@ See the [Deployment overview](/deploy-manage/deploy.md) to understand your optio #### Communication security -| **Security Feature** | Serverless | Elastic Cloud | ECE | ECK | Self-managed | +| **Security feature** | Serverless | Elastic Cloud | ECE | ECK | Self-managed | |------------------|------------|--------------|-----|-----|--------------| | **TLS (HTTP Layer)** | ✓ Managed | ✓ Managed | ✓ Configurable | ✓ Configurable | ✓ Manual | | **TLS (Transport Layer)** | ✓ Managed | ✓ Managed | ✓ Managed | ✓ Managed | ✓ Manual | #### Network security -| **Security Feature** | Serverless | Elastic Cloud | ECE | ECK | Self-managed | +| **Security feature** | Serverless | Elastic Cloud | ECE | ECK | Self-managed | |------------------|------------|--------------|-----|-----|--------------| | **IP Traffic Filtering** | ✓ Available | ✓ Available | ✓ Available | ✓ Available | ✓ Available | | **Private Link** | ✗ N/A | ✓ Available | ✗ N/A | ✗ N/A | ✗ N/A | 
@@ -112,7 +112,7 @@ See the [Deployment overview](/deploy-manage/deploy.md) to understand your optio #### Data security -| **Security Feature** | Serverless | Elastic Cloud | ECE | ECK | Self-managed | +| **Security feature** | Serverless | Elastic Cloud | ECE | ECK | Self-managed | |------------------|------------|--------------|-----|-----|--------------| | **Encryption at Rest** | ✓ Default | ✓ Default | ✗ Manual | ✗ Manual | ✗ Manual | | **BYOK/CMEK** | ✗ N/A | ✓ Available | ✗ N/A | ✗ N/A | ✗ N/A | @@ -121,7 +121,7 @@ See the [Deployment overview](/deploy-manage/deploy.md) to understand your optio #### User session security -| **Security Feature** | Serverless | Elastic Cloud | ECE | ECK | Self-managed | +| **Security feature** | Serverless | Elastic Cloud | ECE | ECK | Self-managed | |------------------|------------|--------------|-----|-----|--------------| | **Kibana Sessions** | ✓ Managed | ✓ Configurable | ✓ Configurable | ✓ Configurable | ✓ Configurable | From 8368e3391ff0b0071a8c68c979aa6f87adef2ff9 Mon Sep 17 00:00:00 2001 From: Liam Thompson <32779855+leemthompo@users.noreply.github.com> Date: Mon, 10 Mar 2025 11:00:28 +0100 Subject: [PATCH 3/7] Apply fixes from code review Co-authored-by: florent-leborgne --- deploy-manage/security.md | 17 ++++++++--------- 1 file changed, 8 insertions(+), 9 deletions(-) diff --git a/deploy-manage/security.md b/deploy-manage/security.md index 6a6f564130..5b2511a047 100644 --- a/deploy-manage/security.md +++ b/deploy-manage/security.md @@ -75,7 +75,7 @@ $$$maintaining-audit-trail$$$ # Security -This section covers how to secure your Elastic Stack at the infrastructure and communication levels. Learn how to implement TLS encryption, network security controls, and data protection measures. +This section covers how to secure your Elastic environment. Learn how to implement TLS encryption, network security controls, and data protection measures. ## Security overview 
@@ -85,7 +85,7 @@ To keep your data secured, Elastic offers comprehensive security features that: - Prevent unauthorized access to your deployment - Encrypt communications between components - Protect data at rest -- Secure configuration settings and saved objects +- Secure sensitive settings and saved objects Different deployment types have different security requirements and capabilities. Some security features are managed automatically, while others require manual configuration depending on your deployment type. @@ -97,14 +97,14 @@ See the [Deployment overview](/deploy-manage/deploy.md) to understand your optio #### Communication security -| **Security feature** | Serverless | Elastic Cloud | ECE | ECK | Self-managed | +| **Security feature** | Serverless | Elastic Cloud Hosted | ECE | ECK | Self-managed | |------------------|------------|--------------|-----|-----|--------------| | **TLS (HTTP Layer)** | ✓ Managed | ✓ Managed | ✓ Configurable | ✓ Configurable | ✓ Manual | | **TLS (Transport Layer)** | ✓ Managed | ✓ Managed | ✓ Managed | ✓ Managed | ✓ Manual | #### Network security -| **Security feature** | Serverless | Elastic Cloud | ECE | ECK | Self-managed | +| **Security feature** | Serverless | Elastic Cloud Hosted | ECE | ECK | Self-managed | |------------------|------------|--------------|-----|-----|--------------| | **IP Traffic Filtering** | ✓ Available | ✓ Available | ✓ Available | ✓ Available | ✓ Available | | **Private Link** | ✗ N/A | ✓ Available | ✗ N/A | ✗ N/A | ✗ N/A | 
@@ -112,7 +112,7 @@ See the [Deployment overview](/deploy-manage/deploy.md) to understand your optio #### Data security -| **Security feature** | Serverless | Elastic Cloud | ECE | ECK | Self-managed | +| **Security feature** | Serverless | Elastic Cloud Hosted | ECE | ECK | Self-managed | |------------------|------------|--------------|-----|-----|--------------| | **Encryption at Rest** | ✓ Default | ✓ Default | ✗ Manual | ✗ Manual | ✗ Manual | | **BYOK/CMEK** | ✗ N/A | ✓ Available | ✗ N/A | ✗ N/A | ✗ N/A | @@ -141,15 +141,15 @@ This security documentation is organized into four main areas: The security of your hosting environment forms the foundation of your overall security posture. This section covers environment-specific security controls: -- **Self-managed environments**: TLS certificates, HTTPS configuration -- **Elastic Cloud Enterprise**: TLS certificates, Cloud RBAC - **Elastic Cloud Hosted and Serverless**: Organization-level SSO, role-based access control, and cloud API keys +- **Elastic Cloud Enterprise**: TLS certificates, role-based access control, and cloud API keys +- **Self-managed environments**: TLS certificates, HTTPS configuration ### 2. Secure your deployments and clusters Protect your deployments with features available across all deployment types: -- **Authentication and access controls**: User management, authentication protocols, and traffic filtering +- **Authentication and access controls**: User management, API keys, authentication protocols, and traffic filtering - **Data protection**: Encryption, sensitive settings, and document-level security - **Monitoring and compliance**: Audit logging and security best practices 
@@ -158,7 +158,6 @@ Protect your deployments with features available across all deployment types: Individual user security helps prevent unauthorized access: - **Multi-factor authentication**: Add an extra layer of security to your login process -- **API key management**: Secure programmatic access to Elastic resources ### 4. Secure your clients and integrations From afda62a02f368e195ded53bda9ea08bc9022900d Mon Sep 17 00:00:00 2001 From: Liam Thompson <32779855+leemthompo@users.noreply.github.com> Date: Mon, 10 Mar 2025 11:02:16 +0100 Subject: [PATCH 4/7] More suggestions from code review Co-authored-by: florent-leborgne --- deploy-manage/security.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/deploy-manage/security.md b/deploy-manage/security.md index 5b2511a047..8d651d28a8 100644 --- a/deploy-manage/security.md +++ b/deploy-manage/security.md @@ -115,13 +115,13 @@ See the [Deployment overview](/deploy-manage/deploy.md) to understand your optio | **Security feature** | Serverless | Elastic Cloud Hosted | ECE | ECK | Self-managed | |------------------|------------|--------------|-----|-----|--------------| | **Encryption at Rest** | ✓ Default | ✓ Default | ✗ Manual | ✗ Manual | ✗ Manual | -| **BYOK/CMEK** | ✗ N/A | ✓ Available | ✗ N/A | ✗ N/A | ✗ N/A | +| **Bring your own encryption key** | ✗ N/A | ✓ Available | ✗ N/A | ✗ N/A | ✗ N/A | | **Keystore Security** | ✓ Available | ✓ Available | ✓ Available | ✓ Available | ✓ Available | | **Saved Object Encryption** | ✓ Available | ✓ Available | ✓ Available | ✓ Available | ✓ Available | #### User session security -| **Security feature** | Serverless | Elastic Cloud | ECE | ECK | Self-managed | +| **Security feature** | Serverless | Elastic Cloud Hosted | ECE | ECK | Self-managed | |------------------|------------|--------------|-----|-----|--------------| | **Kibana Sessions** | ✓ Managed | ✓ Configurable | ✓ Configurable | ✓ Configurable | ✓ Configurable | 
From f0f7a9e193089ee12cffefd5e99caf1aeabd4fdf Mon Sep 17 00:00:00 2001 From: Liam Thompson Date: Mon, 10 Mar 2025 11:15:10 +0100 Subject: [PATCH 5/7] Clarify Encry@rest, availability terms in table --- deploy-manage/security.md | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/deploy-manage/security.md b/deploy-manage/security.md index 8d651d28a8..635b2e2e3d 100644 --- a/deploy-manage/security.md +++ b/deploy-manage/security.md 
@@ -99,25 +99,25 @@ See the [Deployment overview](/deploy-manage/deploy.md) to understand your optio | **Security feature** | Serverless | Elastic Cloud Hosted | ECE | ECK | Self-managed | |------------------|------------|--------------|-----|-----|--------------| -| **TLS (HTTP Layer)** | ✓ Managed | ✓ Managed | ✓ Configurable | ✓ Configurable | ✓ Manual | -| **TLS (Transport Layer)** | ✓ Managed | ✓ Managed | ✓ Managed | ✓ Managed | ✓ Manual | +| **TLS (HTTP Layer)** | ✓ Managed | ✓ Managed | ✓ Configurable | ✓ Configurable | ✓ Self-managed | +| **TLS (Transport Layer)** | ✓ Managed | ✓ Managed | ✓ Managed | ✓ Managed | ✓ Self-managed | #### Network security | **Security feature** | Serverless | Elastic Cloud Hosted | ECE | ECK | Self-managed | |------------------|------------|--------------|-----|-----|--------------| -| **IP Traffic Filtering** | ✓ Available | ✓ Available | ✓ Available | ✓ Available | ✓ Available | -| **Private Link** | ✗ N/A | ✓ Available | ✗ N/A | ✗ N/A | ✗ N/A | -| **Static IPs** | ✓ Available | ✓ Available | ✗ N/A | ✗ N/A | ✗ N/A | +| **IP traffic filtering** | ✓ Configurable | ✓ Configurable | ✓ Configurable | ✓ Configurable | ✓ Configurable | +| **Private link** | ✗ N/A | ✓ Configurable | ✗ N/A | ✗ N/A | ✗ N/A | +| **Static IPs** | ✓ Configurable | ✓ Configurable | ✗ N/A | ✗ N/A | ✗ N/A | #### Data security | **Security feature** | Serverless | Elastic Cloud Hosted | ECE | ECK | Self-managed | |------------------|------------|--------------|-----|-----|--------------| -| **Encryption at Rest** | ✓ Default | ✓ Default | ✗ Manual | ✗ Manual | ✗ Manual | -| **Bring your own encryption key** | ✗ N/A | ✓ Available | ✗ N/A | ✗ N/A | ✗ N/A | -| **Keystore Security** | ✓ Available | ✓ Available | ✓ Available | ✓ Available | ✓ Available | -| **Saved Object Encryption** | ✓ Available | ✓ Available | ✓ Available | ✓ Available | ✓ Available | +| **Encryption at rest** | ✓ Managed | ✓ Managed | ✓ Self-managed | ✓ Self-managed | ✓ Self-managed | +| 
**Bring your own encryption key** | ✗ N/A | ✓ Configurable | ✗ N/A | ✗ N/A | ✗ N/A | +| **Keystore security** | ✓ Managed | ✓ Managed | ✓ Configurable | ✓ Configurable | ✓ Configurable | +| **Saved object encryption** | ✓ Managed | ✓ Managed | ✓ Configurable | ✓ Configurable | ✓ Configurable | #### User session security From 8e2764e79e93626a1ad31a0a618b096bb4943fa4 Mon Sep 17 00:00:00 2001 From: Liam Thompson Date: Mon, 10 Mar 2025 11:41:22 +0100 Subject: [PATCH 6/7] Make availability terms explicit, remove sueperfluous ticks --- deploy-manage/security.md | 31 ++++++++++++++++++++----------- 1 file changed, 20 insertions(+), 11 deletions(-) diff --git a/deploy-manage/security.md b/deploy-manage/security.md index 635b2e2e3d..4e25c2d1ca 100644 --- a/deploy-manage/security.md +++ b/deploy-manage/security.md @@ -87,7 +87,7 @@ To keep your data secured, Elastic offers comprehensive security features that: - Protect data at rest - Secure sensitive settings and saved objects -Different deployment types have different security requirements and capabilities. Some security features are managed automatically, while others require manual configuration depending on your deployment type. +Security requirements and capabilities vary by deployment. Features may be managed automatically by Elastic, require configuration, or must be fully self-managed. Refer to [Security by deployment type](#security-by-deployment-type) for details. ::::{tip} See the [Deployment overview](/deploy-manage/deploy.md) to understand your options for deploying Elastic. 
@@ -95,35 +95,44 @@ See the [Deployment overview](/deploy-manage/deploy.md) to understand your optio ### Security by deployment type +Security features have one of these statuses across deployment types: + +| Status | Description | +|--------|-------------| +| **Managed** | Feature is handled automatically by Elastic | +| **Configurable** | Feature is available but requires user configuration | +| **Self-managed** | Feature must be implemented and maintained by you | +| **✗ N/A** | Feature is not available | + #### Communication security | **Security feature** | Serverless | Elastic Cloud Hosted | ECE | ECK | Self-managed | |------------------|------------|--------------|-----|-----|--------------| -| **TLS (HTTP Layer)** | ✓ Managed | ✓ Managed | ✓ Configurable | ✓ Configurable | ✓ Self-managed | -| **TLS (Transport Layer)** | ✓ Managed | ✓ Managed | ✓ Managed | ✓ Managed | ✓ Self-managed | +| **TLS (HTTP Layer)** | Managed | Managed | Configurable | Configurable | Self-managed | +| **TLS (Transport Layer)** | Managed | Managed | Managed | Managed | Self-managed | #### Network security | **Security feature** | Serverless | Elastic Cloud Hosted | ECE | ECK | Self-managed | |------------------|------------|--------------|-----|-----|--------------| -| **IP traffic filtering** | ✓ Configurable | ✓ Configurable | ✓ Configurable | ✓ Configurable | ✓ Configurable | -| **Private link** | ✗ N/A | ✓ Configurable | ✗ N/A | ✗ N/A | ✗ N/A | -| **Static IPs** | ✓ Configurable | ✓ Configurable | ✗ N/A | ✗ N/A | ✗ N/A | +| **IP traffic filtering** | Configurable | Configurable | Configurable | Configurable | Configurable | +| **Private link** | ✗ N/A | Configurable | ✗ N/A | ✗ N/A | ✗ N/A | +| **Static IPs** | Configurable | Configurable | ✗ N/A | ✗ N/A | ✗ N/A | #### Data security | **Security feature** | Serverless | Elastic Cloud Hosted | ECE | ECK | Self-managed | |------------------|------------|--------------|-----|-----|--------------| -| **Encryption at rest** | ✓ 
Managed | ✓ Managed | ✓ Self-managed | ✓ Self-managed | ✓ Self-managed | -| **Bring your own encryption key** | ✗ N/A | ✓ Configurable | ✗ N/A | ✗ N/A | ✗ N/A | -| **Keystore security** | ✓ Managed | ✓ Managed | ✓ Configurable | ✓ Configurable | ✓ Configurable | -| **Saved object encryption** | ✓ Managed | ✓ Managed | ✓ Configurable | ✓ Configurable | ✓ Configurable | +| **Encryption at rest** | Managed | Managed | Self-managed | Self-managed | Self-managed | +| **Bring your own encryption key** | ✗ N/A | Configurable | ✗ N/A | ✗ N/A | ✗ N/A | +| **Keystore security** | Managed | Managed | Configurable | Configurable | Configurable | +| **Saved object encryption** | Managed | Managed | Configurable | Configurable | Configurable | #### User session security | **Security feature** | Serverless | Elastic Cloud Hosted | ECE | ECK | Self-managed | |------------------|------------|--------------|-----|-----|--------------| -| **Kibana Sessions** | ✓ Managed | ✓ Configurable | ✓ Configurable | ✓ Configurable | ✓ Configurable | +| **Kibana Sessions** | Managed | Configurable | Configurable | Configurable | Configurable | ### Using this documentation From 8c136c95563b4f5bf2f12b99cee032e6a3e3dde3 Mon Sep 17 00:00:00 2001 From: Liam Thompson Date: Mon, 10 Mar 2025 12:44:00 +0100 Subject: [PATCH 7/7] tryo clarify availability differentiation --- deploy-manage/security.md | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/deploy-manage/security.md b/deploy-manage/security.md index 4e25c2d1ca..91277a6022 100644 --- a/deploy-manage/security.md +++ b/deploy-manage/security.md 
@@ -99,10 +99,10 @@ Security features have one of these statuses across deployment types: | Status | Description | |--------|-------------| -| **Managed** | Feature is handled automatically by Elastic | -| **Configurable** | Feature is available but requires user configuration | -| **Self-managed** | Feature must be implemented and maintained by you | -| **✗ N/A** | Feature is not available | +| **Managed** | Handled automatically by Elastic with no user configuration needed | +| **Configurable** | Built-in feature that needs your configuration (like IP filters or passwords) | +| **Self-managed** | Infrastructure-level security you implement and maintain | +| **N/A** | Not available for this deployment type | #### Communication security 
@@ -116,15 +116,15 @@ Security features have one of these statuses across deployment types: | **Security feature** | Serverless | Elastic Cloud Hosted | ECE | ECK | Self-managed | |------------------|------------|--------------|-----|-----|--------------| | **IP traffic filtering** | Configurable | Configurable | Configurable | Configurable | Configurable | -| **Private link** | ✗ N/A | Configurable | ✗ N/A | ✗ N/A | ✗ N/A | -| **Static IPs** | Configurable | Configurable | ✗ N/A | ✗ N/A | ✗ N/A | +| **Private link** | N/A | Configurable | N/A | N/A | N/A | +| **Static IPs** | Configurable | Configurable | N/A | N/A | N/A | #### Data security | **Security feature** | Serverless | Elastic Cloud Hosted | ECE | ECK | Self-managed | |------------------|------------|--------------|-----|-----|--------------| | **Encryption at rest** | Managed | Managed | Self-managed | Self-managed | Self-managed | -| **Bring your own encryption key** | ✗ N/A | Configurable | ✗ N/A | ✗ N/A | ✗ N/A | +| **Bring your own encryption key** | N/A | Configurable | N/A | N/A | N/A | | **Keystore security** | Managed | Managed | Configurable | Configurable | Configurable | | **Saved object encryption** | Managed | Managed | Configurable | Configurable | Configurable |
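
Review bot: PATCH 1/7, hunk `@@ -22,7 +23,7 @@`: commenting out "Note that the encryption happens at the file system level." removes the only rendered statement of where encryption at rest is applied, while the new Data security table in the same patch advertises `| **Encryption at Rest** | ✓ Default | ✓ Default |` with no scope. Carry that sentence into the rendered text next to the Data security table so a reader can tell what "encryption at rest" covers on the managed offerings.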
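
Review bot: PATCH 1/7, hunk `@@ -54,15 +55,115 @@`, "Security topics": the four numbered sections list topics (TLS certificates, traffic filtering, audit logging, multi-factor authentication) but link to nothing, and the `% TODO: Add links to the sections below` comment confirms the gap. A landing page is mainly navigation, so either add the links in this series or reference a tracking issue in the TODO so that it is not lost once the work-in-progress warning is removed.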
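
Review bot: PATCH 3/7, hunk `@@ -141,15 +141,15 @@`, "Secure your hosting environment": the reordered list has entries for Elastic Cloud Hosted and Serverless, Elastic Cloud Enterprise, and self-managed environments, but none for ECK, although every table in the same file carries an ECK column. Add an ECK bullet, or state which existing entry ECK readers should follow.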
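
Review bot: PATCH 5/7, hunk `@@ -99,25 +99,25 @@`: replacing `Manual` with `Self-managed` reuses the name of the last table column as a status value, so the ECE and ECK cells in the "Encryption at rest" row now read `✓ Self-managed` under deployment types that are not the self-managed one. Keep a status term that cannot be mistaken for a deployment type, or rename one of the two, so a reader scanning the row does not misread who owns the control.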
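
Review bot: PATCH 6/7, hunk `@@ -87,7 +87,7 @@`: the new sentence "Features may be managed automatically by Elastic, require configuration, or must be fully self-managed." mixes three verb forms and does not use the status names defined in the legend added by the same patch. Suggest wording it with those exact terms, for example "Each feature is either Managed by Elastic, Configurable by you, or Self-managed", so the sentence and the legend agree.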
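
Review bot: PATCH 6/7, hunk `@@ -95,35 +95,44 @@`: the row labels `**TLS (HTTP Layer)**`, `**TLS (Transport Layer)**` and `**Kibana Sessions**` are rewritten here but keep title case, while the neighbouring labels (`**IP traffic filtering**`, `**Private link**`, `**Encryption at rest**`) are already sentence case after PATCH 5/7. Lower-case "layer" and "sessions" in this hunk to finish the sentence-case pass started in PATCH 2/7.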
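
Review bot: PATCH 7/7, hunk `@@ -99,10 +99,10 @@`: the new "Configurable" description, "Built-in feature that needs your configuration (like IP filters or passwords)", does not say what state the feature is in before it is configured, which is the detail an operator needs for a control such as IP traffic filtering that is marked Configurable in every column. State the unconfigured behaviour in the legend or in a note under the tables, and replace "passwords" with an example that appears as a row in these tables, since no row covers passwords.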