From f462028efa72fa51357ce3a33937bbd6ab41ec72 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Edu=20Gonz=C3=A1lez=20de=20la=20Herr=C3=A1n?= <25320357+eedugon@users.noreply.github.com> Date: Tue, 18 Mar 2025 14:32:13 +0100 Subject: [PATCH 1/4] some eck docs moved to security and IA and landing pages updated --- .../cloud-on-k8s/configure-deployments.md | 2 + .../deploy/cloud-on-k8s/configure.md | 2 +- .../elastic-stack-configuration-policies.md | 4 +- .../elasticsearch-configuration.md | 5 +- .../k8s-kibana-advanced-configuration.md | 4 +- .../deploy/cloud-on-k8s/k8s-kibana-es.md | 2 +- .../k8s-kibana-secure-settings.md | 40 ---- .../cloud-on-k8s/kibana-configuration.md | 2 +- deploy-manage/security.md | 210 ++++++++++++++---- deploy-manage/security/data-security.md | 4 +- .../security/install-stack-demo-secure.md | 2 + .../k8s-network-policies.md} | 6 +- deploy-manage/security/k8s-secure-settings.md | 160 +++++++++++++ .../k8s-transport-settings.md} | 6 +- ...figure-security-in-self-managed-cluster.md | 4 +- .../security/private-link-traffic-filters.md | 3 + .../security/secure-cluster-communications.md | 5 +- .../security/secure-hosting-environment.md | 13 +- .../security/secure-http-communications.md | 2 +- deploy-manage/security/secure-settings.md | 131 +---------- .../security/secure-your-eck-installation.md | 2 +- ...r-elastic-cloud-enterprise-installation.md | 2 +- .../secure-your-elastic-cloud-organization.md | 37 --- deploy-manage/security/traffic-filtering.md | 9 +- deploy-manage/toc.yml | 52 ++--- 25 files changed, 395 insertions(+), 314 deletions(-) delete mode 100644 deploy-manage/deploy/cloud-on-k8s/k8s-kibana-secure-settings.md rename deploy-manage/{deploy/cloud-on-k8s/network-policies.md => security/k8s-network-policies.md} (98%) create mode 100644 deploy-manage/security/k8s-secure-settings.md rename deploy-manage/{deploy/cloud-on-k8s/transport-settings.md => security/k8s-transport-settings.md} (95%) create mode 100644 deploy-manage/security/private-link-traffic-filters.md delete mode 100644 
deploy-manage/security/secure-your-elastic-cloud-organization.md diff --git a/deploy-manage/deploy/cloud-on-k8s/configure-deployments.md b/deploy-manage/deploy/cloud-on-k8s/configure-deployments.md index 80c25b6046..be4f0f82f7 100644 --- a/deploy-manage/deploy/cloud-on-k8s/configure-deployments.md +++ b/deploy-manage/deploy/cloud-on-k8s/configure-deployments.md @@ -29,6 +29,8 @@ Additionally, the following topics apply to both {{es}} and {{kib}}, and in some ECK also facilitates configuration and operation activities with advanced features, such as: +* [**Secure settings**](/deploy-manage/security/k8s-secure-settings.md): Configure {{es}} and {{kib}} keystore settings through Kubernetes secrets. + * [**Elastic Stack configuration policies**](elastic-stack-configuration-policies.md): Organize your {{es}} and {{kib}} configuration settings through `StackConfigPolicy` resources that can be referenced within your deployments. This helps to keep your manifests simplified. ::::{important} diff --git a/deploy-manage/deploy/cloud-on-k8s/configure.md b/deploy-manage/deploy/cloud-on-k8s/configure.md index e2e8be8eaf..2ef767cc3d 100644 --- a/deploy-manage/deploy/cloud-on-k8s/configure.md +++ b/deploy-manage/deploy/cloud-on-k8s/configure.md 
@@ -27,7 +27,7 @@ The following guides cover common ECK configuration tasks: * [Service meshes](./service-meshes.md): Connect ECK and managed Elastic Stack applications to some of the most popular [service mesh](https://www.cncf.io/blog/2017/04/26/service-mesh-critical-component-cloud-native-stack/) implementations in the Kubernetes ecosystem. -* [Network policies](./network-policies.md): Use [Kubernetes network policies](https://kubernetes.io/docs/concepts/services-networking/network-policies/) to isolate pods by restricting incoming and outgoing network connections to a trusted set of sources and destinations. +* [Network policies](./../../security/k8s-network-policies.md): Use [Kubernetes network policies](https://kubernetes.io/docs/concepts/services-networking/network-policies/) to isolate pods by restricting incoming and outgoing network connections to a trusted set of sources and destinations. * [](./webhook-namespace-selectors.md): Restrict the namespaces that the validation webhook applies to, allowing multiple operators to coexist efficiently in the same cluster. diff --git a/deploy-manage/deploy/cloud-on-k8s/elastic-stack-configuration-policies.md b/deploy-manage/deploy/cloud-on-k8s/elastic-stack-configuration-policies.md index 21a1fe322c..b7463770df 100644 --- a/deploy-manage/deploy/cloud-on-k8s/elastic-stack-configuration-policies.md +++ b/deploy-manage/deploy/cloud-on-k8s/elastic-stack-configuration-policies.md 
@@ -35,7 +35,7 @@ Starting from ECK `2.6.1` and Elasticsearch `8.6.1`, Elastic Stack configuration Additionally with ECK `2.11.0` it is possible to configure Kibana as well using Elastic Stack configuration policies, the following settings can be configured for Kibana: * [Kibana Configuration](kibana://reference/configuration-reference/general-settings.md) (configuration settings for Kibana that will go into `kibana.yml`) -* [Kibana Secure Settings](k8s-kibana-secure-settings.md) +* [Kibana Secure Settings](../../security/k8s-secure-settings.md) A policy can be applied to one or more Elasticsearch clusters or Kibana instances in any namespace managed by the ECK operator. Configuration policy settings applied by the ECK operator are immutable through the Elasticsearch REST API. It is currently not allowed to configure an Elasticsearch cluster or Kibana instance with more than one policy. @@ -65,7 +65,7 @@ At least one of `spec.elasticsearch` or `spec.kibana` needs to be defined with a * `spec.kibana` describes the settings to configure for Kibana. * `config` are the settings that go into the `kibana.yml` file. - * `secureSettings` is a list of Secrets containing Secure Settings to inject into the keystore(s) of the Kibana instance(s) to which this policy applies, similar to the [Kibana Secure Settings](k8s-kibana-secure-settings.md). + * `secureSettings` is a list of Secrets containing Secure Settings to inject into the keystore(s) of the Kibana instance(s) to which this policy applies, similar to the [Kibana Secure Settings](../../security/k8s-secure-settings.md). The following fields are optional: diff --git a/deploy-manage/deploy/cloud-on-k8s/elasticsearch-configuration.md b/deploy-manage/deploy/cloud-on-k8s/elasticsearch-configuration.md index b06359d6ba..fdfc5d38a7 100644 --- a/deploy-manage/deploy/cloud-on-k8s/elasticsearch-configuration.md +++ b/deploy-manage/deploy/cloud-on-k8s/elasticsearch-configuration.md 
@@ -22,6 +22,7 @@ Before deploying and running ECK in production, review the basic and advanced se * [Node configuration](node-configuration.md): Configure the `elasticsearch.yml` of your {{es}} nodes. * [Volume claim templates](volume-claim-templates.md): Configure storage in your {{es}} nodes. * [Virtual memory](virtual-memory.md): Methods to accomplish {{es}} virtual memory system configuration requirement. +* [Secure settings](/deploy-manage/security/secure-settings.md): Configure the {{es}} keystore through Kubernetes secrets. * [Settings managed by ECK](settings-managed-by-eck.md): List of {{es}} settings that you shouldn't update. * [Custom configuration files and plugins](custom-configuration-files-plugins.md): Add extra configuration files or install plugins to your {{es}} nodes. * [Init containers for plugin downloads](init-containers-for-plugin-downloads.md): Use Kubernetes init containers to install plugins before starting {{es}}. @@ -38,7 +39,7 @@ Before deploying and running ECK in production, review the basic and advanced se ## TLS/SSL Certificates * [Secure HTTP communications](/deploy-manage/security/secure-http-communications.md): Customize the service and TLS certificates used for transport traffic. -* [Transport settings](transport-settings.md): Customize the service and TLS certificates used for transport traffic. +* [Transport settings](../../security/k8s-transport-settings.md): Customize the service and TLS certificates used for transport traffic. ## Traffic handling @@ -48,8 +49,6 @@ Before deploying and running ECK in production, review the basic and advanced se Other sections of the documentation also include relevant configuration options for your {{es}} cluster: -* [Secure settings](/deploy-manage/security/secure-settings.md) - * [Users and roles](/deploy-manage/users-roles.md) * [Snapshots](../../tools/snapshot-and-restore/cloud-on-k8s.md) 
diff --git a/deploy-manage/deploy/cloud-on-k8s/k8s-kibana-advanced-configuration.md b/deploy-manage/deploy/cloud-on-k8s/k8s-kibana-advanced-configuration.md index 7c30d10c59..4cb6ba81a4 100644 --- a/deploy-manage/deploy/cloud-on-k8s/k8s-kibana-advanced-configuration.md +++ b/deploy-manage/deploy/cloud-on-k8s/k8s-kibana-advanced-configuration.md @@ -13,7 +13,7 @@ If you already looked at the [Elasticsearch on ECK](elasticsearch-configuration. * [Customize the Pod configuration](#k8s-kibana-pod-configuration) * [Customize the product configuration](#k8s-kibana-configuration) * [Manage HTTP settings](/deploy-manage/security/secure-http-communications.md#k8s-kibana-http-configuration) -* [Use secure settings](k8s-kibana-secure-settings.md) +* [Use secure settings](../../security/k8s-secure-settings.md) * [Install {{kib}} plugins](k8s-kibana-plugins.md) ## Pod configuration [k8s-kibana-pod-configuration] @@ -97,7 +97,7 @@ kubectl get secret my-kibana-kb-config -o jsonpath='{ .data.kibana\.yml }' | bas :::: -You can provide your own encryption keys using a secure setting, as described in [Secure settings](k8s-kibana-secure-settings.md). +You can provide your own encryption keys using a secure setting, as described in [Secure settings](../../security/k8s-secure-settings.md). ::::{note} While most reconfigurations of your {{kib}} instances are carried out in rolling upgrade fashion, all version upgrades will cause {{kib}} downtime. This happens because you can only run a single version of {{kib}} at any given time. For more information, check [Upgrade {{kib}}](/deploy-manage/upgrade/deployment-or-cluster.md). diff --git a/deploy-manage/deploy/cloud-on-k8s/k8s-kibana-es.md b/deploy-manage/deploy/cloud-on-k8s/k8s-kibana-es.md index edd8270ece..71e9d0f10f 100644 --- a/deploy-manage/deploy/cloud-on-k8s/k8s-kibana-es.md +++ b/deploy-manage/deploy/cloud-on-k8s/k8s-kibana-es.md 
@@ -47,7 +47,7 @@ Refer to [*Connect to external Elastic resources*](connect-to-external-elastic-r ## Using secure settings [k8s_using_secure_settings] -For example, use the [secure settings](k8s-kibana-secure-settings.md) mechanism to securely store the default `elastic` user’s `$PASSWORD` credential of the external {{es}} cluster as set under [Deploy an {{es}} cluster](elasticsearch-deployment-quickstart.md): +For example, use the [secure settings](../../security/k8s-secure-settings.md) mechanism to securely store the default `elastic` user’s `$PASSWORD` credential of the external {{es}} cluster as set under [Deploy an {{es}} cluster](elasticsearch-deployment-quickstart.md): ```shell kubectl create secret generic kibana-elasticsearch-credentials --from-literal=elasticsearch.password=$PASSWORD diff --git a/deploy-manage/deploy/cloud-on-k8s/k8s-kibana-secure-settings.md b/deploy-manage/deploy/cloud-on-k8s/k8s-kibana-secure-settings.md deleted file mode 100644 index ddbf5aaa13..0000000000 --- a/deploy-manage/deploy/cloud-on-k8s/k8s-kibana-secure-settings.md +++ /dev/null 
@@ -1,40 +0,0 @@ ---- -applies_to: - deployment: - eck: all -mapped_pages: - - https://www.elastic.co/guide/en/cloud-on-k8s/current/k8s-kibana-secure-settings.html ---- - -% pending to move to security - -# Secure settings [k8s-kibana-secure-settings] - -[Similar to {{es}}](../../security/secure-settings.md), you can use Kubernetes secrets to manage secure settings for {{kib}}. - -For example, you can define a custom encryption key for {{kib}} as follows: - -1. Create a secret containing the desired setting: - - ```yaml - kubectl create secret generic kibana-secret-settings \ - --from-literal=xpack.security.encryptionKey=94d2263b1ead716ae228277049f19975aff864fb4fcfe419c95123c1e90938cd - ``` - -2. Add a reference to the secret in the `secureSettings` section: - - ```yaml - apiVersion: kibana.k8s.elastic.co/v1 - kind: Kibana - metadata: - name: kibana-sample - spec: - version: 8.16.1 - count: 3 - elasticsearchRef: - name: "elasticsearch-sample" - secureSettings: - - secretName: kibana-secret-settings - ``` - - diff --git a/deploy-manage/deploy/cloud-on-k8s/kibana-configuration.md b/deploy-manage/deploy/cloud-on-k8s/kibana-configuration.md index 9522281c7b..11fd37da76 100644 --- a/deploy-manage/deploy/cloud-on-k8s/kibana-configuration.md +++ b/deploy-manage/deploy/cloud-on-k8s/kibana-configuration.md @@ -21,7 +21,7 @@ The following sections describe how to customize a {{kib}} deployment to suit yo * [{{kib}} Configuration](k8s-kibana-advanced-configuration.md#k8s-kibana-configuration) * [Scaling out a {{kib}} deployment](k8s-kibana-advanced-configuration.md#k8s-kibana-scaling) -* [Secure settings](k8s-kibana-secure-settings.md) +* [Secure settings](../../security/k8s-secure-settings.md#k8s-kibana-secure-settings) * [HTTP Configuration](/deploy-manage/security/secure-http-communications.md#k8s-kibana-http-configuration) * [Load balancer settings and TLS SANs](/deploy-manage/security/secure-http-communications.md#k8s-kibana-http-publish) 
diff --git a/deploy-manage/security.md b/deploy-manage/security.md index bd7f9293e4..1ecc0d6cd9 100644 --- a/deploy-manage/security.md +++ b/deploy-manage/security.md @@ -59,7 +59,6 @@ $$$maintaining-audit-trail$$$ **This page is a work in progress.** ::: - % The documentation team is working to combine content pulled from the following pages: % * [/raw-migrated-files/elasticsearch/elasticsearch-reference/security-files.md](/raw-migrated-files/elasticsearch/elasticsearch-reference/security-files.md) 
@@ -75,64 +74,186 @@ $$$maintaining-audit-trail$$$ # Security -This overview page helps you understand Elastic's security capabilities across different deployment types. You'll find: +An Elastic implementation comprises many moving parts: {{es}} nodes forming the cluster, {{kib}} instances, additional stack components such as Logstash and Beats, and various clients and integrations, all communicating with your cluster. -- Key security features for protecting your Elastic deployment -- Security capabilities specific to each deployment type -- Comparison tables showing feature availability and configurability by deployment type -- Links to detailed implementation guides +To keep your data secured, Elastic offers security features that prevent bad actors from tampering with your data, and encrypt communications to, from, and within your cluster. Regardless of your deployment type, Elastic sets up certain security features for you automatically. -## Security overview +The documentation is organized into three main areas. -An Elastic implementation comprises many moving parts: {{es}} nodes forming the cluster, {{kib}} instances, additional stack components such as Logstash and Beats, and various clients and integrations communicating with your deployment. +* [Secure your orchestrator](security/secure-hosting-environment.md): Setup security in your [{{ece}}](/deploy-manage/security/secure-your-elastic-cloud-enterprise-installation.md) or [{{eck}}](/deploy-manage/security/secure-your-eck-installation.md) installations. +* [Secure your cluster or deployment](./security/secure-your-cluster-deployment.md): Learn about how to manage basic Elastic security features. You’ll also learn how to implement advanced security measures. +* [Secure your clients and integrations](security/secure-clients-integrations.md): Secure communications between your applications and the {{stack}}. 
-To keep your data secured, Elastic offers comprehensive security features that: -- Prevent unauthorized access to your deployment -- Encrypt communications between components -- Protect data at rest -- Secure sensitive settings and saved objects +::::{note} +As part of your overall security strategy, you can also do the following: -:::{note} -The availability and configurability of security features vary by deployment type. Refer to [Security by deployment type](#security-features-by-deployment-type) for a comparison table. -::: +* Prevent unauthorized access with [password protection and role-based access control](/deploy-manage/users-roles.md). +* Maintain an [audit trail](/deploy-manage/security/logging-configuration/security-event-audit-logging.md) for security-related events. +* Control access to dashboards and other saved objects in your UI using [Spaces](/deploy-manage/manage-spaces.md). +* Connect a local cluster to a [remote cluster](/deploy-manage/remote-clusters.md) to enable [cross-cluster replication](/deploy-manage/tools/cross-cluster-replication.md) and [cross-cluster search](/solutions/search/cross-cluster-search.md). +* Manage [API keys](/deploy-manage/api-keys.md) used for programmatic access to Elastic. +:::: -## Security topics +The availability and configurability of security features vary by deployment type. On every page, you'll see deployment type indicators that show which content applies to specific deployment types. Focus on sections tagged with your deployment type and look for subsections specifically addressing your deployment model. -The documentation is organized into three main areas. +At the end of this doc, there's also a [comparison table](#comparison-table) showing feature availability and configurability by deployment type. -On every page, you'll see deployment type indicators that show which content applies to specific deployment types. 
Focus on sections tagged with your deployment type and look for subsections specifically addressing your deployment model. +## Managed security in Elastic Cloud +```yaml {applies_to} +deployment: + ess: all +serverless: all +``` -### 1. Secure your orchestrator +Elastic Cloud has built-in security. For example, HTTPS communications between Elastic Cloud and the internet, as well as inter-node communications, are secured automatically, and cluster data is encrypted at rest. -The [security of your orchestrator](security/secure-hosting-environment.md) forms the foundation of your overall security posture. This section covers environment-specific security controls: +You can augment Elastic Cloud security features in the following ways: +* Configure [traffic filtering](./security/traffic-filtering.md) to prevent unauthorized access to your deployments. [Elastic Cloud Hosted] +* Encrypt your deployment with a [customer-managed encryption key](./security/encrypt-deployment-with-customer-managed-encryption-key.md). [Elastic Cloud Hosted] +* [Secure your settings](./security/secure-settings.md) using {{es}} and {{kib}} keystores. [Elastic Cloud Hosted] +* Use the list of [Elastic Cloud static IPs](./security/elastic-cloud-static-ips.md) to allow or restrict communications in your infrastructure. -- [**Elastic Cloud Hosted and Serverless**](security/secure-your-elastic-cloud-organization.md) -- [**Elastic Cloud Enterprise**](security/secure-your-elastic-cloud-enterprise-installation.md) -- [**Elastic Cloud on Kubernetes**](security/secure-your-eck-installation.md) +::::{note} +While serverless projects are fully managed and secured by Elastic, additional security settings are available for you to configure individually for your {{ech}} deployments. +:::: -:::{note} -There is no orchestration layer for self-managed deployments because you directly control the host environment. 
Refer to [](security/manually-configure-security-in-self-managed-cluster.md) to learn more about securing self-managed installations. -::: +Refer to [Elastic Cloud security](https://www.elastic.co/cloud/security) for more details about Elastic security and privacy programs. + +## Cluster or deployment security features + +You can configure the following aspects of your Elastic implementation to maintain and enhance security: + +### Manage TLS certificates +```yaml {applies_to} +deployment: + ece: all + eck: all + self: all +``` + +TLS certificates apply security controls to network communications. TLS is the modern name for what used to be called Secure Sockets Layer (SSL). + +TLS certificates are used in two places: +* **The HTTP layer**: Used for communication between your cluster or deployment and the internet. +* **The transport layer**: Used mainly for inter-node communications, and in certain cases for cluster to cluster communication. + +The way that TLS certificates are managed depends on your deployment type: + +* In self-managed {{es}} clusters, you [manage both of these certificates yourself](./security/secure-cluster-communications.md). You can also [Configure Kibana and Elasticsearch to use mutual TLS](./security/secure-http-communications.md#elasticsearch-mutual-tls). +* In {{ece}}, you can use one or more [proxy certificates](./security/secure-your-elastic-cloud-enterprise-installation/manage-security-certificates.md) to secure the HTTP layer. These certificates are managed at the ECE installation level. Transport-level encryption is managed by ECE and certificates can’t be changed. +* In {{eck}}, you can [manage certificates for the HTTP layer](./security/secure-http-communications.md#k8s-custom-http-certificate). Certificates for the transport layer are managed by ECK and can’t be changed. 
However, you can set your own certificate authority, customize certificate contents, and provide your own certificate generation tools using [transport settings](./security/k8s-transport-settings.md). + +::::{tip} +Elastic Cloud manages TLS certificates for you. +:::: + +#### Enable cipher suites for stronger encryption + +TBD - to refine +Refer to [](./security/enabling-cipher-suites-for-stronger-encryption.md) for more details. +(These cipher_suites settings are used for a bunch of different auth realms as well as http/transport layer) + +### Restrict connections using traffic filtering +```yaml {applies_to} +deployment: + ess: all + ece: all + eck: all + self: all +``` + +[Traffic filtering](./security/traffic-filtering.md) allows you to limit how your deployments can be accessed. Add another layer of security to your installation and deployments by restricting inbound traffic to only the sources that you trust. + +* For all deployment types, you can configure [IP-based traffic filters](./security/ip-traffic-filtering.md). + +* For Elastic Cloud Hosted, you can also configure [private link traffic filters](./security/private-link-traffic-filters.md). -### 2. Secure your deployments and clusters +* For {{eck}}, you can use [Kubernetes network policies](./security/k8s-network-policies.md). 
-[Secure your deployments](security/secure-your-cluster-deployment.md) with features available across all deployment types: +### Allow or deny Elastic Cloud IP ranges +```yaml {applies_to} +serverless: all +deployment: + ess: all +``` -- [**Traffic filtering**](security/traffic-filtering.md): IP filtering, private links, and static IPs -- [**Secure communications**](security/secure-cluster-communications.md): TLS configuration, certificates management -- [**Data protection**](security/data-security.md): Encryption at rest, secure settings, saved objects -- [**Security event audit logging**](security/logging-configuration/security-event-audit-logging.md): {{es}} and {{kib}} audit logs -- [**Session management**](security/kibana-session-management.md): Kibana session controls -- [**FIPS 140-2 compliance**](security/fips-140-2.md): Federal security standards +Elastic Cloud publishes a list of IP addresses used by its services for both incoming and outgoing traffic. Users can use these lists to configure their network firewalls as needed to allow or restrict traffic related to Elastic Cloud services. -### 3. Secure your clients and integrations +[Learn more about Elastic Cloud static IPs](./security/elastic-cloud-static-ips.md). -[Secure your clients and integrations](security/secure-clients-integrations.md) to ensure secure communication between your applications and Elastic: +### Manage Kibana sessions +```yaml {applies_to} +deployment: + ess: all + ece: all + eck: all + self: all +``` -- [**Client security**](security/httprest-clients-security.md): Best practices for securely connecting applications to {{es}} -- **Integration security**: Secure configuration for Beats, Logstash, and other integrations +Control the timeout and lifespan of logged-in sessions to Kibana, as well as the number of concurrent sessions each user can have. -## Security features by deployment type +[Learn more about {{kib}} session management](./security/kibana-session-management.md). 
+ +### Encryption at rest +```yaml {applies_to} +serverless: all +deployment: + ess: all +``` + +By default, Elastic Cloud already encrypts your deployment data, project data, and snapshots at rest. + +If you’re using Elastic Cloud Hosted, then you can reinforce this mechanism by providing your own encryption key, also known as [Bring Your Own Key (BYOK)](./security/encrypt-deployment-with-customer-managed-encryption-key.md). + +::::{note} +Other deployment types don’t implement encryption at rest out of the box. For self-managed clusters, to implement encryption at rest, the hosts running the cluster must be configured with disk-level encryption, such as `dm-crypt`. In addition, snapshot targets must ensure that data is encrypted at rest as well. + +Configuring `dm-crypt` or similar technologies is outside the scope of this document, and issues related to disk encryption are outside the scope of support. +:::: + +### Secure your settings +```yaml {applies_to} +deployment: + ess: all + ece: all + eck: all + self: all +``` + +Some of the settings that you configure in Elasticsearch Service are sensitive, such as passwords, and relying on file system permissions to protect these settings is insufficient. Learn how to configure secure settings in the {{es}} keystore or {{kib}} keystore. + +[Learn more about storing settings in a keystore](./security/secure-settings.md). + + +### Secure saved objects +```yaml {applies_to} +deployment: + ess: all + ece: all + eck: all + self: all +``` + +Kibana stores entities such as dashboards, visualizations, alerts, actions, and advanced settings as saved objects, which are kept in a dedicated, internal {{es}} index. If such an object includes sensitive information, for example a PagerDuty integration key or email server credentials used by the alert action, {{kib}} encrypts it and makes sure it cannot be accidentally leaked or tampered with. 
+ +Encrypting sensitive information means that a malicious party with access to the Kibana internal indices won’t be able to extract that information without also knowing the encryption key. + +[Learn how to configure and rotate the saved object encryption key](./security/secure-saved-objects.md). + + +### Other topics +```yaml {applies_to} +deployment: + ess: all + ece: all + eck: all + self: all +``` + +TBD / to determine if needed + +% we need to refine this table, but the idea is awesome IMO +## Security features by deployment type [comparison-table] Security feature availability varies by deployment type, with each feature having one of the following statuses: @@ -221,12 +342,3 @@ Select your deployment type below to see what's available and how implementation ::: :::: - -## Next steps - -Refer to the following sections for detailed instructions about securing your hosting environment: - -* [Elastic Cloud Hosted and Serverless security setup](/deploy-manage/security/secure-your-elastic-cloud-organization.md) -* [Elastic Cloud Enterprise (ECE) security setup](/deploy-manage/security/secure-your-elastic-cloud-enterprise-installation.md) -* [Elastic Cloud on Kubernetes (ECK) security setup](/deploy-manage/security/secure-your-eck-installation.md) -* [Self-managed cluster security setup](/deploy-manage/security/manually-configure-security-in-self-managed-cluster.md) \ No newline at end of file diff --git a/deploy-manage/security/data-security.md b/deploy-manage/security/data-security.md index c70d8f7323..fba16c6d90 100644 --- a/deploy-manage/security/data-security.md +++ b/deploy-manage/security/data-security.md @@ -8,7 +8,9 @@ applies_to: serverless: ga --- -# Secure data, objects, and settings +# Encrypt your deployment data + +(orphan now, we should put this content somewhere) Add another layer of security by defining custom encryption rules for your cluster's data, {{kib}} saved objects, and settings. 
diff --git a/deploy-manage/security/install-stack-demo-secure.md b/deploy-manage/security/install-stack-demo-secure.md index bdbb7166db..db34807184 100644 --- a/deploy-manage/security/install-stack-demo-secure.md +++ b/deploy-manage/security/install-stack-demo-secure.md @@ -8,6 +8,8 @@ mapped_urls: # Tutorial: Securing a self-managed {{stack}} [install-stack-demo-secure] +TBD: This one feels duplicate (it comes from elastic-stack original book) + This tutorial is a follow-on to [installing a self-managed {{stack}}](/deploy-manage/deploy/self-managed.md) with a multi-node {{es}} cluster, {{kib}}, {{fleet-server}} and {{agent}}. In a production environment, it’s recommended after completing the {{kib}} setup to proceed directly to this tutorial to configure your SSL certificates. These steps guide you through that process, and then describe how to configure {{fleet-server}} and {{agent}} with the certificates in place. **Securing the {{stack}}** diff --git a/deploy-manage/deploy/cloud-on-k8s/network-policies.md b/deploy-manage/security/k8s-network-policies.md similarity index 98% rename from deploy-manage/deploy/cloud-on-k8s/network-policies.md rename to deploy-manage/security/k8s-network-policies.md index b6483e644f..9069d22a15 100644 --- a/deploy-manage/deploy/cloud-on-k8s/network-policies.md +++ b/deploy-manage/security/k8s-network-policies.md @@ -7,9 +7,7 @@ mapped_pages: - https://www.elastic.co/guide/en/cloud-on-k8s/current/k8s_prerequisites.html --- -% this section could be moved entirely to security. to be considered. - -# Network policies [k8s-network-policies] +# Kubernetes network policies [k8s-network-policies] Kubernetes [network policies](https://kubernetes.io/docs/concepts/services-networking/network-policies/) allow you to isolate pods by restricting incoming and outgoing network connections to a trusted set of sources and destinations. 
@@ -21,7 +19,7 @@ Note that network policies alone are not sufficient for security. You should com There are several efforts to support multi-tenancy on Kubernetes, including the [official working group for multi-tenancy](https://github.com/kubernetes-sigs/multi-tenancy) and community extensions such as [loft](https://loft.sh) and [kiosk](https://github.com/kiosk-sh/kiosk), that can make configuration and management easier. You might need to employ network policies such the ones described in this section to have fine-grained control over {{stack}} applications deployed by your tenants. :::: -The following sections assume that the operator is installed in the `elastic-system` namespace with the [`namespaces` configuration](configure-eck.md) set to `team-a,team-b`. Each namespace is expected to be labelled as follows: +The following sections assume that the operator is installed in the `elastic-system` namespace with the [`namespaces` configuration](../deploy/cloud-on-k8s/configure-eck.md) set to `team-a,team-b`. Each namespace is expected to be labelled as follows: ```sh kubectl label namespace elastic-system eck.k8s.elastic.co/operator-name=elastic-operator diff --git a/deploy-manage/security/k8s-secure-settings.md b/deploy-manage/security/k8s-secure-settings.md new file mode 100644 index 0000000000..57a6c444f2 --- /dev/null +++ b/deploy-manage/security/k8s-secure-settings.md 
@@ -0,0 +1,160 @@ +--- +applies_to: + deployment: + eck: all +mapped_pages: + - https://www.elastic.co/guide/en/cloud-on-k8s/current/k8s-kibana-secure-settings.html + - https://www.elastic.co/guide/en/cloud-on-k8s/current/k8s-es-secure-settings.html +--- + +# Secure settings on ECK + +With the help of ECK operator, you can specify {{es}} and {{kib}} [secure settings](/deploy-manage/security/secure-settings.md) to your deployments through [Kubernetes secrets](https://kubernetes.io/docs/concepts/configuration/secret/). + +The secrets should contain a key-value pair for each secure setting you want to add. ECK automatically injects these settings into the keystore on each {{es}} or {{kib}} Pod before it starts. The ECK operator continues to watch the secrets for changes and will update the {{es}} or {{kib}} keystores when it detects a change. + +To allow the operator to inject the settings into the application, you must reference your secrets in the `spec.secureSettings` field of your {{es}} or {{kib}} object definition. Next, you’ll find examples for both {{es}} and {{kib}}. 
+ +## Elasticsearch basic usage [k8s_basic_usage] + +It is possible to reference several secrets: + +```yaml +spec: + secureSettings: + - secretName: one-secure-settings-secret + - secretName: two-secure-settings-secret +``` + +For the following secret, a `gcs.client.default.credentials_file` key will be created in {{es}}’s keystore with the provided value: + +```yaml +apiVersion: v1 +kind: Secret +metadata: + name: one-secure-settings-secret +type: Opaque +stringData: + gcs.client.default.credentials_file: | + { + "type": "service_account", + "project_id": "your-project-id", + "private_key_id": "...", + "private_key": "-----BEGIN PRIVATE KEY-----\n...\n-----END PRIVATE KEY-----\n", + "client_email": "service-account-for-your-repository@your-project-id.iam.gserviceaccount.com", + "client_id": "...", + "auth_uri": "https://accounts.google.com/o/oauth2/auth", + "token_uri": "https://accounts.google.com/o/oauth2/token", + "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs", + "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/your-bucket@your-project-id.iam.gserviceaccount.com" + } +``` + +::::{tip} +Note that by default [Kubernetes secrets](https://kubernetes.io/docs/concepts/configuration/secret/) are expecting the value to be base64 encoded unless under a `stringData` field. 
+:::: + +### Projection of secret keys to specific paths [k8s_projection_of_secret_keys_to_specific_paths] + +You can export a subset of secret keys and also project keys to specific paths using the `entries`, `key` and `path` fields: + +```yaml +spec: + secureSettings: + - secretName: gcs-secure-settings + entries: + - key: gcs.client.default.credentials_file + - key: gcs_client_1 + path: gcs.client.client_1.credentials_file + - key: gcs_client_2 + path: gcs.client.client_2.credentials_file +``` + +For the three entries listed in the `gcs-secure-settings` secret, three keys are created in {{es}}’s keystore: + +* `gcs.client.default.credentials_file` +* `gcs.client.client_1.credentials_file` +* `gcs.client.client_2.credentials_file` + +The referenced `gcs-secure-settings` secret now looks like this: + +```yaml +apiVersion: v1 +kind: Secret +metadata: + name: gcs-secure-settings +type: Opaque +stringData: + gcs.client.default.credentials_file: | + { + "type": "service_account", + "project_id": "project-id-to-be-used-for-default-client", + "private_key_id": "private key ID for default-client", + "private_key": "-----BEGIN PRIVATE KEY-----\n...\n-----END PRIVATE KEY-----\n", + "client_email": "service-account-for-your-repository@your-project-id.iam.gserviceaccount.com", + "client_id": "client ID for the default client", + "auth_uri": "https://accounts.google.com/o/oauth2/auth", + "token_uri": "https://accounts.google.com/o/oauth2/token", + "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs", + "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/your-bucket@your-project-id.iam.gserviceaccount.com" + } + gcs_client_1: | + { + "type": "service_account", + "project_id": "project-id-to-be-used-for-gcs_client_1", + "private_key_id": "private key ID for gcs_client_1", + "private_key": "-----BEGIN PRIVATE KEY-----\n...\n-----END PRIVATE KEY-----\n", + "client_email": 
"service-account-for-your-repository@your-project-id.iam.gserviceaccount.com", + "client_id": "client ID for the gcs_client_1 client", + "auth_uri": "https://accounts.google.com/o/oauth2/auth", + "token_uri": "https://accounts.google.com/o/oauth2/token", + "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs", + "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/your-bucket@your-project-id.iam.gserviceaccount.com" + } + gcs_client_2: | + { + "type": "service_account", + "project_id": "project-id-to-be-used-for-gcs_client_2", + "private_key_id": "private key ID for gcs_client_2", + "private_key": "-----BEGIN PRIVATE KEY-----\n...\n-----END PRIVATE KEY-----\n", + "client_email": "service-account-for-your-repository@your-project-id.iam.gserviceaccount.com", + "client_id": "client ID for the gcs_client_2 client", + "auth_uri": "https://accounts.google.com/o/oauth2/auth", + "token_uri": "https://accounts.google.com/o/oauth2/token", + "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs", + "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/your-bucket@your-project-id.iam.gserviceaccount.com" + } +``` + +## Kibana secure settings [k8s-kibana-secure-settings] + +Similar to {{es}} secure settings, you can use Kubernetes secrets to manage keystore settings for {{kib}}. + +For example, you can define a custom encryption key for {{kib}} as follows: + +1. Create a secret containing the desired setting: + + ```yaml + kubectl create secret generic kibana-secret-settings \ + --from-literal=xpack.security.encryptionKey=94d2263b1ead716ae228277049f19975aff864fb4fcfe419c95123c1e90938cd + ``` + +2. 
Add a reference to the secret in the `secureSettings` section: + + ```yaml + apiVersion: kibana.k8s.elastic.co/v1 + kind: Kibana + metadata: + name: kibana-sample + spec: + version: 8.16.1 + count: 3 + elasticsearchRef: + name: "elasticsearch-sample" + secureSettings: + - secretName: kibana-secret-settings + ``` + +## More examples [k8s_more_examples] + +Check [How to create automated snapshots](/deploy-manage/tools/snapshot-and-restore/cloud-on-k8s.md) for an example use case that illustrates how secure settings can be used to set up automated {{es}} snapshots to a GCS storage bucket. diff --git a/deploy-manage/deploy/cloud-on-k8s/transport-settings.md b/deploy-manage/security/k8s-transport-settings.md similarity index 95% rename from deploy-manage/deploy/cloud-on-k8s/transport-settings.md rename to deploy-manage/security/k8s-transport-settings.md index 8197b55c78..621b028993 100644 --- a/deploy-manage/deploy/cloud-on-k8s/transport-settings.md +++ b/deploy-manage/security/k8s-transport-settings.md 
@@ -6,9 +6,9 @@ mapped_pages: - https://www.elastic.co/guide/en/cloud-on-k8s/current/k8s-transport-settings.html --- -# Transport settings [k8s-transport-settings] +# Transport certificates on ECK [k8s-transport-settings] -The transport module in Elasticsearch is used for internal communication between nodes within the cluster as well as communication between remote clusters. Check the [Elasticsearch documentation](elasticsearch://reference/elasticsearch/configuration-reference/networking-settings.md) for details. For customization options of the HTTP layer, check [Services](accessing-services.md) and [TLS certificates](/deploy-manage/security/secure-http-communications.md). +The transport module in Elasticsearch is used for internal communication between nodes within the cluster as well as communication between remote clusters. Check the [Elasticsearch documentation](elasticsearch://reference/elasticsearch/configuration-reference/networking-settings.md) for details. For customization options of the HTTP layer, check [Services](../deploy/cloud-on-k8s/accessing-services.md) and [TLS certificates](/deploy-manage/security/secure-http-communications.md). ## Customize the Transport Service [k8s_customize_the_transport_service] 
@@ -76,7 +76,7 @@ spec: When following the instructions in [Configure a custom Certificate Authority](#k8s-transport-ca) the issuance of certificates is orchestrated by the ECK operator and the operator needs access to the CAs private key. If this is undesirable it is also possible to configure node transport certificates without involving the ECK operator. The following two pre-requisites apply: 1. The tooling used must be able to issue individual certificates for each Elasticsearch node and dynamically add or remove certificates as the cluster scales up and down. -2. The ECK operator must be configured to be aware of the CA in use for the [remote cluster](../../remote-clusters/eck-remote-clusters.md#k8s-remote-clusters-connect-external) support to work. +2. The ECK operator must be configured to be aware of the CA in use for the [remote cluster](../remote-clusters/eck-remote-clusters.md#k8s-remote-clusters-connect-external) support to work. The following example configuration using [cert-manager csi-driver](https://cert-manager.io/docs/projects/csi-driver/) and [trust-manager](https://cert-manager.io/docs/projects/trust-manager/) meets these two requirements: diff --git a/deploy-manage/security/manually-configure-security-in-self-managed-cluster.md b/deploy-manage/security/manually-configure-security-in-self-managed-cluster.md index 0973505f6a..3284492515 100644 --- a/deploy-manage/security/manually-configure-security-in-self-managed-cluster.md +++ b/deploy-manage/security/manually-configure-security-in-self-managed-cluster.md @@ -1,5 +1,5 @@ --- -navigation_title: Self-managed +navigation_title: Configure security in a self-managed cluster applies_to: deployment: self: ga 
@@ -7,7 +7,7 @@ mapped_pages: - https://www.elastic.co/guide/en/elasticsearch/reference/current/manually-configure-security.html --- -# Manually configure security in a self-managed cluster [manually-configure-security] +# Configure security in a self-managed cluster [manually-configure-security] :::{note} This page describes important aspects to consider and common end-to-end scenarios for securing your self-managed {{stack}}. For a more granular view of the available security options for your clusters and nodes, refer to [](secure-your-cluster-deployment.md). diff --git a/deploy-manage/security/private-link-traffic-filters.md b/deploy-manage/security/private-link-traffic-filters.md new file mode 100644 index 0000000000..5c239c7ac2 --- /dev/null +++ b/deploy-manage/security/private-link-traffic-filters.md @@ -0,0 +1,3 @@ +# Private link traffic filters + +landing page. TBD \ No newline at end of file diff --git a/deploy-manage/security/secure-cluster-communications.md b/deploy-manage/security/secure-cluster-communications.md index 20f1d1ba92..ed07718353 100644 --- a/deploy-manage/security/secure-cluster-communications.md +++ b/deploy-manage/security/secure-cluster-communications.md @@ -1,4 +1,5 @@ --- +navigation_title: Manage TLS certificates applies_to: deployment: self: @@ -18,7 +19,7 @@ $$$encrypt-internode-communication$$$ $$$generate-certificates$$$ -# Secure cluster communications +# Manage TLS certificates This page explains how to secure communications between components in your {{stack}} deployment. 
@@ -47,7 +48,7 @@ The transport layer is used for communication between {{es}} nodes in a cluster. **Deployment type notes:** - **Elastic Cloud, ECE, and Serverless**: Transport security is fully managed by Elastic. No configuration is required. -- **ECK**: Transport security is automatically configured by the operator, but you can [customize its service and SSL certificates](/deploy-manage/deploy/cloud-on-k8s/transport-settings.md). +- **ECK**: Transport security is automatically configured by the operator, but you can [customize its service and SSL certificates](/deploy-manage/security/k8s-transport-settings.md). - **Self-managed**: Transport security must be manually configured following the steps in [Set up basic security](set-up-basic-security.md). ## HTTP layer security diff --git a/deploy-manage/security/secure-hosting-environment.md b/deploy-manage/security/secure-hosting-environment.md index 2800715d9e..e487812b2f 100644 --- a/deploy-manage/security/secure-hosting-environment.md +++ b/deploy-manage/security/secure-hosting-environment.md 
@@ -1,21 +1,20 @@ --- applies_to: - deployment: all - serverless: ga + deployment: + ece: all + eck: all --- # Secure your orchestrator -Whether you're running Elastic on {{ecloud}} or using an {{ece}} or {{eck}} orchestrator, it is critical that you secure the layer responsible for deploying and hosting your Elastic products. +When running {{stack}} applications on {{ece}} or {{eck}}, it is critical to secure the orchestration layer responsible for deploying and managing your Elastic products. This section covers security measures specific to: -- [{{ecloud}}](secure-your-elastic-cloud-organization.md) - [{{ece}}](secure-your-elastic-cloud-enterprise-installation.md) - [{{eck}}](secure-your-eck-installation.md) :::{note} -There is no orchestration layer for self-managed installations, but you can find a summary of your security options in [](manually-configure-security-in-self-managed-cluster.md). +* For security features at deployment level, refer to [](./secure-your-cluster-deployment.md). +* For details on security mechanisms applied by default in Elastic Cloud SaaS platform, refer to [](../security.md#managed-security-in-elastic-cloud). ::: - -Learn how to manage security certificates, configure TLS versions, and implement additional security controls at the environment level. diff --git a/deploy-manage/security/secure-http-communications.md b/deploy-manage/security/secure-http-communications.md index 6ee868784b..76831407d7 100644 --- a/deploy-manage/security/secure-http-communications.md +++ b/deploy-manage/security/secure-http-communications.md 
@@ -228,7 +228,7 @@ deployment: ``` :::{note} -This section only covers TLS certificates for the HTTP layer. TLS certificates for the transport layer that are used for internal communications between Elasticsearch nodes are managed by ECK and cannot be changed. You can however set your own certificate authority for the [transport layer](/deploy-manage/deploy/cloud-on-k8s/transport-settings.md#k8s-transport-ca). +This section only covers TLS certificates for the HTTP layer. TLS certificates for the transport layer that are used for internal communications between Elasticsearch nodes are managed by ECK and cannot be changed. You can however set your own certificate authority for the [transport layer](/deploy-manage/security/k8s-transport-settings.md#k8s-transport-ca). ::: By default, the operator manages a self-signed certificate with a custom CA for each resource. The CA, the certificate and the private key are each stored in a separate `Secret`. diff --git a/deploy-manage/security/secure-settings.md b/deploy-manage/security/secure-settings.md index f2ca264cb7..11e3e28def 100644 --- a/deploy-manage/security/secure-settings.md +++ b/deploy-manage/security/secure-settings.md @@ -10,7 +10,6 @@ mapped_urls: - https://www.elastic.co/guide/en/cloud-enterprise/current/ece-restful-api-examples-configuring-keystore.html - https://www.elastic.co/guide/en/cloud/current/ec-configuring-keystore.html - https://www.elastic.co/guide/en/cloud-heroku/current/ech-configuring-keystore.html - - https://www.elastic.co/guide/en/cloud-on-k8s/current/k8s-es-secure-settings.html - https://www.elastic.co/guide/en/elasticsearch/reference/current/secure-settings.html - https://www.elastic.co/guide/en/kibana/current/secure-settings.html --- 
@@ -29,7 +28,7 @@ Some settings are sensitive, and relying on filesystem permissions to protect th - [The {{es}} keystore](secure-settings.md#the-es-keystore) and the [`elasticsearch-keystore` tool](elasticsearch://reference/elasticsearch/command-line-tools/elasticsearch-keystore.md) to manage {{es}} settings. - [The {{kib}} keystore](secure-settings.md#the-kib-keystore) and the `kibana-keystore` tool to manage {{kib}} settings. -- [Kubernetes secrets](secure-settings.md#kubernetes-secrets), if you are using {{eck}}. +- [Kubernetes secrets](k8s-secure-settings.md), if you are using {{eck}}. :::{important} @@ -356,7 +355,6 @@ To change the password of the keystore, use the `passwd` command: bin/kibana-keystore passwd ``` - ### Has password [has-password] To check if the keystore is password protected, use the `has-passwd` command. An exit code of 0 will be returned if the keystore is password protected, and the command will fail otherwise. 
@@ -365,130 +363,3 @@ To check if the keystore is password protected, use the `has-passwd` command. An bin/kibana-keystore has-passwd ``` -## Kubernetes secrets -```{applies_to} -deployment: - eck: ga -``` - -You can specify [secure settings](/deploy-manage/security/secure-settings.md) with [Kubernetes secrets](https://kubernetes.io/docs/concepts/configuration/secret/). The secrets should contain a key-value pair for each secure setting you want to add. ECK automatically injects these settings into the keystore on each {{es}} node before it starts {{es}}. The ECK operator continues to watch the secrets for changes and will update the {{es}} keystore when it detects a change. - -### Basic usage [k8s_basic_usage] - -It is possible to reference several secrets: - -```yaml -spec: - secureSettings: - - secretName: one-secure-settings-secret - - secretName: two-secure-settings-secret -``` - -For the following secret, a `gcs.client.default.credentials_file` key will be created in {{es}}’s keystore with the provided value: - -```yaml -apiVersion: v1 -kind: Secret -metadata: - name: one-secure-settings-secret -type: Opaque -stringData: - gcs.client.default.credentials_file: | - { - "type": "service_account", - "project_id": "your-project-id", - "private_key_id": "...", - "private_key": "-----BEGIN PRIVATE KEY-----\n...\n-----END PRIVATE KEY-----\n", - "client_email": "service-account-for-your-repository@your-project-id.iam.gserviceaccount.com", - "client_id": "...", - "auth_uri": "https://accounts.google.com/o/oauth2/auth", - "token_uri": "https://accounts.google.com/o/oauth2/token", - "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs", - "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/your-bucket@your-project-id.iam.gserviceaccount.com" - } -``` - -::::{tip} -Note that by default [Kubernetes secrets](https://kubernetes.io/docs/concepts/configuration/secret/) are expecting the value to be base64 encoded unless under a 
`stringData` field. -:::: - - - -### Projection of secret keys to specific paths [k8s_projection_of_secret_keys_to_specific_paths] - -You can export a subset of secret keys and also project keys to specific paths using the `entries`, `key` and `path` fields: - -```yaml -spec: - secureSettings: - - secretName: gcs-secure-settings - entries: - - key: gcs.client.default.credentials_file - - key: gcs_client_1 - path: gcs.client.client_1.credentials_file - - key: gcs_client_2 - path: gcs.client.client_2.credentials_file -``` - -For the three entries listed in the `gcs-secure-settings` secret, three keys are created in {{es}}’s keystore: - -* `gcs.client.default.credentials_file` -* `gcs.client.client_1.credentials_file` -* `gcs.client.client_2.credentials_file` - -The referenced `gcs-secure-settings` secret now looks like this: - -```yaml -apiVersion: v1 -kind: Secret -metadata: - name: gcs-secure-settings -type: Opaque -stringData: - gcs.client.default.credentials_file: | - { - "type": "service_account", - "project_id": "project-id-to-be-used-for-default-client", - "private_key_id": "private key ID for default-client", - "private_key": "-----BEGIN PRIVATE KEY-----\n...\n-----END PRIVATE KEY-----\n", - "client_email": "service-account-for-your-repository@your-project-id.iam.gserviceaccount.com", - "client_id": "client ID for the default client", - "auth_uri": "https://accounts.google.com/o/oauth2/auth", - "token_uri": "https://accounts.google.com/o/oauth2/token", - "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs", - "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/your-bucket@your-project-id.iam.gserviceaccount.com" - } - gcs_client_1: | - { - "type": "service_account", - "project_id": "project-id-to-be-used-for-gcs_client_1", - "private_key_id": "private key ID for gcs_client_1", - "private_key": "-----BEGIN PRIVATE KEY-----\n...\n-----END PRIVATE KEY-----\n", - "client_email": 
"service-account-for-your-repository@your-project-id.iam.gserviceaccount.com", - "client_id": "client ID for the gcs_client_1 client", - "auth_uri": "https://accounts.google.com/o/oauth2/auth", - "token_uri": "https://accounts.google.com/o/oauth2/token", - "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs", - "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/your-bucket@your-project-id.iam.gserviceaccount.com" - } - gcs_client_2: | - { - "type": "service_account", - "project_id": "project-id-to-be-used-for-gcs_client_2", - "private_key_id": "private key ID for gcs_client_2", - "private_key": "-----BEGIN PRIVATE KEY-----\n...\n-----END PRIVATE KEY-----\n", - "client_email": "service-account-for-your-repository@your-project-id.iam.gserviceaccount.com", - "client_id": "client ID for the gcs_client_2 client", - "auth_uri": "https://accounts.google.com/o/oauth2/auth", - "token_uri": "https://accounts.google.com/o/oauth2/token", - "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs", - "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/your-bucket@your-project-id.iam.gserviceaccount.com" - } -``` - - -### More examples [k8s_more_examples] - -Check [How to create automated snapshots](/deploy-manage/tools/snapshot-and-restore/cloud-on-k8s.md) for an example use case that illustrates how secure settings can be used to set up automated {{es}} snapshots to a GCS storage bucket. - - diff --git a/deploy-manage/security/secure-your-eck-installation.md b/deploy-manage/security/secure-your-eck-installation.md index 27d889fc93..c848c59b1d 100644 --- a/deploy-manage/security/secure-your-eck-installation.md +++ b/deploy-manage/security/secure-your-eck-installation.md 
@@ -12,7 +12,7 @@ This section covers security settings for your {{eck}} orchestrator. **Orchestrator-level security** - [Restrict cross-namespace resources associations](/deploy-manage/deploy/cloud-on-k8s/restrict-cross-namespace-resource-associations.md) -- [Isolate pods with network policies](/deploy-manage/deploy/cloud-on-k8s/network-policies.md) +- [Isolate pods with network policies](/deploy-manage/security/k8s-network-policies.md) - [Secure the metrics endpoint](/deploy-manage/monitor/orchestrators/k8s-securing-metrics-endpoint.md) Also refer to [](/deploy-manage/deploy/cloud-on-k8s/configure.md) for more information about configuring {{eck}}. diff --git a/deploy-manage/security/secure-your-elastic-cloud-enterprise-installation.md b/deploy-manage/security/secure-your-elastic-cloud-enterprise-installation.md index 33267f3fe9..85bb4fd9eb 100644 --- a/deploy-manage/security/secure-your-elastic-cloud-enterprise-installation.md +++ b/deploy-manage/security/secure-your-elastic-cloud-enterprise-installation.md @@ -7,7 +7,7 @@ mapped_pages: - https://www.elastic.co/guide/en/cloud-enterprise/current/ece-securing-considerations.html --- -# Secure your {{ece}} orchestrator [ece-securing-considerations] +# Secure your {{ece}} installation [ece-securing-considerations] This section covers security settings for your {{ece}} orchestrator. diff --git a/deploy-manage/security/secure-your-elastic-cloud-organization.md b/deploy-manage/security/secure-your-elastic-cloud-organization.md deleted file mode 100644 index 8f661e1f27..0000000000 --- a/deploy-manage/security/secure-your-elastic-cloud-organization.md +++ /dev/null 
@@ -1,37 +0,0 @@ ---- -navigation_title: "{{ecloud}}" -applies_to: - deployment: - ess: ga - serverless: ga ---- - -# Secure your {{ecloud}} organization [ec-securing-considerations] - -This section covers security settings for your {{ecloud}} organization, the platform for managing {{ech}} deployments and serverless projects. - -**Managed by Elastic** - -As a managed service, Elastic automatically handles a [number of security features](https://www.elastic.co/cloud/security#details) with no configuration required: - -- **TLS encrypted communication** is provided in the default configuration. {{es}} nodes communicate using TLS. -- **Encryption at rest**. By default, all of your {{ecloud}} resources are encrypted at rest. Note that you can choose to encrypt your {{ech}} deployments [using your own encryption key](/deploy-manage/security/encrypt-deployment-with-customer-managed-encryption-key.md). -- **Cluster isolation**. {{es}} nodes run in isolated containers, configured according to the principle of least privilege, and with restrictions on system calls and allowed root operations. - -**Additional organization-level security settings** - -To reinforce the security of your organization, consider implementing the following measures: - -- [**Organization-level SSO**](/deploy-manage/users-roles/cloud-organization/configure-saml-authentication.md). Note that for {{ech}} deployments, you can also configure SSO at the [deployment level](/deploy-manage/users-roles/cluster-or-deployment-auth.md). -- [**Cloud role-based access control**](/deploy-manage/users-roles/cloud-organization/manage-users.md): Define the roles of users who have access to your organization and its resources. Note that for {{ech}} deployments, you can also [manage non-cloud users and roles](/deploy-manage/users-roles/cluster-or-deployment-auth/defining-roles.md). 
-- [**Cloud API keys**](/deploy-manage/api-keys/elastic-cloud-api-keys.md): Manage API keys used for programmatic access to [{{ecloud}}](https://www.elastic.co/docs/api/doc/cloud/) and [{{ecloud}} serverless](https://www.elastic.co/docs/api/doc/elastic-cloud-serverless/) APIs. - - - -**Additional deployment-level security settings** - -While serverless projects are fully managed and secured by Elastic, additional security settings are available for you to configure individually for your {{ech}} deployments. Refer to [](secure-your-cluster-deployment.md) for more information. - - -In addition, multifactor authentication is mandatory for all {{ecloud}} users belonging to your organization. For more information on the available authentication methods, refer to [](/cloud-account/multifactor-authentication.md). - diff --git a/deploy-manage/security/traffic-filtering.md b/deploy-manage/security/traffic-filtering.md index b082012ee2..a14cf03fdd 100644 --- a/deploy-manage/security/traffic-filtering.md +++ b/deploy-manage/security/traffic-filtering.md @@ -1,4 +1,5 @@ --- +navigation_title: Traffic filtering applies_to: deployment: ess: ga 
@@ -12,10 +13,16 @@ mapped_urls: - https://www.elastic.co/guide/en/cloud-heroku/current/ech-traffic-filtering-deployment-configuration.html --- -# Secure network access +# Traffic filtering Traffic filtering allows you to limit how your deployments and clusters can be accessed. Add another layer of security to your installation and deployments by restricting inbound traffic to *only* the sources that you trust. +Depending on your deployment type you can use different mechanisms to restrict traffic, such as [IP filters](./ip-traffic-filtering.md), [private links](./private-link-traffic-filters.md) provided by cloud platforms, or [Kubernetes network policies](./k8s-network-policies.md). + +::::{note} +This section covers traffic filtering at the deployment level. If you need the IP addresses used by Elastic Cloud to configure them in your network firewalls, refer to [](./elastic-cloud-static-ips.md). +:::: + :::::{tab-set} :group: deployment-type diff --git a/deploy-manage/toc.yml b/deploy-manage/toc.yml index 8b8b5705ae..ae68525092 100644 --- a/deploy-manage/toc.yml +++ b/deploy-manage/toc.yml @@ -211,7 +211,6 @@ toc: children: - file: deploy/cloud-on-k8s/k8s-service-mesh-istio.md - file: deploy/cloud-on-k8s/k8s-service-mesh-linkerd.md - - file: deploy/cloud-on-k8s/network-policies.md - file: deploy/cloud-on-k8s/webhook-namespace-selectors.md - file: deploy/cloud-on-k8s/manage-deployments.md children: @@ -232,7 +231,6 @@ toc: - file: deploy/cloud-on-k8s/settings-managed-by-eck.md - file: deploy/cloud-on-k8s/custom-configuration-files-plugins.md - file: deploy/cloud-on-k8s/init-containers-for-plugin-downloads.md - - file: deploy/cloud-on-k8s/transport-settings.md - file: deploy/cloud-on-k8s/update-strategy.md - file: deploy/cloud-on-k8s/pod-disruption-budget.md - file: deploy/cloud-on-k8s/advanced-elasticsearch-node-scheduling.md 
@@ -244,7 +242,6 @@ toc: children: - file: deploy/cloud-on-k8s/k8s-kibana-es.md - file: deploy/cloud-on-k8s/k8s-kibana-advanced-configuration.md - - file: deploy/cloud-on-k8s/k8s-kibana-secure-settings.md - file: deploy/cloud-on-k8s/k8s-kibana-plugins.md - file: deploy/cloud-on-k8s/customize-pods.md - file: deploy/cloud-on-k8s/manage-compute-resources.md @@ -469,7 +466,6 @@ toc: children: - file: security/secure-hosting-environment.md children: - - file: security/secure-your-elastic-cloud-organization.md - file: security/secure-your-elastic-cloud-enterprise-installation.md children: - file: security/secure-your-elastic-cloud-enterprise-installation/manage-security-certificates.md 
@@ -477,29 +473,12 @@ toc: - file: security/secure-your-elastic-cloud-enterprise-installation/configure-tls-version.md - file: security/secure-your-elastic-cloud-enterprise-installation/migrate-ece-on-podman-hosts-to-selinux-enforce.md - file: security/secure-your-eck-installation.md - - file: security/manually-configure-security-in-self-managed-cluster.md - children: - - file: security/set-up-minimal-security.md - - file: security/set-up-basic-security.md - - file: security/set-up-basic-security-plus-https.md - - file: security/using-kibana-with-security.md - - file: security/install-stack-demo-secure.md - file: security/secure-your-cluster-deployment.md children: - - file: security/traffic-filtering.md - children: - - file: security/ip-traffic-filtering.md - children: - - file: security/ec-traffic-filtering-through-the-api.md - - file: security/ece-traffic-filtering-through-the-api.md - - file: security/aws-privatelink-traffic-filters.md - - file: security/azure-private-link-traffic-filters.md - - file: security/gcp-private-service-connect-traffic-filters.md - - file: security/claim-traffic-filter-link-id-ownership-through-api.md - - file: security/elastic-cloud-static-ips.md - file: security/secure-cluster-communications.md children: - file: security/secure-http-communications.md + - file: security/k8s-transport-settings.md - file: security/security-certificates-keys.md children: - file: security/updating-certificates.md 
@@ -508,12 +487,28 @@ toc: - file: security/different-ca.md - file: security/supported-ssltls-versions-by-jdk-version.md - file: security/enabling-cipher-suites-for-stronger-encryption.md + - file: security/traffic-filtering.md + children: + - file: security/ip-traffic-filtering.md + children: + - file: security/ec-traffic-filtering-through-the-api.md + - file: security/ece-traffic-filtering-through-the-api.md + - file: security/private-link-traffic-filters.md + children: + - file: security/aws-privatelink-traffic-filters.md + - file: security/azure-private-link-traffic-filters.md + - file: security/gcp-private-service-connect-traffic-filters.md + - file: security/claim-traffic-filter-link-id-ownership-through-api.md + - file: security/k8s-network-policies.md + - file: security/elastic-cloud-static-ips.md + - file: security/kibana-session-management.md - file: security/data-security.md children: - file: security/encrypt-deployment-with-customer-managed-encryption-key.md - - file: security/secure-settings.md - - file: security/secure-saved-objects.md - - file: security/kibana-session-management.md + - file: security/secure-settings.md + children: + - file: security/k8s-secure-settings.md + - file: security/secure-saved-objects.md - file: security/logging-configuration/security-event-audit-logging.md children: - file: security/logging-configuration/enabling-audit-logs.md 
@@ -523,6 +518,13 @@ toc: - file: security/logging-configuration/logfile-audit-output.md - file: security/logging-configuration/auditing-search-queries.md - file: security/logging-configuration/correlating-kibana-elasticsearch-audit-logs.md + - file: security/manually-configure-security-in-self-managed-cluster.md + children: + - file: security/set-up-minimal-security.md + - file: security/set-up-basic-security.md + - file: security/set-up-basic-security-plus-https.md + - file: security/using-kibana-with-security.md + - file: security/install-stack-demo-secure.md - file: security/fips-140-2.md - file: security/secure-clients-integrations.md children: From d3b36f7d6720c5e20efa8fc0e3e073dacd6691da Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Edu=20Gonz=C3=A1lez=20de=20la=20Herr=C3=A1n?= <25320357+eedugon@users.noreply.github.com> Date: Tue, 18 Mar 2025 14:39:13 +0100 Subject: [PATCH 2/4] link fix --- deploy-manage/security/secure-cluster-communications.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/deploy-manage/security/secure-cluster-communications.md b/deploy-manage/security/secure-cluster-communications.md index ed07718353..8f08921831 100644 --- a/deploy-manage/security/secure-cluster-communications.md +++ b/deploy-manage/security/secure-cluster-communications.md @@ -28,7 +28,7 @@ For {{ech}} and {{serverless-full}} deployments, communications security is full For ECE, ECK, and self-managed deployments, this page provides specific configuration guidance to secure the various communication channels between components. :::{tip} -For a complete comparison of security feature availability and responsibility by deployment type, see [Security features by deployment type](../security.md#security-features-by-deployment-type). +For a complete comparison of security feature availability and responsibility by deployment type, see [Security features by deployment type](/deploy-manage/security.md#comparison-table). ::: ## Communication channels overview 
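Review bot: the link fix in `secure-cluster-communications.md` changes the target anchor from `#security-features-by-deployment-type` to `#comparison-table`, but no hunk in this series adds an explicit `comparison-table` anchor to `deploy-manage/security.md`; confirm the comparison heading in that file carries that anchor id, or the cross-reference will break. On the `toc.yml` hunk: the `manually-configure-security-in-self-managed-cluster.md` subtree (minimal security, basic security, basic security plus HTTPS, Kibana with security, demo install) is a pure move from its earlier position to after the audit-logging section; confirm it is intended that the hands-on setup tutorials now come after all the per-feature pages rather than before them.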
From 28b1becf9f05ace602e0e82210b19fe0e1d48427 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Edu=20Gonz=C3=A1lez=20de=20la=20Herr=C3=A1n?= <25320357+eedugon@users.noreply.github.com> Date: Tue, 18 Mar 2025 19:48:19 +0100 Subject: [PATCH 3/4] Apply suggestions from code review Co-authored-by: shainaraskas <58563081+shainaraskas@users.noreply.github.com> --- .../cloud-on-k8s/elasticsearch-configuration.md | 2 +- deploy-manage/security.md | 15 ++++++--------- 2 files changed, 7 insertions(+), 10 deletions(-) diff --git a/deploy-manage/deploy/cloud-on-k8s/elasticsearch-configuration.md b/deploy-manage/deploy/cloud-on-k8s/elasticsearch-configuration.md index fdfc5d38a7..b87ab8a98b 100644 --- a/deploy-manage/deploy/cloud-on-k8s/elasticsearch-configuration.md +++ b/deploy-manage/deploy/cloud-on-k8s/elasticsearch-configuration.md @@ -22,7 +22,7 @@ Before deploying and running ECK in production, review the basic and advanced se * [Node configuration](node-configuration.md): Configure the `elasticsearch.yml` of your {{es}} nodes. * [Volume claim templates](volume-claim-templates.md): Configure storage in your {{es}} nodes. * [Virtual memory](virtual-memory.md): Methods to accomplish {{es}} virtual memory system configuration requirement. -* [Secure settings](/deploy-manage/security/secure-settings.md): Configure the {{es}} keystore through Kubernetes secrets. +* [Secure settings](/deploy-manage/security/k8s-secure-settings.md): Configure the {{es}} keystore through Kubernetes secrets. * [Settings managed by ECK](settings-managed-by-eck.md): List of {{es}} settings that you shouldn't update. * [Custom configuration files and plugins](custom-configuration-files-plugins.md): Add extra configuration files or install plugins to your {{es}} nodes. * [Init containers for plugin downloads](init-containers-for-plugin-downloads.md): Use Kubernetes init containers to install plugins before starting {{es}}. 
diff --git a/deploy-manage/security.md b/deploy-manage/security.md index 1ecc0d6cd9..508beff14b 100644 --- a/deploy-manage/security.md +++ b/deploy-manage/security.md @@ -88,7 +88,6 @@ The documentation is organized into three main areas. As part of your overall security strategy, you can also do the following: * Prevent unauthorized access with [password protection and role-based access control](/deploy-manage/users-roles.md). -* Maintain an [audit trail](/deploy-manage/security/logging-configuration/security-event-audit-logging.md) for security-related events. * Control access to dashboards and other saved objects in your UI using [Spaces](/deploy-manage/manage-spaces.md). * Connect a local cluster to a [remote cluster](/deploy-manage/remote-clusters.md) to enable [cross-cluster replication](/deploy-manage/tools/cross-cluster-replication.md) and [cross-cluster search](/solutions/search/cross-cluster-search.md). * Manage [API keys](/deploy-manage/api-keys.md) used for programmatic access to Elastic. 
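Review bot: removing the `- * Maintain an [audit trail](...)` bullet drops the only pointer to security-event audit logging from the "As part of your overall security strategy" list, while the neighbouring bullets (RBAC, Spaces, remote clusters, API keys) are kept. If audit logging now has its own entry in the three-area structure above, consider leaving a one-line pointer to it here so a reader scanning this list still sees auditing as part of the strategy; otherwise state in the PR description why it was dropped.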
@@ -107,14 +106,14 @@ serverless: all Elastic Cloud has built-in security. For example, HTTPS communications between Elastic Cloud and the internet, as well as inter-node communications, are secured automatically, and cluster data is encrypted at rest. -You can augment Elastic Cloud security features in the following ways: -* Configure [traffic filtering](./security/traffic-filtering.md) to prevent unauthorized access to your deployments. [Elastic Cloud Hosted] -* Encrypt your deployment with a [customer-managed encryption key](./security/encrypt-deployment-with-customer-managed-encryption-key.md). [Elastic Cloud Hosted] -* [Secure your settings](./security/secure-settings.md) using {{es}} and {{kib}} keystores. [Elastic Cloud Hosted] +In {{ech}}, you can augment these security features in the following ways: +* Configure [traffic filtering](./security/traffic-filtering.md) to prevent unauthorized access to your deployments. +* Encrypt your deployment with a [customer-managed encryption key](./security/encrypt-deployment-with-customer-managed-encryption-key.md). +* [Secure your settings](./security/secure-settings.md) using {{es}} and {{kib}} keystores. * Use the list of [Elastic Cloud static IPs](./security/elastic-cloud-static-ips.md) to allow or restrict communications in your infrastructure. ::::{note} -While serverless projects are fully managed and secured by Elastic, additional security settings are available for you to configure individually for your {{ech}} deployments. +Serverless projects are fully managed and secured by Elastic, and do not have any configurable security features at the project level. :::: Refer to [Elastic Cloud security](https://www.elastic.co/cloud/security) for more details about Elastic security and privacy programs. 
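Review bot: the new note `Serverless projects are fully managed and secured by Elastic, and do not have any configurable security features at the project level.` is an absolute claim that will go stale the moment any project-level security setting ships; consider scoping it to this page, for example "the security settings described on this page are not configurable for serverless projects". Scoping the whole list with `In {{ech}}, ...` and dropping the per-bullet `[Elastic Cloud Hosted]` tags is a clean simplification and is consistent with the later hunk that removes `serverless: all` from the static IP ranges block.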
@@ -172,10 +171,8 @@ deployment: ### Allow or deny Elastic Cloud IP ranges ```yaml {applies_to} -serverless: all deployment: ess: all -``` Elastic Cloud publishes a list of IP addresses used by its services for both incoming and outgoing traffic. Users can use these lists to configure their network firewalls as needed to allow or restrict traffic related to Elastic Cloud services. @@ -208,7 +205,7 @@ If you’re using Elastic Cloud Hosted, then you can reinforce this mechanism by ::::{note} Other deployment types don’t implement encryption at rest out of the box. For self-managed clusters, to implement encryption at rest, the hosts running the cluster must be configured with disk-level encryption, such as `dm-crypt`. In addition, snapshot targets must ensure that data is encrypted at rest as well. -Configuring `dm-crypt` or similar technologies is outside the scope of this document, and issues related to disk encryption are outside the scope of support. +Configuring `dm-crypt` or similar technologies is outside the scope of this documentation, and issues related to disk encryption are outside the scope of support. :::: ### Secure your settings From 08475ea4c4bac4834079cda5edcbd11c566a373d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Edu=20Gonz=C3=A1lez=20de=20la=20Herr=C3=A1n?= <25320357+eedugon@users.noreply.github.com> Date: Tue, 18 Mar 2025 21:02:53 +0100 Subject: [PATCH 4/4] fixed applied --- deploy-manage/security.md | 1 + 1 file changed, 1 insertion(+) diff --git a/deploy-manage/security.md b/deploy-manage/security.md index 508beff14b..c59751b3c6 100644 --- a/deploy-manage/security.md +++ b/deploy-manage/security.md @@ -173,6 +173,7 @@ deployment: ```yaml {applies_to} deployment: ess: all +``` Elastic Cloud publishes a list of IP addresses used by its services for both incoming and outgoing traffic. Users can use these lists to configure their network firewalls as needed to allow or restrict traffic related to Elastic Cloud services.
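Review bot: in the `@@ -172,10 +171,8 @@` hunk of PATCH 3, the removal of `serverless: all` also deletes the closing ```` ``` ```` line of the `yaml {applies_to}` block (the header's 10 to 8 line count confirms two lines were dropped), which leaves the fence unterminated and renders the following prose as code; PATCH 4 ("fixed applied") re-adds the fence as a one-line follow-up. Squash PATCH 4 into PATCH 3, or fix the fence in PATCH 3 itself, so no intermediate commit in the series has a broken code block. The wording change from "this document" to "this documentation" in the `dm-crypt` note is fine.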