diff --git a/website/content/docs/agent/config/config-files.mdx b/website/content/docs/agent/config/config-files.mdx index e371497e388c..e61774aec103 100644 --- a/website/content/docs/agent/config/config-files.mdx +++ b/website/content/docs/agent/config/config-files.mdx @@ -447,6 +447,10 @@ Refer to the [formatting specification](https://golang.org/pkg/time/#ParseDurati - `data_dir` Equivalent to the [`-data-dir` command-line flag](/consul/docs/agent/config/cli-flags#_data_dir). +- `default_intention_policy` Controls how service-to-service traffic is authorized + in the absence of specific intentions. + Can be set to `allow`, `deny`, or left empty to default to [`acl.default_policy`](#acl_default_policy). + - `disable_anonymous_signature` Disables providing an anonymous signature for de-duplication with the update check. See [`disable_update_check`](#disable_update_check). diff --git a/website/content/docs/connect/security.mdx b/website/content/docs/connect/security.mdx index 42ce8d0d1e49..1889f57406d8 100644 --- a/website/content/docs/connect/security.mdx +++ b/website/content/docs/connect/security.mdx @@ -26,12 +26,20 @@ of Consul. ## Checklist +### Default Intention Policy Set + +Consul should be configured with a default deny intention policy. This forces +all service-to-service communication to be explicitly +allowed via an allow [intention](/consul/docs/connect/intentions). + +In the absence of `default_intention_policy` Consul will fall back to the ACL +default policy when determining whether to allow or deny communications without +an explicit intention. + ### ACLs Enabled with Default Deny Consul must be configured to use ACLs with a default deny policy. This forces -all requests to have explicit anonymous access or provide an ACL token. The -configuration also forces all service-to-service communication to be explicitly -allowed via an allow [intention](/consul/docs/connect/intentions). +all requests to have explicit anonymous access or provide an ACL token. To learn how to enable ACLs, please see the [tutorial on ACLs](/consul/tutorials/security/access-control-setup-production). @@ -100,7 +108,7 @@ will not be encrypted or authorized via service mesh. Envoy exposes an **unauthenticated** [administration interface](https://www.envoyproxy.io/docs/envoy/latest/operations/admin) -that can be used to query and modify the proxy. This interface +that can be used to query and modify the proxy. This interface allows potentially sensitive information to be retrieved, such as: * Envoy configuration