Secure the Elastic Stack
The Elastic Stack is made up of many moving parts. There are the Elasticsearch nodes that form the cluster, plus Logstash instances, Kibana instances, Beats agents, and clients all communicating with the cluster. To keep your cluster safe, adhere to the Elasticsearch security principles.
The first principle is to run Elasticsearch with security enabled. Configuring security can be complicated, so we made it easy to start the Elastic Stack with security enabled by default. Just start Elasticsearch to enable and configure the Elastic Stack security features. You can then connect a Kibana instance to your secured Elasticsearch cluster and enroll additional nodes. You’ll have password protection, internode communication secured with Transport Layer Security (TLS), and encrypted connections between Elasticsearch and Kibana.
If you prefer to manage security on your own, you can manually configure security to secure Elasticsearch clusters and any clients that communicate with your clusters. You can also implement additional security measures, such as role-based access control, IP filtering, and auditing.
Enabling security protects Elasticsearch clusters by:
- Preventing unauthorized access with password protection, role-based access control, and IP filtering.
- Preserving the integrity of your data with SSL/TLS encryption.
- Maintaining an audit trail so you know who’s doing what to your cluster and the data it stores.
If you plan to run Elasticsearch in a Federal Information Processing Standard (FIPS) 140-2 enabled JVM, see FIPS 140-2.
Preventing unauthorized access
To prevent unauthorized access to your Elasticsearch cluster, you need a way to authenticate users in order to validate that a user is who they claim to be. For example, making sure that only the person named Kelsey Andorra can sign in as the user kandorra. The Elasticsearch security features provide a standalone authentication mechanism that enables you to quickly password-protect your cluster.
If you’re already using LDAP, Active Directory, or PKI to manage users in your organization, the security features integrate with those systems to perform user authentication.
In many cases, authenticating users isn’t enough. You also need a way to control what data users can access and what tasks they can perform. By enabling the Elasticsearch security features, you can authorize users by assigning access privileges to roles and assigning those roles to users. Using this role-based access control mechanism (RBAC), you can limit the user kandorra to only perform read operations on the events index and restrict access to all other indices.
The security features also enable you to restrict the nodes and clients that can connect to the cluster based on IP filters. You can block and allow specific IP addresses, subnets, or DNS domains to control network-level access to a cluster.
See User authentication and User authorization.
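The kandorra example above, worked through as an added illustration (not part of the Elastic documentation): the two security API requests that create a read-only role and assign it to the user, plus a simplified model of how index privileges resolve. The role name events_reader and the password placeholder are our choices; is_allowed is a teaching model of deny-by-default resolution, not Elasticsearch's authorization engine.

```python
import fnmatch
import json

# Constructed role: read-only on the 'events' index and nothing else.
EVENTS_READER_ROLE = {
    "indices": [{"names": ["events"], "privileges": ["read"]}]
}

# Constructed user record for kandorra; the password is a placeholder, not a real credential.
KANDORRA_USER = {
    "password": "REPLACE-WITH-GENERATED-PASSWORD",
    "roles": ["events_reader"],
    "full_name": "Kelsey Andorra",
}


def security_api_requests(role_name, role, username, user):
    """Return (method, path, body) tuples for the Elasticsearch security API calls
    that create the role first and then the user who is assigned it."""
    return [
        ("PUT", f"/_security/role/{role_name}", json.dumps(role)),
        ("POST", f"/_security/user/{username}", json.dumps(user)),
    ]


def is_allowed(roles, user_roles, index, privilege):
    """Simplified model of index-privilege resolution (not Elasticsearch's engine):
    a request is allowed only if some role held by the user lists an index pattern
    matching the target index and that pattern carries the requested privilege.
    Roles are additive; anything not explicitly granted is denied."""
    for role_name in user_roles:
        for entry in roles.get(role_name, {}).get("indices", []):
            pattern_hit = any(fnmatch.fnmatchcase(index, p) for p in entry["names"])
            if pattern_hit and privilege in entry["privileges"]:
                return True
    return False


if __name__ == "__main__":
    roles = {"events_reader": EVENTS_READER_ROLE}
    reqs = security_api_requests("events_reader", EVENTS_READER_ROLE, "kandorra", KANDORRA_USER)
    for method, path, body in reqs:
        print(f"{method} {path}\n{body}\n")
    for index, priv in [("events", "read"), ("events", "write"), ("audit-2024", "read")]:
        verdict = "allow" if is_allowed(roles, ["events_reader"], index, priv) else "deny"
        print(f"kandorra {priv} on {index} -> {verdict}")
```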
Preserving data integrity and confidentiality
A critical part of security is keeping confidential data secured. Elasticsearch has built-in protections against accidental data loss and corruption. However, there’s nothing to stop deliberate tampering or data interception. The Elastic Stack security features use TLS to preserve the integrity of your data against tampering, while also providing confidentiality by encrypting communications to, from, and within the cluster. For even greater protection, you can increase the encryption strength.
See Configure security for the Elastic Stack.
Maintaining an audit trail
Keeping a system secure takes vigilance. By using Elastic Stack security features to maintain an audit trail, you can easily see who is accessing your cluster and what they’re doing. You can configure the audit level, which determines the types of events that are logged. These events include failed authentication attempts, user access denied, node connection denied, and more. By analyzing access patterns and failed attempts to access your cluster, you can gain insights into attempted attacks and data breaches. Keeping an auditable log of the activity in your cluster can also help diagnose operational issues.
See Enable audit logging.