Connectors security

edit

This document describes security considerations for managed connectors and self-managed connectors.

Elastic Cloud deployments have strong security defaults. For example, data is encrypted by default, whether at rest or in transit.

Self-managed deployments require more upfront work to ensure strong security. Refer to Secure the Elastic Stack in the Elasticsearch documentation for more information.

Access to credentials

edit

Credentials for the data source — such as API keys or username/password pair— are stored in your deployment’s .elastic-connectors Elasticsearch index. Therefore, the credentials are visible to all Elastic users with the read indices privilege for that index. By default, the following Elastic users have this privilege: the elastic superuser and the kibana_system user. Enterprise Search service account tokens can also read the .elastic-connectors index.

Access to internally stored API keys

edit

API keys for Elastic managed connectors are stored in the internal system index .connector-secrets. Access to this index is restricted to authorized API calls only. The cluster privilege write_connector_secrets is required to store or update secrets through the API. Only the Enterprise Search instance has permission to read from this index.

Document-level security
edit

Document-level security is available for a subset of connectors. DLS is available by default for the following connectors:

Learn more about this feature in Document level security, including availability and prerequisites.

Access to documents

edit

Data synced from your data source are stored as documents in the Elasticsearch index you created. This data is visible to all Elastic users with the read indices privilege for that index. Be careful to ensure that access to this index is at least as restrictive as access to the original data source.

Encryption

edit

Elastic Cloud automatically encrypts data at rest. Data in transit is automatically encrypted using https.

Self-managed deployments must implement encryption at rest. See Configure security for the Elastic Stack in the Elasticsearch documentation for more information.