Securing your deployment

The security of Elasticsearch Service is described on the Elastic Cloud security page. In addition to the security provided by Elastic Cloud, you can take the following steps to secure your deployments:

Prevent unauthorized access with password protection and role-based access control:
- Reset the elastic user password.
- Use third-party authentication providers and services like SAML, OpenID Connect, or Kerberos to provide dynamic role mappings for role based or attribute based access control.
- Use Kibana Spaces and roles to secure access to Kibana.
- Authorize and authenticate service accounts for Beats by granting access using API keys.
- Roles can provide full, or read only, access to your data and can be created in Kibana or directly in Elasticsearch. Check defining roles for full details.

Block unwanted traffic with traffic filter.
Secure your settings with the Elasticsearch keystore.

In addition, we also enable encryption at rest (EAR) by default. Elasticsearch Service supports EAR for both the data stored in your clusters and the snapshots we take for backup, on all cloud platforms and across all regions.

Should I use organization-level or deployment-level SSO?

edit

You can also integrate SAML SSO at the organization level. The option that you choose depends on your requirements:

Consideration	Organization-level	Deployment-level
Management experience	Manage authentication and role mapping centrally for all deployments in the organization	Configure SSO for each deployment individually
Authentication protocols	SAML only	Multiple protocols, including LDAP, OIDC, and SAML
Role mapping	Organization-level roles and instance access roles, Serverless project custom roles	Built-in and custom stack-level roles
User experience	Users interact with Cloud	Users interact with the deployment directly

If you want to avoid exposing users to the Elastic Cloud UI, or have users who only interact with some deployments, then you might prefer users to interact with your deployment directly.

In some circumstances, you might want to use both organization-level and deployment-level SSO. For example, if you have a data analyst who interacts only with data in specific deployments, then you might want to configure deployment-level SSO for them. If you manage multiple tenants in a single organization, then you might want to configure organization-level SSO to administer deployments, and deployment-level SSO for the users who are using each deployment.

« Technical FAQ Reset the elastic user password »