Elastic Cloud Hosted release notes

Review the changes, fixes, and more in each release of Elastic Cloud Hosted.

• Added xpack.securitySolution.disableEndpointRuleAutoInstall to the Kibana settings allowlist.Allow users of Elastic Cloud environments to configure Security Solution setting xpack.securitySolution.disableEndpointRuleAutoInstall
• Added missing banner-related Kibana settings to the settings allowlist.This PR introduces the following settings: xpack.banners.disableSpaceBanners (>= 7.13.0) and xpack.banners.linkColor (>= 9.1.0).
• Optimized /v1/prices/search endpoint performance with database indexing.
• Added cluster_id to the /cloud_resources billing API endpoint.
• Fixed organization_name to return as a non-optional string in the GET memberships API.
• Added preconfigured Anthropic Claude Opus 4.6 AI connector in Elastic Cloud Hosted.

• Fixed resource cleanup when the underlying S3 bucket has already been deleted.
• Fixed the ONLY_IMAGE_CHANGE_ALLOWED restriction that was incorrectly blocking plan changes.
• Fixed Enterprise Search to properly mount the tmp directory to the host.
• Fixed set-maintenance operation to gracefully handle missing instances instead of failing.
• Fixed stack version ordering to correctly sort build candidate and other tags after SNAPSHOT.
• Fixed enrich.cache_size Elasticsearch setting to accept memory sizes and percentages in addition to plain numbers.
• Fixed safety quota enforcement when 100% of quota is in use.
• Fixed default SHELL_MEMORY_OPTIONS configuration to prevent memory-related issues.
• Fixed deallocation to properly handle deleted instance nodes, preventing ghost instances.
• Added safe start mechanism for leader latch to prevent startup race conditions.

• Upgraded logback to version 1.5.19 to address CVE-2025-11226.

• Cost alerting now supports cloud_resource scope, enabling more granular cost monitoring.
• Added marketplace_events IAM role for EventBridge integration.
• Improved force move and upscale operations for foundation infrastructure.
• Added new preconfigured AI connectors in Elastic Cloud Hosted.
• Added organization_id to the /api/v2/billing/organizations API response.Adding organization_id to /api/v2/billing/organizations response. Since we are returning a list of orgs for this APis, we need organization_id to be displayed in the UI.
• Added hideAnnouncements and hideFeedback Kibana settings to the settings allowlist.This PR introduces the following settings: uiSettings.globalOverrides.hideAnnouncements and uiSettings.globalOverrides.hideFeedback.
• Billing API now includes the Kibana URL in responses.
• Added support for marketplace-to-direct domain change in billing.

• Fixed deallocation failure when deployment ID is missing.
• Fixed billing events lock flag not being set for events from the legacy billing-events index.
• Added retry logic for data tier migration to handle eventual consistency when stopping ILM.
• Fixed cluster deletion to also clean up the locksPath directory, preventing orphaned lock files.
• Fixed BYOK deallocation to properly lock encrypted directories even when BYOK settings cannot be verified.
• Fixed ControlPlaneSettingsProvider to use the correct regional feature manager.
• Improved BYOK (Bring Your Own Key) deallocation handling when BYOK settings are unavailable.
• Fixed subscription level updates to no longer fail when clusters are missing in ZooKeeper.
• Fixed AWS bucket management to ensure bucket users are properly deleted during cleanup.

• New GET /v1/billing/organization/{organization_id}/cloud_resources API endpoint for retrieving organization cloud resources.
• Added new csv.maxRows configuration option for Kibana reporting.
• Backported configurable upgrader timeout for Docker stop operations to older milestone.
• Budget and Alert IDs are now required fields in the billing API for consistency.
• Added proper v1/billing prefix to budget API endpoints.
• Renamed preconfigured AI connectors in Elastic Cloud Hosted for clarity.
• Updated Beats to version 8.19.8.
• Updated IAM commons library with lz4 compression improvements.
• Added support for fleet.fleetPolicyRevisionsCleanup Kibana configuration setting.
• Added new preconfigured AI connectors and updated existing ones in Elastic Cloud Hosted.

• Fixed shutdown records not being properly cleaned up after data migration and at plan completion.
• Fixed an issue where reported resource usage was significantly higher than actual usage.
• Fixed traffic-filter authentication by properly injecting app auth tokens for Admin Console to Elasticsearch requests.

• Security upgrade of pypdf library to address vulnerabilities.

• Added new security settings for cross-cluster API keys.
• New /v1/organization/{organization_id}/budgets API endpoint for managing cost budgets.
• Introduced billing budgets resource with new permissions for cost management.
• Added support for application_roles in organization role assignments, enabling more granular role-based access control.Specifying custom application roles for organization-level role assignments is now possible via the role assignments API.
• Kibana instances can now configure csp.object_src for Content Security Policy customization.
• Upgraded pip in FIPS-compliant container images.
• Ensured FIPS-compliant images are used for services running in GovCloud environments.

• Fixed an issue where the force_move parameter in plan configuration was not taking precedence over automatically chosen values.This PR solves a bug related to the force_move parameter. Even if the parameter was specifically set to false by the user in the API request inside the plan_configuration, the provided value was discarded in favor of the value proposed by the TransientConfigurationDecider.
• Added support for attribute_delimiters.group SAML property in the validation schema, fixing SAML group attribute configuration.

• Enables AWS PrivateLink cross-region support. AWS now supports cross-region PrivateLink, so that your Elastic Cloud deployment can be in a different region than the PrivateLink endpoints or the clients that consume the deployment endpoints. Refer to Setting up a cross-region PrivateLink connection to learn more.

• Updates API to record cluster logs on integration test failure. The Elastic Cloud API now supports downloading cluster logs for all cluster types and not just Elasticsearch clusters.

• Introduces verification for role mapping configurations as part of Elastic Cloud SAML SSO setup. Any organization owner role mapping must be verified before saving the configuration to ensure users retain appropriate access after logging in with SAML SSO. You can also use the emulated SAML SSO login flow to test and verify other role mappings to help with the configuration process.

Reports snapshot estimates using the organization ID. To better track snapshot storage costs in multi-user organizations, estimates now rely on the organization ID rather than the user ID.

• Updates the Help popover. A Getting started option is now available in the popover while the Cloud support page was removed in favor of https://support.elastic.co.

• Adds configuration for share.url_expiration.*. Adds the share.url_expiration.enabled, share.url_expiration.duration, share.url_expiration.check_interval, and share.url_expiration.url_limit configuration options for controlling how unused URLs are cleaned up.

• Renames AI4SOC to Elastic AI SOC Engine. The AI for SOC tier was renamed to Elastic AI SOC Engine (EASE).

• Adds missing trace context to /users/auth/methods. To enhance APM traces, a missing trace context was added.

• Change to default endpoint alias behavior. New deployments that don’t specify an endpoint alias now get a default alias based on the deployment name plus a short random ID (for example, my-deployment-abc123). This prevents conflicts when multiple deployments share the same name. It is still possible to define a custom endpoint alias explicitly, but the value must be unique.

• Adds the ability to proxy integrations server instances. Traffic filter tokens for Kibana are generated to configure agentless in supported versions.

• Improves IAM endpoints consistency. Aligning the SaasUsersRoutes and SaasUserRoutes specifications reduces discrepancies in transaction naming.

• Adds endpoints to manage role mappings individually. Roles can now be added, updated, and deleted individually. To delete multiple role mappings simultaneously, specify the roles you want to delete in a comma separated list in the path, for example DELETE /organizations/{orgid}/role_mappings/role1,role2,role3.

• Adds missing tail-based sampling (TBS) configuration. apm-server.sampling.tail.storage_limit and apm-server.sampling.tail.discard_on_write_failure are now included in the Elastic APM TBS configuration.

• Makes Organization IdP routes public. Organization IdP routes are now public in the OpenAPI specifications.

• Changes to network security features. Network security allows you to control how your deployments can be accessed.
  • Features related to network security have been renamed for clarity:
    • Traffic filtering is now referred to as network security.
    • Traffic filtering rule sets are now referred to as network security policies.
    • IP traffic filters are now referred to as IP filters.
    • Private link traffic filters are now referred to as private connection policies, and connections over private link are referred to as private connectivity.
  • Additional options have been added to allow you to easily review and manage policies and protected resources.

• Restricts self-service subscription level changes to admin users. This update disables self-service for subscription level changes in FedRAMP High environments.

• Response alternative types are now added to the Swagger definition. When you define an endpoint using an endpoint specification, you might need to map different types of responses it can return. Swagger generation considers only the primary return types and request bodies defined in the endpoint specification and doesn't account for these alternative response types. This change modifies the endpoint specification so that response alternative types are now appended to the model classes list referenced by the Swagger generator.

• Navigation updates:

  • Monitoring in the Deployment navigation now combines the previously separate Health and Monitoring items, for better structure. Select Monitoring to go to the health status overview page.

  • Access & Security, Extensions, Organization, and Billing have been grouped together in the lower part on the navigation, with Access & Security expanded by default for easier access, and added icons for each item to aid visual distinction and recognition.

• Route name added to request logs. Log entries now include the route name as a separate attribute. This attribute reflects the name of the endpoint that handled the request, making it easier to troubleshoot when building dashboards.

• Compare claimed domains in a case-insensitive way. When comparing claimed domains for Single Sign-on (SSO) the check is no longer case sensitive.

• AutoOps expanded availability. AutoOps is now available to Elastic Cloud Hosted users in all AWS regions. Check AutoOps regions.

• Update the override message The "Override all safety checks" warning message has been expanded for greater clarity.

• Return the invalid characters in the error message The error response now includes the offending characters when a role mapping contains them.

• Surface role mapping syntax errors Improved validation and error handling around role mapping rules

• AutoOps expanded availability. AutoOps is now available to Elastic Cloud Hosted users in additional AWS regions. Check AutoOps regions.

• Supports 8.16 for logs shipping. Support 8.16 for discover link redirection in logs shipping.

• Removes Enterprise Search from deployment page. Hides the Enterprise Search link in version 9.

• Adds support for dots in the role mappings. Dots (.) can be used as part of the role mappings and the groups that are returned by the custom IdPs to match to.

• Displays error when users try to login, are MFA required but have to active factor. Users that have SMS only as a multifactor authentication method won't be able to use it.

• Enables AccountForMemoryUsageByLaunchScripts in production. Slight tweak of memory settings to improve stability for the smallest containers.

• SLO: Use groupBy * instead of empty string. Fixes SLO groupBy.

• Fetches fresh allocator data. Fetches fresh allocator data every time the instance size override modal is opened to ensure updated data.

• Max and min validation of sizes in instance configuration should be diferent for storage size. Fixes a bug where the discrete sizes for an instance configuration using storage as the sizing unit were validated against the limits set for memory. This is now changed to reflect the storage multiplier in use for the instance configuration.

• Fixes cached errors in upgrade modal. Suppresses a warning error when we try to upgrade to another version.

• Upgrades Beats version. Upgrades metricbeat and filebeat for allocator-metricbeat and beats-runner to version 8.17.2.

• Fixes an issue with beats-runner 8.17.0 image. The beats-runner 8.17.0 image could not properly start up beats services due to improper command-line flags.

• Upcoming removal of SMS multifactor authentication method. In October, we made multifactor authentication mandatory for all users. As an additional security measure, the SMS MFA method will be removed in April. If you’re still using SMS, you will be prompted to set up a more secure MFA method, and your registered SMS MFA devices will be automatically deleted from Elastic Cloud.

• Fixes an issue for indices with blocks literally set as null instead of false. If an index is created with the literal null value rather than false for a block in its settings, then that is what Elasticsearch returns even if it should be interpreted as false. With this fix, Elasticsearch Service now properly maps this to false.
• Disables prompt=login and sign out of Okta before initiating SSO. Fixes an issue when using organization SAML SSO where users are required to re-authenticate with the external IdP due to ForceAuthn=true being sent in SAML requests. SAML requests will now send ForceAuthn=false.

• Updates EOL banner. Updates the informational banner about the deprecation of Enterprise Search.
• For Fleet, Allows the configuration of xpack.fleet.enableManagedLogsAndMetricsDataviews. Adds the xpack.fleet.enableManagedLogsAndMetricsDataviews setting to configure the automatic creation of global dataviews logs-* and metrics-*. (issue: #202807)
• AutoOps expanded availability. AutoOps is now available to Elastic Cloud Hosted users in additional AWS regions: Oregon (us-west-2), Ireland (eu-west-1), and Singapore (ap-southeast-1). AutoOps will continue to be deployed to other AWS regions in the coming weeks. To track AutoOps availability, check AutoOps regions.
• Template Optimizer. AutoOps now examines both new and updated templates, identifying specific fields that can be optimized for better performance.
• New Deployment Performance Metrics Charts. AutoOps provides aggregate metrics at the cluster level for key performance indicators. The data is tier-based, offering users a comprehensive understanding of each tier and the entire cluster.
• Passthrough hosted otel bound firehose requests. Passthrough hotel bound firehose requests and avoid processing by the proxy’s firehose middleware.
• Deprecate Cloud Defend billing alerts. Following the deprecation of Cloud Defend in Serverless, removes the billing logic associated with the feature.
• AutoOps shards view improvements. Improved navigation include a new time slider, ability to filter nodes by tier, and revised color schema.
• AutoOps feedback button. A new feedback button has been introduced, allowing users to easily share their thoughts and suggest ideas for improvement.

• Add the field dry_run to the rest of stateless components. Adds the field dry_run to stateless components in the response of the endpoint GET api/v1/deployments/{DEPLOYMENT_ID}. Also removes a check in the UI that is no longer required.
• Bulk item level failures are treated as successfully delivered. Check the response body for bulk item level failures even when the HTTP request returns 200 from Elasticsearch. (issue: #11768)