The first step in securing your cluster is to ensure that your app accesses it over SSL. While it is possible to access your cluster over plain HTTP, it is highly recommended that SSL be used instead. Both the HTTP and HTTPS URLs are listed on the cluster’s overview page; be sure to pick the secure option. Note that if your cluster’s URL is ever leaked, others will be able to access the cluster, so keep this URL safe!
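One way an app can enforce both points above, as an added example that is not part of the original page: refuse a non-HTTPS cluster URL at startup, and scrub the URL from log output, a common place for it to leak. The environment variable name `ES_CLUSTER_URL`, the class and function names, and the sample URL are assumptions made for illustration.

```python
import logging
import os
from urllib.parse import urlsplit


class InsecureClusterURL(ValueError):
    """The configured cluster URL is missing or is not HTTPS."""


def load_cluster_url(env=os.environ, var="ES_CLUSTER_URL"):
    """Read the cluster URL from the environment and refuse plain HTTP."""
    raw = env.get(var, "").strip()
    parts = urlsplit(raw)
    if parts.scheme.lower() != "https" or not parts.hostname:
        # The rejected value is deliberately left out of the error text,
        # so a misconfigured URL does not end up in a traceback or log.
        raise InsecureClusterURL(f"{var} must be set to an https:// URL")
    return raw


class ClusterURLFilter(logging.Filter):
    """Scrub the cluster URL, its netloc and its bare host from log records."""

    def __init__(self, url):
        super().__init__()
        parts = urlsplit(url)
        # netloc covers user:pass@host:port if credentials are embedded.
        # Longest string first, so the full URL is replaced in one piece.
        self._secrets = sorted(
            {url.rstrip("/"), parts.netloc, parts.hostname},
            key=len, reverse=True)

    def filter(self, record):
        msg = record.getMessage()  # message with its %-arguments applied
        for secret in self._secrets:
            msg = msg.replace(secret, "<cluster-url-redacted>")
        record.msg, record.args = msg, None
        return True


if __name__ == "__main__":
    # Constructed sample value, not a real cluster.
    sample = {"ES_CLUSTER_URL": "https://user:pw@abc123.example.com:9243"}
    url = load_cluster_url(sample)
    handler = logging.StreamHandler()
    handler.addFilter(ClusterURLFilter(url))
    log = logging.getLogger("app")
    log.addHandler(handler)
    log.error("search against %s/_search timed out", url)
```

Attach the filter to each handler rather than to a single logger, so that records propagated from library loggers are scrubbed as well.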
For Elasticsearch clusters before version 5.0, don’t forget to enable Shield.
For a more detailed overview of security settings you must consider before you run Elasticsearch in production, read Securing Your Elasticsearch Cluster.