Securing your deployment

Elasticsearch Service supports most of the security features that are part of the Elastic Stack. These features are designed to:

  • Prevent unauthorized access with password protection and role-based access control.
  • Preserve the integrity of your data with message authentication and SSL/TLS encryption.

Elasticsearch Service handles the installation of the security features for you, both for new deployments you create and for deployments that you upgrade. Which exact set of security features you use depends on the version of your Elasticsearch cluster.

In Elasticsearch version 5.0 and later, the security features to keep your Elasticsearch clusters safe are part of X-Pack. If you create a cluster on Elasticsearch 5.0 or later, the X-Pack security features are always enabled, and there is no additional enablement step. With the move to X-Pack, the biggest changes to security features for the Elastic Stack include the names of the security configuration options, TLS/SSL configuration, and how roles are defined. A few privileges have also been removed. You work with users and roles in the Kibana Management app, accessible from the Security page in the Elasticsearch Service Console. Two users are always created with new version 5.x clusters in Elasticsearch Service: the elastic superuser and the anonymous user. If you upgrade a cluster to version 5.x, the users defined in your Shield configuration are also preserved.

For Elasticsearch versions before 5.0, the Shield plugin provides similar security features for your cluster, such as user authentication and role-based access control. Shield is always installed and enabled for all newly created clusters. If your cluster did not originally enable Shield, save your Shield configuration to enable the security features. If Shield is not enabled, anyone who knows the ID of your cluster can connect to it. You work with users and roles in the Shield Editor directly in the Elasticsearch Service Console. Three users are always created for clusters in Elasticsearch Service: the admin user, the readwrite user, and the readonly user.

Note that when you upgrade a cluster to Elasticsearch 5.0 or later from an earlier version of Elasticsearch, your Shield configuration is migrated to X-Pack. If you used the Shield Editor before upgrading to version 5.0, you will need to switch to the Kibana Management app after upgrading.

Tip

For Elasticsearch 5.0 and later, you work with users and roles in the Kibana Management app. If you’re using a version of Elasticsearch before 5.0, you use the Security editor to work with users and roles.

Before you begin

Some restrictions apply when securing your deployment on Elasticsearch Service. To learn more, see Security.