Trust management

To establish a remote connection between two clusters, each cluster must trust the other. Trust is bi-directional: if one of the clusters doesn’t trust the other, the remote connection won’t be established.

Mutual trust between two clusters is required to enable cross-cluster search and cross-cluster replication.

Trust can be configured individually for each deployment.

Default trust behavior in your account

By default, any deployment that you create trusts all other deployments in the same account. You can change this behavior in the Elasticsearch Service Console under Features > Trust, so that when a new deployment is created it does not trust any other deployment. You can choose one of the following options:

  • Trust all my deployments - New deployments will by default trust any other deployment from your account (even deployments that don’t exist when the deployment is created).
  • Trust no deployment - New deployments won’t trust any other deployment when they are created. (This can be changed later in the deployment trust settings.)

[Figure: Trust management at the account level]

Note the following behaviors with this trust setting:

  • Changing the trust settings affects only deployments that you create in the future. The level of trust of existing deployments is not modified by this setting.
  • Deployments created before the Elasticsearch Service February 2021 release trust only themselves. You need to update the trust setting for each deployment that you want to either use as a remote cluster or configure to work with a remote cluster.

Update the trust settings of a deployment

To configure the trust settings for a deployment:

  1. Log in to the Elasticsearch Service Console.
  2. Find your deployment on the home page in the Elasticsearch Service card and click the gear icon to access it directly. Or, select Elasticsearch Service to go to the deployments page to view all of your deployments.

    On the deployments page you can narrow your deployments by name, ID, or choose from several other filters. To customize your view, use a combination of filters, or change the format from a grid to a list.

  3. From the Security menu, select Trusted deployments > Create trust.
  4. Choose one of the following options to configure the level of trust on each of your deployments:

    • All deployments - This deployment trusts all other deployments in your account, including new deployments when they are created.
    • Specific deployments - Choose which of the existing deployments you want to trust in your account.
    • None - No deployment is trusted.

[Figure: Trust management at the deployment level]

Trust between organizations

A deployment can be configured to trust all or specific deployments in another organization. To add cross-organization trust:

  1. Log in to the Elasticsearch Service Console.
  2. Find your deployment on the home page in the Elasticsearch Service card and click the gear icon to access it directly. Or, select Elasticsearch Service to go to the deployments page to view all of your deployments.

    On the deployments page you can narrow your deployments by name, ID, or choose from several other filters. To customize your view, use a combination of filters, or change the format from a grid to a list.

  3. From the Security menu, select Create trust.
  4. Enter the ID of the organization with which you want to establish trust.
  5. Choose one of the following options to configure the level of trust with the other organization:

    • All deployments - This deployment trusts all deployments in the other organization, including new deployments when they are created.
    • Specific deployments - Specify which of the existing deployments you want to trust in the other organization. The full deployment ID must be entered for each deployment. The easiest way to do this is to copy and paste the ID from the browser’s location bar when viewing the target deployment’s Overview page.
    • None - No deployment is trusted.
  6. Perform the same steps in the opposite direction, so that the deployments in both organizations are configured to trust each other.

Note that the organization ID and deployment IDs must be entered fully and correctly. For security reasons, no verification of the IDs is possible. If cross-organization trust does not appear to be working, double-checking the IDs is a good place to start.

[Figure: Trust management for a different organization]
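
The bi-directional trust rule and the unverified-ID caveat above can be checked offline against a record of your own trust settings. The following Python sketch is an added example, not Elastic code; the inventory layout, the shortened IDs and the function names are assumptions made for illustration.

```python
# Constructed inventory: field names and shortened IDs are illustrative only,
# not an Elastic export format. Each deployment lists, per organization, the
# trust level chosen in the console: "all", "specific" (with IDs) or "none".
DEPLOYMENTS = {
    "aaaa1111": {"org": "org-1", "trust": {"org-1": ("all", set())}},
    "bbbb2222": {"org": "org-1", "trust": {"org-2": ("specific", {"cccc3333"})}},
    # The allowlist entry below is truncated by one character on purpose.
    "cccc3333": {"org": "org-2", "trust": {"org-1": ("specific", {"bbbb222"})}},
    "dddd4444": {"org": "org-1", "trust": {}},  # trusts only itself
}


def trusts(inventory, src, dst):
    """True if deployment `src` is configured to trust deployment `dst`."""
    if src == dst:
        return True
    dst_org = inventory[dst]["org"]
    mode, ids = inventory[src]["trust"].get(dst_org, ("none", set()))
    return mode == "all" or (mode == "specific" and dst in ids)


def audit_link(inventory, a, b):
    """Directions (truster, trusted) in which trust is missing for a planned
    remote connection. An empty list means the trust is mutual."""
    return [(s, d) for s, d in ((a, b), (b, a)) if not trusts(inventory, s, d)]


def unknown_ids(inventory):
    """Allowlist entries that match no deployment in the inventory. Because the
    console cannot verify IDs, these are likely truncated or mistyped."""
    return sorted(
        (src, trusted_id)
        for src, cfg in inventory.items()
        for _mode, ids in cfg["trust"].values()
        for trusted_id in ids
        if trusted_id not in inventory
    )


if __name__ == "__main__":
    for pair in (("aaaa1111", "bbbb2222"), ("bbbb2222", "cccc3333")):
        for truster, trusted in audit_link(DEPLOYMENTS, *pair):
            print(f"{truster} does not trust {trusted}")
    for src, bad in unknown_ids(DEPLOYMENTS):
        print(f"{src} allowlists unknown ID {bad}")
```

The inventory is only as complete as what you record in it: an ID from another organization that you have not listed is also reported as unknown.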