IMPORTANT: Version 6.6 of Elasticsearch has passed its maintenance date.
This documentation is no longer being updated. For the latest information, see the current release documentation.
Security protects Elasticsearch clusters by:
To prevent unauthorized access to your Elasticsearch cluster, you must have a
way to authenticate users. This simply means that you need a way to validate
that a user is who they claim to be. For example, you have to make sure only
the person named Kelsey Andorra can sign in as the user
Elasticsearch security features provide a standalone authentication mechanism that enables
you to quickly password-protect your cluster. If you’re already using LDAP,
Active Directory, or PKI to manage users in your organization, the
security features are able to integrate with those systems to perform user
In many cases, simply authenticating users isn’t enough. You also need a way to
control what data users have access to and what tasks they can perform. The
Elasticsearch security features enable you to authorize users by assigning access
privileges to roles and assigning those roles to users. For example, this
role-based access control mechanism (a.k.a. RBAC) enables you to specify that the
user kandorra can only perform read operations on the events index and can’t
do anything at all with other indices.
The security features also support IP-based authorization. You can whitelist and blacklist specific IP addresses or subnets to control network-level access to a server.
A critical part of security is keeping confidential data confidential. Elasticsearch has built-in protections against accidental data loss and corruption. However, there’s nothing to stop deliberate tampering or data interception. The Elastic Stack security features preserve the integrity of your data by encrypting communications to and from nodes. For even greater protection, you can increase the encryption strength.
Keeping a system secure takes vigilance. By using Elastic Stack security features to maintain an audit trail, you can easily see who is accessing your cluster and what they’re doing. By analyzing access patterns and failed attempts to access your cluster, you can gain insights into attempted attacks and data breaches. Keeping an auditable log of the activity in your cluster can also help diagnose operational issues.
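The analysis of failed attempts described in the last paragraph, as an added example that is not part of the Elastic documentation. It assumes the audit trail is written as one JSON object per line and that the fields are named `event.action`, `user.name`, `origin.address` and `indices` (assumptions, not taken from this page); the sample entries are constructed.

```python
import json
from collections import Counter, defaultdict

# Constructed sample audit entries, one JSON object per line.
# Field names are assumptions about the audit format, not taken from the page.
SAMPLE_AUDIT_LOG = """\
{"@timestamp":"2019-02-01T10:00:01","event.action":"authentication_failed","user.name":"kandorra","origin.address":"203.0.113.7:51000"}
{"@timestamp":"2019-02-01T10:00:02","event.action":"authentication_failed","user.name":"admin","origin.address":"203.0.113.7:51001"}
{"@timestamp":"2019-02-01T10:00:03","event.action":"authentication_failed","user.name":"elastic","origin.address":"203.0.113.7:51002"}
{"@timestamp":"2019-02-01T10:05:00","event.action":"authentication_failed","user.name":"kandorra","origin.address":"[::1]:40000"}
{"@timestamp":"2019-02-01T10:05:09","event.action":"access_granted","user.name":"kandorra","origin.address":"[::1]:40001","indices":["events"]}
{"@timestamp":"2019-02-01T10:06:00","event.action":"access_denied","user.name":"kandorra","origin.address":"[::1]:40002","indices":["payroll"]}
this line is corrupt and must be skipped
"""

def parse_entries(text):
    """Yield one dict per well-formed JSON line; skip blank or corrupt lines."""
    for line in filter(None, map(str.strip, text.splitlines())):
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(entry, dict):
            yield entry

def source_ip(address):
    """Strip the port from 'host:port' or '[ipv6]:port'; leave other forms as is."""
    if address.startswith("["):
        return address[1:address.find("]")]
    return address.rsplit(":", 1)[0] if address.count(":") == 1 else address

def summarize(text, threshold=3):
    """Return (sources with >= threshold failed logins, denied index accesses)."""
    failures, targeted, denied = Counter(), defaultdict(set), Counter()
    for e in parse_entries(text):
        action = e.get("event.action")
        ip = source_ip(e.get("origin.address", "unknown"))
        user = e.get("user.name", "unknown")
        if action == "authentication_failed":
            failures[ip] += 1
            targeted[ip].add(user)      # many user names from one IP: guessing
        elif action == "access_denied":
            for index in e.get("indices", []):
                denied[(user, index)] += 1
    suspects = {ip: sorted(targeted[ip]) for ip, n in failures.items() if n >= threshold}
    return suspects, dict(denied)
```

A single failed login, such as the one from `::1` in the sample, stays below the threshold, while the denied read of `payroll` shows up as a role boundary being tested by an authenticated user.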