An Elasticsearch cluster is typically made out of many moving parts. There are the Elasticsearch nodes that form the cluster and often Logstash instances, Kibana instances, Beats agents, and clients all communicating with the cluster. It should not come as a surprise that securing such clusters has many facets and layers.

Security protects Elasticsearch clusters by:

Preventing unauthorized accessedit

To prevent unauthorized access to your Elasticsearch cluster, you must have a way to authenticate users. This simply means that you need a way to validate that a user is who they claim to be. For example, you have to make sure only the person named Kelsey Andorra can sign in as the user kandorra. The Elasticsearch security features provide a standalone authentication mechanism that enables you to quickly password-protect your cluster. If you’re already using LDAP, Active Directory, or PKI to manage users in your organization, the security features are able to integrate with those systems to perform user authentication.

In many cases, simply authenticating users isn’t enough. You also need a way to control what data users have access to and what tasks they can perform. The Elasticsearch security features enable you to authorize users by assigning access privileges to roles and assigning those roles to users. For example, this role-based access control mechanism (a.k.a RBAC) enables you to specify that the user kandorra can only perform read operations on the events index and can’t do anything at all with other indices.

See User authentication and User authorization.

The security features also enable you to restrict the nodes and clients that can connect to the cluster based on IP filters. You can whitelist and blacklist specific IP addresses, subnets, or DNS domains to control network-level access to a cluster.

Preserving data integrityedit

A critical part of security is keeping confidential data confidential. Elasticsearch has built-in protections against accidental data loss and corruption. However, there’s nothing to stop deliberate tampering or data interception. The Elastic Stack security features preserve the integrity of your data by encrypting communications to, from, and within the cluster. See Encrypting communications. For even greater protection, you can increase the encryption strength.

Maintaining an audit trailedit

Keeping a system secure takes vigilance. By using Elastic Stack security features to maintain an audit trail, you can easily see who is accessing your cluster and what they’re doing. You can configure the audit level, which accounts for the type of events that are logged. These events include failed authentication attempts, user access denied, node connection denied, and more. By analyzing access patterns and failed attempts to access your cluster, you can gain insights into attempted attacks and data breaches. Keeping an auditable log of the activity in your cluster can also help diagnose operational issues. For more information, see Audit logging.