Connectors security
This document describes security considerations for native connectors and connector clients.
Elastic Cloud deployments have strong security defaults. For example, data is encrypted by default, whether at rest or in transit.
Self-managed deployments require more upfront work to ensure strong security. Refer to Secure the Elastic Stack in the Elasticsearch documentation for more information.
Access to credentials
Credentials for the data source, such as API keys or a username/password pair, are stored in your deployment's .elastic-connectors Elasticsearch index.
Therefore, the credentials are visible to all Elastic users with the read indices privilege for that index.
By default, the following Elastic users have this privilege: the elastic superuser and the kibana_system user.
Enterprise Search service account tokens can also read the .elastic-connectors index.
Access to internally stored API keys
API keys for native connectors are stored in the internal system index .connector-secrets.
Access to this index is restricted to authorized API calls only.
- The cluster privilege write_connector_secrets is required to store or update secrets through the API.
- The cluster privilege read_connector_secrets is required to view secrets through the API. Secrets viewed this way are displayed in plain text.
The read_connector_secrets cluster privilege is intended for use only by the Connector framework to fetch API keys at sync time.
This cluster privilege is not required for a user to manage a native connector through any method.
To keep your API keys secure, we recommend that you avoid assigning the read_connector_secrets cluster privilege to users unless deemed necessary.
Be aware that any user with the cluster privileges manage or all, as well as any superuser, will have access to the read_connector_secrets cluster privilege by default.
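The two sections above, on data source credentials and on internally stored API keys, can be checked together by auditing role definitions for the privileges they name. The following is an added example, not part of the Elastic documentation: it assumes role definitions in the shape returned by the Elasticsearch role API (GET /_security/role), uses constructed role names, and approximates index name patterns with simple wildcard matching, which is a conservative assumption.

```python
import fnmatch

# Cluster privileges that, per the text above, carry read_connector_secrets.
SECRET_READERS = {"read_connector_secrets", "manage", "all"}
# Index privileges that include read access ("all" covers every index action).
INDEX_READERS = {"read", "all"}
CONNECTOR_INDEX = ".elastic-connectors"


def audit_roles(roles):
    """Return {role_name: [reasons]} for roles that can see connector credentials."""
    findings = {}
    for name, role in sorted(roles.items()):
        reasons = []
        for priv in sorted(SECRET_READERS.intersection(role.get("cluster", []))):
            reasons.append(f"cluster privilege '{priv}' allows reading connector secrets")
        for entry in role.get("indices", []):
            # Assumption: plain wildcard match of the pattern against the index name.
            patterns = [p for p in entry.get("names", [])
                        if fnmatch.fnmatchcase(CONNECTOR_INDEX, p)]
            privs = sorted(INDEX_READERS.intersection(entry.get("privileges", [])))
            for pattern in patterns:
                for priv in privs:
                    reasons.append(
                        f"index privilege '{priv}' on '{pattern}' covers {CONNECTOR_INDEX}")
        if reasons:
            findings[name] = reasons
    return findings


# Constructed sample roles (hypothetical names), keyed by role name.
SAMPLE_ROLES = {
    "search_admin": {"cluster": ["manage"], "indices": []},
    "connector_ops": {"cluster": ["monitor"],
                      "indices": [{"names": [".elastic-*"], "privileges": ["read"]}]},
    "content_reader": {"cluster": [],
                       "indices": [{"names": ["search-docs"], "privileges": ["read"]}]},
    "sync_service": {"cluster": ["read_connector_secrets"], "indices": []},
}

if __name__ == "__main__":
    for role_name, role_reasons in audit_roles(SAMPLE_ROLES).items():
        for reason in role_reasons:
            print(f"{role_name}: {reason}")
```

Roles flagged for manage or all are the ones most easily overlooked, because read_connector_secrets never appears in their definition.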
Document-level security
Document-level security is available for a subset of connectors. DLS is available by default for the following connectors:
- Confluence
- Dropbox
- Jira (including Jira Data Center)
- GitHub
- Gmail
- Google Drive
- Network Drive
- OneDrive
- Salesforce
- SharePoint Online
- ServiceNow
Learn more about this feature in Document level security, including availability and prerequisites.
Access to documents
Data synced from your data source are stored as documents in the Elasticsearch index you created.
This data is visible to all Elastic users with the read indices privilege for that index.
Be careful to ensure that access to this index is at least as restrictive as access to the original data source.
Encryption
Elastic Cloud automatically encrypts data at rest.
Data in transit is automatically encrypted using https.
Self-managed deployments must implement encryption at rest. See Configure security for the Elastic Stack in the Elasticsearch documentation for more information.