- Observability: other versions:
- What is Elastic Observability?
- What’s new in 8.12
- Get started
- Observability AI Assistant
- Application performance monitoring (APM)
- Self manage APM Server
- Data Model
- Features
- How-to guides
- OpenTelemetry integration
- Manage storage
- Configure
- Advanced setup
- Secure communication
- Monitor
- API
- Troubleshoot
- Upgrade
- Release notes
- Known issues
- Logs
- Infrastructure monitoring
- AWS monitoring
- Synthetic monitoring
- Get started
- Scripting browser monitors
- Configure lightweight monitors
- Manage monitors
- Work with params and secrets
- Analyze monitor data
- Monitor resources on private networks
- Use the CLI
- Configure projects
- Configure Synthetics settings
- Grant users access to secured resources
- Manage data retention
- Use Synthetics with traffic filters
- Migrate from the Elastic Synthetics integration
- Scale and architect a deployment
- Synthetics support matrix
- Synthetics Encryption and Security
- Troubleshooting
- Uptime monitoring
- Real user monitoring
- Universal Profiling
- Alerting
- Service-level objectives (SLOs)
- Cases
- CI/CD observability
- Troubleshooting
- Fields reference
- Tutorials
- Monitor Amazon Web Services (AWS) with Elastic Agent
- Monitor Amazon Web Services (AWS) with Beats
- Monitor Google Cloud Platform
- Monitor a Java application
- Monitor Kubernetes
- Monitor Microsoft Azure with Elastic Agent
- Monitor Microsoft Azure with the Azure Native ISV Service
- Monitor Microsoft Azure with Beats
Secure communication with the Elastic Stack
editSecure communication with the Elastic Stack
editThis documentation only applies to the APM Server binary.
Use role-based access control or API keys to grant APM Server users access to secured resources.
After privileged users have been created, use authentication to connect to a secured Elastic cluster.
For secure communication between APM Server and APM Agents, see With APM agents.
A reference of all available SSL configuration settings is also available.
Security Overview
editAPM Server exposes an HTTP endpoint, and as with anything that opens ports on your servers, you should be careful about who can connect to it. Firewall rules are recommended to ensure only authorized systems can connect.
Feature roles
editYou can use role-based access control to grant users access to secured resources. The roles that you set up depend on your organization’s security requirements and the minimum privileges required to use specific features.
Typically, you need to create the following separate roles:
- Writer role: To publish events collected by APM Server.
- Monitoring role: One for sending monitoring information, and another for viewing it.
- API key role: To create and manage API keys.
- Central configuration management role: To view APM Agent central configurations.
- RUM source mapping role: To read RUM source maps.
Elasticsearch security features provides built-in roles that grant a subset of the privileges needed by APM users. When possible, assign users the built-in roles to minimize the affect of future changes on your security strategy. If no built-in role is available, you can assign users the privileges needed to accomplish a specific task. In general, there are three types of privileges you’ll work with:
- Elasticsearch cluster privileges: Manage the actions a user can perform against your cluster.
- Elasticsearch index privileges: Control access to the data in specific indices your cluster.
- Kibana space privileges: Grant users write or read access to features and apps within Kibana.
On this page