Add docs for default_intention_policy (#20886)

website/content/docs/agent/config/config-files.mdx

@@ -447,6 +447,10 @@ Refer to the [formatting specification](https://golang.org/pkg/time/#ParseDurati
 
 - `data_dir` Equivalent to the [`-data-dir` command-line flag](/consul/docs/agent/config/cli-flags#_data_dir).
 
+- `default_intention_policy` Controls how service-to-service traffic is authorized
+  in the absence of specific intentions.
+  Can be set to `allow`, `deny`, or left empty to default to [`acl.default_policy`](#acl_default_policy).
+
 - `disable_anonymous_signature` Disables providing an anonymous
   signature for de-duplication with the update check. See [`disable_update_check`](#disable_update_check).
 

website/content/docs/connect/security.mdx

@@ -26,12 +26,20 @@ of Consul.
 
 ## Checklist
 
+### Default Intention Policy Set
+
+Consul should be configured with a default deny intention policy. This forces
+all service-to-service communication to be explicitly
+allowed via an allow [intention](/consul/docs/connect/intentions).
+
+In the absence of `default_intention_policy` Consul will fall back to the ACL
+default policy when determining whether to allow or deny communications without
+an explicit intention.
+
 ### ACLs Enabled with Default Deny
 
 Consul must be configured to use ACLs with a default deny policy. This forces
-all requests to have explicit anonymous access or provide an ACL token. The
-configuration also forces all service-to-service communication to be explicitly
-allowed via an allow [intention](/consul/docs/connect/intentions).
+all requests to have explicit anonymous access or provide an ACL token.
 
 To learn how to enable ACLs, please see the
 [tutorial on ACLs](/consul/tutorials/security/access-control-setup-production).