
After completing the Quickstart guide and setting up your sandbox environment, it’s time to enhance your Access Policies by integrating Trust Providers, Access Conditions, and reporting. These features strengthen your workload security, giving you finer control over how you grant access within your sandbox environment, and provide insights into those interactions.

To build upon your quickstart foundation, you will complete practical steps to implement the following features:

  • Trust Provider - Verifies workload identities, making sure only authenticated workloads can securely interact with your resources.

  • Access Conditions - Enforce detailed rules such as time-based or geo-based restrictions, to tailor access policies to your needs.

  • Reporting - Tools to help you monitor and analyze workload interactions in your sandbox environment, providing insights into policy effectiveness and system health.

With these enhancements, Aembit empowers you to make the most of your sandbox setup and prepare for more advanced scenarios.

You must have completed the following before starting this guide:

Trust Providers allow Aembit to verify workload identities without relying on traditional credentials or secrets. By using third-party systems for authentication, Trust Providers ensure that only verified workloads can securely interact with your resources. These steps use Docker Desktop Kubernetes deployments.

  1. From your Aembit tenant, go to Access Policies and select the Access Policy you created in the quickstart guide.

  2. In the top right corner, click Edit.

  3. In the Trust Provider section, hover over +, then click New.

    • Name - QuickStart Kubernetes Trust Provider (or another user-friendly name).

    • Trust Provider - Kubernetes Service Account

  4. In the Match Rules section, click + New Rule, then enter the following values:

    • Attribute - kubernetes.io { namespace }.

    • Value - aembit-quickstart.

  5. Select Upload Public Key.

  6. Browse for the .pub file or copy its contents and paste them into the Public Key field:

    Obtain the public key specific to your environment.

    Use the following locations for your operating system:

    • Windows - %USERPROFILE%\AppData\Local\Docker\pki\sa.pub

    • macOS - ~/Library/Containers/com.docker.docker/pki/sa.pub

    Configuring Trust Provider

  7. Click Save.

    You’ll be taken back to the Access Policies page.

  8. Click Save in the top right corner to save the Access Policy.

    Stay on this page to Configure Access Conditions.

By associating this Trust Provider with an Access Policy, Aembit validates workload identities based on the rules you defined.

For example, Aembit automatically authenticates Kubernetes service accounts running in the aembit-quickstart namespace and denies accounts from all other namespaces. This makes sure that only workloads within that namespace can access your sensitive resources.
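To make the match-rule step concrete, here is an added example (not Aembit's code) that evaluates match rules of the form shown above against the claims of a Kubernetes service-account token. The claims dictionary is constructed to resemble a projected service-account token; the brace syntax for nested attributes deeper than `kubernetes.io { namespace }` and the rule that every match rule must hold are assumptions, and the signature check against `sa.pub` that must precede any use of these claims is outside the example.

```python
import re
from typing import Any

# Constructed claims of a Kubernetes (projected) service-account token, shaped
# like the ones Docker Desktop's API server issues. These claims may be trusted
# only after the token signature has been verified with the cluster key (the
# uploaded sa.pub); that check is outside this example.
QUICKSTART_CLAIMS: dict[str, Any] = {
    "iss": "kubernetes/serviceaccount",
    "sub": "system:serviceaccount:aembit-quickstart:aembit-quickstart-client",
    "kubernetes.io": {
        "namespace": "aembit-quickstart",
        "serviceaccount": {"name": "aembit-quickstart-client", "uid": "constructed-uid-1"},
        "pod": {"name": "aembit-quickstart-client-0", "uid": "constructed-uid-2"},
    },
}

# The rule as entered in the Match Rules section of the Trust Provider.
QUICKSTART_RULES = [{"attribute": "kubernetes.io { namespace }", "value": "aembit-quickstart"}]


def parse_attribute_path(attribute: str) -> list[str]:
    """Map the attribute label 'kubernetes.io { namespace }' to the claim path
    ['kubernetes.io', 'namespace']. Braces are read as nesting, so a deeper
    label such as 'kubernetes.io { serviceaccount { name } }' (assumed syntax,
    not shown on the page) becomes a three-element path."""
    tokens = re.findall(r"[{}]|[^\s{}]+", attribute)
    if tokens.count("{") != tokens.count("}"):
        raise ValueError(f"unbalanced braces in attribute {attribute!r}")
    path = [t for t in tokens if t not in ("{", "}")]
    if not path:
        raise ValueError("empty attribute")
    return path


def claim_value(claims: dict[str, Any], path: list[str]) -> Any:
    """Walk the nested claims; return None when any key along the path is absent."""
    node: Any = claims
    for key in path:
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def evaluate_match_rules(claims: dict[str, Any], rules: list[dict[str, str]]):
    """Return (attested, findings). The workload is attested only when every
    rule matches exactly (assumed AND semantics); an absent attribute counts as
    a mismatch, so a token without the expected claim fails closed."""
    findings = []
    for rule in rules:
        actual = claim_value(claims, parse_attribute_path(rule["attribute"]))
        findings.append({"attribute": rule["attribute"], "expected": rule["value"],
                         "actual": actual, "matched": actual == rule["value"]})
    attested = bool(findings) and all(f["matched"] for f in findings)
    return attested, findings
```

A token from the `default` namespace, or one that carries no `kubernetes.io` claim at all, produces `attested == False`; the `findings` list records the expected and actual value for each rule, which is the detail you would want surfaced in the Authorization event when attestation fails.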

Aembit supports a wide variety of Trust Providers tailored for different environments:

This flexibility allows you to seamlessly integrate Trust Providers that align with your existing infrastructure. For more details on Trust Providers, including advanced configurations and other types, see Trust Provider Overview and related sub-pages.

Access Conditions allow you to define specific rules to control when and how credentials are issued to workloads. These conditions strengthen security by ensuring access is granted only when it aligns with your organization’s policies.

  1. In the top right corner of the Access Policies page, click Edit.

  2. In the Access Condition section, hover over +, then click New.

    • Name - QuickStart Time Condition (or another user-friendly name).

    • Integration - Aembit Time Condition

  3. In the Conditions section, select the appropriate timezone for your condition.

  4. Click the + icon next to each day you want to include in your Time Condition configuration, such as Monday from 8 AM to 5 PM.

  5. Click Save.

    You’ll be taken back to the Access Policies page.

  6. Click Save in the top right corner to save the Access Policy.

Configuring Access Condition

With this configuration, Aembit grants access to the workloads you specified only during the days and timeframes you defined. If the conditional access check fails, Aembit denies access and displays an error message on the client workload. Aembit also logs the denial with detailed information about the failure, including an accessConditions field with an Unauthorized result, which you can find in the associated logs. In the next section, Reporting, you’ll see how to review these logs.
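The following added example (not Aembit's code) shows the evaluation a Time Condition like the one above performs: convert the request time into the condition's timezone, then test the local weekday and time-of-day against the configured windows, returning an `accessConditions` value of `Authorized` or `Unauthorized`. The window table, the sample request times and the fixed-offset timezones are constructed; treating the window end as exclusive and the shape of the returned record are assumptions.

```python
from datetime import datetime, time, timedelta, timezone, tzinfo
from typing import Any

# Constructed window table mirroring the quickstart step: weekday (Monday = 0)
# mapped to a list of (start, end) local times; only Monday 8 AM to 5 PM here.
QUICKSTART_WINDOWS: dict[int, list[tuple[time, time]]] = {0: [(time(8, 0), time(17, 0))]}

# Fixed offsets stand in for the timezone selected in the condition so the
# example runs without a tz database; a deployment would use zoneinfo.ZoneInfo.
UTC_PLUS_9 = timezone(timedelta(hours=9))    # assumed condition timezone
UTC_MINUS_5 = timezone(timedelta(hours=-5))  # assumed condition timezone

# Constructed request times, absolute (UTC) as event timestamps are.
SUNDAY_2330_UTC = datetime(2024, 1, 7, 23, 30, tzinfo=timezone.utc)
MONDAY_0900_UTC = datetime(2024, 1, 8, 9, 0, tzinfo=timezone.utc)
MONDAY_1700_UTC = datetime(2024, 1, 8, 17, 0, tzinfo=timezone.utc)


def evaluate_time_condition(instant: datetime, windows, tz: tzinfo,
                            name: str = "QuickStart Time Condition") -> dict[str, Any]:
    """Decide whether a request at `instant` falls inside a configured window.
    The instant must be timezone-aware; it is converted to the condition's
    timezone before the weekday and time-of-day are read, because a Sunday
    evening in UTC is already Monday morning in UTC+9. Window ends are
    exclusive (assumption): 17:00:00 is outside an 8 AM to 5 PM window."""
    if instant.tzinfo is None or instant.utcoffset() is None:
        raise ValueError("instant must be timezone-aware")
    local = instant.astimezone(tz)
    checked = f"{local.strftime('%A %H:%M')} ({local.tzname()})"
    for start, end in windows.get(local.weekday(), []):
        if start <= local.time() < end:
            return {"accessCondition": name, "accessConditions": "Authorized",
                    "checked": checked, "window": f"{start:%H:%M}-{end:%H:%M}"}
    return {"accessCondition": name, "accessConditions": "Unauthorized",
            "checked": checked, "reason": "outside every configured window"}


def run_samples() -> dict[str, str]:
    """Evaluate the constructed request times; returns the accessConditions results."""
    return {
        "sunday_2330_utc_in_plus9": evaluate_time_condition(SUNDAY_2330_UTC, QUICKSTART_WINDOWS, UTC_PLUS_9)["accessConditions"],
        "sunday_2330_utc_in_minus5": evaluate_time_condition(SUNDAY_2330_UTC, QUICKSTART_WINDOWS, UTC_MINUS_5)["accessConditions"],
        "monday_0900_utc": evaluate_time_condition(MONDAY_0900_UTC, QUICKSTART_WINDOWS, timezone.utc)["accessConditions"],
        "monday_1700_utc": evaluate_time_condition(MONDAY_1700_UTC, QUICKSTART_WINDOWS, timezone.utc)["accessConditions"],
    }


if __name__ == "__main__":
    for label, result in run_samples().items():
        print(f"{label}: {result}")
```

The same instant, 23:30 UTC on a Sunday, is Authorized when the condition's timezone is UTC+9 (Monday 08:30) and Unauthorized in UTC-5 (Sunday 18:30), which is why the timezone selected in step 3 matters as much as the hours themselves.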

Aembit also supports other types of Conditional Access configurations, such as GeoIP restrictions and integrations with third-party vendors such as CrowdStrike. These options allow you to build comprehensive and flexible access policies suited to your organization’s needs. For more details on Access Conditions, see Access Conditions Overview and explore related sub-pages to configure additional types.

Reporting is crucial for maintaining security and operational efficiency. It provides a clear view of access attempts, policy evaluations, and credential usage, enabling you to identify potential issues and maintain compliance.

To access the Reporting Dashboard, in your Aembit tenant, select Reporting from the left nav menu. By default, you will see the Access Authorization Events page, where you can review event details related to workload access attempts.

In the top ribbon menu, there are three key reporting categories:

  • Access Authorization Events - View event logs for all access attempts. Each event is broken down into its evaluation stages, showing which policies were applied, whether they succeeded, and the reason for any failures.

  • Audit Logs - Track system changes, such as user actions, configuration updates, or policy changes.

  • Workload Events - Monitor events generated from the traffic between Client Workloads and Server Workloads. These events provide detailed information about all requests and responses, helping you analyze workload interactions comprehensively.

Reporting Dashboard

Filters are also available to narrow your view by Timespan, Severity, and Event Type. They help you analyze events more efficiently by focusing on specific time periods or on issues that require your attention.

For now, you’ll look at Access Authorization Events, as they provide essential insight into how Aembit evaluates access requests.

Whenever a Client Workload attempts to access a Server Workload, Aembit generates Access Authorization Events. These events capture access attempts, log how access was evaluated, and display the outcome (granted or denied). The process is divided into three stages:

  • Access Request - Captures initial request details, including source, target, and transport protocol.

  • Access Authorization - Evaluates the request against Access Policies, detailing results from Trust Providers, Access Conditions, and Credential Providers.

  • Access Credential - Shows how credentials were retrieved and injected, or explains any failure reasons.

To review these stages, follow these steps:

  1. Filter by Request - In the filtering options, locate the Event Type and select Request. Then, click on an event in the list to inspect it.

    Access Request Event

    This event provides key details about the connection attempt. It shows when the request happened, where it’s coming from, and which workload made the request. For the quickstart, you should see:

    • Target Host - aembit-quickstart-server.aembit-quickstart.svc.cluster.local

    • Service Account - aembit-quickstart-client

    Both should match what you configured in the Access Policy.

  2. Filter by Authorization - Change the Event Type filter to Authorization and select an event from the list.

    Access Authorization Event

    This event shows how access was evaluated against the Access Policy. It displays the result (Authorized or Unauthorized) and highlights key components that Aembit checked. For the quickstart sandbox environment, you’ll see that Aembit successfully:

    • Identified the Client Workload, Server Workload, and Access Policy.

    • Attested the Trust Provider.

    • Verified the Access Condition.

    • Identified the Credential Provider.

    When Aembit successfully identifies and verifies these components, Aembit grants access to that Client Workload.

  3. Filter by Credential - Change the Event Type filter to Credential and select an event from the list.

    Access Credential Event

    This event tracks how Aembit retrieves credentials to enable access. It shows whether the credential retrieval was successful and which Credential Provider was used.

    For the quickstart sandbox environment, you’ll see that Aembit successfully:

    • Identified the Client Workload, Server Workload, and Access Policy.

    • Retrieved the Credential Provider, verifying that the Client Workload had the required credentials for secure access.

At this stage, everything is in place—the request was successfully authorized, credentials were securely retrieved, and the Client Workload can now access the Server Workload.
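The three-step review above can be scripted over exported events. The following added example (not Aembit's code, and using an assumed field layout rather than a real export format) applies the Event Type filter, correlates the Request, Authorization and Credential stages of each attempt by a request identifier, and reports where a denied attempt stopped and whether the Request stage matches the quickstart's Target Host and Service Account. The events are constructed: one attempt passes all three stages, the other is denied by the Access Condition and so never reaches the Credential stage.

```python
from collections import defaultdict
from typing import Any

EXPECTED_TARGET_HOST = "aembit-quickstart-server.aembit-quickstart.svc.cluster.local"
EXPECTED_SERVICE_ACCOUNT = "aembit-quickstart-client"

# Constructed events with an assumed field layout (requestId, eventType, result
# and per-component results); they are not real Aembit export records.
SAMPLE_EVENTS: list[dict[str, Any]] = [
    {"requestId": "req-1", "eventType": "Request", "timestamp": "2024-01-08T09:00:00Z",
     "targetHost": EXPECTED_TARGET_HOST, "serviceAccount": EXPECTED_SERVICE_ACCOUNT, "transport": "HTTP"},
    {"requestId": "req-1", "eventType": "Authorization", "timestamp": "2024-01-08T09:00:01Z",
     "result": "Authorized", "trustProvider": "Authorized", "accessConditions": "Authorized",
     "credentialProvider": "Authorized"},
    {"requestId": "req-1", "eventType": "Credential", "timestamp": "2024-01-08T09:00:01Z",
     "result": "Authorized", "credentialProvider": "QuickStart Credential Provider"},
    {"requestId": "req-2", "eventType": "Request", "timestamp": "2024-01-07T23:30:00Z",
     "targetHost": EXPECTED_TARGET_HOST, "serviceAccount": EXPECTED_SERVICE_ACCOUNT, "transport": "HTTP"},
    {"requestId": "req-2", "eventType": "Authorization", "timestamp": "2024-01-07T23:30:01Z",
     "result": "Unauthorized", "trustProvider": "Authorized", "accessConditions": "Unauthorized",
     "credentialProvider": "Authorized"},
]


def filter_events(events: list[dict[str, Any]], event_type: str) -> list[dict[str, Any]]:
    """The dashboard's Event Type filter: keep one stage only."""
    return [e for e in events if e["eventType"] == event_type]


def correlate(events: list[dict[str, Any]]) -> dict[str, dict[str, dict[str, Any]]]:
    """Group the stages of each access attempt by requestId, keyed by stage name."""
    by_request: dict[str, dict[str, dict[str, Any]]] = defaultdict(dict)
    for e in events:
        by_request[e["requestId"]][e["eventType"]] = e
    return dict(by_request)


def review(events: list[dict[str, Any]], expected_target: str = EXPECTED_TARGET_HOST,
           expected_sa: str = EXPECTED_SERVICE_ACCOUNT) -> dict[str, dict[str, Any]]:
    """Walk each attempt stage by stage: report where it stopped, which
    component produced the Unauthorized result, and whether the Request stage
    matches the Access Policy the quickstart configured."""
    report: dict[str, dict[str, Any]] = {}
    for request_id, stages in sorted(correlate(events).items()):
        entry: dict[str, Any] = {"outcome": "granted", "failedStage": None, "reason": None, "policyMatch": True}
        req = stages.get("Request")
        if req is None:
            entry.update(outcome="incomplete", failedStage="Request", reason="no Request event")
            report[request_id] = entry
            continue
        if req.get("targetHost") != expected_target or req.get("serviceAccount") != expected_sa:
            entry["policyMatch"] = False
        for stage in ("Authorization", "Credential"):
            ev = stages.get(stage)
            if ev is None:
                entry.update(outcome="incomplete", failedStage=stage, reason=f"no {stage} event")
                break
            if ev.get("result") != "Authorized":
                failed = [k for k in ("trustProvider", "accessConditions", "credentialProvider")
                          if ev.get(k) == "Unauthorized"]
                entry.update(outcome="denied", failedStage=stage, reason=", ".join(failed) or "see event")
                break
        report[request_id] = entry
    return report


if __name__ == "__main__":
    for request_id, entry in review(SAMPLE_EVENTS).items():
        print(request_id, entry)
```

For `req-2` the report names the Authorization stage and the `accessConditions` component, which is the Unauthorized result described in the Access Conditions section; an attempt with a Request event but no Authorization event is flagged as incomplete rather than silently treated as granted.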

For more detailed insights into Access Credential Events and other reports, visit the Reporting page. These pages provide further guidance on using filters, understanding event data, and troubleshooting potential issues.

For your next steps, you can either try configuring Aembit with your real client workloads or explore additional possibilities to tailor it to your needs. In both cases, see the following resources:

  • Server Workload Cookbook - Offers ready-to-use recipes for popular APIs and services. Explore guides such as Salesforce REST and GitHub REST to learn how to authorize secure access to these resources.

  • Exploring Deployment Models - Aembit supports diverse deployment environments beyond Kubernetes. For detailed examples and guidance, visit the Support Matrix and explore related sub-pages to learn about configuring deployments for specific environments like Virtual Machines, AWS Lambda Containers, and more.

Check out these guides and more to optimize your workloads with confidence!