
Aembit Edge API now available with expanded Wiz Discovery

Introducing Aembit Edge API, the new way your cloud-native applications can retrieve credentials dynamically without deploying additional infrastructure. Perfect for serverless functions, containers, and CI/CD pipelines that need secure access to third-party services.

With Aembit Edge API you can:

  • Retrieve credentials on-demand for any configured service from your CI/CD pipelines.
  • Authenticate workloads using platform-native identity tokens (GitHub Actions, GitLab CI, AWS Lambda, etc.).
  • Eliminate hardcoded secrets by fetching credentials just-in-time.
  • Support multiple credential types including API keys, username/password, and CI/CD provider tokens.

Check out the Edge API get started page to learn more or start using it right away with the Aembit Edge quickstart guide.


Aembit Discovery can now discover additional resources when you use Wiz as a Discovery Source.

Through the Wiz integration, Aembit now discovers Client Workload resources such as VMs, AWS- and Azure-specific Client Workload Identifiers, and many others. As for Server Workload resources, Aembit now discovers Azure Blob Storage, GCP BigQuery, and many others.

For the full list, see Wiz-discoverable resource types.

Improved Agent Controller TLS reporting and environment variable logging

Aembit has released a new version of Agent Controller, version 1.23.2263, with the following changes:

  • Enhanced TLS certificate status reporting with improved retry and error handling.

  • Added comprehensive logging for environment variable configuration with sensitive data masking for secure review.

Updated Edge Components:

  • Agent Controller

Updated Edge Packages:

  • Helm Chart

  • VM Agent Controller package

  • Terraform ECS module

See Edge Components supported versions for more details.

Workload Discovery filtering and Global Policy Compliance reporting now available

Introducing Workload Discovery Filtering for improved workload management and visibility across your discovered infrastructure. This enhancement adds comprehensive filtering capabilities to both Client Workloads and Server Workloads discovery pages, enabling you to quickly locate and analyze specific workloads.

Filtering options include:

  • Client Workloads: Filter by Client Workload Identifiers and Workload Discovery Source
  • Server Workloads: Filter by Port, Protocol, and Workload Discovery Source

Server Workload discovery filtering

This feature streamlines workload management by enabling you to efficiently search through discovered workloads, making it easier to identify, analyze, and onboard relevant workloads into your Aembit environment.

To learn more about discovered workload filtering, see Workload Discovery Filtering.


You can now view the Global Policy Compliance status of your Access Policies using the new Global Policy Compliance page under Reporting in the left nav menu. Quickly get an overall view of the compliance status of your Access Policies and optionally filter for specific statuses.

Global Policy Compliance report dashboard

To learn more about reporting on Global Policy Compliance status, see How to review Global Policy Compliance.

Kerberos and PKI security enhancements for Agent Proxy

Aembit has released a new version of Agent Controller, version 1.23.2160, with the following changes:

  • Security enhancements for Kerberos and Aembit-managed PKI.

  • Added the AEMBIT_HTTP_PORT_DISABLED environment variable to enable you to disable Agent Controller’s HTTP port.


Updated Edge Components:

  • Agent Proxy 1.23.2160

Updated Edge Packages:

  • Helm Chart 1.23

  • Terraform ECS module 1.23

See Edge Components supported versions for more details.

CrowdStrike SIEM Log Streams and Agent Proxy enhancements

Introducing Log Streams for CrowdStrike Next-Gen SIEM for real-time security event monitoring and enhanced threat detection. This integration enables rapid streaming of Aembit Edge event logs and audit logs directly to CrowdStrike’s Next-Gen Security Information and Event Management (SIEM) platform using the HTTP Event Collector (HEC) protocol.

By connecting Aembit with CrowdStrike Next-Gen SIEM, you can:

  • Stream Access Authorization Events, Audit Logs, and Workload Events to CrowdStrike SIEM
  • Configure TLS encryption and verification options
  • Receive automatic failure notifications as an Aembit admin
  • Integrate with your existing CrowdStrike HEC configurations

This feature enhances your organization’s security posture by improving threat detection capabilities, streamlining incident management, and supporting compliance monitoring requirements through centralized log analysis in CrowdStrike.

To learn more, see Log Streams for CrowdStrike Next-Gen SIEM.


Aembit has applied security and performance enhancements to Agent Proxy in this release.


Aembit has added the AEMBIT_CLIENT_WORKLOAD_PROCESS_IDENTIFICATION_ENABLED Agent Proxy environment variable to enable Process Name Client Workload identification.


Updated Edge Components:

  • Agent Proxy

Updated Edge Packages:

  • Helm Chart

  • VM Agent Proxy package

  • Terraform ECS module

  • AWS Lambda Extension

  • AWS Lambda Layer

See Edge Components supported versions for more details.

Terraform ECS module now supports environment variables

The Aembit Edge Terraform ECS module now supports Terraform variables that allow you to set Agent Controller and Agent Proxy environment variables directly.

You may now set logging levels for these Edge Components in AWS ECS Fargate environments, and leverage configuration options that the Edge Terraform ECS module doesn’t support directly as variables yet.

See AWS ECS Fargate documentation for more information.

Global Policy Compliance, OIDC ID Token Credential Provider, and Splunk Log Streams now available

To increase the available deployment options for Amazon Web Services (AWS) Lambda users, Aembit now provides a Lambda Layer to support zip-based Lambda Functions. This joins our existing AWS Lambda Container support.

For more detailed information on how to deploy Aembit Edge Components to AWS Lambda Functions using our Lambda Layer, please refer to the AWS Lambda Functions documentation.


Introducing Global Policy Compliance for centralized security enforcement across your Aembit environment. This feature allows administrators to establish organization-wide security standards for Access Policies and Agent Controllers, ensuring consistent security practices and preventing the creation of policies that might inadvertently expose resources.

With Global Policy Compliance, you can enforce requirements for Trust Providers and Access Conditions across all Access Policies, as well as Trust Provider and TLS Hostname requirements for Agent Controllers. The three-tier enforcement model lets you set requirements as Required, Recommended (default), or Optional based on your organization’s security needs.

Global Policy Compliance visually identifies non-compliant components through color-coded status icons:

  • Red indicators for required but missing elements
  • Yellow indicators for recommended but missing elements
  • Green indicators for compliant Access Policies
  • Gray indicators for disabled or not active Access Policies

To learn more about Global Policy Compliance, see the Global Policy Compliance Overview.


Introducing OIDC ID Token Credential Provider for secure identity token generation and exchange with third-party services. By leveraging Aembit’s custom Identity Provider (IdP) capabilities, this Credential Provider generates JWT-formatted tokens that seamlessly integrate with various Workload Identity Federation (WIF) solutions.

The OIDC ID Token Credential Provider offers flexible configuration options including:

  • Custom claims configuration with both dynamic and literal subject support
  • Choice of signing algorithms (RS256 or ES256)
  • Integration with identity brokers such as AWS STS, GCP WIF, Azure WIF, and HashiCorp Vault

This new Credential Provider is particularly valuable for:

  • Secure access to cloud provider resources through their WIF solutions
  • Authentication with HashiCorp Vault using OIDC tokens
  • Integration with any service supporting OIDC/JWT authentication

To learn more about this feature, see About the OIDC ID Token Credential Provider.


Introducing Log Stream for Splunk SIEM to enhance your security monitoring capabilities. This integration enables rapid streaming of Aembit Edge event logs and audit logs directly to Splunk using Splunk’s HTTP Event Collector (HEC) protocol.

By connecting Aembit with Splunk SIEM, you can:

  • Enhance threat detection with comprehensive security data
  • Improve incident management through centralized logging
  • Streamline compliance monitoring for your organization

The setup process is straightforward, requiring only a properly configured HTTP Event Collector in your Splunk environment and a few configuration steps in the Aembit Admin UI. Aembit will automatically send email notifications if Log Stream transactions consistently fail, ensuring you’re always aware of your logging status.

To learn more about setting up this integration, see How to stream Aembit events to Splunk SIEM.
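The HTTP Event Collector exchange that both the CrowdStrike Next-Gen SIEM and Splunk Log Streams above rely on, as an added example (not Aembit's code): a client posts a batch of JSON events to the collector with the "Splunk <token>" authorization scheme, treats anything but HTTP 200 as a failed transaction, and raises an alert once failures are consecutive, which is the behaviour the page describes for admin notifications. The collector here is a constructed in-process stand-in (httptest) so the code runs offline; the endpoint path and auth header follow Splunk's HEC conventions, and the event fields, sourcetype, and token are constructed, not Aembit's schema. Real collectors are reached over TLS, which the TLS verification options on the page govern.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"sync"
	"time"
)

// Event is the HEC JSON envelope: a Unix timestamp, a sourcetype, and the event body.
type Event struct {
	Time       int64                  `json:"time"`
	Sourcetype string                 `json:"sourcetype"`
	Event      map[string]interface{} `json:"event"`
}

// LogStream posts event batches to a HEC endpoint and counts consecutive failures so that an
// operator is alerted once delivery is consistently failing.
type LogStream struct {
	URL, Token    string
	Client        *http.Client
	FailThreshold int
	Notify        func(msg string) // stand-in for the e-mail notification

	mu       sync.Mutex
	failures int
}

// Send delivers one batch; HEC accepts back-to-back JSON objects in a single request body.
func (s *LogStream) Send(events []Event) error {
	var body bytes.Buffer
	enc := json.NewEncoder(&body)
	for _, e := range events {
		if err := enc.Encode(e); err != nil {
			return err
		}
	}
	req, err := http.NewRequest(http.MethodPost, s.URL+"/services/collector/event", &body)
	if err != nil {
		return err
	}
	req.Header.Set("Authorization", "Splunk "+s.Token)
	req.Header.Set("Content-Type", "application/json")
	resp, err := s.Client.Do(req)
	if err == nil {
		io.Copy(io.Discard, resp.Body)
		resp.Body.Close()
		if resp.StatusCode != http.StatusOK {
			err = fmt.Errorf("HEC returned HTTP %d", resp.StatusCode)
		}
	}
	s.record(err)
	return err
}

// Failures returns the current run of consecutive failed deliveries.
func (s *LogStream) Failures() int { s.mu.Lock(); defer s.mu.Unlock(); return s.failures }

func (s *LogStream) record(err error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	if err == nil {
		s.failures = 0
		return
	}
	s.failures++
	if s.failures == s.FailThreshold && s.Notify != nil {
		s.Notify(fmt.Sprintf("log stream to %s has failed %d times in a row: %v", s.URL, s.failures, err))
	}
}

// NewFakeHEC starts a constructed stand-in for a collector: it enforces the token, parses the
// batch, and appends every event it accepts to the returned slice.
func NewFakeHEC(token string) (*httptest.Server, *[]Event) {
	received := &[]Event{}
	var mu sync.Mutex
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Authorization") != "Splunk "+token {
			http.Error(w, `{"text":"Invalid token","code":4}`, http.StatusForbidden)
			return
		}
		dec := json.NewDecoder(r.Body)
		for {
			var e Event
			if err := dec.Decode(&e); err == io.EOF {
				break
			} else if err != nil {
				http.Error(w, `{"text":"Invalid data format","code":6}`, http.StatusBadRequest)
				return
			}
			mu.Lock()
			*received = append(*received, e)
			mu.Unlock()
		}
		fmt.Fprint(w, `{"text":"Success","code":0}`)
	}))
	return srv, received
}

func main() {
	srv, received := NewFakeHEC("constructed-token")
	defer srv.Close()
	stream := &LogStream{URL: srv.URL, Token: "constructed-token", Client: srv.Client(), FailThreshold: 3,
		Notify: func(msg string) { fmt.Println("ALERT:", msg) }}
	// Constructed sample event shaped like an access authorization record; not Aembit's schema.
	err := stream.Send([]Event{{Time: time.Now().Unix(), Sourcetype: "aembit:access",
		Event: map[string]interface{}{"outcome": "allowed", "client_workload": "billing-api"}}})
	fmt.Println("sent:", err, "received:", len(*received))
}
```

Counting consecutive rather than total failures matters: a single transient 503 should not page anyone, while a rotated or revoked HEC token produces an unbroken run of 403s and should.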

Pod startup delay and security enhancements for Agent Proxy

Aembit has added the AEMBIT_PASS_THROUGH_TRAFFIC_BEFORE_REGISTRATION Agent Proxy environment variable to enable you to delay the Client Workload Kubernetes pod startup until registration between Agent Proxy and Agent Controller completes. See Delaying pod startup until Agent Proxy has registered for details.


Aembit has applied security enhancements and hardening to Agent Proxy in this release.


Updated Edge Components:

  • Agent Proxy

Updated Edge Packages:

  • Helm Chart

  • VM Agent Proxy package

  • Terraform ECS module

  • AWS Lambda Extension

See Edge Components supported versions for more details.

Allowed TLS Hostname now configurable for Agent Controller

Agent Controllers now support Allowed TLS Hostname as a configurable field in your Aembit Tenant:

Create an Agent Controller with TLS Hostname field

Allowed TLS Hostname serves the same purpose as the AEMBIT_MANAGED_TLS_HOSTNAME Agent Controller environment variable.

Configuring an Allowed TLS Hostname lets you specify which domain name Aembit Managed TLS includes in the TLS certificate. TLS connections from your Agent Proxies are then valid only when they reach your Agent Controller by this exact domain name, which tightens security without restricting which Agent Proxies can communicate with it.

To configure your Agent Controller with an allowed TLS hostname, see How to create an Agent Controller or Configure Agent Controller TLS with Aembit’s PKI.

Standalone CAs and Credential Provider Integrations now available

Introducing Standalone CAs for more granular control over TLS Decrypt management. This feature allows you to create and manage dedicated Certificate Authorities (CAs) that function independently from Aembit’s default Tenant-level certificates.

With Standalone CAs, you can assign CAs directly to specific Client Workloads or Resource Sets, creating isolated trust boundaries and enabling precise management of TLS traffic across different environments. Aembit intelligently selects the appropriate CA using a clear hierarchy: Client Workload level -> Resource Set level -> Tenant level.

To learn more about Standalone CAs, see About Standalone CA for TLS Decrypt.


We’ve updated the Deploy Edge Components experience in the Aembit admin UI to streamline how you deploy Aembit Edge Components.

We’ve added deployment guides directly in the Aembit admin UI for each type of deployment such as Kubernetes, Ubuntu Linux, Red Hat Enterprise Linux, or Microsoft. Now when you’re deploying new Aembit Edge Components, you’ll have a guided experience to get you up and running faster.

Deploy Aembit Edge screen


Introducing Credential Provider Integrations, which automate credential lifecycle management for third-party systems. This feature makes sure your workloads always have valid credentials without manual credential management, enhancing both security and operational efficiency.

Our new Credential Provider Integrations feature makes this possible by connecting Aembit directly to third-party systems, for example through the GitLab Service Account integration. The GitLab Service Account integration enables you to create a Managed GitLab Account Credential Provider, which manages the credential lifecycle of your GitLab service accounts.

This gives you fine-grained control while eliminating the overhead of manual credential management.

AWS SigV4 and SigV4a request signing now supported

The Aembit Credential Provider for AWS Security Token Service (STS) now supports the AWS SigV4 and SigV4a request signing protocols. Aembit automatically signs requests to AWS services using SigV4 for regional services or SigV4a for global/multi-region services.

See How Aembit uses AWS SigV4 and SigV4a to learn more and AWS Security Token Service (STS) Federation to configure an AWS STS Credential Provider.
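How SigV4 signing works, as an added example rather than Aembit's implementation: the long-term secret key is never applied to the request directly. It is first narrowed by an HMAC chain over the date, region, and service into a scoped signing key, which then signs a canonical description of the request. The access key, secret, and request below are constructed, the query string and path are assumed to be URI-encoded already, and SigV4a (the asymmetric variant the page mentions for global or multi-region services, which signs with an ECDSA key derived from the credentials) is outside this example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

func hmacSHA256(key []byte, data string) []byte {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(data))
	return mac.Sum(nil)
}

func sha256Hex(s string) string {
	sum := sha256.Sum256([]byte(s))
	return hex.EncodeToString(sum[:])
}

// SigningKey derives the date/region/service-scoped key. Because the raw secret never signs a
// request, a captured signature is useless for another day, region, or service.
func SigningKey(secretKey, date, region, service string) []byte {
	kDate := hmacSHA256([]byte("AWS4"+secretKey), date)
	kRegion := hmacSHA256(kDate, region)
	kService := hmacSHA256(kRegion, service)
	return hmacSHA256(kService, "aws4_request")
}

// CanonicalRequest builds the SigV4 canonical form: method, path, sorted query string, sorted
// lower-cased headers with whitespace collapsed, the signed-header list, and the payload hash.
func CanonicalRequest(method, path, query string, headers map[string]string, payload string) (canonical, signedHeaders string) {
	params := strings.Split(query, "&")
	sort.Strings(params)
	lower := make(map[string]string, len(headers))
	for k, v := range headers {
		lower[strings.ToLower(strings.TrimSpace(k))] = strings.Join(strings.Fields(v), " ")
	}
	names := make([]string, 0, len(lower))
	for n := range lower {
		names = append(names, n)
	}
	sort.Strings(names)
	var hdrs strings.Builder
	for _, n := range names {
		hdrs.WriteString(n + ":" + lower[n] + "\n")
	}
	signedHeaders = strings.Join(names, ";")
	canonical = strings.Join([]string{method, path, strings.Join(params, "&"), hdrs.String(), signedHeaders, sha256Hex(payload)}, "\n")
	return canonical, signedHeaders
}

// Authorization returns the SigV4 Authorization header value. amzDate is the X-Amz-Date value
// (YYYYMMDDTHHMMSSZ); its first eight characters are the scope date.
func Authorization(accessKey, secretKey, region, service, amzDate, method, path, query string, headers map[string]string, payload string) string {
	canonical, signedHeaders := CanonicalRequest(method, path, query, headers, payload)
	scope := amzDate[:8] + "/" + region + "/" + service + "/aws4_request"
	stringToSign := strings.Join([]string{"AWS4-HMAC-SHA256", amzDate, scope, sha256Hex(canonical)}, "\n")
	signature := hex.EncodeToString(hmacSHA256(SigningKey(secretKey, amzDate[:8], region, service), stringToSign))
	return fmt.Sprintf("AWS4-HMAC-SHA256 Credential=%s/%s, SignedHeaders=%s, Signature=%s", accessKey, scope, signedHeaders, signature)
}

func main() {
	// Constructed credentials and request; the secret is not a real key.
	headers := map[string]string{
		"Host":         "sts.amazonaws.com",
		"X-Amz-Date":   "20150830T123600Z",
		"Content-Type": "application/x-www-form-urlencoded; charset=utf-8",
	}
	fmt.Println(Authorization("AKIAEXAMPLE", "constructed-secret", "us-east-1", "sts",
		"20150830T123600Z", "GET", "/", "Action=GetCallerIdentity&Version=2011-06-15", headers, ""))
}
```

Because the host and x-amz-date headers are inside the signed material, a signed request cannot be redirected to another endpoint or replayed outside AWS's clock-skew window, which is why a broker that signs on a workload's behalf can hand over a usable request without ever handing over the secret key.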

Updated Edge Components:

  • Agent Proxy

Updated Edge Packages:

  • Helm Chart

  • VM Agent Proxy package

  • Terraform ECS module

  • AWS Lambda Extension

See Edge Components supported versions.