
Terraform ECS module now supports environment variables

The Aembit Edge Terraform ECS module now supports Terraform variables that allow you to set Agent Controller and Agent Proxy environment variables directly.

You may now set logging levels for these Edge Components in AWS ECS Fargate environments, and leverage configuration options that the Edge Terraform ECS module doesn’t support directly as variables yet.

See AWS ECS Fargate documentation for more information.

Global Policy Compliance, OIDC ID Token Credential Provider, and Splunk Log Streams now available

To increase the available deployment options for Amazon Web Services (AWS) Lambda users, Aembit now provides a Lambda Layer to support zip-based Lambda Functions. This joins our existing AWS Lambda Container support.

For more detailed information on how to deploy Aembit Edge Components to AWS Lambda Functions using our Lambda Layer, please refer to the AWS Lambda Functions documentation.


Introducing Global Policy Compliance for centralized security enforcement across your Aembit environment. This feature allows administrators to establish organization-wide security standards for Access Policies and Agent Controllers, ensuring consistent security practices and preventing the creation of policies that might inadvertently expose resources.

With Global Policy Compliance, you can enforce requirements for Trust Providers and Access Conditions across all Access Policies, as well as Trust Provider and TLS Hostname requirements for Agent Controllers. The three-tier enforcement model lets you set requirements as Required, Recommended (default), or Optional based on your organization’s security needs.

Global Policy Compliance visually identifies non-compliant components through color-coded status icons:

  • Red indicators for required but missing elements
  • Yellow indicators for recommended but missing elements
  • Green indicators for compliant Access Policies
  • Gray indicators for disabled or not active Access Policies

To learn more about Global Policy Compliance, see the Global Policy Compliance Overview.


Introducing OIDC ID Token Credential Provider for secure identity token generation and exchange with third-party services. By leveraging Aembit’s custom Identity Provider (IdP) capabilities, this Credential Provider generates JWT-formatted tokens that seamlessly integrate with various Workload Identity Federation (WIF) solutions.

The OIDC ID Token Credential Provider offers flexible configuration options including:

  • Custom claims configuration with both dynamic and literal subject support
  • Choice of signing algorithms (RS256 or ES256)
  • Integration with identity brokers such as AWS STS, GCP WIF, Azure WIF, and HashiCorp Vault

This new Credential Provider is particularly valuable for:

  • Secure access to cloud provider resources through their WIF solutions
  • Authentication with HashiCorp Vault using OIDC tokens
  • Integration with any service supporting OIDC/JWT authentication

To learn more about this feature, see About the OIDC ID Token Credential Provider.


Introducing Log Stream for Splunk SIEM to enhance your security monitoring capabilities. This integration enables rapid streaming of Aembit Edge event logs and audit logs directly to Splunk using Splunk’s HTTP Event Collector (HEC) protocol.

By connecting Aembit with Splunk SIEM, you can:

  • Enhance threat detection with comprehensive security data
  • Improve incident management through centralized logging
  • Streamline compliance monitoring for your organization

The setup process is straightforward, requiring only a properly configured HTTP Event Collector in your Splunk environment and a few configuration steps in the Aembit Admin UI. Aembit will automatically send email notifications if Log Stream transactions consistently fail, ensuring you’re always aware of your logging status.

To learn more about setting up this integration, see How to stream Aembit events to Splunk SIEM.
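To make the HEC side of this integration concrete, here is an added Go example (not Aembit's code) of what a Log Stream transaction looks like on the wire: a JSON event posted to Splunk's `/services/collector/event` endpoint with an `Authorization: Splunk <token>` header, plus a small consecutive-failure counter standing in for the "notify when transactions consistently fail" behaviour. The HEC token, event fields and alert threshold are constructed values, and the in-process fake collector exists only so the program runs offline.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"time"
)

// HECEvent is the JSON envelope Splunk's HTTP Event Collector accepts;
// "event" carries the actual log record.
type HECEvent struct {
	Time       float64        `json:"time"` // epoch seconds
	Host       string         `json:"host,omitempty"`
	Source     string         `json:"source,omitempty"`
	Sourcetype string         `json:"sourcetype,omitempty"`
	Event      map[string]any `json:"event"`
}

// SendToHEC posts one event and treats anything other than HTTP 200 as a failed transaction.
func SendToHEC(client *http.Client, endpoint, token string, ev HECEvent) error {
	body, err := json.Marshal(ev)
	if err != nil {
		return err
	}
	req, err := http.NewRequest(http.MethodPost, endpoint, bytes.NewReader(body))
	if err != nil {
		return err
	}
	req.Header.Set("Authorization", "Splunk "+token)
	req.Header.Set("Content-Type", "application/json")
	resp, err := client.Do(req)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return fmt.Errorf("HEC returned HTTP %d", resp.StatusCode)
	}
	return nil
}

// FailureTracker raises an alert once failures reach Threshold in a row;
// any success resets the count. The threshold is an assumed value.
type FailureTracker struct {
	Threshold   int
	consecutive int
}

func (f *FailureTracker) Record(err error) (alert bool) {
	if err == nil {
		f.consecutive = 0
		return false
	}
	f.consecutive++
	return f.consecutive == f.Threshold
}

// FakeHEC is a minimal offline stand-in for Splunk's collector: it checks the
// token and the path and answers with HEC's success or error documents.
func FakeHEC(validToken string) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.URL.Path != "/services/collector/event" || r.Header.Get("Authorization") != "Splunk "+validToken {
			http.Error(w, `{"text":"Invalid token","code":4}`, http.StatusForbidden)
			return
		}
		var ev HECEvent
		if err := json.NewDecoder(r.Body).Decode(&ev); err != nil || ev.Event == nil {
			http.Error(w, `{"text":"No data","code":5}`, http.StatusBadRequest)
			return
		}
		w.Write([]byte(`{"text":"Success","code":0}`))
	}))
}

func main() {
	const token = "00000000-0000-0000-0000-000000000000" // placeholder HEC token
	srv := FakeHEC(token)
	defer srv.Close()
	ev := HECEvent{Time: float64(time.Now().Unix()), Source: "aembit-edge", Sourcetype: "aembit:audit",
		Event: map[string]any{"action": "access_policy.updated", "actor": "admin@example.test"}} // constructed event
	fmt.Println("send:", SendToHEC(srv.Client(), srv.URL+"/services/collector/event", token, ev))
}
```

In production the endpoint is your Splunk instance's HEC URL over TLS, and a 403 with code 4 is the usual sign that the token in the Aembit Admin UI no longer matches the one enabled in Splunk.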

Pod startup delay and security enhancements for Agent Proxy

Aembit has added the AEMBIT_PASS_THROUGH_TRAFFIC_BEFORE_REGISTRATION Agent Proxy environment variable to enable you to delay the Client Workload Kubernetes pod startup until registration between Agent Proxy and Agent Controller completes. See Delaying pod startup until Agent Proxy has registered for details.


Aembit has applied security enhancements and hardening to Agent Proxy in this release.


Updated Edge Components:

  • Agent Proxy

Updated Edge Packages:

  • Helm Chart

  • VM Agent Proxy package

  • Terraform ECS module

  • AWS Lambda Extension

See Edge Components supported versions for more details.

Allowed TLS Hostname now configurable for Agent Controller

Agent Controllers now support Allowed TLS Hostname as a configurable field in your Aembit Tenant:

Create an Agent Controller with TLS Hostname field

Allowed TLS Hostname serves the same purpose as the AEMBIT_MANAGED_TLS_HOSTNAME Agent Controller environment variable.

Configuring an Allowed TLS Hostname lets you specify which domain name Aembit Managed TLS includes in the TLS certificate. TLS connections from your Agent Proxies are then only valid when they reach your Agent Controller using that exact domain name, which enhances security without restricting which Agent Proxies can communicate with it.

To configure your Agent Controller with an allowed TLS hostname, see How to create an Agent Controller or Configure Agent Controller TLS with Aembit’s PKI.
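The security property above comes from ordinary certificate hostname verification: a certificate whose only DNS SAN is the allowed hostname validates for that name and nothing else. The Go program below is an added illustration, not Aembit's PKI or Agent Proxy code: it issues a self-signed certificate carrying a single DNS SAN (standing in for the managed certificate) and runs the client-side hostname check that a TLS client performs against it. The hostname `agent-controller.example.internal` is a constructed value.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// NewControllerCert issues a self-signed server certificate whose only DNS SAN
// is allowedHost. It stands in for the certificate a managed PKI would issue to
// an Agent Controller; trust-chain details are out of scope here.
func NewControllerCert(allowedHost string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: allowedHost},
		DNSNames:     []string{allowedHost}, // the "Allowed TLS Hostname"
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// ProxyAccepts is the hostname check a TLS client performs after the chain
// validates: the name it dialed must match one of the certificate's SANs.
// Go ignores the Subject CN here, so only the SAN list matters.
func ProxyAccepts(cert *x509.Certificate, dialedHost string) bool {
	return cert.VerifyHostname(dialedHost) == nil
}

func main() {
	cert, err := NewControllerCert("agent-controller.example.internal")
	if err != nil {
		panic(err)
	}
	for _, host := range []string{"agent-controller.example.internal", "10.0.0.5", "controller.example.com"} {
		fmt.Printf("dial %-36s accepted=%v\n", host, ProxyAccepts(cert, host))
	}
}
```

Reaching the same controller through an IP address or a load-balancer alias fails the check by design; Agent Proxies must be configured with the allowed hostname, not an alternative route to the same service.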

Standalone CAs and Credential Provider Integrations now available

Introducing Standalone CAs for more granular control over TLS Decrypt management. This feature allows you to create and manage dedicated Certificate Authorities (CAs) that function independently from Aembit’s default Tenant-level certificates.

With Standalone CAs, you can assign CAs directly to specific Client Workloads or Resource Sets, creating isolated trust boundaries and enabling precise management of TLS traffic across different environments. Aembit intelligently selects the appropriate CA using a clear hierarchy: Client Workload level -> Resource Set level -> Tenant level.

To learn more about Standalone CAs, see About Standalone CA for TLS Decrypt.


We’ve updated the Deploy Edge Components experience in the Aembit admin UI to streamline how you deploy Aembit Edge Components.

We’ve added deployment guides directly in the Aembit admin UI for each type of deployment such as Kubernetes, Ubuntu Linux, Red Hat Enterprise Linux, or Microsoft. Now when you’re deploying new Aembit Edge Components, you’ll have a guided experience to get you up and running faster.

Deploy Aembit Edge screen


Introducing Credential Provider Integrations, which automate credential lifecycle management for third-party systems. This feature ensures your workloads always have valid credentials without manual management, enhancing both security and operational efficiency.

Our new Credential Provider Integrations feature makes this possible by connecting Aembit directly to third-party systems, such as GitLab through the GitLab Service Account integration. The GitLab Service Account integration enables you to create a Managed GitLab Account Credential Provider, which allows you to manage the credential lifecycle of your GitLab service accounts.

This gives you fine-grained control while eliminating the overhead of manual credential management.

AWS SigV4 and SigV4a request signing now supported

The Aembit Credential Provider for AWS Security Token Service (STS) now supports the AWS SigV4 and SigV4a request signing protocols. Aembit automatically signs requests to AWS services using SigV4 for regional services or SigV4a for global/multi-region services.

See How Aembit uses AWS SigV4 and SigV4a to learn more and AWS Security Token Service (STS) Federation to configure an AWS STS Credential Provider.
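For readers who want to see what "signing a request with SigV4" involves, the following Go program is an added example, not Aembit's implementation: it builds the canonical request, derives the date/region/service signing key from the secret, and writes the `Authorization` header AWS uses to recompute the signature. The access key and secret are placeholders, SigV4a (the asymmetric multi-region variant) is not shown, and query-string encoding is simplified to what `url.Values.Encode` produces, which matches AWS's canonical form for the simple query used here.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"net/http"
	"sort"
	"strings"
	"time"
)

func sha256Hex(b []byte) string {
	h := sha256.Sum256(b)
	return hex.EncodeToString(h[:])
}

func hmacSHA256(key, data []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(data)
	return m.Sum(nil)
}

// SigningKey derives the scoped key: an HMAC chain over the date, region,
// service and the literal "aws4_request", seeded with "AWS4" + secret.
// The raw secret never touches the request itself.
func SigningKey(secret, date, region, service string) []byte {
	k := hmacSHA256([]byte("AWS4"+secret), []byte(date))
	k = hmacSHA256(k, []byte(region))
	k = hmacSHA256(k, []byte(service))
	return hmacSHA256(k, []byte("aws4_request"))
}

// CanonicalRequest builds the SigV4 canonical form: method, path, sorted
// query, lowercased sorted headers, the signed-header list and the payload hash.
func CanonicalRequest(req *http.Request, payload []byte) (canonical, signedHeaders string) {
	names := make([]string, 0, len(req.Header))
	for k := range req.Header {
		names = append(names, strings.ToLower(k))
	}
	sort.Strings(names)
	var hdrs strings.Builder
	for _, n := range names {
		hdrs.WriteString(n + ":" + strings.TrimSpace(req.Header.Get(n)) + "\n")
	}
	signedHeaders = strings.Join(names, ";")
	path := req.URL.EscapedPath()
	if path == "" {
		path = "/"
	}
	canonical = strings.Join([]string{
		req.Method, path, req.URL.Query().Encode(), hdrs.String(), signedHeaders, sha256Hex(payload),
	}, "\n")
	return canonical, signedHeaders
}

// SignSigV4 adds X-Amz-Date and Authorization to req and returns the hex signature.
// Headers present at signing time (Host, Content-Type, X-Amz-Date) are covered by it.
func SignSigV4(req *http.Request, payload []byte, accessKey, secret, region, service string, now time.Time) string {
	amzDate := now.UTC().Format("20060102T150405Z")
	date := amzDate[:8]
	req.Header.Set("X-Amz-Date", amzDate)
	if req.Header.Get("Host") == "" {
		req.Header.Set("Host", req.URL.Host) // Host must be part of the signed headers
	}
	canonical, signed := CanonicalRequest(req, payload)
	scope := date + "/" + region + "/" + service + "/aws4_request"
	stringToSign := strings.Join([]string{"AWS4-HMAC-SHA256", amzDate, scope, sha256Hex([]byte(canonical))}, "\n")
	sig := hex.EncodeToString(hmacSHA256(SigningKey(secret, date, region, service), []byte(stringToSign)))
	req.Header.Set("Authorization", fmt.Sprintf(
		"AWS4-HMAC-SHA256 Credential=%s/%s, SignedHeaders=%s, Signature=%s", accessKey, scope, signed, sig))
	return sig
}

func main() {
	req, _ := http.NewRequest("GET", "https://sts.amazonaws.com/?Action=GetCallerIdentity&Version=2011-06-15", nil)
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded; charset=utf-8")
	// Placeholder credentials; a real signer would hold short-lived STS credentials instead.
	SignSigV4(req, nil, "AKIAEXAMPLEPLACEHOLDER", "SECRETKEYPLACEHOLDER", "us-east-1", "sts", time.Now())
	fmt.Println(req.Header.Get("Authorization"))
}
```

Because the signature covers the date and the scoped key changes daily, a captured `Authorization` header cannot be replayed after AWS's clock-skew window closes; the secret itself is never transmitted, which is why a Credential Provider can sign on a workload's behalf without exposing long-lived keys to it.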

Updated Edge Components:

  • Agent Proxy

Updated Edge Packages:

  • Helm Chart

  • VM Agent Proxy package

  • Terraform ECS module

  • AWS Lambda Extension

See Edge Components supported versions.

Vault private network access and CrowdStrike on Windows now available

Aembit now supports accessing HashiCorp Vault Credential Providers that reside on private networks. This allows your colocated Agent Proxy to handle authentication directly, rather than Aembit Cloud. See Accessing Vault on private networks for more information.

Aembit now supports Conditional Access for CrowdStrike on Windows. To set up Conditional Access for CrowdStrike on Windows, follow the steps in Access Condition for CrowdStrike.

Aembit now supports the AWS Role Trust Provider on Agent Proxy for ECS Fargate deployments.

Enhanced Vault token header behavior.

Enhanced Agent Proxy initialization on Kubernetes to prevent other processes from interfering and impacting its startup.

Updated Edge Components:

  • Agent Proxy

Updated Edge Packages:

  • Helm Chart

  • Terraform ECS module

  • VM Agent Proxy package

  • AWS Lambda Extension

See Edge Components supported versions.

Azure Entra Workload Identity Federation and automatic user creation now available

Aembit now supports Azure Entra Workload Identity Federation as a Credential Provider. This enables you to automatically obtain credentials through Aembit as a third-party federated Identity Provider (IdP) to securely authenticate with Azure Entra and access your Azure Entra registered applications and managed identities.

Aembit now supports Automatic User Creation triggered by SSO login requests. Aembit has enhanced the Identity Provider configuration page with additional parameters, enabling you to map SAML attributes from your Identity Provider to the user roles defined in your Aembit Tenant.

You can now change the leaf certificate lifetime when using the TLS Decrypt feature.

RHEL with SELinux now supported for Edge components

Aembit Edge Components have been updated to include support for Red Hat Enterprise Linux (RHEL) 8 and 9 with Security-Enhanced Linux (SELinux). With this improvement, administrators may now add additional layers of security to their system architecture.

For more information on integrating Aembit Edge Components with SELinux, please see the SELinux support page.

Aembit Virtual Appliance now available for Edge components

Aembit has released a new, pre-packaged deployment model that provides a Virtual Appliance for deploying Aembit Edge Components in your environment. This virtual appliance image includes both Agent Controller and Agent Proxy bundled together in a single OVA file.

For more detailed information on how to deploy the Aembit Virtual Appliance, please see the Virtual Appliance technical documentation.