Aembit Changelog

End-to-end mTLS between Client and Server Workloads with SPIFFE X.509-SVID certificates

Thu, 21 May 2026 12:00:00 GMT

Introducing end-to-end mutual TLS (mTLS) between Client Workloads and Server Workloads using SPIFFE-compliant X.509-SVID certificates.

Aembit has released new versions of the following components and packages:

Agent Proxy
Cloud (Tenant UI + API)
EdgeAPI
Terraform Provider
Helm Chart
Terraform ECS module
AWS Lambda Extension
AWS Lambda Layer

For the latest available versions of these components, see the Edge Components Supported Versions page.

Key Updates:

Agent Proxy outbound mTLS with X.509-SVID: Agent Proxy can now establish outbound mTLS connections to Server Workloads using SPIFFE-compliant X.509-SVID certificates, with no application code changes required.
mTLS Authentication method for Server Workloads: A new authentication method, mTLS Authentication with the x509 Certificate scheme, lets Server Workloads validate the client certificate that Agent Proxy presents during the mTLS handshake.
X.509-SVID Credential Provider: A new Credential Provider type that issues SPIFFE-compliant X.509 certificates. This release’s Agent Proxy update is what consumes them for outbound mTLS to Server Workloads.

Agent Proxy can now establish outbound mTLS connections to Server Workloads using SPIFFE-compliant X.509-SVID certificates, enabling certificate-based workload-to-workload authentication without application code changes.

What’s new:

In-memory private key: Agent Proxy generates an ECDSA key pair in memory for each X.509-SVID certificate. The private key is never written to disk and is never transmitted to Aembit Cloud.
Automatic rotation at 80% of certificate lifetime: Agent Proxy refreshes the certificate well before expiration, generating a new key pair on each refresh. In-progress mTLS connections continue using the prior certificate until they close.
mTLS Authentication for Server Workloads: A new Server Workload authentication method (mTLS Authentication with the x509 Certificate scheme) lets the Server Workload side validate the X.509-SVID certificate that Agent Proxy presents during the handshake.

For the end-to-end workflow and procedure, see Enable mTLS on a Server Workload. For the authentication-method catalog, see Authentication methods and schemes.

Aembit is introducing a new X.509-SVID Credential Provider type that issues SPIFFE-compliant X.509 certificates to Client Workloads, signed by an Aembit Standalone CA.

What’s new:

SPIFFE-compliant identity in the URI Subject Alternative Name (SAN): Every issued certificate embeds the workload’s SPIFFE ID as a URI SAN, so SPIFFE-aware Server Workloads can authenticate the Client Workload during the TLS handshake.
Literal or dynamic Subject and SPIFFE ID: Configure either field with a fixed value or with template expressions that resolve at issuance time using workload attestation attributes.
Configurable Extended Key Usage: Default to id-kp-clientAuth for outbound mTLS, or add id-kp-serverAuth to use the same certificate as a server credential.
Configurable certificate lifetime: Set the lifetime in minutes (default 15). Agent Proxy automatically refreshes the certificate before expiration (typically at 80% of the configured lifetime).

For setup instructions, see Create an X.509-SVID Credential Provider. For concepts and the end-to-end issuance flow, see About the X.509-SVID Credential Provider.

Expanded MCP and AI IAM event coverage

Tue, 19 May 2026 12:00:00 GMT

Aembit has expanded the event coverage and reporting surfaces for troubleshooting MCP and AI IAM failures:

New access.discovery event type: Access Authorization Events now include an access.discovery event that lists the Client Workloads and Server Workloads Aembit Cloud considered during evaluation. Use it to diagnose requests that match no workload or policy, or that match multiple. See Access Discovery events.
User identity on MCP Workload Events: MCP Workload Events now include a userId field at application.mcp.userId for flows that involve a human identity, such as MCP Authorization Server flows. The Workload Events view exposes a matching User (MCP App Protocol only) filter for per-user investigations and SIEM scoping.
Trust Provider failures emit at Error severity: Trust Provider attestation failures in MCP flows now emit at Error severity rather than warning, so SIEM alerts that watch for Error events catch real authorization failures reliably.
Clearer expired-credential explanations: The access.credential event’s reason now identifies which token expired and at which step, making it easier to decide between re-authentication, credential refresh, or Credential Provider reconfiguration.
MCP Authorization Tracing view: A new live diagnostic view in the Reporting dashboard surfaces inbound authorization requests at the MCP Identity Gateway in real time, with the redirect URI, resource, matched Client Workload, and policy outcome for each request. See MCP Authorization Tracing.

For an end-to-end investigation flow that uses these reporting surfaces together, see Troubleshoot MCP and AI IAM access.

MCP Identity Gateway 1.31.4955 release

Tue, 19 May 2026 12:00:00 GMT

Aembit has released MCP Identity Gateway version 1.31.4955.

For the latest available versions of these components, see the Edge Components Supported Versions page.

Key Updates:

Session deletion: Support for deleting MCP sessions, enabling clients to explicitly end MCP Identity Gateway sessions when finished.
MCP-level error metrics: New Prometheus metrics expose MCP protocol-level errors, giving operators visibility into request failures at the MCP layer.
Application-specific Prometheus metrics: Additional Prometheus metrics scoped to the MCP Identity Gateway application for improved observability.

Aembit Secrets Operator CRDs graduate to v1

Fri, 15 May 2026 12:00:00 GMT

Aembit Secrets Operator 1.31.314 is now available.

This release graduates the Secrets Operator CRDs from v1beta1 to v1. Use apiVersion: aembit.io/v1 in your manifests—see the Configuration Reference for the updated specs.

Aembit Secrets Operator now available

Tue, 12 May 2026 12:00:00 GMT

Aembit Secrets Operator 1.31.298 is now available.

Secrets Operator is a Kubernetes operator that authenticates to the Aembit platform and synchronizes credentials into Kubernetes Secrets. Applications consume managed secrets the same way they consume any other Kubernetes Secret.

Key capabilities in this release:

Kubernetes Service Account authentication: Authenticate using the operator’s in-cluster ServiceAccount token, validated against the cluster’s OIDC endpoint. No per-cluster signing key required. Verified on Amazon EKS and K3s. See Set up Secrets Operator for configuration.
OIDC symmetric key authentication: Alternatively, authenticate using OIDC tokens with symmetric key signing (HS256) for custom claims and non-Kubernetes identity scenarios.
Proactive credential renewal: Credentials refresh at 80% of their TTL, or sooner when you configure a shorter refreshInterval, ensuring applications always have a valid credential.
Multi-namespace install: You can now use the same Helm release name across multiple namespaces on the same cluster without resource name conflicts.

MCP Identity Gateway 1.31 release

Tue, 12 May 2026 12:00:00 GMT

Aembit has released MCP Identity Gateway version 1.31.

Key Updates:

User identity on workload events: The userId field now appears on mcp.request and mcp.response workload events when the MCP client is identified, making it easier to attribute MCP activity to authenticated users in audit reports.
Client-initiated session termination: MCP clients can now end their session with the Gateway by sending an HTTP DELETE request to the /mcp endpoint, per MCP specification section 2.5.5. See Session management for the request contract.

Dynamic claims now support custom environment variables

Sat, 02 May 2026 12:00:00 GMT

Custom environment variables on Agent Proxy and Aembit CLI can now feed into OIDC and JWT-SVID dynamic claims, gated by an explicit allowlist.

What’s new:

AEMBIT_ENV_VAR_ALLOWLIST: A new environment variable that defines which custom variables Agent Proxy and Aembit CLI may capture for use in dynamic claims. By default, Agent Proxy and Aembit CLI capture no custom variables.
Always-available Kubernetes variables: K8S_POD_NAME, K8S_NAMESPACE, and KUBERNETES_PROVIDER_ID are now usable in dynamic claims regardless of the allowlist.

For setup instructions, see Configure custom environment variables for Agent Proxy. For the dynamic claims expression syntax, see OIDC and JWT-SVID dynamic claims.

Edge components release with Oracle GA and HTTP proxy support

Sat, 02 May 2026 12:00:00 GMT

Aembit has released new versions of the following components and packages:

Helm Chart
Terraform ECS module
VM Agent Proxy package
Agent CLI
AWS Lambda Extension
AWS Lambda Layer
Agent Injector
Agent Proxy

For the latest available versions of these components, see the Edge Components Supported Versions page.

Key Updates:

Oracle Application Protocol GA: Oracle Database protocol support is now available for production use, including mid-connection TLS support, improved client error handling, Prometheus metrics for Oracle credential injection events, and internal packet-handling improvements.
Upstream HTTP proxy support: Agent Proxy and Aembit CLI now support upstream HTTP proxy configuration for gRPC and Server-Workload-bound HTTP/HTTPS traffic, with NO_PROXY honored.
S3 upload size restriction removed: Large file uploads to AWS S3 Log Streams are now supported via streaming AWS chunked signing, removing the previous upload size limit. See How Aembit uses AWS SigV4 and SigV4a for more details.
Expanded credential resolver capabilities: Enhanced support for credential provider resolution across deployment types.
Dynamic claims from environment variables: Agent Proxy and Aembit CLI can now gather dynamic claims from environment variables, controlled by the AEMBIT_ENV_VAR_ALLOWLIST.
CLI enhancements: Aembit CLI adds the --client-workload-id flag and OIDC token expiration validation.
General improvements: Numerous stability reliability improvements across edge components.
Security upgrades: Security dependency upgrades across edge components.
Improved logging and observability: Improved request logging and enhanced error reporting for common failure conditions.

Oracle Database now generally available

Sat, 02 May 2026 12:00:00 GMT

Oracle Database protocol support is now available for production use.

What’s new:

Oracle Database GA: Support for Oracle 19c and 21c is now available for production use. Aembit injects username/password credentials into Oracle TNS connections at authentication time, eliminating static database passwords without modifying your application code.
TLS connections: Oracle database connections can now use TLS via the TCP/IP with TLS (TCPS) protocol. You can enable TLS independently on the client-to-proxy and proxy-to-database sides by checking the TLS checkbox on the Port and Forward to Port fields in the Server Workload configuration.
Improved Oracle error handling: Agent Proxy now returns clearer ORA-* error messages when Oracle authentication fails, making it easier to diagnose credential injection and configuration issues.
Prometheus observability: Oracle credential injection events now appear in the aembit_agent_proxy_credential_injections_total metric with application_protocol="oracleDatabase", so you can monitor Oracle credential operations alongside other supported protocols.

For setup instructions, see Create an Oracle Database Server Workload. For a technical overview, see About Oracle Databases.

OAuth 2.0 Authorization Code now uses centralized callback URL

Tue, 28 Apr 2026 12:00:00 GMT

The OAuth 2.0 Authorization Code Credential Provider now uses a centralized callback URL and supports an optional Final Redirect URL that supports custom or embedded integration scenarios.

What’s new:

Centralized Callback URL - OAuth 2.0 Authorization Code Credential Providers now use a single, centralized callback URL shared across Credential Providers on your Aembit stack. If you previously registered a per-tenant callback URL with a third-party provider, you don’t need to take any action.
Final Redirect URL - A new optional field that redirects users to a specified URL after completing the OAuth authorization flow, instead of returning to the Aembit Credential Provider page. Contact Aembit support to enable this feature.

For details, see OAuth 2.0 Authorization Code Credential Provider.

Faster Aembit-minted token generation

Tue, 21 Apr 2026 12:00:00 GMT

Aembit optimized how it generates tokens for Credential Providers and MCP authorization flows. This reduces latency and improves scalability, especially for MCP-based use cases.

Agent Proxy now honors HTTP proxy environment variables

Fri, 17 Apr 2026 12:00:00 GMT

Aembit has released new versions of the following components and packages:

Helm Chart
Terraform ECS module
VM Agent Proxy package
AWS Lambda Extension
AWS Lambda Layer
Agent Proxy

Agent Proxy now honors HTTP_PROXY, HTTPS_PROXY, and NO_PROXY environment variables. If your network routes outbound traffic through an HTTP proxy, you can configure these environment variables so that Agent Proxy routes its outbound connections through the proxy.

For details, see Agent Proxy environment variables.

For the latest available versions of these components, see the Edge Components Supported Versions page.

Agent Controller now honors HTTP proxy environment variables

Wed, 15 Apr 2026 12:00:00 GMT

Aembit has released Agent Controller version 1.30.3384.

Agent Controller now honors HTTP_PROXY, HTTPS_PROXY, and NO_PROXY environment variables. If your network routes outbound traffic through an HTTP proxy, you can configure these environment variables so that Agent Controller routes its outbound connections through the proxy.

For details, see Agent Controller environment variables.

Refresh token support for MCP authorization flows

Tue, 07 Apr 2026 12:00:00 GMT

OIDC ID Token and Aembit Access Token Credential Providers now support refresh tokens for MCP Authorization Server flows. This feature applies exclusively to MCP Authorization Server use cases.

What’s new:

An Enable Refresh Token Support option on OIDC ID Token and Aembit Access Token Credential Providers.
An Absolute Token Lifetime setting that controls how long refresh tokens remain valid for exchanging for new access tokens after initial issuance.
Refresh tokens are single-use. Each exchange returns a new refresh token.

When enabled, the MCP Authorization Server returns refresh tokens alongside access tokens during OAuth token requests. MCP clients can exchange a refresh token for a new access token and a new refresh token, maintaining an active session without completing a new authorization flow. Other credential flows, such as Agent Proxy, are not affected by this setting.

To use this feature, edit your Credential Provider, toggle Enable Refresh Token Support to on, and set the Absolute Token Lifetime.

For details, see Token refresh, OIDC ID Token, and Aembit Access Token.

MCP Identity Gateway 1.30 release

Fri, 03 Apr 2026 12:00:00 GMT

Aembit has released MCP Identity Gateway version 1.30.4549.

For the latest available versions of these components, see the Edge Components Supported Versions page.

Key Updates:

The Gateway now authenticates requests before proxying them to upstream MCP servers (new default behavior)
Tool annotations are included in MCP responses
The Gateway returns HTTP 405 for GET requests to the MCP endpoint
Unauthorized (401) responses now include additional metadata for easier troubleshooting
Errors from upstream MCP servers are forwarded to MCP clients
The Gateway honors the AEMBIT_TRUSTED_ISSUER_DOMAINS environment variable for trusted issuer configuration
A new metrics endpoint provides Gateway operational metrics on a configurable port
Improved compatibility with Claude Desktop and other MCP clients
Improved handling of MCP servers that don’t support resources
General improvements to session management, installer reliability, and internal performance

MCP Authorization Server now supports unauthenticated flows

Tue, 31 Mar 2026 12:00:00 GMT

Aembit’s MCP Authorization Server now supports OAuth flows that don’t require end-user authentication. This enables use cases like ChatGPT apps and other MCP integrations where user sign-in isn’t needed or desired.

What’s new:

An Enforce SSO option on Client Workloads with the Redirect URI identifier type. Enforce SSO is on by default, preserving the current behavior of requiring user authentication.
When Enforce SSO is on, a multi-select dropdown lets you choose which SSO identity providers appear on the MCP authentication page. By default, all configured identity providers are selected.
When Enforce SSO is off, the MCP Authorization Server issues access tokens without redirecting users to an identity provider. No Trust Provider is needed, but a Credential Provider is still required.
Access Policies still apply as an authorization control. You can turn off policies or entities to block token issuance.

To use this feature, edit your Client Workload, select the Redirect URI client identifier, and configure Enforce SSO under MCP Authorization Configuration.

For details, see Authentication support and MCP Authorization Server architecture.

MCP Identity Gateway now supports MCP resources

Tue, 17 Mar 2026 12:00:00 GMT

Aembit has released MCP Identity Gateway version 1.29.4419.

Key Updates:

MCP resource support for the Identity Gateway

The MCP Identity Gateway now proxies MCP resource requests in addition to tool requests. MCP servers that expose resources (such as files, database schemas, or application data) are now accessible through the Gateway with the same identity-aware access policies, credential isolation, and audit logging that govern tool invocations.

What’s new:

resources/list discovers available resources across all assigned MCP servers. The Gateway fans out the request and aggregates results from all connected servers.
resources/read retrieves a specific resource by URI from the appropriate MCP server.

No action required. Resource support is available automatically after upgrading to MCP Identity Gateway 1.29.4419. Your existing access policies, Trust Providers, and Credential Providers apply to resource requests with no configuration changes.

For details, see MCP resource support.

Edge components release with S3 stability and OpenShift improvements

Wed, 11 Mar 2026 12:00:00 GMT

Aembit has released new versions of the following components and packages:

Helm Chart
Terraform ECS module
VM Agent Proxy package
VM Agent Controller package
Agent Proxy
Agent Controller

For the latest available versions of these components, see the Edge Components Supported Versions page.

Key Updates:

Apply stability improvements for S3 uploads and downloads
Improve Helm Chart compatibility across Kubernetes platforms including Red Hat OpenShift (ROSA)

Oracle Database support enters beta with new process-based identifiers

Thu, 26 Feb 2026 12:00:00 GMT

Aembit has released new versions of the following components and packages:

Helm Chart
VM Agent Proxy package
VM Agent Controller package
AWS Lambda Extension
AWS Lambda Layer
Agent Injector
Agent Proxy
Agent Controller

For the latest available versions of these components, see the Edge Components Supported Versions page.

Key Updates:

Oracle Database protocol support (Limited Beta)
Support Process Command Line and Process Path client workload identification

Aembit’s Agent Proxy now supports the Oracle Database application protocol in Limited Beta. This enables Aembit to manage access for client workloads connecting to Oracle databases by intercepting the TNS wire protocol and injecting credentials transparently.

Key capabilities:

Username/password credential injection for Oracle 19c and 21c databases (12C password verifier only)
Support for thin Oracle clients (Java, Python), with experimental thick client support
Tested with AWS RDS for Oracle and containerized Oracle environments
Transparent steering on Linux VM deployments

For setup instructions, see the Oracle Database Server Workload guide. For an overview of how Oracle protocol support works, see About Oracle Databases.

Aembit’s Agent Proxy now supports Process Command Line and Process Path as Client Workload identifiers. These identifiers allow you to identify client workloads based on their full command line or executable path, providing more granular control over which applications can access your protected resources.

Key capabilities:

Process Command Line: Identify workloads by the full command used to start them, including arguments. Supports wildcard matching to target specific arguments (for example, *--env production*).
Process Path: Identify workloads by the exact filesystem path of the executable.
Combine with other identifiers like Process Name and Process User Name for precise matching.
Supports Linux virtual machine deployments.

For configuration details, see Process Command Line and Process Path.

MCP Identity Gateway enters beta with MCP Server and component copying

Tue, 24 Feb 2026 12:00:00 GMT

Aembit now offers an MCP Identity Gateway (Beta) that sits between AI agents and MCP servers, enforcing Access Policies, performing secure token exchange, and providing visibility into MCP activity. Deployed on a Linux VM, the Gateway ensures AI agents never hold direct credentials for enterprise systems.

Key capabilities:

Proxies MCP traffic with identity-aware policy enforcement
Performs secure token exchange using OAuth 2.0 and API key credentials
Provides per-user credential management and centralized MCP routing
Logs agent identity, user identity, and policy decisions for auditability
Fail-closed behavior—denies access by default unless explicitly allowed

For setup instructions and architecture details, see MCP Identity Gateway.

Aembit now provides an MCP Server that enables AI agents and users to query Aembit event logs using structured commands. Built on the Model Context Protocol specification, the MCP Server enables agentic observability and auditability for organizations using Aembit.

Key capabilities:

Query audit logs, authorization events, and workload events
Integrations with MCP Inspector, Claude Code, GitHub Copilot, and Visual Studio
Resource-set-based access scoping for least-privilege access
Read-only access—no create, update, or delete operations
Full audit trail of all MCP Server queries

For setup and connection guides, see Aembit MCP Server.

Aembit has added a new MCP User-Based Access Token Credential Provider type. This type enables per-user OAuth credentials for MCP servers using the OAuth 2.0 Authorization Code flow. The MCP Identity Gateway manages user-specific tokens when connecting to downstream MCP servers.

Key capabilities:

OAuth 2.0 Authorization Code flow with Proof Key for Code Exchange (PKCE) support
MCP Server URL discovery with auto-population of OAuth endpoints
Per-user credential scoping
Token introspection and lifetime management

For configuration details, see MCP User-Based Access Token Credential Provider.

Aembit now supports component copying between Resource Sets. You can replicate Access Policy components—including Client Workloads, Server Workloads, Trust Providers, Credential Providers, and Access Conditions—from one Resource Set to another. You can also copy entire Access Policies with all related components at once.

Key capabilities:

Copy individual components or entire Access Policies between Resource Sets
Each copy receives a unique identifier while the original remains unchanged
Supports environment promotion, regional deployments, and safe experimentation

For details, see About component copying and Copy components.

Edge components release with S3 streaming and Secrets Manager improvements

Fri, 16 Jan 2026 12:00:00 GMT

Aembit has released new versions of the following components and packages:

Helm Chart
Terraform ECS module
Agent Proxy

For the latest available versions of these components, see the Edge Components Supported Versions page.

Key Updates:

Improved AWS S3 upload streaming signature support
AWS Secrets Manager Private Network Access username/password credential support (requires Agent Proxy 1.28)

Aembit has improved Agent Proxy’s AWS S3 upload support with enhanced streaming signature handling. Agent Proxy 1.28 addresses limitations from the 1.27 release related to streaming signed payloads.

Key capabilities:

Improved handling of aws-chunked content encoding for streaming uploads
Better compatibility with AWS SDK streaming operations
Enhanced request signing for chunked transfer encoding

For complete documentation, see How Aembit uses AWS SigV4 and SigV4a.

The AWS Secrets Manager Credential Provider with Private Network Access now supports username/password credentials. This extends the PNA capability introduced in Agent Proxy 1.27 to include secrets stored as username/password pairs.

Requirements:

Agent Proxy 1.28 or later

For configuration details, see AWS Secrets Manager Credential Provider.

VM Agent Proxy package
AWS Lambda Extension
AWS Lambda Layer
Agent Proxy

For the latest available versions of these components, please see the Edge Components Supported Versions page.

Key Updates:

Added private network access support for HTTP Basic Auth Credential Providers using AWS Secrets Manager.
Added process name and process username as Client Workload Identifiers.
Extended AWS S3 support to include all SigV4 headers, enabling required signing type specification.

GitHub Action, MCP Authorization Server beta, and Access Policy Builder now available

Tue, 13 Jan 2026 12:00:00 GMT

Aembit now provides an official GitHub Action for injecting credentials into your CI/CD workflows. The action retrieves credentials from Aembit and makes them available to subsequent steps in your workflow.

Key capabilities:

Retrieve credentials using workload identity federation with GitHub’s OIDC tokens
Support for AWS, Azure, database, and API key credential types
Automatic credential masking in workflow logs

For setup instructions, see the GitHub Actions tutorial. For usage examples with different credential types, see the how-to guide.

Aembit now supports Private Network Access (PNA) for the AWS Secrets Manager Credential Provider. This allows your Aembit Edge components (Aembit CLI or Agent Proxy) to retrieve secrets directly from AWS Secrets Manager instances in private networks, such as AWS VPCs with private endpoints.

Key capabilities:

Retrieve secrets from AWS Secrets Manager without exposing your VPC to the public internet
Works with both Aembit CLI and Agent Proxy deployments
No changes required to your existing AWS IAM policies or VPC endpoint configuration

For configuration details, see Private Network Access for Credential Providers and AWS Secrets Manager Credential Provider.

Aembit has released the MCP Authorization Server (beta), which secures Model Context Protocol (MCP) workloads using OAuth 2.1 authorization flows. This enables you to apply Aembit Access Policies to AI agents and MCP clients, controlling which users can access which MCP servers.

Beta feature

The MCP Authorization Server is currently in beta. Contact your Aembit representative to request access.

Key capabilities:

OAuth 2.1 authorization code flow implementation for MCP-compliant workloads
Dynamic Client Registration support for tools like Claude Desktop and Gemini CLI
Integration with OIDC and SAML identity providers for user authentication
Access Policies with time and location-based conditions

Aembit has redesigned the Access Policy creation experience with the new Access Policy Builder. The builder provides a card-based interface that guides you through configuring each component of an Access Policy.

Key capabilities:

Visual card-based navigation for policy components
Inline creation of Client Workloads, Server Workloads, Trust Providers, and other components
Clear indicators for required, recommended, and optional components based on Global Policy Compliance settings

To use the new builder, enable Use new access policy in your user profile preferences. For a walkthrough, see Create an Access Policy.

Edge components release with AWS S3 uploads and multiple AWS STS support

Thu, 04 Dec 2025 12:00:00 GMT

Aembit has released new versions of the following components and packages:

Helm Chart
Terraform ECS module
Agent Proxy
AWS Lambda Extension
AWS Lambda Layer

For the latest available versions of these components, see the Edge Components Supported Versions page.

Key Updates:

Support AWS S3 upload request workloads
Support multiple AWS STS Credential Providers in a single Access Policy via Access Key ID mapping

Aembit’s Agent Proxy now supports AWS S3 file uploads. Agent Proxy transparently handles S3’s complex signing requirements, including detecting client signatures, re-signing requests with injected credentials, and streaming large file uploads.

Key capabilities:

Automatic detection of S3 signing methods using the x-amz-content-sha256 header
Support for unsigned payloads, streaming signatures, and standard SigV4 signing
Transparent credential injection without client-side configuration changes

Known limitations in this release:

Streaming signed payload uploads default to a 50 MiB limit (configurable via AEMBIT_AWS_MAX_BUFFERED_PAYLOAD_BYTES)
Request compression isn’t supported for S3 requests

For complete documentation and workarounds, see How Aembit uses AWS SigV4 and SigV4a.

Aembit now supports multiple AWS Security Token Service (STS) Credential Providers within a single Access Policy. This feature enables a single Client Workload to access multiple AWS resources, each requiring different IAM roles, without creating separate Access Policies.

Key capabilities:

Access Key ID selectors for automatic Credential Provider matching
Simplified policy management with multiple AWS STS Credential Providers per Access Policy
Seamless credential injection for applications accessing different AWS services

Minimum Edge Component versions required:

Agent Proxy 1.27.3865
Agent Controller 1.27.2906

For complete documentation, see Using multiple AWS STS Credential Providers.

Aembit has expanded the Server Workload documentation with new guides covering architecture patterns, credential lifecycle management, developer integration, and troubleshooting. These resources help you understand how Aembit manages credentials for your Server Workloads and provide guidance for integrating Aembit into your applications.

New documentation:

Architecture patterns - OAuth flows, trust boundaries, and deployment models
Credential lifecycle - How Aembit manages credential rotation and security
Developer integration - SDK integration patterns and placeholder credentials for local development
Troubleshooting - Diagnostic steps for common configuration issues

New and updated Server Workload guides:

NEW Microsoft Entra ID - Authenticate to Entra ID-protected resources using Azure Entra Workload Identity Federation or OAuth interception
UPDATED AWS services - Authenticate to AWS services using AWS Security Token Service (STS) Credential Providers and SigV4 signing

Agent Controller logging and error handling improvements

Tue, 25 Nov 2025 12:00:00 GMT

Aembit has released new versions of the following components and packages:

Helm Chart
Terraform ECS module
Agent Controller

For the latest available versions of these components, see the Edge Components Supported Versions page.

Key Updates:

Enhancements to Agent Controller logging and error handling for improved observability

Azure Key Vault Credential Provider and OIDC SSO now available

Tue, 21 Oct 2025 12:00:00 GMT

Aembit has released new versions of the following components and packages:

Helm Chart
Terraform ECS module
Agent Proxy
AWS Lambda Extension
AWS Lambda Layer
Agent Injector

For the latest available versions of these components, see the Edge Components Supported Versions page.

Key Updates:

Azure Key Vault Private Network Access: Added support for accessing Azure Key Vault instances configured with private network endpoints
Performance Improvements: Enhanced performance for Secure Parameter Exchange (SPE) Postgres database operations
Dependency Updates: Updated multiple project dependencies to their latest stable versions
Rust and Hyper Upgrade: Upgraded to Rust 1.89.0 and introduced the hyper HTTP library for improved performance and security
Logging Enhancements: Internal improvements to logging functionality for better observability and debugging

Aembit has released the new Azure Entra Federation Credential Provider Integration and Azure Key Vault Credential Provider.

Together, they enable you to retrieve secrets from Azure Key Vault directly through Aembit using Azure’s Workload Identity Federation.

The Azure Entra Federation integration leverages OpenID Connect (OIDC) standards to authenticate with Azure Entra without requiring long-lived secrets or static credentials. This allows Aembit to securely access your Azure Key Vault instances using short-lived, federated tokens.

The Azure Key Vault Credential Provider supports:

Single value credentials (API keys, tokens)
Username/Password credentials
Both public and private network access scenarios
Policy-driven access controls and centralized auditing

See Azure Entra Federation Credential Provider Integration and Azure Key Vault Credential Provider to learn more.

You can now configure OIDC 1.0 Identity Providers for administrator Single Sign-On (SSO) authentication. This enables you to use OIDC-compliant identity providers such as Okta, Azure AD, and Auth0 to simplify the Aembit Tenant login process for your users. With OIDC support, you can leverage your existing identity infrastructure for secure, standardized authentication to the Aembit administrative console.

For more information, see Create an OIDC Identity Provider.

Edge components release with container base image security update

Thu, 02 Oct 2025 12:00:00 GMT

Aembit has released new versions of the following components and packages:

Helm Chart
Terraform ECS module
AWS Lambda Extension
AWS Lambda Layer
Agent Proxy
Agent Injector
Sidecar Init

For the latest available versions of these components, see the Edge Components Supported Versions page.

Key Updates:

Applied a security enhancement to container-base images

Faster, more reliable Agent Controller cloud detection and attestation

Tue, 09 Sep 2025 12:00:00 GMT

Aembit has applied performance enhancements to Agent Controller in this release, including:

improved cloud environment detection and attestation, making Agent Controller onboarding faster and more reliable across AWS and Azure
improved logging around TLS-related errors
deprecated the AEMBIT_HTTP_DISABLED environment variable (HTTP is now disabled when TLS is enabled)

For the latest available versions of these components, see the Edge Components Supported Versions page.

New AWS Lambda layer and extension release

Tue, 02 Sep 2025 12:00:00 GMT

Aembit has released new versions of the following components and packages:

AWS Lambda layer
AWS Lambda extension

For the latest available versions of these components, see the Edge Components Supported Versions page.

SPIFFE JWT-SVID Credential Provider now available

Tue, 26 Aug 2025 12:00:00 GMT

Aembit has added the SPIFFE JWT-SVID Credential Provider. This Credential Provider enables you to generate JWT-SVID tokens for workloads that require SPIFFE-compliant authentication and authorization.

See About the SPIFFE JWT-SVID Credential Provider and JWT-SVID Token Credential Provider for more information and configuration details.

Edge components release with OpenShift support and AWS Secrets Manager private network access

Fri, 22 Aug 2025 12:00:00 GMT

Aembit has updated Aembit Edge Components to include the latest versions of Agent Proxy, Sidecar Init, and the Aembit Helm chart. These updates include support for:

Official Red Hat OpenShift and OpenShift Service on AWS (ROSA) support for Agent Proxy and Sidecar Init, including SecurityContextConstraint configurations and deployment best practices. See OpenShift deployment guide.
AWS Secrets Manager private network access for Aembit CLI and Agent Proxy.
Aembit CLI CrowdStrike support.
Enhanced Helm chart with support for custom annotations on Kubernetes resources. See Helm chart configuration options.
New guide for managing Agent Injector TLS certificates in Kubernetes deployments. See Managing Agent Injector certificates.
Support for volume-mounted certificates in Aembit Edge Components.
Security and performance enhancements.

Updated Edge Components:

Agent Proxy 1.25.3494
Sidecar Init 1.25.127
Helm Chart 1.25.494

See Edge Components supported versions for more details.

Aembit has added Private Network Access to the AWS Secrets Manager Credential Provider. This feature allows you to securely access AWS Secrets Manager secrets from Aembit Edge Components running in private networks, such as AWS VPCs, without exposing them to the public internet.

When you enable Private Network Access, the Aembit CLI or Agent Proxy retrieve secrets from AWS Secrets Manager directly, ensuring secure and private access to your secrets.

See AWS Secrets Manager Credential Provider for more details on how to configure this feature.

GitLab CI/CD Component, OIDC dynamic claims, and CrowdStrike conditions now available

Tue, 19 Aug 2025 12:00:00 GMT

The Aembit Edge GitLab CI/CD Component is now available to simplify Aembit integration within your pipelines. Find the component in the GitLab CI/CD Catalog and learn how to use it in the component documentation.

The OIDC ID Token Credential Provider now supports dynamic claims, allowing you to extract and use values from OIDC tokens in the credential data. This feature creates personalized and context-aware credentials that reflect the workload’s identity and attributes from their original OIDC token.

See OIDC ID Token Dynamic Claims for more information.

Aembit has added two new Access Conditions for CrowdStrike:

MAC Address - Ensures the CrowdStrike Agent Host MAC Address matches the Host MAC Address that Agent Proxy retrieved.
Local IP Address - Ensures the CrowdStrike Agent Host Local IP Address matches the Host Local IP Address that Agent Proxy retrieved.

See Create Access Conditions for CrowdStrike to learn how to create Access Conditions for CrowdStrike.

Aembit CLI, AWS Secrets Manager, and Jenkins Pipelines now available

Tue, 29 Jul 2025 12:00:00 GMT

Aembit has released the new AWS IAM Role Credential Provider Integration and Secrets Manager Credential Provider. Together, they enable you to retrieve secrets from AWS Secrets Manager directly through Aembit.

See AWS IAM Role Credential Provider Integration and AWS Secrets Manager Credential Provider to learn more.

Aembit has released the Aembit CLI, a command-line interface that allows you to inject credentials into your CI/CD pipelines. Compatible with GitLab, GitHub, and now Jenkins.

Check out the Aembit CLI Guide to get started with the Aembit CLI!
Also, see Aembit Edge on CI/CD services for more information on how to use Aembit CLI with your CI/CD pipelines.

Aembit has released support for Jenkins Pipelines to help you integrate Aembit into your Jenkins CI/CD workflows. This integration allows you to securely retrieve and use Aembit-managed credentials directly in your Jenkins Pipelines, streamlining your CI/CD processes and enhancing security.

Check out Jenkins Pipelines to learn more about how to use Aembit with Jenkins Pipelines.

Aembit now supports Server Workloads with a wildcard hostname.

This enables you to simplify your server workloads in a flexible and well defined manner.

As of Agent Controller version 1.24.xxxx, Aembit has enhanced Agent Controller to automatically close insecure HTTP ports when you enable TLS. This update streamlines security by ensuring only encrypted connections are active.

When you enable TLS, Agent Controller now automatically:

Opens Secure Ports: 443 (or 5443 on VMs) and the secure Prometheus port 9091.
Closes Insecure Ports: 80 (or 5000 on VMs) and the insecure Prometheus port 9090.

This automation removes the manual step of closing insecure, vulnerable ports, preventing potential misconfigurations and enforcing a more secure, “secure-by-default” posture.

Aembit has applied security enhancements to Agent Controller version 1.24.2485 in this release, including:

Disabling insecure HTTP ports when you enable TLS.

Updated Edge Components:

Agent Controller

Updated Edge Packages:

Helm Chart
Terraform ECS module

See Edge Components supported versions for more details.

Discovery filtering and OIDC ID Token Trust Provider now available

Tue, 22 Jul 2025 12:00:00 GMT

Aembit has added more advanced filtering options to the Discovered tab for Client and Server Workloads. This enables you to find specific discovered workloads based on the criteria you filter.

See Filtering Discovered Workloads for more info.

Aembit has added the OIDC ID Token Trust Provider. This Trust Provider is Aembit’s solution for authenticating workloads using standard OIDC ID tokens. It validates incoming tokens against specific issuer, audience, and subject claims, giving you maximum flexibility to integrate with virtually any OIDC-compliant identity provider for secure, token-based workload access.

See OIDC ID Token Trust Provider for more info.

Aembit has applied security and performance enhancements to Agent Proxy version 1.24.3324 in this release.

Updated Edge Components:

Agent Proxy

Updated Edge Packages:

Helm Chart
Terraform ECS module
AWS Lambda Extension

See Edge Components supported versions for more details.

Aembit container images are now cryptographically signed

Tue, 24 Jun 2025 12:00:00 GMT

Aembit now cryptographically signs all container images in Aembit’s Docker Hub repositories. See Verifying Aembit container image signatures for more details and how to verify Aembit container images.

Aembit Edge API now available with expanded Wiz Discovery

Tue, 17 Jun 2025 12:00:00 GMT

Introducing Aembit Edge API, the new way your cloud-native applications can retrieve credentials dynamically without deploying additional infrastructure. Perfect for serverless functions, containers, and CI/CD pipelines that need secure access to third-party services.

With Aembit Edge API you can:

Retrieve credentials on-demand for any configured service from your CI/CD pipelines.
Authenticate workloads using platform-native identity tokens (GitHub Actions, GitLab CI, AWS Lambda, etc.).
Eliminate hardcoded secrets by fetching credentials just-in-time.
Support multiple credential types including API keys, username/password, and CI/CD provider tokens.

Check out the Edge API get started page to learn more or start using it right away with the Aembit Edge quickstart guide.

Aembit Discovery can now discover additional resources when you use Wiz as a Discovery Source.

Through the Wiz integration, Aembit now discovers Client Workload resources such as VMs, AWS- and Azure-specific Client Workload Identifies, and many others. As for Server Workload resources, Aembit now discovers Azure Blob Storage, GCP BigQuery, and many others.

For the full list, see Wiz-discoverable resource types.

Improved Agent Controller TLS reporting and environment variable logging

Wed, 11 Jun 2025 12:00:00 GMT

Aembit has released a new version of Agent Controller, version 1.23.2263, with the following changes:

Enhanced TLS certificate status reporting with improved retry and error handling.
Added comprehensive logging for environment variable configuration with sensitive data masking for secure review.

Updated Edge Components:

Agent Controller

Updated Edge Packages:

Helm Chart
VM Agent Controller package
Terraform ECS module

See Edge Components supported versions for more details.

Workload Discovery filtering and Global Policy Compliance reporting now available

Tue, 03 Jun 2025 12:00:00 GMT

Introducing Workload Discovery Filtering for improved workload management and visibility across your discovered infrastructure. This enhancement adds comprehensive filtering capabilities to both Client Workloads and Server Workloads discovery pages, enabling you to quickly locate and analyze specific workloads.

Filtering options include:

Client Workloads: Filter by Client Workload Identifiers and Workload Discovery Source
Server Workloads: Filter by Port, Protocol, and Workload Discovery Source

This feature streamlines workload management by enabling you to efficiently search through discovered workloads, making it easier to identify, analyze, and onboard relevant workloads into your Aembit environment.

To learn more about discovered workload filtering, see Workload Discovery Filtering.

You can now view the Global Policy Compliance status of your Access Policies using the new Global Policy Compliance page under Reporting in the left nav menu. Quickly get an overall view of the compliance status of your Access Policies and optionally filter for specific statuses.

To learn more about reporting on Global Policy Compliance status, see How to review Global Policy Compliance.

Kerberos and PKI security enhancements for Agent Proxy

Mon, 02 Jun 2025 12:00:00 GMT

Aembit has released a new version of Agent Controller, version 1.23.2160, with the following changes:

Security enhancements for Kerberos and Aembit-managed PKI.
Added the AEMBIT_HTTP_PORT_DISABLED environment variable to enable you to disable Agent Controller’s HTTP port.

Updated Edge Components:

Agent Proxy 1.23.2160

Updated Edge Packages:

Helm Chart 1.23
Terraform ECS module 1.23

See Edge Components supported versions for more details.

Improved Agent Injector pod security and TLS handling

Fri, 30 May 2025 12:00:00 GMT

Aembit has added enhancements to Agent Injector which include:

Improved compatibility with pod-level securityContext settings for Kubernetes Client Workloads.
TLS certificate security enhancements.
Agent Injector now supports the AEMBIT_LOG_LEVEL environment variable.

CrowdStrike SIEM Log Streams and Agent Proxy enhancements

Mon, 26 May 2025 12:00:00 GMT

Introducing Log Streams for CrowdStrike Next-Gen SIEM for real-time security event monitoring and enhanced threat detection. This integration enables rapid streaming of Aembit Edge event logs and audit logs directly to CrowdStrike’s Next-Gen Security Information and Event Management (SIEM) platform using the HTTP Event Collector (HEC) protocol.

By connecting Aembit with CrowdStrike Next-Gen SIEM, you can:

Stream Access Authorization Events, Audit Logs, and Workload Events to CrowdStrike SIEM
Configure TLS encryption and verification options
Automatic failure notifications for Aembit admins
Seamless integration with existing CrowdStrike HEC configurations

This feature enhances your organization’s security posture by improving threat detection capabilities, streamlining incident management, and supporting compliance monitoring requirements through centralized log analysis in CrowdStrike.

To learn more, see Log Streams for CrowdStrike Next-Gen SIEM.

Aembit has applied security and performance enhancements to Agent Proxy in this release.

Aembit has added the AEMBIT_CLIENT_WORKLOAD_PROCESS_IDENTIFICATION_ENABLED Agent Proxy environment variable to Enable Process Name Client Workload identification.

Updated Edge Components:

Agent Proxy

Updated Edge Packages:

Helm Chart
VM Agent Proxy package
Terraform ECS module
AWS Lambda Extension
AWS Lambda Layer

See Edge Components supported versions for more details.

Terraform ECS module now supports environment variables

Thu, 22 May 2025 12:00:00 GMT

The Aembit Edge Terraform ECS module now supports Terraform variables that allow you to set Agent Controller and Agent Proxy environment variables directly.

You may now set logging levels for these Edge Components in AWS ECS Fargate environments, and leverage configuration options that the Edge Terraform ECS module doesn’t support directly as variables yet.

See AWS ECS Fargate documentation for more information..

Global Policy Compliance, OIDC ID Token Credential Provider, and Splunk Log Streams now available

Tue, 06 May 2025 12:00:00 GMT

To increase the available deployment options for Amazon Web Services (AWS) Lambda users, Aembit now provides a Lambda Layer to support zip-based Lambda Functions. This joins our existing AWS Lambda Container support.

For more detailed information on how to deploy Aembit Edge Components to AWS Lambda Functions using our Lambda Layer, please refer to the AWS Lambda Functions documentation.

Introducing Global Policy Compliance for centralized security enforcement across your Aembit environment. This feature allows administrators to establish organization-wide security standards for Access Policies and Agent Controllers, ensuring consistent security practices and preventing the creation of policies that might inadvertently expose resources.

With Global Policy Compliance, you can enforce requirements for Trust Providers and Access Conditions across all Access Policies, as well as Trust Provider and TLS Hostname requirements for Agent Controllers. The three-tier enforcement model lets you set requirements as Required, Recommended (default), or Optional based on your organization’s security needs.

Global Policy Compliance visually identifies non-compliant components through color-coded status icons:

Red indicators for required but missing elements
Yellow indicators for recommended but missing elements
Green indicators for compliant Access Policies
Gray indicators for disabled or not active Access Policies

To learn more about Global Policy Compliance, see the Global Policy Compliance Overview.

Introducing OIDC ID Token Credential Provider for secure identity token generation and exchange with third-party services. By leveraging Aembit’s custom Identity Provider (IdP) capabilities, this Credential Provider generates JWT-formatted tokens that seamlessly integrate with various Workload Identity Federation (WIF) solutions.

The OIDC ID Token Credential Provider offers flexible configuration options including:

Custom claims configuration with both dynamic and literal subject support
Choice of signing algorithms (RS256 or ES256)
Integration with identity brokers such as AWS STS, GCP WIF, Azure WIF, and HashiCorp Vault

This new Credential Provider is particularly valuable for:

Secure access to cloud provider resources through their WIF solutions
Authentication with HashiCorp Vault using OIDC tokens
Integration with any service supporting OIDC/JWT authentication

To learn more about this feature, see About the OIDC ID Token Credential Provider.

Introducing Log Stream for Splunk SIEM to enhance your security monitoring capabilities. This integration enables rapid streaming of Aembit Edge event logs and audit logs directly to Splunk using Splunk’s HTTP Event Collector (HEC) protocol.

By connecting Aembit with Splunk SIEM, you can:

Enhance threat detection with comprehensive security data
Improve incident management through centralized logging
Streamline compliance monitoring for your organization

The setup process is straightforward, requiring only a properly configured HTTP Event Collector in your Splunk environment and a few configuration steps in the Aembit Admin UI. Aembit will automatically send email notifications if Log Stream transactions consistently fail, ensuring you’re always aware of your logging status.

To learn more about setting up this integration, see How to stream Aembit events to Splunk SIEM.

Workload Discovery now available

Fri, 25 Apr 2025 12:00:00 GMT

Aembit has released the new Discovery feature, which automatically identifies workloads across your infrastructure, increasing the visibility, scalability, and access control over your workloads.

Discovery uses Sources to find workloads in your environments—natively through Aembit Edge Discovery and through integrations with services such as Wiz.

See Discovery for full details.

Aembit Edge now available on AWS EKS Fargate

Thu, 24 Apr 2025 12:00:00 GMT

Aembit now supports deploying Edge Components on AWS Elastic Kubernetes Service (EKS) using Fargate compute profiles. For details on feature support in this environment, please refer to Aembit’s AWS EKS Fargate deployment guide and product support matrix.

GitLab.com support and service account naming for Managed GitLab Account Credential Provider

Tue, 22 Apr 2025 12:00:00 GMT

For the GitLab Managed Service Account Credential Provider, you can now specify the name of the service account that Aembit creates in GitLab for that Credential Provider.

Additionally, you can now create GitLab Service Account integrations for GitLab.com plans. See Create a GitLab Service Account Integration for a GitLab.com plan

Pod startup delay and security enhancements for Agent Proxy

Mon, 21 Apr 2025 12:00:00 GMT

Aembit has added the AEMBIT_PASS_THROUGH_TRAFFIC_BEFORE_REGISTRATION Agent Proxy environment variable to enable you to delay the Client Workload Kubernetes pod startup until registration between Agent Proxy and Agent Controller completes. See Delaying pod startup until Agent Proxy has registered for details.

Aembit has applied security enhancements and hardening to Agent Proxy in this release.

Updated Edge Components:

Agent Proxy

Updated Edge Packages:

Helm Chart
VM Agent Proxy package
Terraform ECS module
AWS Lambda Extension

See Edge Components supported versions for more details.

Allowed TLS Hostname now configurable for Agent Controller

Tue, 15 Apr 2025 12:00:00 GMT

Agent Controllers now support Allowed TLS Hostname as a configurable field in your Aembit Tenant:

Allowed TLS Hostname serves the same purpose as the AEMBIT_MANAGED_TLS_HOSTNAME Agent Controller environment variable.

Configuring an Allowed TLS Hostname allows you to specify which domain name Aembit Managed TLS includes in the TLS certificate. This makes sure secure connections from your Agent Proxies are only valid when using this exact domain name to reach your Agent Controller, enhancing security without restricting which Agent Proxies can communicate with it.

To configure your Agent Controller with an allowed TLS hostname, see How to create and Agent Controller or Configure Agent Controller TLS with Aembit’s PKI.

Windows Server now supported for Kerberos Trust Provider and Agent Controller

Thu, 03 Apr 2025 12:00:00 GMT

The Kerberos Trust Provider now supports the attestation of Client Workloads running on Windows Server virtual machines (VMs) joined to Active Directory (AD). See Kerberos Trust Provider for details.

You can now install Agent Controller on Windows Server 2019 and Windows Server 2022 virtual machines. See Agent Controller on Windows Server for details.

Standalone CAs and Credential Provider Integrations now available

Tue, 25 Mar 2025 12:00:00 GMT

Introducing Standalone CAs for more granular control over TLS Decrypt management. This feature allows you to create and manage dedicated Certificate Authorities (CAs) that function independently from Aembit’s default Tenant-level certificates.

With Standalone CAs, you can assign CAs directly to specific Client Workloads or Resource Sets, creating isolated trust boundaries and enabling precise management of TLS traffic across different environments. Aembit intelligently selects the appropriate CA using a clear hierarchy: Client Workload level -> Resource Set level -> Tenant level.

To learn more about Standalone CAs, see About Standalone CA for TLS Decrypt.

We’ve updated the Deploy Edge Components experience in the Aembit admin UI to streamline how you deploy Aembit Edge Components.

We’ve added deployment guides directly in the Aembit admin UI for each type of deployment such as Kubernetes, Ubuntu Linux, Red Hat Enterprise Linux, or Microsoft. Now when you’re deploying new Aembit Edge Components, you’ll have a guided experience to get you up and running faster.

Introducing Credential Provider Integrations, which automate credential lifecycle management for third-party systems. This feature makes sure your workloads always have valid credentials without manual management, enhancing both security and operational efficiency, eliminating manual credential management.

Our new Credential Provider Integrations feature makes this possible by connecting Aembit directly to third-party systems like with the GitLab Service Account integration. The GitLab Service Account integration enables you to create a Managed GitLab Account Credential Provider, which allows you to manage the credential lifecycle of your GitLab service accounts.

This gives you fine-grained control while eliminating the overhead of manual credential management.

AWS SigV4 and SigV4a request signing now supported

Wed, 05 Mar 2025 12:00:00 GMT

The Aembit Credential Provider for AWS Security Token Service (STS) now supports the AWS SigV4 and SigV4a request signing protocols. Aembit automatically signs requests to AWS services using SigV4 for regional services or SigV4a for global/multi-region services.

See How Aembit uses AWS SigV4 and SigV4a to learn more and AWS Security Token Service (STS) Federation to configure an AWS STS Credential Provider.

Updated Edge Components:

Agent Proxy

Updated Edge Packages:

Helm Chart
VM Agent Proxy package
Terraform ECS module
AWS Lambda Extension

See Edge Components supported versions.

Agent Proxy SIGTERM termination behavior restored

Mon, 03 Mar 2025 12:00:00 GMT

Restored Agent Proxy termination behavior when you set AEMBIT_SIGTERM_STRATEGY to immediate.

Updated Edge Components:

Agent Proxy

Updated Edge Packages:

Helm Chart
VM Agent Proxy package
AWS Lambda Extension

See Edge Components supported versions.

Agent Controller now serves the full CA certificate chain

Thu, 27 Feb 2025 12:00:00 GMT

Enhanced Agent Controllers to now serve the entire CA certificate chain instead of just the leaf certificate.

Updated Edge Components:

Agent Controller

Updated Edge Packages:

Helm Chart version
Terraform ECS module version
VM Agent Controller package

See Edge Components supported versions.

Wiz Access Conditions now support Lambda Containers

Tue, 25 Feb 2025 12:00:00 GMT

Aembit’s Access Condition integration with Wiz now supports Lambda Containers. See Access Condition for Wiz to configure an Access Condition.

Vault private network access and CrowdStrike on Windows now available

Thu, 20 Feb 2025 12:00:00 GMT

Aembit now supports accessing HashiCorp Vault Credential Providers that reside on private networks. This allows your colocated Agent Proxy to handle authentication directly instead of Aembit Cloud. See Accessing Vault on private networks for more info.

Aembit now supports Conditional Access for CrowdStrike on Windows. To set up Conditional Access for CrowdStrike on Windows, follow the steps in Access Condition for CrowdStrike.

Aembit now supports the AWS Role Trust Provider on Agent Proxy for ECS Fargate deployments.

Enhanced Vault token header behavior.

Enhanced Agent Proxy initialization on Kubernetes to prevent other processes from interfering and impacting its startup.

Updated Edge Components:

Agent Proxy

Updated Edge Packages:

Helm Chart
Terraform ECS module
VM Agent Proxy package
AWS Lambda Extension

See Edge Components supported versions.

Azure Entra Workload Identity Federation and automatic user creation now available

Tue, 11 Feb 2025 12:00:00 GMT

Aembit now supportsAzure Entra Workload Identity Federation as a Credential Provider. This enables you to automatically obtain credentials through Aembit as a third-party federated Identity Provider (IdP) to securely authenticate with Azure Entra to access your Azure Entra registered applications and managed identities.

Aembit now supports Automatic User Creation triggered by SSO login requests. Aembit has enhanced the Identity Provider configuration page with additional parameters, enabling you to map SAML attributes from your Identity Provider to the user roles defined in your Aembit Tenant.

You can now change the leaf certificate lifetime when using the TLS Decrypt feature.

Agent Proxy now available on Windows Server virtual machines

Tue, 28 Jan 2025 12:00:00 GMT

Aembit Agent Proxy supports virtual machine deployments for Windows Server 2019 and Windows Server 2022. See Agent Proxy install for details.

RHEL with SELinux now supported for Edge components

Thu, 26 Dec 2024 12:00:00 GMT

Aembit Edge Components have been updated to include support for RedHat Enterprise Linux (RHEL) 8 and 9 with Security-Enhanced Linux (SELinux). With this improvement, administrators may now add additional layers of security to their system architecture.

For more information on integrating Aembit Edge Components with SELinux, please see the SELinux support page.

SignOn Policy now available for custom login experiences

Tue, 17 Dec 2024 12:00:00 GMT

Aembit has added support for defining a SignOn Policy, enabling you to customize the login experience for your users.

For more information, please see the SignOn Policy page.

Earlier Client Workload identification in AWS Lambda Extension

Fri, 22 Nov 2024 12:00:00 GMT

Aembit has released an updated AWS Lambda Extension, enhancing support for Client Workload identification earlier in the Lambda container lifecycle.

For more information, please refer to the AWS Lambda Container Supported Phases.

Aembit Virtual Appliance now available for Edge components

Thu, 14 Nov 2024 12:00:00 GMT

Aembit has released a new, pre-packaged deployment model that enables you to use a Virtual Appliance configuration and setup for deploying Aembit Edge Components in your environment. This virtual appliance image includes both Agent Controller and Agent Proxy bundled together in a single OVA file.

For more detailed information on how to deploy the Aembit Virtual Appliance, please see the Virtual Appliance technical documentation.

Edge components release with performance improvements

Tue, 29 Oct 2024 12:00:00 GMT

Aembit Edge Components have been updated to newer versions to improve overall performance and functionality.

The following components and packages have been updated:

Helm Chart
Agent Proxy

For the latest available versions of these components, please see the Edge Components Supported Versions page.

Network traffic tracing now available for Agent Proxy debugging

Mon, 28 Oct 2024 12:00:00 GMT

Agent Proxy has been updated to include a new environment variable that enables Agent Proxy to monitor network traffic so you can perform detailed debugging if you encounter network traffic errors.

For more detailed information on this feature, please see the Agent Proxy Debug Network Tracing page.

Multiple match rules of the same type now supported in Terraform Provider

Fri, 25 Oct 2024 12:00:00 GMT

The Aembit Terraform Provider is regularly updated with new features and capabilities to give you additional configuration options.

You may now use multiple Trust Provider match rules of the same type (OR-based combinations) in your Terraform Provider configuration.

For more detailed technical information on how to use similar match rule types in GitLab using the Aembit Terraform Provider, please see the Aembit Terraform Provider Registry technical documentation.

Explicit steering and enhanced access authorization events now available

Wed, 23 Oct 2024 12:00:00 GMT

Aembit regularly releases new enhancements and improvements to Aembit Edge and Aembit Cloud components to provide additional features and functionality for your Aembit environment.

The following new features and enhancements have been released:

Enhanced Access Authorization Events
Explicit Steering
Updated Aembit Edge Component Versions

Enhanced Access Authorization Events

Aembit automatically records and collects various types of workload metadata in access authorization events, enabling you to use this information to audit and analyze security events.

The information collected and recorded in these access authorization events has been enhanced to now capture and display additional workload metadata, including VM hostname, IP address, and process name.

For more information on access authorization events, please refer to the following technical documentation pages:

Access Authorization Events

Explicit Steering

Aembit continues to look for ways to improve the overall user experience in an Aembit environment, while also providing additional functionality and features that enhance this experience. One of these ways is by enabling you to route only specific types of traffic through Aembit, via the explicit steering feature.

With explicit steering, you can now configure Client Workloads to direct only certain types of traffic to the Agent Proxy. This enables you to have more precise control of which traffic is managed by the Agent Proxy.

For more information on the explicit steering feature, please refer to the Explicit Steering page.

Aembit Edge Components Update

Aembit Edge Components have been updated to newer versions to improve overall performance and functionality.

The following components and packages have been updated:

Helm Chart
Agent Controller
Agent Proxy

For the latest available versions of these components, please see the Edge Components Supported Versions page.

GitLab Jobs now supported in the Aembit Terraform Provider

Fri, 18 Oct 2024 12:00:00 GMT

The Aembit Terraform Provider is regularly updated with new features and capabilities to give you additional configuration options.

Aembit now supports both GitLab Job Client Identifiers and GitLab Job Trust Provider types, enabling you to manage Client Workloads in Gitlab using the Aembit Terraform Provider.

For more detailed technical information on how to manage Client Workloads in GitLab using the Aembit Terraform Provider, please see the Aembit Terraform Provider Registry technical documentation.

Multi-Credential Provider Terraform support and Prometheus metrics now available

Tue, 08 Oct 2024 12:00:00 GMT

Aembit regularly releases new enhancements and improvements to Aembit Edge and Aembit Cloud components to provide additional features and functionality for your Aembit environment.

The following four new major features have been released:

Terraform Provider support for Access Policies with Multiple Credential Providers
Admin Dashboard enhancements and improvements
Exposure of Prometheus-compatible Aembit Edge metrics
Updated Edge Component Versions

Terraform Provider Support for Access Policies with Multiple Credential Providers

Aembit has released a Terraform Provider update that enables users to add multiple Credential Providers to an Access Policy.

Aembit now supports use cases where the Aembit Terraform Provider can manage Aembit Access Policies associated with individual or multiple Credential Providers.

For more information about this feature, please see the Multiple Credential Providers - Terraform page.

Admin Dashboard Enhancements and Improvements

Aembit continually makes improvements and enhancements to the Admin Dashboard to provide greater visibility and insight into your Aembit environment.

The Admin Dashboard has been updated and enhanced with additional tiles and panels that provide detailed information on Client and Server Workloads, Credential Usage by Type, the number of Access Condition failures based on Access Policies over the past 24 hours, and several other visualizations.

For more information on the Admin Dashboard and these additional panels, please see the Admin Dashboard Overview page.

Exposure of Prometheus-compatible Aembit Edge Metrics

Aembit aims to provides users with the ability to view detailed Aembit Edge metrics and data.

Aembit now exposes Prometheus-compatible metrics which enables users to view, and troubleshoot Aembit Edge Components (Agent Proxy, Agent Controller, and Agent Injector), while supporting both Kubernetes and virtual machine deployment models.

For more detailed information on how Aembit exposes Prometheus-compatible metrics, please see the Aembit Edge Prometheus-compatible Metrics page.

Aembit Edge Components Update

Aembit Edge Components have been updated to newer versions to improve overall performance and functionality.

The following components and packages have been updated:

Helm Chart
Terraform ECS Module
AWS Lambda Extension
VM Artifacts
Agent Controller
Agent Proxy

For the latest available versions of these components, please see the Edge Components Supported Versions page.

Improved access authorization events and audit logging

Tue, 01 Oct 2024 12:00:00 GMT

Aembit has released improvements to its reporting and logging/auditing capabilities, giving you improved visibility into access authorization events and audit logs. With these enhancements, you can more easily diagnose issues and troubleshoot problems in your environment.

Improved Access Authorization Events and Audit Logging

Improvements have been made to the Aembit Tenant’s reporting capabilities and reporting documentation, enabling increased visibility into access authorization events and audit logs. The Aembit technical documentation has also been augmented to assist with using these capabilities.

For more information on these access authorization event and audit log improvements, please see the following pages:

Real-time Agent Controller health monitoring now available

Mon, 30 Sep 2024 12:00:00 GMT

Aembit has released two new updates and improvements to Aembit components:

Agent Controller functionality has been enhanced to enable real-time monitoring and status of Agent Controllers in the Aembit Tenant.
Aembit Edge Components and packages have been updated to the latest versions.

Agent Controller Real-Time Health Status and Health Update

You may now view the real-time health status of Agent Controllers in the Aembit Tenant.

For more information on how to check the health status of Agent Controllers, please see the Tenant Health Check page.

Edge Components Update

Aembit Edge Components have been updated to newer versions to improve overall performance and functionality.

The following components and packages have been updated:

Helm Chart
Terraform ECS Module
VM Artifacts
Agent Controller

For the latest available versions of these components, please see the Edge Components Supported Versions page.

Helm Chart fix for Edge components

Fri, 20 Sep 2024 12:00:00 GMT

Aembit Edge Components are regularly updated to newer versions to address specific bug fixes and optimize performance of these components.

We recently identified a known issue that was resolved with a new Helm Chart version.

For the latest available versions of these components, please see the Edge Components Supported Versions page.

Custom Resource Sets now supported for GitHub Actions and GitLab Jobs

Wed, 18 Sep 2024 12:00:00 GMT

Aembit regularly provides feature and functionality updates to various components to extend capabilities and performance.

Aembit has released a feature improvement that enables you to work with Custom Resource Sets in GitHub Actions and GitLab Jobs CI/CD pipelines.

Custom Resource Set Support for GitHub Actions and GitLab Jobs

For users that would like to implement a CI/CD pipeline solution using Aembit with a custom Resource Set, separate from other workloads, Aembit has introduced Resource Set support for both GitHub Actions and GitLab Jobs.

Aembit supports Workload Identity and Access with GitHub Actions or GitLab Jobs, in your CI/CD workloads and encourages scoping these for appropriate access control. Adding support for Resource Sets in these solutions provides you with additional options and flexibility in best managing and protecting your CI/CD workloads.

For more information on how to configure Resource Sets in GitHub Actions and GitLab Jobs, please see the following pages:

Aembit PKI Agent Controller TLS now available for Kubernetes and virtual machines

Tue, 17 Sep 2024 12:00:00 GMT

Aembit regularly releases updates to Aembit components and packages to improve overall performance of your environment.

The following updates have been released:

Aembit Edge Component Updates
Agent Controller PKI-Based TLS Support for Kubernetes and virtual machines

Aembit Edge Component Updates

Aembit Edge Components have been updated to newer versions to improve overall performance and functionality.

The following components and packages have been updated:

Helm Chart
Terraform ECS Module
VM Artifacts
AWS Lambda Extension

For the latest available versions of these components, please see the Edge Components Supported Versions page.

Agent Controller PKI-Based TLS Support for Kubernetes and virtual machine Deployments

Aembit has extended the Aembit PKI-based Agent Controller TLS functionality beyond just ECS deployment models to include Kubernetes and virtual machine deployments.

For Kubernetes deployments, if the Customer’s PKI-based Agent Controller is already configured, it will remain unchanged. Otherwise, Aembit’s PKI-based Agent Controller TLS is enabled by default.
For virtual machine deployments, you need to configure Aembit’s PKI-based Agent Controller TLS manually.

Edge components release with Agent Proxy idle timeout fix

Thu, 05 Sep 2024 12:00:00 GMT

Aembit Edge Components are updated on a regular basis to include new features, functionality, and package improvements.

Aembit has released new versions of the following components and packages:

Helm Chart
Terraform ECS Module
VM Artifacts
AWS Lambda
Agent Proxy

Agent Proxy has been updated to address a specific issue related to idle timeouts for HTTP persistent connections (currently 1 hour). If no new request comes over a connection, the request will be closed by Agent Proxy.

For the latest available versions of these components, please see the Edge Components Supported Versions page.

Updated Admin Dashboard and multiple Credential Providers per Access Policy

Tue, 27 Aug 2024 12:00:00 GMT

Aembit recently released the following two updates to improve the Aembit user experience:

The Aembit Tenant UI has been updated with an expanded Admin Dashboard with additional metrics and data.
Access Policies have been improved to enable users to add multiple Credential Providers to Access Policies.

Updated Admin Dashboard

Aembit has released an updated Admin Dashboard with additional metrics and data you can review when logging into your tenant. You will now see the following metrics displayed from the last 24 hours:

Client Workloads (Managed)
Server Workloads (Managed)
Credentials (Usage By Type)
Workloads Connections (Managed)

Multiple Service Accounts per Access Policy

Aembit now supports the ability for you to have multiple Credential Providers associated with an Access Policy for specific use cases.

Adding and mapping multiple Credential Providers to an Access Policy can be very useful when you have a single Access Policy, but want to have different Credential Providers associated with that Access Policy.

For example, if you want to have the same Client Workload access the same Server Workload, but use different credentials for different functions, this feature enables you to specify the appropriate Credential Providers for each function on an Access Policy.

For more detailed information on how you can add multiple Credential Providers to an Access Policy, please see the Multiple Credential Providers page.

Agent Proxy now injected as a native Kubernetes sidecar

Fri, 09 Aug 2024 12:00:00 GMT

Kubernetes recently introduced support for native sidecar containers. Aembit now leverages this model for the Agent Proxy, where possible.

Aembit now automatically injects the Agent Proxy as a native sidecar, allowing init container Client Workloads.

This change only applies to Kubernetes deployments of version 1.29 and above.

For more information on how you can use Agent Proxy as a sidecar to support init containers, please see the Kubernetes Deployment page.

Comprehensive Aembit API documentation now available

Thu, 01 Aug 2024 12:00:00 GMT

Aembit has released comprehensive API technical documentation for the Aembit API.

With this documentation release, you now have access to a complete library technical content, usage information, and the latest version of the OpenAPI specification, which you can use to learn how to use the Aembit API.

For more detailed information on the Aembit API technical documentation, please see the page.

Aembit Edge Terraform module and ECS TLS support now available

Mon, 29 Jul 2024 12:00:00 GMT

Aembit has released two major enhancements to Aembit Edge Components: Aembit Edge Terraform Module for AWS ECS, and ECS TLS support.

Aembit ECS Terraform Registry

Aembit releases updates to the Aembit ECS Terraform Registry on a regular basis to provide users with additional features and functionality, including improvements to Agent Proxy and Agent Controller.

For more information on the latest ECS Terraform Registry release, please see the Aembit Terraform Registry page.

ECS TLS Support

Aembit has released an ECS deployment enhancement that enable Transport Layer Security (TLS) between the Agent Proxy and Agent Controller using Aembit-provided Private Key Infrastructure (PKI).

There is no option to use your own PKI for ECS deployments.

Aembit Terraform Provider update with Custom Resource Sets and OAuth

Thu, 18 Jul 2024 12:00:00 GMT

Aembit has released an Aembit Terraform Provider update to the Terraform Registry.

This update includes several improvements and enhancements, including:

Support for Custom Resource Sets.
Removal of the deprecated AWS ECS Role Trust Provider (replaced previously by the AWS Role Trust Provider).
Support for Credential Providers of type OAuth2 Authorization Code.

For more information on these updates and changes, please see the Aembit Terraform Registry page.

Dynamic steering to specific hostnames now available

Wed, 03 Jul 2024 12:00:00 GMT

Aembit now supports dynamically steering only specific traffic to the Agent Proxy.

The dynamic steering feature introduces the ability to restrict this proxied traffic to a specific list of hostnames. When this feature is enabled, only egress traffic to the user-specified hostnames will be proxied. This enables you to have more precise control over which destinations’ traffic is managed by the Agent Proxy.

Expanded Client Workload identification and Trust Provider match rules

Wed, 26 Jun 2024 12:00:00 GMT

Aembit now supports more options for identifying Client Workloads and specifying Trust Provider match rules, including multiple “or” condition matches and wildcard support.

These matching improvements shipped alongside the new OAuth 2.0 Authorization Code Credential Provider; see that entry for the new-feature details.

OAuth 2.0 Authorization Code Credential Provider now available

Wed, 26 Jun 2024 12:00:00 GMT

Aembit now supports 3-legged OAuth (3LO) workflows through the new OAuth 2.0 Authorization Code Credential Provider. Applications can request a user’s permission to access their account data and act on the user’s behalf.

With 3LO support, an application can access services or applications that the user has authorized.

Aembit supports the following third-party services with OAuth 2.0 Authorization Code Credential Providers:

For configuration details, see the OAuth 2.0 Authorization Code Credential documentation.

An expansion to Client Workload identification and Trust Provider match rules also shipped in this release; see Expanded Client Workload identification and Trust Provider match rules.

OAuth 2.0 Authorization Code Credential Provider enters beta

Mon, 10 Jun 2024 12:00:00 GMT

Aembit has released beta support for the OAuth 2.0 Authorization Code Credential Provider.

Many organizations require Credential Provider support for various 3rd party SaaS services which only support short lived credentials with the OAuth 2.0 Authorization Code Flow. These services included:

Atlassian
GitLab
Slack
GCP BigQuery
Apigee
PagerDuty

This beta release enables users to use 3rd party SaaS services and have short-lived access tokens generated on demand for authentication to APIs that these 3rd party services provide.

For more information on how to configure the OAuth 2.0 Authorization Code Credential Provider to be used with any of these 3rd party services, please see the OAUth 2.0 Authorization Code Credential Provider page.

Non-root Aembit containers and configurable Agent Proxy file descriptor limits

Wed, 05 Jun 2024 12:00:00 GMT

Aembit has released two new feature updates that enhance existing Aembit functionality.

Aembit Containers

All injected Aembit containers are now run as non-root users.

Agent Proxy File Descriptor Limits

Users may configure limits for the number of file descriptors Agent Proxy is allowed to open on a VM. You may configure this number when Agent Proxy is installed (using the AEMBIT_FD_LIMIT flag).

virtual machines

Default Limit - 65535, set by Agent Proxy installer
Configuration - This limit is configurable via the AEMBIT_FD_LIMIT environment variable. This value is passed directly to systemd in Agent Proxy’s service file at the time of installation.
Example - AEMBIT_FD_LIMIT=200000 [...] ./install

Kubernetes

Default Limit - This limit is inherited from container runtime.
Configuration - There is no official support without modifying the underlying runtime. For more information on configuring these limits, please see the Kubernetes limits support GitHub thread.

AWS ECS

Default Limit - 1024
Configuration - This limit is configurable via the ECS Task Definition API or ECS Dashboard. Please refer to the AWS ECS Developer Guide for more detailed information on how to configure these limits.

AWS Lambda

Default Limit - 1024
Configuration - This limit is not configurable. For more information, please refer to the AWS Lambda Developer Guide.

AWS Role Trust Provider now available

Tue, 04 Jun 2024 12:00:00 GMT

Aembit has released an update to support AWS Role-Based Trust Providers.

The ability to create and use different types of Trust Providers in your Aembit environment enables you to have flexibility in how resources are managed. With this enhancement, you now have an additional option when selecting a Trust Provider.

For more information on AWS Role-Based Trust Providers, please see the AWS Role Trust Provider page.

Resource Sets now available

Thu, 30 May 2024 12:00:00 GMT

Many organizations have certain security requirements that specify which resources should be managed by a group. To address these security needs, Aembit has released a new Resource Sets feature that enables you to determine which groups will have access to various resources.

You may find it necessary to segment management responsibilities for certain entities and resources in your Aembit environment between different individuals and groups for security reasons. To accommodate this requirement, Aembit has released the Resource Sets feature.

Resource Sets enable you to group entities and resources (e.g. Credential Providers, Trust Providers, Identity Providers, etc.) into a single collection and assign specific users to manage these resources.

For more detailed technical information on how to use create and manage Resource Sets, please refer to the Resource Sets technical documentation.

Graceful Agent Proxy shutdown for sidecars

Wed, 15 May 2024 12:00:00 GMT

In some cases, you may find it necessary to manually shut down Agent Proxy when the main container exits, but a sidecar is still running. Since you may not want to kill the whole job, since it will look like a cancelled job, Aembit now provides a solution that enables you to gracefully terminate the job while allowing the sidecar to still run.

For more detailed information on this feature, please refer to the Agent Proxy Shutdown page.

AWS Lambda Container deployment now supported

Tue, 30 Apr 2024 12:00:00 GMT

There are many different deployment options you can currently use to deploy Aembit Edge Components in your environment, including GitHub Actions, GitLab Jobs, and Kubernetes.

To increase the available deployment options for our users, Aembit now provides support for users who wish to deploy Aembit Edge Components to an Amazon Web Services (AWS) Lambda Container.

For more detailed information on how to deploy Aembit Edge Components to AWS Lambda Containers, please refer to the AWS Lambda Container technical documentation.

GeoIP Access Conditions and Google Cloud Storage Log Streams now available

Tue, 23 Apr 2024 12:00:00 GMT

Aembit has released two new features on Aembit Cloud:

Access Condition support for Geographic IP (GeoIP) restrictions
Log Stream support for streaming to Google Cloud Storage Buckets

Aembit GeoIP Access Conditions

You may now configure and add Aembit GeoIP conditions in your Aembit Tenant. This new Access Condition type enables you to explicitly designate which countries/regions will have access to Server Workloads from policy-enabled Client Workloads.

For more information on this feature, please refer to the Access Conditions for GeoIP Restriction page.

Google Cloud Storage Bucket Log Streams

Aembit now supports Log Streams that target Google Cloud Storage (GCS) Buckets. You may add or configure this new Log Stream destination type in the Administration tab of your Aembit Tenant.

For more information on this feature, please refer to the Google Cloud Storage Bucket Log Streams page.

Red Hat 8.9 now supported for virtual machine deployments

Mon, 08 Apr 2024 12:00:00 GMT

Aembit Edge Components now support virtual machine deployments to virtual machines running Red Hat 8.9.

GitLab CI/CD Jobs now supported as Client Workloads

Thu, 04 Apr 2024 12:00:00 GMT

Aembit now supports GitLab CI/CD Jobs as Client Workloads.

For more information on how to configure GitLabs Jobs with Aembit Client Workloads, please refer to the Script-based Agent page.

Automatic Kerberos attestation key rotation in Agent Controller

Tue, 19 Mar 2024 12:00:00 GMT

An issue was identified in the Agent Controller component due to the non-rotation of the public/private key pair used for Kerberos attestation. This issue has been resolved by implementing a process by which these private/public key pairs will be automatically rotated when the certificate reaches 80% of its lifespan.

Kerberos Trust Provider now available for Active Directory

Tue, 12 Mar 2024 12:00:00 GMT

Aembit has released a Kerberos Trust Provider that enables the attestation of Client Workloads running in virtual machine environments joined to Active Directory. This attestation method is specifically designed for on-premise deployments where alternative attestation methods, such as AWS or Azure metadata service trust providers, are not available.

For more detailed information on this Kerberos Trust Provider, please refer to the Kerberos Trust Provider technical documentation.

TLS support between Agent Proxy and Agent Controller

Mon, 11 Mar 2024 12:00:00 GMT

Aembit now supports secure communication between Agent Proxy and Agent Controller using Transport Layer Security (TLS) for both Kubernetes and virtual machine deployments.

For more information on how to configure TLS for Agent Controller, please refer to the Configuring TLS for Agent Controller documentation.

Aembit Terraform Provider now available

Sat, 09 Mar 2024 12:00:00 GMT

Aembit has officially released a Terraform Provider to the Hashicorp Terraform Registry.

The Aembit Terraform Provider enables users to manage Aembit Cloud resources using terraform manually or via CI/CD workflows.

For more detailed information about the Aembit Terraform Provider, please see the Aembit Terraform documentation.

SAML SSO authentication now available for administrators

Tue, 27 Feb 2024 12:00:00 GMT

Aembit now supports SAML/SSO authentication for administrators who wish to simplify the Aembit Tenant login process for their users. Instead of requiring a user to enter their username/password credentials every time a user tries to access the Aembit Tenant, users will now be able to use a 3rd party SAML SSO Provider (e.g. Google, Okta, Microsoft Entrata) to log into the tenant.

For more information on how to configure Identity Providers using SAML, please see the Configuring Identity Providers technical documentation.

Wiz integration now available for vulnerability assessment

Wed, 31 Jan 2024 12:00:00 GMT

Aembit now supports Wiz integration. Using the Wiz Integration API, you can work with both your Aembit Tenant and Wiz to identify customer assets and vulnerabilities.

For more detailed information about the Aembit -> Wiz integration, please refer to the Wiz Integration page on the Aembit technical documentation site.

Access Authorization Events and Google Cloud Run Jobs support now available

Tue, 16 Jan 2024 12:00:00 GMT

Support for Access Authorization Events

Aembit has now enabled support for Access Authorization Events. Access Authorization Events enable customers to observe credential requests.

Support for Google CloudRun Jobs as Client Workloads

Aembit supports Google CloudRun Jobs as Client Workloads. With this support, you can now:

authenticate to the Aembit IdP using Attestation with the GCP Cloud Run Job Identity
request and retrieve a secret from GCP Secret Manager

CrowdStrike integration now available for security posture checks

Mon, 15 Jan 2024 12:00:00 GMT

Aembit now supports integration with CrowdStrike. This integration allows you to leverage CrowdStrike’s service to prevent Server Workload access from Client Workloads that do not meet an expected state.

For more information about this integration, please refer to the CrowdStrike Integration page on the Aembit technical documentation site.

Agent Controller high availability now supported

Thu, 04 Jan 2024 12:00:00 GMT

The Aembit Agent Controller can now be installed in high availability configurations. Because the Agent Controller is a critical Aembit Edge Component that manages Agent Proxy registration and credential acquisition for Aembit Cloud access, HA support was necessary to ensure the continuous availability of the Agent Controller.

For information on installing and configuring Agent Controller in high availability environments, please see the Agent Controller High Availability page.

CrowdStrike Falcon Sensor integration for virtual machine verification

Thu, 07 Dec 2023 12:00:00 GMT

In an effort to ensure only Client Workloads that run in a secure environment can access Server Workloads, Aembit has enabled integrations with CrowdStrike and its CrowdStrike Falcon Sensor. CrowdStrike Falcon Sensor checks multiple items on the virtual machine (VM) to verify the VM is secure.

MFA support and Linux virtual machine Edge deployment now available

Tue, 14 Nov 2023 12:00:00 GMT

Several new feature updates and additions have been made to improve Aembit user experience. These updates include:

Admin console multi-factor authentication support
Edge components VM deployment support

Multi-factor authentication support

Aembit now supports Multi-Factor Authentication (MFA) so users can provide different authentication methods. Users can:

scan a QR code to configure their compatible authentication application
retrieve MFA Recovery Codes in case the device or application is unavailable
view the users who have configured MFA within the Aembit Users view.

Linux-based VM deployment support

Users may now deploy Aembit Edge Components to VMs (non-Kubernetes). This feature enables users to have options on how they want to deploy these components.

For more detailed information about this feature, please see the virtual machine Installation page.

Dynamic Claims now available for Credential Providers

Mon, 16 Oct 2023 12:00:00 GMT

Aembit has released a new feature for Credential Providers called “Dynamic Claims.” This feature allows you to set the Subject claim and Custom claims with either literal strings or dynamic values when setting up Credential Providers in your Aembit client tenant.

For more detailed information about Dynamic Claims, please refer to Dynamic Claims page

This feature is currently only supported for Vault integration.