
Faster, more reliable Agent Controller cloud detection and attestation

Aembit has applied performance enhancements to Agent Controller in this release, including:

  • improved cloud environment detection and attestation, making Agent Controller onboarding faster and more reliable across AWS and Azure
  • improved logging around TLS-related errors
  • deprecated the AEMBIT_HTTP_DISABLED environment variable (HTTP is now disabled when TLS is enabled)

For the latest available versions of these components, see the Edge Components Supported Versions page.

Edge components release with OpenShift support and AWS Secrets Manager private network access

Aembit has updated Aembit Edge Components to include the latest versions of Agent Proxy, Sidecar Init, and the Aembit Helm chart. These updates include support for:

  • Official Red Hat OpenShift and OpenShift Service on AWS (ROSA) support for Agent Proxy and Sidecar Init, including SecurityContextConstraint configurations and deployment best practices. See OpenShift deployment guide.
  • AWS Secrets Manager private network access for Aembit CLI and Agent Proxy.
  • Aembit CLI CrowdStrike support.
  • Enhanced Helm chart with support for custom annotations on Kubernetes resources. See Helm chart configuration options.
  • New guide for managing Agent Injector TLS certificates in Kubernetes deployments. See Managing Agent Injector certificates.
  • Support for volume-mounted certificates in Aembit Edge Components.
  • Security and performance enhancements.

Updated Edge Components:

  • Agent Proxy 1.25.3494
  • Sidecar Init 1.25.127
  • Helm Chart 1.25.494

See Edge Components supported versions for more details.


Aembit has added Private Network Access to the AWS Secrets Manager Credential Provider. This feature allows you to securely access AWS Secrets Manager secrets from Aembit Edge Components running in private networks, such as AWS VPCs, without exposing them to the public internet.

When you enable Private Network Access, the Aembit CLI or Agent Proxy retrieve secrets from AWS Secrets Manager directly, ensuring secure and private access to your secrets.

See AWS Secrets Manager Credential Provider for more details on how to configure this feature.


GitLab CI/CD Component, OIDC dynamic claims, and CrowdStrike conditions now available

The Aembit Edge GitLab CI/CD Component is now available to simplify Aembit integration within your pipelines. Find the component in the GitLab CI/CD Catalog and learn how to use it in the component documentation.


The OIDC ID Token Credential Provider now supports dynamic claims, allowing you to extract and use values from OIDC tokens in the credential data. This feature creates personalized and context-aware credentials that reflect the workload’s identity and attributes from their original OIDC token.

See OIDC ID Token Dynamic Claims for more information.


Aembit has added two new Access Conditions for CrowdStrike:

  • MAC Address - Ensures the CrowdStrike Agent Host MAC Address matches the Host MAC Address that Agent Proxy retrieved.
  • Local IP Address - Ensures the CrowdStrike Agent Host Local IP Address matches the Host Local IP Address that Agent Proxy retrieved.

See Create Access Conditions for CrowdStrike to learn how to create Access Conditions for CrowdStrike.

Aembit CLI, AWS Secrets Manager, and Jenkins Pipelines now available

Aembit has released the new AWS IAM Role Credential Provider Integration and Secrets Manager Credential Provider. Together, they enable you to retrieve secrets from AWS Secrets Manager directly through Aembit.

See AWS IAM Role Credential Provider Integration and AWS Secrets Manager Credential Provider to learn more.


Aembit has released the Aembit CLI, a command-line interface that allows you to inject credentials into your CI/CD pipelines. It is compatible with GitLab, GitHub, and now Jenkins.

Check out the Aembit CLI Guide to get started with the Aembit CLI!
Also, see Aembit Edge on CI/CD services for more information on how to use Aembit CLI with your CI/CD pipelines.


Aembit has released support for Jenkins Pipelines to help you integrate Aembit into your Jenkins CI/CD workflows. This integration allows you to securely retrieve and use Aembit-managed credentials directly in your Jenkins Pipelines, streamlining your CI/CD processes and enhancing security.

Check out Jenkins Pipelines to learn more about how to use Aembit with Jenkins Pipelines.


Aembit now supports Server Workloads with a wildcard hostname.

This enables you to define your server workloads in a flexible and well-defined manner.


As of Agent Controller version 1.24.xxxx, Aembit has enhanced Agent Controller to automatically close insecure HTTP ports when you enable TLS. This update streamlines security by ensuring only encrypted connections are active.

When you enable TLS, Agent Controller now automatically:

  • Opens Secure Ports: 443 (or 5443 on VMs) and the secure Prometheus port 9091.
  • Closes Insecure Ports: 80 (or 5000 on VMs) and the insecure Prometheus port 9090.

This automation removes the manual step of closing insecure, vulnerable ports, preventing potential misconfigurations and enforcing a more secure, “secure-by-default” posture.


Aembit has applied security enhancements to Agent Controller version 1.24.2485 in this release, including:

  • Disabling insecure HTTP ports when you enable TLS.

Updated Edge Components:

  • Agent Controller

Updated Edge Packages:

  • Helm Chart

  • Terraform ECS module

See Edge Components supported versions for more details.

Discovery filtering and OIDC ID Token Trust Provider now available

Aembit has added more advanced filtering options to the Discovered tab for Client and Server Workloads. This enables you to find specific discovered workloads based on the criteria you filter.

Discovered Client Workloads page

Discovered Server Workloads page

See Filtering Discovered Workloads for more info.


Aembit has added the OIDC ID Token Trust Provider. This Trust Provider is Aembit’s solution for authenticating workloads using standard OIDC ID tokens. It validates incoming tokens against specific issuer, audience, and subject claims, giving you maximum flexibility to integrate with virtually any OIDC-compliant identity provider for secure, token-based workload access.

See OIDC ID Token Trust Provider for more info.


Aembit has applied security and performance enhancements to Agent Proxy version 1.24.3324 in this release.

Updated Edge Components:

  • Agent Proxy

Updated Edge Packages:

  • Helm Chart

  • Terraform ECS module

  • AWS Lambda Extension

See Edge Components supported versions for more details.

Aembit Edge API now available with expanded Wiz Discovery

Introducing Aembit Edge API, the new way your cloud-native applications can retrieve credentials dynamically without deploying additional infrastructure. Perfect for serverless functions, containers, and CI/CD pipelines that need secure access to third-party services.

With Aembit Edge API you can:

  • Retrieve credentials on-demand for any configured service from your CI/CD pipelines.
  • Authenticate workloads using platform-native identity tokens (GitHub Actions, GitLab CI, AWS Lambda, etc.).
  • Eliminate hardcoded secrets by fetching credentials just-in-time.
  • Support multiple credential types including API keys, username/password, and CI/CD provider tokens.

Check out the Edge API get started page to learn more or start using it right away with the Aembit Edge quickstart guide.


Aembit Discovery can now discover additional resources when you use Wiz as a Discovery Source.

Through the Wiz integration, Aembit now discovers Client Workload resources such as VMs, AWS- and Azure-specific Client Workload Identifiers, and many others. As for Server Workload resources, Aembit now discovers Azure Blob Storage, GCP BigQuery, and many others.

For the full list, see Wiz-discoverable resource types.

Improved Agent Controller TLS reporting and environment variable logging

Aembit has released a new version of Agent Controller, version 1.23.2263, with the following changes:

  • Enhanced TLS certificate status reporting with improved retry and error handling.

  • Added comprehensive logging for environment variable configuration with sensitive data masking for secure review.

Updated Edge Components:

  • Agent Controller

Updated Edge Packages:

  • Helm Chart

  • VM Agent Controller package

  • Terraform ECS module

See Edge Components supported versions for more details.

Workload Discovery filtering and Global Policy Compliance reporting now available

Introducing Workload Discovery Filtering for improved workload management and visibility across your discovered infrastructure. This enhancement adds comprehensive filtering capabilities to both Client Workloads and Server Workloads discovery pages, enabling you to quickly locate and analyze specific workloads.

Filtering options include:

  • Client Workloads: Filter by Client Workload Identifiers and Workload Discovery Source
  • Server Workloads: Filter by Port, Protocol, and Workload Discovery Source

Server Workload discovery filtering

This feature streamlines workload management by enabling you to efficiently search through discovered workloads, making it easier to identify, analyze, and onboard relevant workloads into your Aembit environment.

To learn more about discovered workload filtering, see Workload Discovery Filtering.


You can now view the Global Policy Compliance status of your Access Policies using the new Global Policy Compliance page under Reporting in the left nav menu. Quickly get an overall view of the compliance status of your Access Policies and optionally filter for specific statuses.

Global Policy Compliance report dashboard

To learn more about reporting on Global Policy Compliance status, see How to review Global Policy Compliance.

CrowdStrike SIEM Log Streams and Agent Proxy enhancements

Introducing Log Streams for CrowdStrike Next-Gen SIEM for real-time security event monitoring and enhanced threat detection. This integration enables rapid streaming of Aembit Edge event logs and audit logs directly to CrowdStrike’s Next-Gen Security Information and Event Management (SIEM) platform using the HTTP Event Collector (HEC) protocol.

By connecting Aembit with CrowdStrike Next-Gen SIEM, you can:

  • Stream Access Authorization Events, Audit Logs, and Workload Events to CrowdStrike SIEM
  • Configure TLS encryption and verification options
  • Receive automatic failure notifications as an Aembit admin
  • Integrate seamlessly with existing CrowdStrike HEC configurations

This feature enhances your organization’s security posture by improving threat detection capabilities, streamlining incident management, and supporting compliance monitoring requirements through centralized log analysis in CrowdStrike.

To learn more, see Log Streams for CrowdStrike Next-Gen SIEM.


Aembit has applied security and performance enhancements to Agent Proxy in this release.


Aembit has added the AEMBIT_CLIENT_WORKLOAD_PROCESS_IDENTIFICATION_ENABLED Agent Proxy environment variable to Enable Process Name Client Workload identification.


Updated Edge Components:

  • Agent Proxy

Updated Edge Packages:

  • Helm Chart

  • VM Agent Proxy package

  • Terraform ECS module

  • AWS Lambda Extension

  • AWS Lambda Layer

See Edge Components supported versions for more details.

Terraform ECS module now supports environment variables

The Aembit Edge Terraform ECS module now supports Terraform variables that allow you to set Agent Controller and Agent Proxy environment variables directly.

You may now set logging levels for these Edge Components in AWS ECS Fargate environments, and leverage configuration options that the Edge Terraform ECS module doesn’t support directly as variables yet.

See AWS ECS Fargate documentation for more information.

Global Policy Compliance, OIDC ID Token Credential Provider, and Splunk Log Streams now available

To increase the available deployment options for Amazon Web Services (AWS) Lambda users, Aembit now provides a Lambda Layer to support zip-based Lambda Functions. This joins our existing AWS Lambda Container support.

For more detailed information on how to deploy Aembit Edge Components to AWS Lambda Functions using our Lambda Layer, please refer to the AWS Lambda Functions documentation.


Introducing Global Policy Compliance for centralized security enforcement across your Aembit environment. This feature allows administrators to establish organization-wide security standards for Access Policies and Agent Controllers, ensuring consistent security practices and preventing the creation of policies that might inadvertently expose resources.

With Global Policy Compliance, you can enforce requirements for Trust Providers and Access Conditions across all Access Policies, as well as Trust Provider and TLS Hostname requirements for Agent Controllers. The three-tier enforcement model lets you set requirements as Required, Recommended (default), or Optional based on your organization’s security needs.

Global Policy Compliance visually identifies non-compliant components through color-coded status icons:

  • Red indicators for required but missing elements
  • Yellow indicators for recommended but missing elements
  • Green indicators for compliant Access Policies
  • Gray indicators for disabled or not active Access Policies

To learn more about Global Policy Compliance, see the Global Policy Compliance Overview.


Introducing OIDC ID Token Credential Provider for secure identity token generation and exchange with third-party services. By leveraging Aembit’s custom Identity Provider (IdP) capabilities, this Credential Provider generates JWT-formatted tokens that seamlessly integrate with various Workload Identity Federation (WIF) solutions.

The OIDC ID Token Credential Provider offers flexible configuration options including:

  • Custom claims configuration with both dynamic and literal subject support
  • Choice of signing algorithms (RS256 or ES256)
  • Integration with identity brokers such as AWS STS, GCP WIF, Azure WIF, and HashiCorp Vault

This new Credential Provider is particularly valuable for:

  • Secure access to cloud provider resources through their WIF solutions
  • Authentication with HashiCorp Vault using OIDC tokens
  • Integration with any service supporting OIDC/JWT authentication

To learn more about this feature, see About the OIDC ID Token Credential Provider.


Introducing Log Stream for Splunk SIEM to enhance your security monitoring capabilities. This integration enables rapid streaming of Aembit Edge event logs and audit logs directly to Splunk using Splunk’s HTTP Event Collector (HEC) protocol.

By connecting Aembit with Splunk SIEM, you can:

  • Enhance threat detection with comprehensive security data
  • Improve incident management through centralized logging
  • Streamline compliance monitoring for your organization

The setup process is straightforward, requiring only a properly configured HTTP Event Collector in your Splunk environment and a few configuration steps in the Aembit Admin UI. Aembit will automatically send email notifications if Log Stream transactions consistently fail, ensuring you’re always aware of your logging status.

To learn more about setting up this integration, see How to stream Aembit events to Splunk SIEM.

Pod startup delay and security enhancements for Agent Proxy

Aembit has added the AEMBIT_PASS_THROUGH_TRAFFIC_BEFORE_REGISTRATION Agent Proxy environment variable to enable you to delay the Client Workload Kubernetes pod startup until registration between Agent Proxy and Agent Controller completes. See Delaying pod startup until Agent Proxy has registered for details.


Aembit has applied security enhancements and hardening to Agent Proxy in this release.


Updated Edge Components:

  • Agent Proxy

Updated Edge Packages:

  • Helm Chart

  • VM Agent Proxy package

  • Terraform ECS module

  • AWS Lambda Extension

See Edge Components supported versions for more details.

Allowed TLS Hostname now configurable for Agent Controller

Agent Controllers now support Allowed TLS Hostname as a configurable field in your Aembit Tenant:

Create an Agent Controller with TLS Hostname field

Allowed TLS Hostname serves the same purpose as the AEMBIT_MANAGED_TLS_HOSTNAME Agent Controller environment variable.

Configuring an Allowed TLS Hostname allows you to specify which domain name Aembit Managed TLS includes in the TLS certificate. This makes sure secure connections from your Agent Proxies are only valid when using this exact domain name to reach your Agent Controller, enhancing security without restricting which Agent Proxies can communicate with it.

To configure your Agent Controller with an allowed TLS hostname, see How to create an Agent Controller or Configure Agent Controller TLS with Aembit’s PKI.

Standalone CAs and Credential Provider Integrations now available

Introducing Standalone CAs for more granular control over TLS Decrypt management. This feature allows you to create and manage dedicated Certificate Authorities (CAs) that function independently from Aembit’s default Tenant-level certificates.

With Standalone CAs, you can assign CAs directly to specific Client Workloads or Resource Sets, creating isolated trust boundaries and enabling precise management of TLS traffic across different environments. Aembit intelligently selects the appropriate CA using a clear hierarchy: Client Workload level -> Resource Set level -> Tenant level.

To learn more about Standalone CAs, see About Standalone CA for TLS Decrypt.


We’ve updated the Deploy Edge Components experience in the Aembit admin UI to streamline how you deploy Aembit Edge Components.

We’ve added deployment guides directly in the Aembit admin UI for each type of deployment such as Kubernetes, Ubuntu Linux, Red Hat Enterprise Linux, or Microsoft. Now when you’re deploying new Aembit Edge Components, you’ll have a guided experience to get you up and running faster.

Deploy Aembit Edge screen


Introducing Credential Provider Integrations, which automate credential lifecycle management for third-party systems. This feature makes sure your workloads always have valid credentials without manual management, enhancing both security and operational efficiency.

Credential Provider Integrations make this possible by connecting Aembit directly to third-party systems, starting with the GitLab Service Account integration. The GitLab Service Account integration enables you to create a Managed GitLab Account Credential Provider, which allows you to manage the credential lifecycle of your GitLab service accounts.

This gives you fine-grained control while eliminating the overhead of manual credential management.

AWS SigV4 and SigV4a request signing now supported

The Aembit Credential Provider for AWS Security Token Service (STS) now supports the AWS SigV4 and SigV4a request signing protocols. Aembit automatically signs requests to AWS services using SigV4 for regional services or SigV4a for global/multi-region services.

See How Aembit uses AWS SigV4 and SigV4a to learn more and AWS Security Token Service (STS) Federation to configure an AWS STS Credential Provider.

Updated Edge Components:

  • Agent Proxy

Updated Edge Packages:

  • Helm Chart

  • VM Agent Proxy package

  • Terraform ECS module

  • AWS Lambda Extension

See Edge Components supported versions.