Updated Admin Dashboard and multiple Credential Providers per Access Policy

Aembit recently released the following two updates to improve the Aembit user experience:

  • The Aembit Tenant UI has been updated with an expanded Admin Dashboard with additional metrics and data.
  • Access Policies have been improved to enable users to add multiple Credential Providers to Access Policies.

Updated Admin Dashboard

Aembit has released an updated Admin Dashboard with additional metrics and data you can review when logging into your tenant. You will now see the following metrics displayed from the last 24 hours:

  • Client Workloads (Managed)
  • Server Workloads (Managed)
  • Credentials (Usage By Type)
  • Workloads Connections (Managed)

Multiple Service Accounts per Access Policy

Aembit now supports associating multiple Credential Providers with a single Access Policy for specific use cases.

Adding and mapping multiple Credential Providers to an Access Policy is useful when you want to keep a single Access Policy but have different Credential Providers associated with it.

For example, if you want to have the same Client Workload access the same Server Workload, but use different credentials for different functions, this feature enables you to specify the appropriate Credential Providers for each function on an Access Policy.

For more detailed information on how you can add multiple Credential Providers to an Access Policy, please see the Multiple Credential Providers page.

Agent Proxy now injected as a native Kubernetes sidecar

Kubernetes recently introduced support for native sidecar containers. Aembit now leverages this model for the Agent Proxy, where possible.

Aembit now automatically injects the Agent Proxy as a native sidecar, which allows Client Workloads that run as init containers.

This change only applies to Kubernetes deployments of version 1.29 and above.

For more information on how you can use Agent Proxy as a sidecar to support init containers, please see the Kubernetes Deployment page.

Comprehensive Aembit API documentation now available

Aembit has released comprehensive API technical documentation for the Aembit API.

With this documentation release, you now have access to a complete library of technical content, usage information, and the latest version of the OpenAPI specification, which you can use to learn how to use the Aembit API.

For more detailed information on the Aembit API technical documentation, please see the page.

Aembit Edge Terraform module and ECS TLS support now available

Aembit has released two major enhancements to Aembit Edge Components: Aembit Edge Terraform Module for AWS ECS, and ECS TLS support.

Aembit ECS Terraform Registry

Aembit releases updates to the Aembit ECS Terraform Registry on a regular basis to provide users with additional features and functionality, including improvements to Agent Proxy and Agent Controller.

For more information on the latest ECS Terraform Registry release, please see the Aembit Terraform Registry page.

ECS TLS Support

Aembit has released an ECS deployment enhancement that enables Transport Layer Security (TLS) between the Agent Proxy and Agent Controller using an Aembit-provided Public Key Infrastructure (PKI).

There is no option to use your own PKI for ECS deployments.

Aembit Terraform Provider update with Custom Resource Sets and OAuth

Aembit has released an Aembit Terraform Provider update to the Terraform Registry.

This update includes several improvements and enhancements, including:

  • Support for Custom Resource Sets.
  • Removal of the deprecated AWS ECS Role Trust Provider (replaced previously by the AWS Role Trust Provider).
  • Support for Credential Providers of type OAuth2 Authorization Code.

For more information on these updates and changes, please see the Aembit Terraform Registry page.

Non-root Aembit containers and configurable Agent Proxy file descriptor limits

Aembit has released two new feature updates that enhance existing Aembit functionality.

Aembit Containers

All injected Aembit containers are now run as non-root users.

Agent Proxy File Descriptor Limits

Users may configure limits for the number of file descriptors Agent Proxy is allowed to open on a VM. You may configure this number when Agent Proxy is installed (using the AEMBIT_FD_LIMIT flag).

Virtual Machines

  • Default Limit - 65535, set by Agent Proxy installer

  • Configuration - This limit is configurable via the AEMBIT_FD_LIMIT environment variable. This value is passed directly to systemd in Agent Proxy’s service file at the time of installation.

  • Example - AEMBIT_FD_LIMIT=200000 [...] ./install
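Setting AEMBIT_FD_LIMIT at install time only helps if the limit actually reaches the running process. The following check, an added example rather than Aembit's own tooling, reads the "Max open files" row that the kernel exposes in /proc/<pid>/limits and compares it with the value you passed to the installer; the sample limits text is constructed, and `<agent-proxy-pid>` is a placeholder you resolve on the host.

```shell
#!/bin/sh
# Added example (not Aembit's own code): confirm that the file-descriptor limit in
# effect for a running Agent Proxy on a VM matches the AEMBIT_FD_LIMIT value given
# to the installer. Assumes the usual /proc/<pid>/limits layout.

# Constructed sample of /proc/<pid>/limits for a proxy installed with AEMBIT_FD_LIMIT=200000.
SAMPLE_LIMITS='Limit                     Soft Limit           Hard Limit           Units
Max cpu time              unlimited            unlimited            seconds
Max open files            200000               200000               files
Max processes             7823                 7823                 processes'

# Print "<soft> <hard>" from the "Max open files" row of a /proc/<pid>/limits text.
open_files_limit() {
    printf '%s\n' "$1" | awk '/^Max open files/ { print $4, $5 }'
}

# Return 0 when both the soft and the hard limit equal the configured AEMBIT_FD_LIMIT,
# 1 otherwise; prints a one-line verdict so it can be used from a health-check script.
check_fd_limit() {
    limits_text=$1
    expected=$2
    set -- $(open_files_limit "$limits_text")
    soft=$1; hard=$2
    if [ -z "$soft" ]; then
        echo "no 'Max open files' row found"; return 1
    fi
    if [ "$soft" = "$expected" ] && [ "$hard" = "$expected" ]; then
        echo "ok: open-file limit is $soft (matches AEMBIT_FD_LIMIT=$expected)"
        return 0
    fi
    echo "mismatch: soft=$soft hard=$hard expected=$expected"
    return 1
}

# Live use on a VM (commented out so the example runs offline; replace the placeholder pid):
# check_fd_limit "$(cat /proc/<agent-proxy-pid>/limits)" "$AEMBIT_FD_LIMIT"
check_fd_limit "$SAMPLE_LIMITS" 200000
```

A mismatch usually means the value was set in the shell but not passed through to the systemd service file, so also inspect the unit the installer wrote.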

Kubernetes

  • Default Limit - This limit is inherited from container runtime.

  • Configuration - There is no official support without modifying the underlying runtime. For more information on configuring these limits, please see the Kubernetes limits support GitHub thread.

AWS ECS

  • Default Limit - 1024

  • Configuration - This limit is configurable via the ECS Task Definition API or ECS Dashboard. Please refer to the AWS ECS Developer Guide for more detailed information on how to configure these limits.

AWS Lambda

  • Default Limit - 1024

  • Configuration - This limit is not configurable. For more information, please refer to the AWS Lambda Developer Guide.

Graceful Agent Proxy shutdown for sidecars

In some cases you may need to shut down Agent Proxy manually when the main container has exited but a sidecar is still running. Killing the whole job is undesirable because it would appear as a cancelled job, so Aembit now provides a way to terminate the job gracefully while allowing the sidecar to keep running.

For more detailed information on this feature, please refer to the Agent Proxy Shutdown page.

GeoIP Access Conditions and Google Cloud Storage Log Streams now available

Aembit has released two new features on Aembit Cloud:

  • Access Condition support for Geographic IP (GeoIP) restrictions
  • Log Stream support for streaming to Google Cloud Storage Buckets

Aembit GeoIP Access Conditions

You may now configure and add Aembit GeoIP conditions in your Aembit Tenant. This new Access Condition type enables you to explicitly designate which countries/regions will have access to Server Workloads from policy-enabled Client Workloads.

For more information on this feature, please refer to the Access Conditions for GeoIP Restriction page.

Google Cloud Storage Bucket Log Streams

Aembit now supports Log Streams that target Google Cloud Storage (GCS) Buckets. You may add or configure this new Log Stream destination type in the Administration tab of your Aembit Tenant.

For more information on this feature, please refer to the Google Cloud Storage Bucket Log Streams page.

Access Authorization Events and Google Cloud Run Jobs support now available

Support for Access Authorization Events

Aembit has now enabled support for Access Authorization Events. Access Authorization Events enable customers to observe credential requests.

Support for Google Cloud Run Jobs as Client Workloads

Aembit supports Google Cloud Run Jobs as Client Workloads. With this support, you can now:

  • authenticate to the Aembit IdP using Attestation with the GCP Cloud Run Job Identity

  • request and retrieve a secret from GCP Secret Manager

MFA support and Linux virtual machine Edge deployment now available

Several new feature updates and additions have been made to improve Aembit user experience. These updates include:

  • Admin console multi-factor authentication support
  • Edge components VM deployment support

Multi-factor authentication support

Aembit now supports Multi-Factor Authentication (MFA) so users can provide different authentication methods. Users can:

  • scan a QR code to configure their compatible authentication application
  • retrieve MFA Recovery Codes in case the device or application is unavailable
  • view the users who have configured MFA within the Aembit Users view

Linux-based VM deployment support

Users may now deploy Aembit Edge Components to VMs (non-Kubernetes), giving users more options for how they deploy these components.

For more detailed information about this feature, please see the virtual machine Installation page.