Overview
Aembit provides a centralized platform for managing NHI and Workload IAM, tailored to meet individual business needs. While acknowledging the unique architectural and design decisions of each customer, Aembit offers a wide catalog of administrative features to enable your production posture and maximize usage.
Aembit - Customer Environment
Aembit has standardized various channels of ingress/egress for product usage. We recommend reviewing these environmental elements for compatibility with our default operability and service.
- Allow list - Firewall and related security measures enable trust and passthrough
  - *.aembit.io
- Ports - Aembit Deployment & Configuration
  - Kubernetes/ECS Fargate
    - 80, 443
    - 8000
    - 9090
  - Virtual Machine
    - 5000, 5443
    - 8000
Reference Material
- Deployments
Aembit Tenant
Administration, access, and configuration play an instrumental role in deploying and configuring Aembit and its product features. Implementing these features will benefit ongoing administration and governance.
- Single Sign-On - Centralize your end-user access by removing the dependency on username/password administration. *Requires the Identity Provider feature
- Multi-Factor Authentication - Add an additional layer of security to Aembit-native authentication access
- Resource Sets - Enable RBAC policies to address end-user segmentation and fine-grained scope.
- SuperAdmin - The Aembit tenant's highest-privileged role. Aembit tenant administration should be limited to a privileged subset of people for business continuity, administration redundancy and configuration flexibility.
- Reporting
  - Audit Logs - Establish a defined cadence of review for anomalies, administration deployment and overall activity
  - Status Page - To maintain operational awareness of Aembit Cloud and services, we recommend subscribing to our Status page, https://status.aembit.io/
Reference Material
- https://docs.aembit.io/administration/signonpolicy/overview
- https://docs.aembit.io/administration/resource-sets/overview
- https://docs.aembit.io/administration/resource-sets/managing-roles
- https://docs.aembit.io/reporting/audit-logs
- https://docs.aembit.io/troubleshooting/tenant-health-check
Agent Controller
The Agent Controller has a critical role to play by facilitating Agent Proxy registration. Ongoing reliability and availability are instrumental in ensuring your workloads remain serviceable and operational for production usage.
- Trust Provider Attestation - Provides identity authenticity through third parties. Best practice for your production environment
- Device Codes - Intended for development and non-production usage
- TLS Enabled
  - Kubernetes - Enabled by default
  - Virtual Machine - Enabled when the AEMBIT_MANAGED_TLS_HOSTNAME parameter is populated
- Health - Validating Agent Controller health and related endpoints helps ensure ongoing operational continuity. Routine checks and alerting add operational stability to your infrastructure.
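Routine health validation of the kind this item calls for can be scripted. The following Python check is an added example written for this page, not Aembit tooling and not an Aembit API: it probes TCP reachability of the ingress ports listed under Aembit - Customer Environment for a chosen deployment type, and for the ports you designate as TLS listeners it performs a verified TLS handshake and reports the days remaining until certificate expiry. The hostname agent-controller.example.internal, the 30-day warning threshold, the choice of 5443 as the TLS port in the usage call, and the use of the AEMBIT_MANAGED_TLS_HOSTNAME value as the verification name are assumptions; which service listens on which port is not stated on this page, so the script assigns no roles to ports. The probe and certificate fetcher are injectable so the reporting logic can be exercised offline.

```python
"""Ingress reachability and TLS-expiry check for Aembit edge components.

Added example for this page, not Aembit tooling. Hostnames are placeholders;
the port lists come from the page's Aembit - Customer Environment section.
"""
import socket
import ssl
import time

# Ingress ports per deployment type, as listed on the page. The page does not
# state which service owns each port, so they are treated uniformly here.
INGRESS_PORTS = {
    "kubernetes_ecs_fargate": [80, 443, 8000, 9090],
    "virtual_machine": [5000, 5443, 8000],
}


def tcp_reachable(host, port, timeout=3.0):
    """True if a TCP connection to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def fetch_not_after(host, port, server_hostname=None, timeout=3.0):
    """Complete a verified TLS handshake and return the leaf cert's notAfter.

    Chain and hostname verification are deliberately left on: a check that
    disables them would report a misconfigured listener as healthy.
    Assumption: server_hostname is the value set in AEMBIT_MANAGED_TLS_HOSTNAME.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_hostname or host) as tls:
            return tls.getpeercert()["notAfter"]


def days_until_expiry(not_after, now=None):
    """Whole days from `now` to `not_after`; both strings use getpeercert()'s
    'Mon DD HH:MM:SS YYYY GMT' format (now=None means the current time)."""
    expiry = ssl.cert_time_to_seconds(not_after)
    current = time.time() if now is None else ssl.cert_time_to_seconds(now)
    return int((expiry - current) // 86400)


def readiness_report(host, deployment, probe=tcp_reachable,
                     cert_fetcher=fetch_not_after, tls_ports=(), now=None,
                     warn_days=30):
    """Probe every listed port and, for tls_ports, check certificate lifetime.

    probe(host, port) -> bool and cert_fetcher(host, port) -> notAfter string
    are injectable so the reporting logic can run without network access.
    """
    report = {"host": host, "deployment": deployment, "unreachable": [], "tls": {}}
    for port in INGRESS_PORTS[deployment]:
        if not probe(host, port):
            report["unreachable"].append(port)
    for port in tls_ports:
        try:
            days = days_until_expiry(cert_fetcher(host, port), now)
            report["tls"][port] = {"days_left": days, "ok": days >= warn_days}
        except (OSError, ValueError, KeyError) as exc:
            # Handshake, verification or parse failure: report it, never skip it.
            report["tls"][port] = {"error": str(exc), "ok": False}
    report["ok"] = not report["unreachable"] and all(
        entry["ok"] for entry in report["tls"].values())
    return report


if __name__ == "__main__":
    # Placeholder hostname and TLS port choice; adjust to your deployment.
    print(readiness_report("agent-controller.example.internal",
                           "virtual_machine", tls_ports=(5443,)))
```

Run the check from a host that shares the network path of your workloads rather than from the controller itself, schedule it, and alert whenever the report's "ok" field is False; a verification failure surfaces as an "error" entry rather than being swallowed, which is the behaviour you want from a health probe on a TLS listener.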
Deployment - Virtual Machine
- Dedicated virtual machine(s) for Agent Controller administration are recommended. Co-locating the Agent Controller and Agent Proxy on the same virtual machine increases administrative overhead, increases security exposure, and adds configuration complexity.
- Continuous availability requires redundancy and reduces operational risk. Validate your deployment for production readiness by reviewing the Agent Controller high-availability deployment section (linked under Reference Material).
Reference Material
- https://docs.aembit.io/deployments/connections
- https://docs.aembit.io/features/configure-aembit-pki-agent-controller-tls
- https://docs.aembit.io/deployments/virtual-machine/
- https://docs.aembit.io/deployments/virtual-machine/agent-controller-high-availability
- https://docs.aembit.io/features/about-colocating-edge-components
- https://docs.aembit.io/troubleshooting/tenant-health-check
Aembit - Operational Management
Environment and Compatibility
Aembit functionality and components are supported in a wide array of deployments and services. Based on your business and architectural needs, we recommend reviewing our Support Matrix for an in-depth summary of supportability.
Edge Components
Versions
Implementing supported versions of Aembit Edge Components maintains operational usage and hygiene for continuous workload management. We recommend you leverage our latest releases where possible. See the Edge Component supported versions page for compatibility.
Rotation Control
We recommend introducing version control for Edge Components as part of your deployment model. Routine validation and a controlled rollout across environments are strongly encouraged.