Aembit Launches Prometheus Metrics Support

Prometheus metrics support is now available on the Aembit Edge to help customers monitor and troubleshoot edge components effectively.

Aembit Edge is a transparent proxy – deployed as a sidecar in Kubernetes or an agent in VMs – that manages non-human identity by validating workloads and injecting credentials. It integrates seamlessly with both new and existing applications, with no code changes required.

Security professionals and CSOs use observability tools, like the popular, open-source Prometheus, for real-time threat detection, anomaly detection, and incident response by monitoring metrics, logs, and cloud infrastructure.

These tools help detect unusual behaviors, monitor compliance, and ensure cloud security, while integrating with SIEM systems for enhanced incident management. They also aid in post-incident analysis, proactive vulnerability monitoring, and automated response to threats, making them vital for improving overall security posture.

Aembit implemented Prometheus-compatible metrics across all key Edge components, including the Agent Proxy, Agent Controller, and Agent Injector. This integration enables customers to seamlessly incorporate Aembit Edge into their existing observability stacks, allowing for real-time monitoring, alerting, and troubleshooting.

Aembit Edge includes a Prometheus exporter that exposes essential metrics – including request rates, error rates, and resource utilization. These metrics are available through a standardized /metrics endpoint that adheres to Prometheus naming conventions, ensuring seamless compatibility with Prometheus and other observability tools capable of scraping Prometheus metrics.

The metrics for each Aembit component are as follows:

| Component | Metric | Description |
|---|---|---|
| Agent Proxy | aembit_agent_proxy_incoming_connections_total | Total incoming connections (connections established from a client workload to the Agent Proxy). |
| | aembit_agent_proxy_active_incoming_connections | Active incoming connections (connections established from a client workload to the Agent Proxy). |
| | aembit_agent_proxy_credentials_injections_total | Number of credentials injected by Agent Proxy. |
| | credentials_cached_entries_total | The number of unexpired credentials currently cached by Agent Proxy. |
| | directives_cached_entries_total | The number of unexpired directives currently cached by Agent Proxy. |
| | machine_cpu_cores | Number of CPU cores available to Agent Proxy. |
| | version | Agent Proxy version. |
| | aembit_agent_proxy_token_expiration_unix_timestamp | Expiration timestamp for Aembit Agent Proxy Token (to access Aembit Cloud). |
| | aembit_agent_proxy_aembit_cloud_connection_status | Whether Agent Proxy has a connection to Aembit Cloud or not. Values: 0 (Disconnected), 1 (Connected). |
| | process_cpu_seconds_total | Amount of CPU seconds used by the Agent Proxy. |
| | process_memory_usage_bytes | Amount of memory (in bytes) used by Agent Proxy. |
| | aembit_agent_controller_token_expiration_unix_timestamp | Expiration timestamp for Aembit Agent Controller Token (to access Aembit Cloud). |
| Agent Controller | aembit_agent_controller_access_token_requests_total | The number of Agent Controller requests to get access token (for Agent Controller use). |
| | aembit_agent_controller_proxy_token_requests_total | The number of Agent Proxy requests received by the Agent Controller to get access token. |
| | aembit_agent_controller_registration_status | Values: 0 (Not registered), 1 (Registered). |
| | version | Agent Controller version. |
| Agent Injector | aembit_injector_pods_seen_total | The number of pods processed by the Agent Injector. |
| | aembit_injector_pods_injection_total | The number of pods into which Aembit Edge components were injected. |

While Aembit administrators can export logs using log streams to AWS S3 or GCP storage buckets – which can feed into SIEM or SOAR tools – Prometheus support adds the ability to trigger alerts.

Prometheus trigger alerts give admins, DevOps teams, and SOCs real-time monitoring of infrastructure, application performance, and security anomalies.

These alerts enable teams to detect and address issues such as system overloads, application failures, and security threats before they escalate.

Customizable thresholds, predictive monitoring, and integration with external tools facilitate proactive incident management, automated remediation, and efficient alert routing. By delivering actionable insights, Prometheus trigger alerts help ensure the smooth operation of your Aembit deployment.
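As an added illustration (not taken from Aembit's documentation), the Prometheus rules file below alerts on three of the Edge metrics listed in the table above. The alert names, `for` durations, and severity labels are assumptions to adapt to your environment.

```yaml
# Added example: alerting rules built on the Aembit Edge metrics listed above.
# Alert names, durations and severities are assumptions, not Aembit defaults.
groups:
  - name: aembit-edge
    rules:
      # Agent Proxy reports 0 when it has no connection to Aembit Cloud.
      - alert: AembitAgentProxyCloudDisconnected
        expr: aembit_agent_proxy_aembit_cloud_connection_status == 0
        for: 5m
        labels:
          severity: critical
        annotations:
          summary: "Agent Proxy {{ $labels.instance }} is disconnected from Aembit Cloud"

      # The token used to access Aembit Cloud has passed its expiration time.
      - alert: AembitAgentProxyTokenExpired
        expr: aembit_agent_proxy_token_expiration_unix_timestamp < time()
        for: 2m
        labels:
          severity: warning
        annotations:
          summary: "Agent Proxy token on {{ $labels.instance }} has expired"

      # Agent Controller reports 0 when it is not registered.
      - alert: AembitAgentControllerNotRegistered
        expr: aembit_agent_controller_registration_status == 0
        for: 5m
        labels:
          severity: critical
        annotations:
          summary: "Agent Controller {{ $labels.instance }} is not registered"
```

Load the file through `rule_files` in prometheus.yml and route the resulting alerts with Alertmanager.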

Support is available across all Aembit deployment models.

Below we’ll highlight Kubernetes and virtual machine (VM) deployments.

Kubernetes Deployments

Automatic Prometheus-compatible metrics exposure is implemented through Kubernetes annotations. This setup allows Prometheus to automatically discover and scrape metrics from Aembit Edge components without requiring manual configuration for each client workload.

In Kubernetes deployments, Prometheus automatically detects annotations for the Agent Controller and Agent Injector.

Because the Agent Proxy runs as part of the client workload – which may already expose Prometheus metrics and include its own annotations – a new set of annotations has been introduced. These annotations can be added to client workload pods without conflicting with existing ones.

Below is the list of annotations automatically added to client workloads where the Agent Proxy is injected.

| Annotation Name | Default value |
|---|---|
| aembit.io/metrics-scrape | "true" |
| aembit.io/metrics-path | "/metrics" |
| aembit.io/metrics-port | "9099" |

Default values can be overridden by setting these annotations on a client workload deployment.
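One way a Prometheus scrape job can select pods by these annotations is sketched below. This is an added example, not Aembit's own configuration; the job name is an assumption. Prometheus exposes each pod annotation as a `__meta_kubernetes_pod_annotation_*` label, replacing `.`, `/` and `-` with `_`.

```yaml
# Added example: scrape the Agent Proxy sidecar in every pod that carries
# the aembit.io/metrics-* annotations. The job name is an assumption.
scrape_configs:
  - job_name: aembit-agent-proxy
    kubernetes_sd_configs:
      - role: pod
    relabel_configs:
      # Keep only pods annotated aembit.io/metrics-scrape: "true".
      - source_labels: [__meta_kubernetes_pod_annotation_aembit_io_metrics_scrape]
        action: keep
        regex: "true"
      # Use aembit.io/metrics-path (default "/metrics") as the scrape path.
      - source_labels: [__meta_kubernetes_pod_annotation_aembit_io_metrics_path]
        action: replace
        regex: (.+)
        target_label: __metrics_path__
      # Point the target at aembit.io/metrics-port (default "9099").
      - source_labels: [__address__, __meta_kubernetes_pod_annotation_aembit_io_metrics_port]
        action: replace
        regex: '([^:]+)(?::\d+)?;(\d+)'
        replacement: $1:$2
        target_label: __address__
      # Carry namespace and pod name onto every scraped series.
      - source_labels: [__meta_kubernetes_namespace]
        target_label: namespace
      - source_labels: [__meta_kubernetes_pod_name]
        target_label: pod
```

Because the job keys on the aembit.io/ annotations rather than the common prometheus.io/ ones, a workload's existing application metrics job is left untouched.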

Virtual Machine Deployments

For virtual machine deployments, metrics are also enabled by default. Metrics can be disabled by setting the AEMBIT_METRICS_ENABLED=false environment variable during the installation of the Agent Controller or Agent Proxy.

  • The Agent Controller exposes metrics on port 9090.
  • The Agent Proxy exposes metrics on port 9099, though this port can be overridden using the AEMBIT_METRICS_PORT environment variable during installation.

Both the Agent Controller and Agent Proxy expose metrics at the /metrics endpoint.

Pro tip:
Visualize your metrics easily with Grafana, which is also open-source and easily integrates with Prometheus.

Next Steps

Aembit continues to enable comprehensive, yet easy-to-use deployments by integrating with the tools you use today. By extending observability with security monitoring, you can improve your overall threat detection and response strategies as you enhance security and manage access for your workloads and non-human identities.

To learn more, visit our Docs page or watch the video below!
