topic TrustSec approach for AWS workspaces in Network Access Control

TrustSec approach for AWS workspaces

Antonio Macia — Tue, 12 Aug 2025 11:00:39 GMT

Hi,

We use AWS workspaces for our endusers to reach on-prem resources through VPN/Direct Connect. For the endpoints connecting to on-prem through wired,wireless and VPN we leverage ISE and TrustSec architecture to enforce traffic based on SGTs across our network (switches and firewalls). We aim to keep the same SGT policies enforcing traffic coming in from AWS workspaces. What is the best approach?

Regards,

Antonio.

Re: TrustSec approach for AWS workspaces

Greg Gibbs — Tue, 12 Aug 2025 22:03:05 GMT

ISE 3.4 patch 1 provides a cloud workload connector as part of the Common Policy Framework. This would allow you to ingest workload tags from AWS, assign SGTs to those workloads, and share those IP/SGT mappings with your firewalls for consistent policy enforcement.

See the following link for more details on Common Policy and Workload Connector - https://www.cisco.com/c/en/us/td/docs/security/ise/collections/common-policy.html

Re: TrustSec approach for AWS workspaces

Antonio Macia — Fri, 15 Aug 2025 05:35:52 GMT

Hi @Greg Gibbs

Per my understanding with the cloud workload connector we can create rules to map SGTs to AWS instances based on some attributes that the instance has, but I'm not sure if it is possible to apply different SGTs to the same AWS workspace depending on the user logged in. Can this be done?

Regards.

Re: TrustSec approach for AWS workspaces

Greg Gibbs — Fri, 15 Aug 2025 06:05:46 GMT

Ah, so you're referring to AWS Workspaces, as in virtual desktops.

This would be a similar issue as with other VDI solutions. There would have to be a 1:1 mapping between the desktop instance and IP address and ISE would have to have some way identifying and authorizing the user logged in, similar to 802.1x.
I don't see how this would be possible.