TrustSec approach for AWS workspaces

Antonio Macia
Level 3

Hi,

We use AWS Workspaces for our end users to reach on-prem resources through VPN/Direct Connect. For the endpoints connecting to on-prem through wired, wireless and VPN we leverage ISE and the TrustSec architecture to enforce traffic based on SGTs across our network (switches and firewalls). We aim to keep the same SGT policies enforcing traffic coming in from AWS Workspaces. What is the best approach?

Regards,

Antonio.

1 Accepted Solution

Accepted Solutions

Greg Gibbs
Cisco Employee

ISE 3.4 patch 1 provides a cloud workload connector as part of the Common Policy Framework. This would allow you to ingest workload tags from AWS, assign SGTs to those workloads, and share those IP/SGT mappings with your firewalls for consistent policy enforcement.

See the following link for more details on Common Policy and Workload Connector - https://www.cisco.com/c/en/us/td/docs/security/ise/collections/common-policy.html


3 Replies


Hi @Greg Gibbs 

Per my understanding with the cloud workload connector we can create rules to map SGTs to AWS instances based on some attributes that the instance has, but I'm not sure if it is possible to apply different SGTs to the same AWS workspace depending on the user logged in. Can this be done?

Regards.

Ah, so you're referring to AWS Workspaces, as in virtual desktops.

This would be a similar issue as with other VDI solutions. There would have to be a 1:1 mapping between the desktop instance and IP address, and ISE would have to have some way of identifying and authorizing the user logged in, similar to 802.1X.
I don't see how this would be possible.
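To make the two points in this thread concrete (tag-driven SGT assignment from the accepted answer, and why a per-user SGT on a shared desktop IP does not fit an IP/SGT mapping, from the last reply), here is an added, self-contained Python model. It is not ISE code and does not use the ISE or AWS APIs; the rule format, tag keys, SGT numbers, IP addresses and user sessions are all constructed for the illustration.

```python
"""Toy model of tag-driven SGT assignment for cloud workloads.

Added illustration, not Cisco ISE or AWS code. The rule shape, the tag
keys, the SGT values and every record below are constructed examples.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Workload:
    instance_id: str   # constructed identifier
    private_ip: str    # address the firewall will see as the source
    tags: dict         # cloud tags ingested from the provider


@dataclass
class TagRule:
    name: str
    match: dict        # every key/value here must be present on the workload
    sgt: int
    priority: int      # lower number wins when several rules match


# Constructed rules: a specific role rule and a broad environment default.
RULES = [
    TagRule("finance-desktops", {"Role": "finance"}, sgt=10, priority=10),
    TagRule("prod-default", {"Environment": "prod"}, sgt=20, priority=100),
]

# Constructed workload inventory as a connector might ingest it.
WORKLOADS = [
    Workload("i-0aaa", "10.0.1.5", {"Environment": "prod", "Role": "finance"}),
    Workload("i-0bbb", "10.0.1.6", {"Environment": "prod", "Role": "hr"}),
    Workload("i-0ccc", "10.0.1.7", {"Environment": "dev"}),  # matches no rule
]

# Constructed login records: two different users on the same desktop IP.
SESSIONS = [
    ("alice", "10.0.1.5"),
    ("bob", "10.0.1.5"),
    ("carol", "10.0.1.6"),
]


def assign_sgt(workload: Workload, rules: list) -> Optional[int]:
    """Return the SGT of the highest-priority rule whose tags all match."""
    matching = [
        r for r in rules
        if all(workload.tags.get(k) == v for k, v in r.match.items())
    ]
    if not matching:
        return None
    return min(matching, key=lambda r: r.priority).sgt


def build_ip_sgt_table(workloads: list, rules: list) -> dict:
    """Build the IP -> SGT table that would be shared with enforcement points.

    Each IP can carry exactly one SGT; a second, different tag for the same
    address is a conflict rather than a second entry.
    """
    table: dict = {}
    for w in workloads:
        sgt = assign_sgt(w, rules)
        if sgt is None:
            continue  # untagged workloads get no mapping
        if w.private_ip in table and table[w.private_ip] != sgt:
            raise ValueError(f"conflicting SGT for {w.private_ip}")
        table[w.private_ip] = sgt
    return table


def ips_with_multiple_users(sessions: list) -> list:
    """List IPs that more than one user is logged in to.

    Any IP returned here cannot receive a per-user SGT through an IP/SGT
    mapping, because the mapping has no user dimension at all.
    """
    users_by_ip: dict = {}
    for user, ip in sessions:
        users_by_ip.setdefault(ip, set()).add(user)
    return sorted(ip for ip, users in users_by_ip.items() if len(users) > 1)


if __name__ == "__main__":
    print(build_ip_sgt_table(WORKLOADS, RULES))
    print(ips_with_multiple_users(SESSIONS))
```

The table is keyed by address only, so a workload that hosts several users can only ever be classified once; that is the structural reason the last reply gives for needing a 1:1 desktop-to-IP mapping plus a user authorization step before per-user SGTs are possible.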