Create a New AWS Connector

Procedure

1

In the navigation pane, choose Manage > Workloads > Connectors.

2

Click AWS Connector.

3

Click Generate Template and choose the desired capabilities.

Based on the capabilities that you select, a CloudFormation Template (CFT) is generated. Use the generated CFT in AWS CloudFormation to create the policy for the user or role.

To enable segmentation, you must also enable Gather Labels.

4

Download the generated CloudFormation Template (CFT). The generated CFT can be used for both the user and role.

This template has the IAM privileges required for the capabilities that you selected in the previous step.

If you enabled the Kubernetes option, you must separately configure permissions for EKS. See Managed Kubernetes Services Running on AWS (EKS).

5

Upload the CFT to the AWS CloudFormation portal to assign privileges to the user for this connector. Ensure that the AWS user has the required privileges before you continue with the AWS connector configuration.

We recommend this task whether or not you are using AWS cross-account access.

You can apply the CFT using either the portal or the CLI. For more information, see:

When you upload the CFT, AWS requires the following details:

  1. Name of the policy (This can be anything. For example, Secure WorkloadConnector)

  2. Rolename: Name of the AWS IAM role to which you are applying the CFT

  3. List of bucket ARNs and object ARNs (Default: *)

  4. Username: Name of the AWS user to which you are applying the CFT

  5. List of VPC ARNs (Default: *)

    To enter a specific list of VPC ARNs, enter the security group and network interface resources paired with the specific VPC to enable segmentation.

    1. arn:aws:ec2:<region>:<account_id>:security-group/*

    2. arn:aws:ec2:<region>:<account_id>:network-interface/*

    Sample Code

    Each example is one statement from the Statement array of the generated policy.

    Example 1 (security groups and network interfaces scoped to the same region and account as the VPC)

    {
      "Action": [
        "ec2:RevokeSecurityGroupIngress",
        "ec2:AuthorizeSecurityGroupEgress",
        "ec2:AuthorizeSecurityGroupIngress",
        "ec2:CreateSecurityGroup",
        "ec2:RevokeSecurityGroupEgress",
        "ec2:DeleteSecurityGroup",
        "ec2:ModifyNetworkInterfaceAttribute",
        "ec2:CreateTags"
      ],
      "Resource": [
        "arn:aws:ec2:us-east-1:123456789:vpc/vpc-abcdef",
        "arn:aws:ec2:us-east-1:123456789:security-group/*",
        "arn:aws:ec2:us-east-1:123456789:network-interface/*"
      ],
      "Effect": "Allow"
    }

    Example 2 (security groups and network interfaces in any region and account, with the VPC still specific)

    {
      "Action": [
        "ec2:RevokeSecurityGroupIngress",
        "ec2:AuthorizeSecurityGroupEgress",
        "ec2:AuthorizeSecurityGroupIngress",
        "ec2:CreateSecurityGroup",
        "ec2:RevokeSecurityGroupEgress",
        "ec2:DeleteSecurityGroup",
        "ec2:ModifyNetworkInterfaceAttribute",
        "ec2:CreateTags"
      ],
      "Resource": [
        "arn:aws:ec2:us-east-1:123456789:vpc/vpc-abcdef",
        "arn:aws:ec2:*:*:security-group/*",
        "arn:aws:ec2:*:*:network-interface/*"
      ],
      "Effect": "Allow"
    }

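As an added example (not the generated CFT or the product's own code), the following Python builds a statement in the form of Example 1 from a list of VPC ARNs, pairing each VPC with the security-group and network-interface resources of its own region and account, and flags Resource entries that wildcard the region or account (the Example 2 form or the Default: * value) so they can be reviewed before the policy is applied. The action list is taken from the examples above; the ARNs in the usage are the page's sample values.

```python
SEGMENTATION_ACTIONS = [
    "ec2:RevokeSecurityGroupIngress",
    "ec2:AuthorizeSecurityGroupEgress",
    "ec2:AuthorizeSecurityGroupIngress",
    "ec2:CreateSecurityGroup",
    "ec2:RevokeSecurityGroupEgress",
    "ec2:DeleteSecurityGroup",
    "ec2:ModifyNetworkInterfaceAttribute",
    "ec2:CreateTags",
]


def parse_vpc_arn(arn):
    """Split arn:aws:ec2:<region>:<account_id>:vpc/<vpc-id> into its parts,
    rejecting wildcards so the statement stays bound to known VPCs."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[:3] != ["arn", "aws", "ec2"] or not parts[5].startswith("vpc/"):
        raise ValueError("not an EC2 VPC ARN: %s" % arn)
    region, account, vpc_id = parts[3], parts[4], parts[5][len("vpc/"):]
    if "*" in (region, account, vpc_id):
        raise ValueError("wildcard VPC ARN is not scoped: %s" % arn)
    return region, account, vpc_id


def segmentation_statement(vpc_arns):
    """One Allow statement pairing each VPC with the security-group/* and
    network-interface/* resources of the same region and account (Example 1)."""
    resources = []
    for arn in vpc_arns:
        region, account, _ = parse_vpc_arn(arn)
        resources.append(arn)
        for kind in ("security-group/*", "network-interface/*"):
            scoped = "arn:aws:ec2:%s:%s:%s" % (region, account, kind)
            if scoped not in resources:  # VPCs in one region/account share these
                resources.append(scoped)
    return {"Action": list(SEGMENTATION_ACTIONS), "Resource": resources, "Effect": "Allow"}


def unscoped_resources(statement):
    """Resource entries whose region or account is a wildcard (Example 2 form
    or the Default: * value); confirm these are intended before applying."""
    flagged = []
    for res in statement.get("Resource", []):
        parts = res.split(":")
        if len(parts) < 6 or "*" in parts[3:5]:
            flagged.append(res)
    return flagged


if __name__ == "__main__":
    stmt = segmentation_statement(["arn:aws:ec2:us-east-1:123456789:vpc/vpc-abcdef"])
    print(stmt["Resource"], unscoped_resources(stmt))  # three scoped ARNs, []
```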
6

If you are using AWS role-based authentication to connect to the Secure Workload connector, see the EKS Roles and Access Privileges section.

7

If you are using AWS cross-account access, follow the additional steps:

  1. You can use the same uploaded CFT to give access to the role or user. If you have multiple accounts, use the same CFT on each account.

  2. Upload the CFT to the AWS CloudFormation portal of each AWS account where the desired IAM role exists.

    You can apply the CFT using either the portal or the CLI, as described in the previous step.

    When you upload the CFT, AWS asks for the following:

    1. Name of the policy (This can be anything. For example, Secure WorkloadConnector)

    2. List of bucket ARNs and object ARNs (Default: *)

    3. Rolename: Name of the AWS IAM role to which you are applying the CFT

    4. List of VPC ARNs (Default: *)

8

Click the Getting started guide (recommended) button or the Configure your new connector here button to configure the connector.

9

Understand and meet the Requirements and Prerequisites for AWS, EKS Roles and Access Privileges, and Segmentation policy enforcement, then click Get Started. If you are configuring using the Configure your new connector button, click Yes instead.

10

Name the connector and enter the description.

11

Configure settings:

You can use either of the following options to connect to the AWS account:

  1. Credential Keys

  2. Roles

Credential Keys

  Access Key: ACCESS KEY ID associated with the AWS user that has the privileges described in the CFT above.

  Secret Key: SECRET KEY associated with the ACCESS KEY ID above.

Roles

  External Id: An auto-generated unique identifier for granting access to AWS resources. The user adds it to the trust relationship of the role.

  User ARN: An auto-generated unique identifier assigned to an IAM user. The user adds it to the trust relationship of the role.

  ARN: A unique identifier assigned to each AWS resource.

HTTP Proxy

  (Optional) Proxy required for Secure Workload to reach AWS.

Full Scan Interval

  Frequency with which Secure Workload refreshes complete inventory data from AWS. Default and minimum is 3600 seconds.

Delta Scan Interval

  Frequency with which Secure Workload fetches incremental changes in inventory data from AWS. Default and minimum is 600 seconds.
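The Roles option relies on the External Id and User ARN being written into the trust relationship of the IAM role. As an added example (not the product's own code or a Secure Workload API), the following Python builds that trust policy so that only the connector's User ARN can assume the role, and only when it presents the External Id, and reviews an existing trust policy for the two weaknesses a defender should catch before attaching it: a wildcard principal and a missing sts:ExternalId condition. The account ID, user name and External Id in the usage are constructed placeholders.

```python
import json


def _as_list(value):
    """IAM allows either a string or a list in Action and Principal fields."""
    return value if isinstance(value, list) else [value]


def role_trust_policy(user_arn, external_id):
    """Trust policy for the IAM role the connector assumes: only the connector's
    User ARN may call sts:AssumeRole, and only with the matching External Id."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": user_arn},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def trust_policy_issues(policy):
    """List weaknesses in a trust policy document before it is attached to the role."""
    issues = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(st.get("Action", [])):
            continue
        principal = st.get("Principal", {})
        principals = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else _as_list(principal)
        if "*" in principals:
            issues.append("Principal '*' lets any AWS account attempt sts:AssumeRole")
        condition = st.get("Condition", {}).get("StringEquals", {})
        if "sts:ExternalId" not in condition:
            issues.append("no sts:ExternalId condition, so the connector's External Id is not enforced")
    return issues


if __name__ == "__main__":
    # Constructed sample values; the real ones are shown in the connector settings.
    policy = role_trust_policy("arn:aws:iam::111122223333:user/secure-workload-connector",
                               "example-external-id")
    print(json.dumps(policy, indent=2))
    print(trust_policy_issues(policy))  # []
```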

12

Click Next.

13

The next page displays a Resource Tree. Expand it to view the various regions; inside each region, select or clear the resource check boxes to obtain the list of VPCs and EKS clusters from AWS.

14

From the list of VPCs (Virtual Networks), choose the VPCs for which you want to enable your selected capabilities.

Generally, you should enable flow ingestion as soon as possible, so that Secure Workload can begin to collect enough data required to suggest accurate policies.

Note that because EKS only supports the Gather Labels capability, no explicit capability selection is provided; selecting an EKS cluster implicitly enables the supported capability. For each cluster for which you enable this capability, enter the Assume Role ARN (the Amazon Resource Name of the role to assume while connecting to Secure Workload).

Enabling Segmentation on VPCs removes the existing security group(s) and provides default access to all VPCs.

Generally, you should not choose Enable Segmentation during initial configuration. Later, when you are ready to enforce segmentation policy for specific VPCs, you can edit the connector and enable segmentation for those VPCs. See the Best Practices When Enforcing Segmentation Policy for AWS Inventory.

15

For the EKS cluster, you can allow AWS IAM role access by providing the Assume Role ARN access ID to connect to the AWS connector.

16

Once your selections are complete, click Create and wait a few minutes for the validation check to complete.

What to do next

If you have enabled gathering labels, ingesting flow data, and/or segmentation:

  • If you enable flow ingestion, it may take up to 25 minutes for flows to begin appearing on the Investigate > Traffic page.

  • (Optional) For richer flow data and other benefits including visibility into host vulnerabilities (CVEs), install the appropriate agent for your operating system on your VPC-based workloads. For requirements and details, see the agent installation chapter.

  • After you have successfully configured the AWS connector to gather labels and ingest flows, follow the standard process for building segmentation policies. For example: Allow Secure Workload to gather sufficient flow data to generate reliable policies; define or modify scopes (typically one for each VPC); create a workspace for each scope; automatically discover policies based on your flow data, and/or manually create policies; analyze and refine your policies; ensure that your policies meet the guidelines and best practices below; and then, when you are ready, approve and enforce those policies in the workspace. When you are ready to enforce segmentation policy for a particular VPC, return to the connector configuration to enable segmentation for the VPC. For details, see Best Practices When Enforcing Segmentation Policy for AWS Inventory.

If you have enabled the Kubernetes managed services (EKS) option:

  • Install Kubernetes agents on your container-based workloads. For details, see the Kubernetes/Openshift Agents - Deep Visibility and Enforcement section in the agent deployment chapter.

Event Log:

The event logs record the significant events of each connector from its different capabilities. You can filter them by attributes such as Component, Namespace, Messages, and Timestamp.