Login

Managing AWS with Security Cloud Control

Introduction
- About Cisco Security Cloud Control
- Products Managed by Cisco Security Cloud Control
- About Firewall in Security Cloud Control
- Managing AWS with Firewall in Security Cloud Control
- The Firewall Dashboard
Get Started
- Create a Security Cloud Control Tenant
- Browsers Supported in Security Cloud Control
- Login Requirements for Security Cloud Control
  - Initial Login to Your New Security Cloud Control Tenant
  - Signing in to Security Cloud Control in Different Regions
  - Troubleshooting Login Failures
- Migrate to Cisco Security Cloud Sign On Identity Provider
  - Troubleshooting Login Failures after Migration
- Launch a Security Cloud Control Tenant
- Security Cloud Control Services Page
- About Security Cloud Control Licenses
  - Cloud-Delivered Firewall Management Center and Threat Defense Licenses
- Security Cloud Control Platform Maintenance Schedule
- Cloud-delivered Firewall Management Center Maintenance Schedule
- Manage Objects
  - Object Types
  - Shared Objects
  - Object Overrides
  - Unassociated Objects
  - Compare Objects
  - Filters
    - Object Filters
      - Configure Object Filters
      - When to Exclude a Device from Filter Criteria
  - Unignore Objects
  - Deleting Objects
    - Delete a Single Object
    - Delete a Group of Unused Objects
  - Network Objects
  - AWS Security Groups and Cloud Security Group Objects
    - Sharing Objects Between AWS and other Managed Devices
  - Service Objects
- Network Address Translation
- Order of Processing NAT Rules
- Network Address Translation Wizard
  - Create a NAT Rule by using the NAT Wizard
- Common Use Cases for NAT
  - Enable a Server on the Inside Network to Reach the Internet Using a Public IP address
  - Enable Users on the Inside Network to Access the Internet Using the Outside Interface's Public IP Address
  - Make a Server on the Inside Network Available on a Specific Port of a Public IP Address
    - NAT Incoming FTP Traffic to an FTP Server
    - NAT Incoming HTTP Traffic to an HTTP Server
    - NAT Incoming SMTP Traffic to an SMTP Server
  - Translate a Range of Private IP Addresses to a Range of Public IP Addresses
    - Translate a Pool of Inside Addresses to a Pool of Outside Addresses
  - Prevent a Range of IP Addresses from Being Translated When Traversing the Outside Interface
    - Create a Twice NAT Rule
Manage Tenants and Users
- Manage a Security Cloud Control Tenant
  - Configure User Preferences
    - General Preferences
      - Change the Security Cloud Control Web Interface Appearance
    - User Notification Preferences
    - View Security Cloud Control Notifications
  - Tenant Settings
    - Enable Change Request Tracking
    - Prevent Cisco Support from Viewing your Tenant
    - Enable the Option to Auto-accept Device Changes
    - Default Conflict Detection Interval
    - Enable the Option to Schedule Automatic Deployments
    - Web Analytics
    - Share Event Data with Cisco Talos
    - Tenant ID
    - Tenant Name
    - Security Cloud Control Platform Navigator
  - Organization Notification Settings
    - Enable Email Subscribers
      - Add an Email Subscription
      - Edit Email Subscriptions
      - Delete an Email Subscription
    - Enable Service Integrations for Security Cloud Control Notifications
      - Incoming Webhooks for Webex Teams
      - Incoming Webhooks for Slack
      - Incoming Webhooks for a Custom Integration
  - Logging Settings
  - Integrate Your SAML Single Sign-On with Security Cloud Control
  - Renew SSO Certificate
  - My Tokens
  - API Tokens
    - API Token Format and Claims
    - Manage API-only Users for Firewall in Security Cloud Control
    - Token Management
      - Generate an API Token
      - Renew an API Token
      - Revoke an API Token
  - Relationship Between the Identity Provider Accounts and Security Cloud Control User Records
    - Login Workflow
    - Implications of this Architecture
      - Customers Who Use Cisco Security Cloud Sign On
      - Customers Who Have Their Own Identity Provider
      - Cisco Managed Service Providers
      - Related Topics
  - Manage Multi-Tenant Portal
    - Add a Tenant to a Multi-Tenant Portal
    - Delete a Tenant from a Multi-Tenant Portal
    - Manage-Tenant Portal Settings
      - Settings
      - Switch Tenant
  - The Cisco Success Network
- Manage Users in Security Cloud Control
  - Manage Super Admins on Your Tenant
  - View the User Records Associated with your Tenant
- Active Directory Groups in User Management
  - Prerequisites for Adding an Active Directory Group to Security Cloud Control
  - Add an Active Directory Group for User Management
  - Edit an Active Directory Group for User Management
  - Delete an Active Directory Group for User Management
- Create a New Security Cloud Control User
  - Create a Cisco Security Cloud Sign On Account for the New User
    - About Logging in to Security Cloud Control
    - Before You Log In
    - Create a New Cisco Security Cloud Sign On Account and Configure Duo Multi-factor Authentication
  - Create a User Record with Your Security Cloud Control Username
  - The New User Opens Security Cloud Control from the Cisco Secure Sign-On Dashboard
- User Roles in Security Cloud Control
  - Read-only Role
  - Edit-Only Role
  - Deploy-Only Role
  - VPN Sessions Manager Role
  - Admin Role
  - Super Admin Role
  - Change The Record of the User Role
- Add a User Account to Security Cloud Control
  - Create a User Record
  - Create API Only Users
- Edit a User Record for a User Role
  - Edit a User Role
- Delete a User Record for a User Role
  - Delete a User Record
Onboard Devices and Services
- Onboard an AWS VPC
- Supported Devices, Software, and Hardware
Manage Onboarded Device Settings
- Changing a Device's IP Address in Security Cloud Control
- Changing a Device's Name in Security Cloud Control
- Export a List of Devices and Services
- Export Device Configuration
- External Links for Devices
  - Create an External Link from your Device
  - Create an External Link to
  - Create an External Link for Multiple Devices
  - Edit or Delete External Links
  - Edit or Delete External Links for Multiple Devices
- Bulk Reconnect Devices to Security Cloud Control
- Moving Devices Between Tenants
- Device Certificate Expiry Detection
- Write a Device Note
- Delete a Device from Security Cloud Control
- Manage Security Devices
- About Security Devices Page
- Security Cloud Control Labels and Filtering
  - Applying Labels to Devices and Objects
  - Labels and Tags in AWS VPC
  - Filters
- Use Security Cloud Control Search Functionality
  - Page Level Search
Configuring AWS Devices
- Update AWS VPC Connection Credentials
- Monitor AWS VPC Tunnels using AWS Transit Gateway
- Search and Filter Site-to-Site VPN Tunnels
- View a history of changes made to the AWS VPC tunnels
- Manage Security Policies in Security Cloud Control
  - AWS VPC Policy
    - AWS VPCs and Security Groups in Security Cloud Control
    - AWS VPC Security Groups Rules
    - Create a Security Group Rule
    - Edit a Security Group Rule
    - Delete a Security Group Rule
- Reading, Discarding, and Deploying Configuration Changes
  - Read All Device Configurations
  - Preview and Deploy Configuration Changes for All Devices
  - Deploy Changes to a Device
    - Cancelling Changes
    - Discarding Changes
  - Bulk Deploy Device Configurations
  - About Scheduled Automatic Deployments
    - Schedule an Automatic Deployment
    - Edit a Scheduled Deployment
    - Delete a Scheduled Deployment
  - Check for Configuration Changes
  - Discard Configuration Changes
  - Out-of-Band Changes on Devices
- Synchronizing Configurations Between Security Cloud Control and Device
  - Conflict Detection
    - Enable Conflict Detection
  - Automatically Accept Out-of-Band Changes from your Device
    - Configure Auto-Accept Changes
    - Disabling Auto-Accept Changes for All Devices on the Tenant
  - Resolve Configuration Conflicts
    - Resolve the Not Synced Status
    - Resolve the Conflict Detected Status
  - Schedule Polling for Device Changes
Manage Device Configuration
- Reading, Discarding, and Deploying Configuration Changes
  - Read All Device Configurations
  - Preview and Deploy Configuration Changes for All Devices
  - Deploy Changes to a Device
    - Cancelling Changes
    - Discarding Changes
  - Bulk Deploy Device Configurations
  - About Scheduled Automatic Deployments
    - Schedule an Automatic Deployment
    - Edit a Scheduled Deployment
    - Delete a Scheduled Deployment
  - Check for Configuration Changes
  - Discard Configuration Changes
  - Out-of-Band Changes on Devices
- Synchronizing Configurations Between Security Cloud Control and Device
  - Conflict Detection
    - Enable Conflict Detection
  - Automatically Accept Out-of-Band Changes from your Device
    - Configure Auto-Accept Changes
    - Disabling Auto-Accept Changes for All Devices on the Tenant
  - Resolve Configuration Conflicts
    - Resolve the Not Synced Status
    - Resolve the Conflict Detected Status
  - Schedule Polling for Device Changes
Monitoring and Reporting Change Logs, Workflows, and Jobs
- Manage Change Logs in Security Cloud Control
- View Change Log Differences
- Export the Change Log
  - Differences Between Change Log Capacity in Security Cloud Control and Size of an Exported Change Log
- Change Request Management
  - Enable Change Request Management
  - Create a Change Request
  - Associate a Change Request with a Change Log Event
  - Search for Change Log Events with Change Requests
  - Search for a Change Request
  - Filter Change Requests
  - Clear the Change Request Toolbar
  - Clear a Change Request Associated with a Change Log Event
  - Delete a Change Request
  - Disable Change Request Management
  - Change Request Management Use Cases
- Monitor Jobs in Security Cloud Control
  - Reinitiate a Bulk Action
  - Cancel a Bulk Action
- Monitor Workflows in Security Cloud Control
Integrating Security Cloud Control with Cisco Security Cloud Sign On
- Merge Your Security Cloud Control and Cisco XDR Tenant Accounts
Terraform
- About Terraform
Troubleshooting
- Troubleshoot Security Cloud Control
  - Troubleshooting Access and Certificates
    - Resolve New Fingerprint Detected State
    - Troubleshooting Network Problems Using Security and Analytics Logging Events
    - Troubleshooting SSL Decryption Issues
  - Troubleshooting Login Failures after Migration
  - Troubleshooting Objects
    - Resolve Duplicate Object Issues
    - Resolve Unused Object Issues
      - Resolve an Unused Object Issue
      - Remove Unused Objects in Bulk
    - Resolve Inconsistent Object Issues
    - Resolve Object Issues in Bulk
- Device Connectivity States
  - Troubleshoot Insufficient Licenses
  - Troubleshoot Invalid Credentials
  - Troubleshoot New Certificate Issues
    - New Certificate Detected
  - Troubleshoot Onboarding Error
  - Resolve the Conflict Detected Status
  - Resolve the Not Synced Status
FAQ and Support
- Security Cloud Control
- FAQ About Onboarding Devices to Security Cloud Control
  - FAQs About Onboarding Secure Firewall ASA to Security Cloud Control
  - FAQs About Onboarding FDM-Managed Devices to Security Cloud Control
  - FAQs About Onboarding Secure Firewall Threat Defense to Cloud-delivered Firewall Management Center
  - FAQs About On-Premises Secure Firewall Management Center
  - FAQs About Onboarding Meraki Devices to Security Cloud Control
  - FAQs About Onboarding SSH Devices to Security Cloud Control
  - FAQs About Onboarding IOS Devices to Security Cloud Control
- Device Types
- Security
- Troubleshooting
- Terminologies and Definitions used in Zero-Touch Provisioning
- Policy Optimization
- Connectivity
- About Data Interfaces
- How Security Cloud Control Processes Personal Information
- Contact Security Cloud Control Support
  - Export The Workflow
  - Open a Support Ticket with TAC
    - How Security Cloud Control Customers Open a Support Ticket with TAC
    - How Security Cloud Control Trial Customers Open a Support Ticket with TAC
  - Security Cloud Control Service Status Page

Software Amazon Web Services VPC

Activity Onboard

Get Started Manage Objects AWS Security Groups and Cloud Security Group Objects

Last updated: Jun 09, 2025

AWS Security Groups and Cloud Security Group Objects

Relationship between AWS Security Groups and Cloud Security Group Objects

A security group in the Amazon Web Services (AWS) console is a collection of rules that act as a virtual firewall for the instances and other entities contained in the security group. A security group can be associated with other security groups, ports, port ranges, IPV4 or IPV6 addresses, subnets, and load balancers.

When you onboard an AWS VPC to Security Cloud Control, AWS security groups are translated into Security Cloud Controlcloud security group objects. The AWS console does not support rules that contain more than one source, destination, or port/port range. If you define more than one source, destination, or port/port range within a single rule in Security Cloud Control and deploy, Security Cloud Control translates the rule into separate rules before deploying it to the AWS VPC. For example, if you create an outbound rule in Security Cloud Control that allows traffic from one security group, "A" to another security group "B" and an IPv6 address, Security Cloud Control deploys this to AWS as two separate rules: (1) to allow outbound traffic from security group object A to security group object B and (2) to allow outbound traffic from security group object A to the IPv6 address.

Note that security groups are associated with individual AWS VPCs and cannot be shared across device types. That means that you cannot share a cloud security group object with an ASA, FTD, IOS, SSH, or Meraki device.

Previous topic Network Objects Next topic Sharing Objects Between AWS and other Managed Devices