The aws:verifiedaccess/instance:Instance resource, part of the Pulumi AWS provider, provisions a Verified Access Instance that serves as the container for zero-trust network access policies. This guide focuses on three capabilities: basic instance creation, FIPS compliance enablement, and custom subdomain configuration.
Verified Access Instances are the foundation for zero-trust access policies. Trust providers, endpoints, and access groups are configured separately. The examples are intentionally small. Combine them with your own trust providers and endpoint configurations.
Create a Verified Access Instance with metadata
Most deployments start by creating an instance with a description and tags for organization and cost tracking.
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const example = new aws.verifiedaccess.Instance("example", {
description: "example",
tags: {
Name: "example",
},
});
import pulumi
import pulumi_aws as aws
example = aws.verifiedaccess.Instance("example",
description="example",
tags={
"Name": "example",
})
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/verifiedaccess"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := verifiedaccess.NewInstance(ctx, "example", &verifiedaccess.InstanceArgs{
Description: pulumi.String("example"),
Tags: pulumi.StringMap{
"Name": pulumi.String("example"),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
var example = new Aws.VerifiedAccess.Instance("example", new()
{
Description = "example",
Tags =
{
{ "Name", "example" },
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.verifiedaccess.Instance;
import com.pulumi.aws.verifiedaccess.InstanceArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var example = new Instance("example", InstanceArgs.builder()
.description("example")
.tags(Map.of("Name", "example"))
.build());
}
}
resources:
example:
type: aws:verifiedaccess:Instance
properties:
description: example
tags:
Name: example
The description property provides human-readable context for the instance. The tags property adds key-value metadata for organization and cost allocation. This creates the foundation instance; trust providers and endpoints are attached separately.
Enable FIPS compliance for government workloads
Government and regulated workloads often require FIPS 140-2 validated cryptographic modules.
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const example = new aws.verifiedaccess.Instance("example", {fipsEnabled: true});
import pulumi
import pulumi_aws as aws
example = aws.verifiedaccess.Instance("example", fips_enabled=True)
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/verifiedaccess"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := verifiedaccess.NewInstance(ctx, "example", &verifiedaccess.InstanceArgs{
FipsEnabled: pulumi.Bool(true),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
var example = new Aws.VerifiedAccess.Instance("example", new()
{
FipsEnabled = true,
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.verifiedaccess.Instance;
import com.pulumi.aws.verifiedaccess.InstanceArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var example = new Instance("example", InstanceArgs.builder()
.fipsEnabled(true)
.build());
}
}
resources:
example:
type: aws:verifiedaccess:Instance
properties:
fipsEnabled: true
The fipsEnabled property enables FIPS-validated cryptography for the instance. It is immutable: changing it after creation forces Pulumi to replace the instance with a new one (and a new instance ID), so trust provider attachments and groups that reference the old ID are recreated as well. Decide on FIPS mode before the instance goes into service rather than toggling it later.
Configure custom subdomains for CIDR endpoints
Organizations with custom DNS requirements can specify a subdomain for CIDR-based endpoints.
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const example = new aws.verifiedaccess.Instance("example", {cidrEndpointsCustomSubdomain: "test.example.com"});
import pulumi
import pulumi_aws as aws
example = aws.verifiedaccess.Instance("example", cidr_endpoints_custom_subdomain="test.example.com")
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/verifiedaccess"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := verifiedaccess.NewInstance(ctx, "example", &verifiedaccess.InstanceArgs{
CidrEndpointsCustomSubdomain: pulumi.String("test.example.com"),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
var example = new Aws.VerifiedAccess.Instance("example", new()
{
CidrEndpointsCustomSubdomain = "test.example.com",
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.verifiedaccess.Instance;
import com.pulumi.aws.verifiedaccess.InstanceArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var example = new Instance("example", InstanceArgs.builder()
.cidrEndpointsCustomSubdomain("test.example.com")
.build());
}
}
resources:
example:
type: aws:verifiedaccess:Instance
properties:
cidrEndpointsCustomSubdomain: test.example.com
The cidrEndpointsCustomSubdomain property sets the DNS subdomain for CIDR endpoints, allowing integration with your existing domain structure. You must own and control the specified domain. The instance exports a nameServers output; create NS records for the subdomain in the parent zone that point at those name servers so that resolution for the subdomain is delegated to Verified Access. Until that delegation is in place, names under the subdomain will not resolve for clients.
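The page does not show how to check an existing stack against the two settings above. The following is an added example, not code from the Pulumi docs or the AWS provider: a Python script that reads the JSON printed by `pulumi stack export` (assumed to carry a `deployment.resources` list with each resource's `type`, `inputs` and `outputs`), flags instances created without `fipsEnabled` (since that cannot be fixed in place), validates `cidrEndpointsCustomSubdomain`, and renders the NS records for delegating the subdomain to the `nameServers` output. The stack export it runs on is constructed for the example, and the `vai-` ID pattern follows the page's example identifier.

```python
"""Offline audit of a `pulumi stack export` for Verified Access Instances.

Added example, not code from the Pulumi docs or the AWS provider. It walks
the JSON that `pulumi stack export` prints (assumed: a "deployment" object
whose "resources" list carries each resource's "type", "inputs" and
"outputs") and checks the two instance-level settings covered above:
fipsEnabled and cidrEndpointsCustomSubdomain. SAMPLE_EXPORT is constructed.
"""
import json
import re
import sys

INSTANCE_TYPE = "aws:verifiedaccess/instance:Instance"
# Instance IDs look like vai-<17 hex chars>, matching the page's vai-1234567890abcdef0.
INSTANCE_ID_RE = re.compile(r"^vai-[0-9a-f]{17}$")
# One DNS label: 1-63 letters, digits or hyphens, not starting or ending with a hyphen.
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def valid_subdomain(name: str) -> bool:
    """True when `name` is a syntactically valid DNS name with two or more labels."""
    if not name or len(name) > 253 or name.endswith("."):
        return False
    labels = name.split(".")
    return len(labels) >= 2 and all(LABEL_RE.match(label) for label in labels)


def audit_export(export: dict) -> list:
    """Return one finding dict per Verified Access Instance found in the export."""
    findings = []
    for res in export.get("deployment", {}).get("resources", []):
        if res.get("type") != INSTANCE_TYPE:
            continue
        inputs = res.get("inputs") or {}
        outputs = res.get("outputs") or {}
        subdomain = inputs.get("cidrEndpointsCustomSubdomain")
        name_servers = list(outputs.get("nameServers") or [])
        instance_id = outputs.get("id")
        issues = []
        if inputs.get("fipsEnabled") is not True:
            # fipsEnabled cannot be flipped in place; fixing it later replaces the instance.
            issues.append("fipsEnabled is not true; enabling it later forces a replacement")
        if subdomain is not None and not valid_subdomain(subdomain):
            issues.append(f"cidrEndpointsCustomSubdomain {subdomain!r} is not a valid DNS name")
        if subdomain and not name_servers:
            # Without the nameServers output there is nothing to delegate the subdomain to.
            issues.append("custom subdomain set but nameServers output is empty")
        if instance_id and not INSTANCE_ID_RE.match(instance_id):
            issues.append(f"unexpected instance id format {instance_id!r}")
        findings.append({
            "urn": res.get("urn"),
            "id": instance_id,
            "subdomain": subdomain,
            "name_servers": name_servers,
            "issues": issues,
        })
    return findings


def delegation_records(finding: dict) -> list:
    """NS records to add in the parent zone so the subdomain is delegated to Verified Access."""
    if not finding["subdomain"] or not finding["name_servers"]:
        return []
    return [f"{finding['subdomain']}. IN NS {ns}." for ns in finding["name_servers"]]


# Constructed stack export: one compliant instance and one with two problems.
SAMPLE_EXPORT = {
    "deployment": {
        "resources": [
            {
                "urn": "urn:pulumi:prod::va::aws:verifiedaccess/instance:Instance::prod",
                "type": INSTANCE_TYPE,
                "inputs": {"fipsEnabled": True, "cidrEndpointsCustomSubdomain": "access.example.com"},
                "outputs": {"id": "vai-1234567890abcdef0",
                            "nameServers": ["ns1.example.net", "ns2.example.net"]},
            },
            {
                "urn": "urn:pulumi:dev::va::aws:verifiedaccess/instance:Instance::dev",
                "type": INSTANCE_TYPE,
                "inputs": {"fipsEnabled": False, "cidrEndpointsCustomSubdomain": "dev-access.example.com"},
                "outputs": {"id": "vai-0fedcba0987654321", "nameServers": []},
            },
        ]
    }
}

if __name__ == "__main__":
    # Usage: pulumi stack export > stack.json && python audit.py stack.json
    export = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_EXPORT
    for finding in audit_export(export):
        status = "OK" if not finding["issues"] else "; ".join(finding["issues"])
        print(finding["urn"], status)
        for record in delegation_records(finding):
            print("   ", record)
```

Run it after `pulumi up`; the NS records it prints belong in the parent zone (Route 53 or wherever the apex domain is hosted), which the instance resource cannot create for you. Because the FIPS finding cannot be remediated in place, it is most useful as a gate in CI before the instance acquires trust providers and endpoints.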
Beyond these examples
These snippets focus on specific instance-level features: instance creation with metadata, FIPS compliance configuration, and custom subdomain assignment. They’re intentionally minimal rather than full zero-trust access deployments.
The examples may reference pre-existing infrastructure such as DNS domain ownership for custom subdomains. They focus on configuring the instance rather than provisioning the complete Verified Access architecture.
To keep things focused, common Verified Access patterns are omitted, including:
- Trust provider attachment (verifiedAccessTrustProviders)
- Endpoint and group configuration
- Access policy definition
- Integration with identity providers
These omissions are intentional: the goal is to illustrate how each instance feature is wired, not provide drop-in zero-trust modules. See the Verified Access Instance resource reference for all available configuration options.
Frequently Asked Questions
Configuration & FIPS
The fipsEnabled property is immutable. To change FIPS support, you must replace the instance. To enable it, set fipsEnabled to true when creating the instance.
Custom Subdomains
The cidrEndpointsCustomSubdomain property sets a custom subdomain for CIDR endpoints. Set it to your desired subdomain (e.g., "test.example.com") and delegate that name from your parent zone to the instance's nameServers output.
Resource Management
To import an existing instance, run pulumi import aws:verifiedaccess/instance:Instance <name> <instance-id>, where the instance ID follows the format vai-1234567890abcdef0. The region property is not required; it defaults to the region configured in your provider.