The aws:verifiedaccess/instanceLoggingConfiguration:InstanceLoggingConfiguration resource, part of the Pulumi AWS provider, configures where and how Verified Access instances send access logs. This guide focuses on three capabilities: CloudWatch, Kinesis Firehose, and S3 log destinations, trust context enrichment, and log format versioning.
Logging configurations reference existing Verified Access instances and log destinations. The examples are intentionally small. Combine them with your own Verified Access infrastructure and log processing pipelines.
Send access logs to CloudWatch Logs
Teams monitoring Verified Access often route logs to CloudWatch for centralized aggregation and real-time analysis.
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const example = new aws.verifiedaccess.InstanceLoggingConfiguration("example", {
accessLogs: {
cloudwatchLogs: {
enabled: true,
logGroup: exampleAwsCloudwatchLogGroup.id,
},
},
verifiedaccessInstanceId: exampleAwsVerifiedaccessInstance.id,
});
import pulumi
import pulumi_aws as aws
example = aws.verifiedaccess.InstanceLoggingConfiguration("example",
access_logs={
"cloudwatch_logs": {
"enabled": True,
"log_group": example_aws_cloudwatch_log_group["id"],
},
},
verifiedaccess_instance_id=example_aws_verifiedaccess_instance["id"])
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/verifiedaccess"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := verifiedaccess.NewInstanceLoggingConfiguration(ctx, "example", &verifiedaccess.InstanceLoggingConfigurationArgs{
AccessLogs: &verifiedaccess.InstanceLoggingConfigurationAccessLogsArgs{
CloudwatchLogs: &verifiedaccess.InstanceLoggingConfigurationAccessLogsCloudwatchLogsArgs{
Enabled: pulumi.Bool(true),
LogGroup: pulumi.Any(exampleAwsCloudwatchLogGroup.Id),
},
},
VerifiedaccessInstanceId: pulumi.Any(exampleAwsVerifiedaccessInstance.Id),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
var example = new Aws.VerifiedAccess.InstanceLoggingConfiguration("example", new()
{
AccessLogs = new Aws.VerifiedAccess.Inputs.InstanceLoggingConfigurationAccessLogsArgs
{
CloudwatchLogs = new Aws.VerifiedAccess.Inputs.InstanceLoggingConfigurationAccessLogsCloudwatchLogsArgs
{
Enabled = true,
LogGroup = exampleAwsCloudwatchLogGroup.Id,
},
},
VerifiedaccessInstanceId = exampleAwsVerifiedaccessInstance.Id,
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.verifiedaccess.InstanceLoggingConfiguration;
import com.pulumi.aws.verifiedaccess.InstanceLoggingConfigurationArgs;
import com.pulumi.aws.verifiedaccess.inputs.InstanceLoggingConfigurationAccessLogsArgs;
import com.pulumi.aws.verifiedaccess.inputs.InstanceLoggingConfigurationAccessLogsCloudwatchLogsArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var example = new InstanceLoggingConfiguration("example", InstanceLoggingConfigurationArgs.builder()
.accessLogs(InstanceLoggingConfigurationAccessLogsArgs.builder()
.cloudwatchLogs(InstanceLoggingConfigurationAccessLogsCloudwatchLogsArgs.builder()
.enabled(true)
.logGroup(exampleAwsCloudwatchLogGroup.id())
.build())
.build())
.verifiedaccessInstanceId(exampleAwsVerifiedaccessInstance.id())
.build());
}
}
resources:
example:
type: aws:verifiedaccess:InstanceLoggingConfiguration
properties:
accessLogs:
cloudwatchLogs:
enabled: true
logGroup: ${exampleAwsCloudwatchLogGroup.id}
verifiedaccessInstanceId: ${exampleAwsVerifiedaccessInstance.id}
When enabled is true, Verified Access sends access logs to the specified CloudWatch log group. The logGroup property references an existing log group by ID. Each access request generates a log entry with connection details, authentication results, and policy decisions.
Stream access logs through Kinesis Data Firehose
Applications that need to transform or route logs to multiple destinations use Kinesis Data Firehose for flexible delivery pipelines.
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const example = new aws.verifiedaccess.InstanceLoggingConfiguration("example", {
accessLogs: {
kinesisDataFirehose: {
deliveryStream: exampleAwsKinesisFirehoseDeliveryStream.name,
enabled: true,
},
},
verifiedaccessInstanceId: exampleAwsVerifiedaccessInstance.id,
});
import pulumi
import pulumi_aws as aws
example = aws.verifiedaccess.InstanceLoggingConfiguration("example",
access_logs={
"kinesis_data_firehose": {
"delivery_stream": example_aws_kinesis_firehose_delivery_stream["name"],
"enabled": True,
},
},
verifiedaccess_instance_id=example_aws_verifiedaccess_instance["id"])
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/verifiedaccess"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := verifiedaccess.NewInstanceLoggingConfiguration(ctx, "example", &verifiedaccess.InstanceLoggingConfigurationArgs{
AccessLogs: &verifiedaccess.InstanceLoggingConfigurationAccessLogsArgs{
KinesisDataFirehose: &verifiedaccess.InstanceLoggingConfigurationAccessLogsKinesisDataFirehoseArgs{
DeliveryStream: pulumi.Any(exampleAwsKinesisFirehoseDeliveryStream.Name),
Enabled: pulumi.Bool(true),
},
},
VerifiedaccessInstanceId: pulumi.Any(exampleAwsVerifiedaccessInstance.Id),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
var example = new Aws.VerifiedAccess.InstanceLoggingConfiguration("example", new()
{
AccessLogs = new Aws.VerifiedAccess.Inputs.InstanceLoggingConfigurationAccessLogsArgs
{
KinesisDataFirehose = new Aws.VerifiedAccess.Inputs.InstanceLoggingConfigurationAccessLogsKinesisDataFirehoseArgs
{
DeliveryStream = exampleAwsKinesisFirehoseDeliveryStream.Name,
Enabled = true,
},
},
VerifiedaccessInstanceId = exampleAwsVerifiedaccessInstance.Id,
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.verifiedaccess.InstanceLoggingConfiguration;
import com.pulumi.aws.verifiedaccess.InstanceLoggingConfigurationArgs;
import com.pulumi.aws.verifiedaccess.inputs.InstanceLoggingConfigurationAccessLogsArgs;
import com.pulumi.aws.verifiedaccess.inputs.InstanceLoggingConfigurationAccessLogsKinesisDataFirehoseArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var example = new InstanceLoggingConfiguration("example", InstanceLoggingConfigurationArgs.builder()
.accessLogs(InstanceLoggingConfigurationAccessLogsArgs.builder()
.kinesisDataFirehose(InstanceLoggingConfigurationAccessLogsKinesisDataFirehoseArgs.builder()
.deliveryStream(exampleAwsKinesisFirehoseDeliveryStream.name())
.enabled(true)
.build())
.build())
.verifiedaccessInstanceId(exampleAwsVerifiedaccessInstance.id())
.build());
}
}
resources:
example:
type: aws:verifiedaccess:InstanceLoggingConfiguration
properties:
accessLogs:
kinesisDataFirehose:
deliveryStream: ${exampleAwsKinesisFirehoseDeliveryStream.name}
enabled: true
verifiedaccessInstanceId: ${exampleAwsVerifiedaccessInstance.id}
The kinesisDataFirehose block routes logs through a Firehose delivery stream, enabling transformation via Lambda and delivery to S3, Redshift, or third-party services. The deliveryStream property references the stream by name.
Archive access logs to S3
Long-term retention and compliance requirements often drive teams to store access logs in S3 for cost-effective archival.
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const example = new aws.verifiedaccess.InstanceLoggingConfiguration("example", {
accessLogs: {
s3: {
bucketName: exampleAwsS3Bucket.id,
enabled: true,
prefix: "example",
},
},
verifiedaccessInstanceId: exampleAwsVerifiedaccessInstance.id,
});
import pulumi
import pulumi_aws as aws
example = aws.verifiedaccess.InstanceLoggingConfiguration("example",
access_logs={
"s3": {
"bucket_name": example_aws_s3_bucket["id"],
"enabled": True,
"prefix": "example",
},
},
verifiedaccess_instance_id=example_aws_verifiedaccess_instance["id"])
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/verifiedaccess"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := verifiedaccess.NewInstanceLoggingConfiguration(ctx, "example", &verifiedaccess.InstanceLoggingConfigurationArgs{
AccessLogs: &verifiedaccess.InstanceLoggingConfigurationAccessLogsArgs{
S3: &verifiedaccess.InstanceLoggingConfigurationAccessLogsS3Args{
BucketName: pulumi.Any(exampleAwsS3Bucket.Id),
Enabled: pulumi.Bool(true),
Prefix: pulumi.String("example"),
},
},
VerifiedaccessInstanceId: pulumi.Any(exampleAwsVerifiedaccessInstance.Id),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
var example = new Aws.VerifiedAccess.InstanceLoggingConfiguration("example", new()
{
AccessLogs = new Aws.VerifiedAccess.Inputs.InstanceLoggingConfigurationAccessLogsArgs
{
S3 = new Aws.VerifiedAccess.Inputs.InstanceLoggingConfigurationAccessLogsS3Args
{
BucketName = exampleAwsS3Bucket.Id,
Enabled = true,
Prefix = "example",
},
},
VerifiedaccessInstanceId = exampleAwsVerifiedaccessInstance.Id,
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.verifiedaccess.InstanceLoggingConfiguration;
import com.pulumi.aws.verifiedaccess.InstanceLoggingConfigurationArgs;
import com.pulumi.aws.verifiedaccess.inputs.InstanceLoggingConfigurationAccessLogsArgs;
import com.pulumi.aws.verifiedaccess.inputs.InstanceLoggingConfigurationAccessLogsS3Args;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var example = new InstanceLoggingConfiguration("example", InstanceLoggingConfigurationArgs.builder()
.accessLogs(InstanceLoggingConfigurationAccessLogsArgs.builder()
.s3(InstanceLoggingConfigurationAccessLogsS3Args.builder()
.bucketName(exampleAwsS3Bucket.id())
.enabled(true)
.prefix("example")
.build())
.build())
.verifiedaccessInstanceId(exampleAwsVerifiedaccessInstance.id())
.build());
}
}
resources:
example:
type: aws:verifiedaccess:InstanceLoggingConfiguration
properties:
accessLogs:
s3:
bucketName: ${exampleAwsS3Bucket.id}
enabled: true
prefix: example
verifiedaccessInstanceId: ${exampleAwsVerifiedaccessInstance.id}
The s3 block writes logs directly to an S3 bucket. The prefix property organizes logs under a specific path within the bucket. This configuration is useful for compliance archival and batch analysis with tools like Athena.
Enable multiple logging destinations simultaneously
Some deployments need logs in multiple places: CloudWatch for real-time monitoring, Firehose for transformation, and S3 for archival.
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const example = new aws.verifiedaccess.InstanceLoggingConfiguration("example", {
accessLogs: {
cloudwatchLogs: {
enabled: true,
logGroup: exampleAwsCloudwatchLogGroup.id,
},
kinesisDataFirehose: {
deliveryStream: exampleAwsKinesisFirehoseDeliveryStream.name,
enabled: true,
},
s3: {
bucketName: exampleAwsS3Bucket.id,
enabled: true,
},
},
verifiedaccessInstanceId: exampleAwsVerifiedaccessInstance.id,
});
import pulumi
import pulumi_aws as aws
example = aws.verifiedaccess.InstanceLoggingConfiguration("example",
access_logs={
"cloudwatch_logs": {
"enabled": True,
"log_group": example_aws_cloudwatch_log_group["id"],
},
"kinesis_data_firehose": {
"delivery_stream": example_aws_kinesis_firehose_delivery_stream["name"],
"enabled": True,
},
"s3": {
"bucket_name": example_aws_s3_bucket["id"],
"enabled": True,
},
},
verifiedaccess_instance_id=example_aws_verifiedaccess_instance["id"])
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/verifiedaccess"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := verifiedaccess.NewInstanceLoggingConfiguration(ctx, "example", &verifiedaccess.InstanceLoggingConfigurationArgs{
AccessLogs: &verifiedaccess.InstanceLoggingConfigurationAccessLogsArgs{
CloudwatchLogs: &verifiedaccess.InstanceLoggingConfigurationAccessLogsCloudwatchLogsArgs{
Enabled: pulumi.Bool(true),
LogGroup: pulumi.Any(exampleAwsCloudwatchLogGroup.Id),
},
KinesisDataFirehose: &verifiedaccess.InstanceLoggingConfigurationAccessLogsKinesisDataFirehoseArgs{
DeliveryStream: pulumi.Any(exampleAwsKinesisFirehoseDeliveryStream.Name),
Enabled: pulumi.Bool(true),
},
S3: &verifiedaccess.InstanceLoggingConfigurationAccessLogsS3Args{
BucketName: pulumi.Any(exampleAwsS3Bucket.Id),
Enabled: pulumi.Bool(true),
},
},
VerifiedaccessInstanceId: pulumi.Any(exampleAwsVerifiedaccessInstance.Id),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
var example = new Aws.VerifiedAccess.InstanceLoggingConfiguration("example", new()
{
AccessLogs = new Aws.VerifiedAccess.Inputs.InstanceLoggingConfigurationAccessLogsArgs
{
CloudwatchLogs = new Aws.VerifiedAccess.Inputs.InstanceLoggingConfigurationAccessLogsCloudwatchLogsArgs
{
Enabled = true,
LogGroup = exampleAwsCloudwatchLogGroup.Id,
},
KinesisDataFirehose = new Aws.VerifiedAccess.Inputs.InstanceLoggingConfigurationAccessLogsKinesisDataFirehoseArgs
{
DeliveryStream = exampleAwsKinesisFirehoseDeliveryStream.Name,
Enabled = true,
},
S3 = new Aws.VerifiedAccess.Inputs.InstanceLoggingConfigurationAccessLogsS3Args
{
BucketName = exampleAwsS3Bucket.Id,
Enabled = true,
},
},
VerifiedaccessInstanceId = exampleAwsVerifiedaccessInstance.Id,
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.verifiedaccess.InstanceLoggingConfiguration;
import com.pulumi.aws.verifiedaccess.InstanceLoggingConfigurationArgs;
import com.pulumi.aws.verifiedaccess.inputs.InstanceLoggingConfigurationAccessLogsArgs;
import com.pulumi.aws.verifiedaccess.inputs.InstanceLoggingConfigurationAccessLogsCloudwatchLogsArgs;
import com.pulumi.aws.verifiedaccess.inputs.InstanceLoggingConfigurationAccessLogsKinesisDataFirehoseArgs;
import com.pulumi.aws.verifiedaccess.inputs.InstanceLoggingConfigurationAccessLogsS3Args;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var example = new InstanceLoggingConfiguration("example", InstanceLoggingConfigurationArgs.builder()
.accessLogs(InstanceLoggingConfigurationAccessLogsArgs.builder()
.cloudwatchLogs(InstanceLoggingConfigurationAccessLogsCloudwatchLogsArgs.builder()
.enabled(true)
.logGroup(exampleAwsCloudwatchLogGroup.id())
.build())
.kinesisDataFirehose(InstanceLoggingConfigurationAccessLogsKinesisDataFirehoseArgs.builder()
.deliveryStream(exampleAwsKinesisFirehoseDeliveryStream.name())
.enabled(true)
.build())
.s3(InstanceLoggingConfigurationAccessLogsS3Args.builder()
.bucketName(exampleAwsS3Bucket.id())
.enabled(true)
.build())
.build())
.verifiedaccessInstanceId(exampleAwsVerifiedaccessInstance.id())
.build());
}
}
resources:
example:
type: aws:verifiedaccess:InstanceLoggingConfiguration
properties:
accessLogs:
cloudwatchLogs:
enabled: true
logGroup: ${exampleAwsCloudwatchLogGroup.id}
kinesisDataFirehose:
deliveryStream: ${exampleAwsKinesisFirehoseDeliveryStream.name}
enabled: true
s3:
bucketName: ${exampleAwsS3Bucket.id}
enabled: true
verifiedaccessInstanceId: ${exampleAwsVerifiedaccessInstance.id}
You can enable all three destinations in a single configuration. Verified Access sends logs to each destination independently. This approach supports different use cases: CloudWatch for alerting, Firehose for enrichment, and S3 for long-term storage.
Include trust context in access logs
Security teams analyzing access patterns need trust context data to understand device posture and authentication details.
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const example = new aws.verifiedaccess.InstanceLoggingConfiguration("example", {
accessLogs: {
includeTrustContext: true,
},
verifiedaccessInstanceId: exampleAwsVerifiedaccessInstance.id,
});
import pulumi
import pulumi_aws as aws
example = aws.verifiedaccess.InstanceLoggingConfiguration("example",
access_logs={
"include_trust_context": True,
},
verifiedaccess_instance_id=example_aws_verifiedaccess_instance["id"])
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/verifiedaccess"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := verifiedaccess.NewInstanceLoggingConfiguration(ctx, "example", &verifiedaccess.InstanceLoggingConfigurationArgs{
AccessLogs: &verifiedaccess.InstanceLoggingConfigurationAccessLogsArgs{
IncludeTrustContext: pulumi.Bool(true),
},
VerifiedaccessInstanceId: pulumi.Any(exampleAwsVerifiedaccessInstance.Id),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
var example = new Aws.VerifiedAccess.InstanceLoggingConfiguration("example", new()
{
AccessLogs = new Aws.VerifiedAccess.Inputs.InstanceLoggingConfigurationAccessLogsArgs
{
IncludeTrustContext = true,
},
VerifiedaccessInstanceId = exampleAwsVerifiedaccessInstance.Id,
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.verifiedaccess.InstanceLoggingConfiguration;
import com.pulumi.aws.verifiedaccess.InstanceLoggingConfigurationArgs;
import com.pulumi.aws.verifiedaccess.inputs.InstanceLoggingConfigurationAccessLogsArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var example = new InstanceLoggingConfiguration("example", InstanceLoggingConfigurationArgs.builder()
.accessLogs(InstanceLoggingConfigurationAccessLogsArgs.builder()
.includeTrustContext(true)
.build())
.verifiedaccessInstanceId(exampleAwsVerifiedaccessInstance.id())
.build());
}
}
resources:
example:
type: aws:verifiedaccess:InstanceLoggingConfiguration
properties:
accessLogs:
includeTrustContext: true
verifiedaccessInstanceId: ${exampleAwsVerifiedaccessInstance.id}
Setting includeTrustContext to true enriches logs with device trust signals and authentication context. This data helps security teams correlate access patterns with device compliance state and user identity verification.
Specify log format version
Applications that parse Verified Access logs need to specify the log schema version to ensure consistent field structure.
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const example = new aws.verifiedaccess.InstanceLoggingConfiguration("example", {
accessLogs: {
logVersion: "ocsf-1.0.0-rc.2",
},
verifiedaccessInstanceId: exampleAwsVerifiedaccessInstance.id,
});
import pulumi
import pulumi_aws as aws
example = aws.verifiedaccess.InstanceLoggingConfiguration("example",
access_logs={
"log_version": "ocsf-1.0.0-rc.2",
},
verifiedaccess_instance_id=example_aws_verifiedaccess_instance["id"])
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/verifiedaccess"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := verifiedaccess.NewInstanceLoggingConfiguration(ctx, "example", &verifiedaccess.InstanceLoggingConfigurationArgs{
AccessLogs: &verifiedaccess.InstanceLoggingConfigurationAccessLogsArgs{
LogVersion: pulumi.String("ocsf-1.0.0-rc.2"),
},
VerifiedaccessInstanceId: pulumi.Any(exampleAwsVerifiedaccessInstance.Id),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
var example = new Aws.VerifiedAccess.InstanceLoggingConfiguration("example", new()
{
AccessLogs = new Aws.VerifiedAccess.Inputs.InstanceLoggingConfigurationAccessLogsArgs
{
LogVersion = "ocsf-1.0.0-rc.2",
},
VerifiedaccessInstanceId = exampleAwsVerifiedaccessInstance.Id,
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.verifiedaccess.InstanceLoggingConfiguration;
import com.pulumi.aws.verifiedaccess.InstanceLoggingConfigurationArgs;
import com.pulumi.aws.verifiedaccess.inputs.InstanceLoggingConfigurationAccessLogsArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var example = new InstanceLoggingConfiguration("example", InstanceLoggingConfigurationArgs.builder()
.accessLogs(InstanceLoggingConfigurationAccessLogsArgs.builder()
.logVersion("ocsf-1.0.0-rc.2")
.build())
.verifiedaccessInstanceId(exampleAwsVerifiedaccessInstance.id())
.build());
}
}
resources:
example:
type: aws:verifiedaccess:InstanceLoggingConfiguration
properties:
accessLogs:
logVersion: ocsf-1.0.0-rc.2
verifiedaccessInstanceId: ${exampleAwsVerifiedaccessInstance.id}
The logVersion property controls the log schema format. Specifying a version like “ocsf-1.0.0-rc.2” ensures your log parsing logic remains stable across Verified Access updates.
Beyond these examples
These snippets focus on specific logging configuration features: CloudWatch, Kinesis Firehose, and S3 destinations, trust context enrichment, and log format versioning. They’re intentionally minimal rather than full logging pipelines.
The examples reference pre-existing infrastructure such as Verified Access instances, CloudWatch log groups, Kinesis Firehose delivery streams, and S3 buckets. They focus on configuring log delivery rather than provisioning the underlying infrastructure.
To keep things focused, common logging patterns are omitted, including:
- IAM permissions for log delivery
- Log retention and lifecycle policies
- Cross-region logging configuration
- Log encryption settings
These omissions are intentional: the goal is to illustrate how each logging feature is wired, not provide drop-in monitoring solutions. See the Verified Access Instance Logging Configuration resource reference for all available configuration options.
Let's configure AWS Verified Access Logging
Get started with Pulumi Cloud, then follow our quick setup guide to deploy this infrastructure.
Try Pulumi Cloud for FREEFrequently Asked Questions
Configuration & Setup
Can I change the Verified Access instance after creating the logging configuration?
No,
verifiedaccessInstanceId is immutable. To use a different instance, you must destroy and recreate the logging configuration.What's required to create a logging configuration?
You need
accessLogs (logging configuration block) and verifiedaccessInstanceId (the instance to configure logging for).Logging Destinations
What logging destinations are supported?
Three destinations are available: CloudWatch Logs, Kinesis Data Firehose, and S3.
Can I send logs to multiple destinations simultaneously?
Yes, you can enable CloudWatch Logs, Kinesis Data Firehose, and S3 together in the same configuration.
Advanced Options
What does includeTrustContext do?
includeTrustContext is an optional boolean flag in the accessLogs configuration that controls whether trust context information is included in logs.What is logVersion used for?
logVersion specifies the log format version (e.g., ocsf-1.0.0-rc.2) for the access logs.