The aws:verifiedaccess/instanceLoggingConfiguration:InstanceLoggingConfiguration resource, part of the Pulumi AWS provider, configures where Verified Access instances send access logs and what metadata they include. This guide focuses on three capabilities: destination configuration (CloudWatch, Kinesis Firehose, S3), multi-destination logging, and trust context enrichment.
Logging configurations attach to existing Verified Access instances and route logs to CloudWatch log groups, Kinesis Firehose delivery streams, or S3 buckets. The examples are intentionally small. Combine them with your own IAM policies and destination resources.
Send access logs to CloudWatch Logs
Teams monitoring Verified Access often route logs to CloudWatch for centralized aggregation and real-time analysis.
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const example = new aws.verifiedaccess.InstanceLoggingConfiguration("example", {
accessLogs: {
cloudwatchLogs: {
enabled: true,
logGroup: exampleAwsCloudwatchLogGroup.id,
},
},
verifiedaccessInstanceId: exampleAwsVerifiedaccessInstance.id,
});
import pulumi
import pulumi_aws as aws
example = aws.verifiedaccess.InstanceLoggingConfiguration("example",
access_logs={
"cloudwatch_logs": {
"enabled": True,
"log_group": example_aws_cloudwatch_log_group["id"],
},
},
verifiedaccess_instance_id=example_aws_verifiedaccess_instance["id"])
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/verifiedaccess"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := verifiedaccess.NewInstanceLoggingConfiguration(ctx, "example", &verifiedaccess.InstanceLoggingConfigurationArgs{
AccessLogs: &verifiedaccess.InstanceLoggingConfigurationAccessLogsArgs{
CloudwatchLogs: &verifiedaccess.InstanceLoggingConfigurationAccessLogsCloudwatchLogsArgs{
Enabled: pulumi.Bool(true),
LogGroup: pulumi.Any(exampleAwsCloudwatchLogGroup.Id),
},
},
VerifiedaccessInstanceId: pulumi.Any(exampleAwsVerifiedaccessInstance.Id),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
var example = new Aws.VerifiedAccess.InstanceLoggingConfiguration("example", new()
{
AccessLogs = new Aws.VerifiedAccess.Inputs.InstanceLoggingConfigurationAccessLogsArgs
{
CloudwatchLogs = new Aws.VerifiedAccess.Inputs.InstanceLoggingConfigurationAccessLogsCloudwatchLogsArgs
{
Enabled = true,
LogGroup = exampleAwsCloudwatchLogGroup.Id,
},
},
VerifiedaccessInstanceId = exampleAwsVerifiedaccessInstance.Id,
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.verifiedaccess.InstanceLoggingConfiguration;
import com.pulumi.aws.verifiedaccess.InstanceLoggingConfigurationArgs;
import com.pulumi.aws.verifiedaccess.inputs.InstanceLoggingConfigurationAccessLogsArgs;
import com.pulumi.aws.verifiedaccess.inputs.InstanceLoggingConfigurationAccessLogsCloudwatchLogsArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var example = new InstanceLoggingConfiguration("example", InstanceLoggingConfigurationArgs.builder()
.accessLogs(InstanceLoggingConfigurationAccessLogsArgs.builder()
.cloudwatchLogs(InstanceLoggingConfigurationAccessLogsCloudwatchLogsArgs.builder()
.enabled(true)
.logGroup(exampleAwsCloudwatchLogGroup.id())
.build())
.build())
.verifiedaccessInstanceId(exampleAwsVerifiedaccessInstance.id())
.build());
}
}
resources:
example:
type: aws:verifiedaccess:InstanceLoggingConfiguration
properties:
accessLogs:
cloudwatchLogs:
enabled: true
logGroup: ${exampleAwsCloudwatchLogGroup.id}
verifiedaccessInstanceId: ${exampleAwsVerifiedaccessInstance.id}
When enabled, the Verified Access instance sends access logs to the specified CloudWatch log group. The cloudwatchLogs block requires enabled set to true and a logGroup ID. This integrates with CloudWatch Insights for querying and alerting.
Stream access logs through Kinesis Data Firehose
Applications that need to transform or route logs to multiple destinations use Kinesis Data Firehose as an intermediary.
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const example = new aws.verifiedaccess.InstanceLoggingConfiguration("example", {
accessLogs: {
kinesisDataFirehose: {
deliveryStream: exampleAwsKinesisFirehoseDeliveryStream.name,
enabled: true,
},
},
verifiedaccessInstanceId: exampleAwsVerifiedaccessInstance.id,
});
import pulumi
import pulumi_aws as aws
example = aws.verifiedaccess.InstanceLoggingConfiguration("example",
access_logs={
"kinesis_data_firehose": {
"delivery_stream": example_aws_kinesis_firehose_delivery_stream["name"],
"enabled": True,
},
},
verifiedaccess_instance_id=example_aws_verifiedaccess_instance["id"])
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/verifiedaccess"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := verifiedaccess.NewInstanceLoggingConfiguration(ctx, "example", &verifiedaccess.InstanceLoggingConfigurationArgs{
AccessLogs: &verifiedaccess.InstanceLoggingConfigurationAccessLogsArgs{
KinesisDataFirehose: &verifiedaccess.InstanceLoggingConfigurationAccessLogsKinesisDataFirehoseArgs{
DeliveryStream: pulumi.Any(exampleAwsKinesisFirehoseDeliveryStream.Name),
Enabled: pulumi.Bool(true),
},
},
VerifiedaccessInstanceId: pulumi.Any(exampleAwsVerifiedaccessInstance.Id),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
var example = new Aws.VerifiedAccess.InstanceLoggingConfiguration("example", new()
{
AccessLogs = new Aws.VerifiedAccess.Inputs.InstanceLoggingConfigurationAccessLogsArgs
{
KinesisDataFirehose = new Aws.VerifiedAccess.Inputs.InstanceLoggingConfigurationAccessLogsKinesisDataFirehoseArgs
{
DeliveryStream = exampleAwsKinesisFirehoseDeliveryStream.Name,
Enabled = true,
},
},
VerifiedaccessInstanceId = exampleAwsVerifiedaccessInstance.Id,
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.verifiedaccess.InstanceLoggingConfiguration;
import com.pulumi.aws.verifiedaccess.InstanceLoggingConfigurationArgs;
import com.pulumi.aws.verifiedaccess.inputs.InstanceLoggingConfigurationAccessLogsArgs;
import com.pulumi.aws.verifiedaccess.inputs.InstanceLoggingConfigurationAccessLogsKinesisDataFirehoseArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var example = new InstanceLoggingConfiguration("example", InstanceLoggingConfigurationArgs.builder()
.accessLogs(InstanceLoggingConfigurationAccessLogsArgs.builder()
.kinesisDataFirehose(InstanceLoggingConfigurationAccessLogsKinesisDataFirehoseArgs.builder()
.deliveryStream(exampleAwsKinesisFirehoseDeliveryStream.name())
.enabled(true)
.build())
.build())
.verifiedaccessInstanceId(exampleAwsVerifiedaccessInstance.id())
.build());
}
}
resources:
example:
type: aws:verifiedaccess:InstanceLoggingConfiguration
properties:
accessLogs:
kinesisDataFirehose:
deliveryStream: ${exampleAwsKinesisFirehoseDeliveryStream.name}
enabled: true
verifiedaccessInstanceId: ${exampleAwsVerifiedaccessInstance.id}
The kinesisDataFirehose block routes logs through a delivery stream, enabling transformation via Lambda and delivery to S3, Redshift, or third-party tools. The deliveryStream property references the Firehose stream name.
Archive access logs to S3 with a prefix
Long-term retention and compliance workflows often store access logs in S3 for cost-effective archival.
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const example = new aws.verifiedaccess.InstanceLoggingConfiguration("example", {
accessLogs: {
s3: {
bucketName: exampleAwsS3Bucket.id,
enabled: true,
prefix: "example",
},
},
verifiedaccessInstanceId: exampleAwsVerifiedaccessInstance.id,
});
import pulumi
import pulumi_aws as aws
example = aws.verifiedaccess.InstanceLoggingConfiguration("example",
access_logs={
"s3": {
"bucket_name": example_aws_s3_bucket["id"],
"enabled": True,
"prefix": "example",
},
},
verifiedaccess_instance_id=example_aws_verifiedaccess_instance["id"])
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/verifiedaccess"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := verifiedaccess.NewInstanceLoggingConfiguration(ctx, "example", &verifiedaccess.InstanceLoggingConfigurationArgs{
AccessLogs: &verifiedaccess.InstanceLoggingConfigurationAccessLogsArgs{
S3: &verifiedaccess.InstanceLoggingConfigurationAccessLogsS3Args{
BucketName: pulumi.Any(exampleAwsS3Bucket.Id),
Enabled: pulumi.Bool(true),
Prefix: pulumi.String("example"),
},
},
VerifiedaccessInstanceId: pulumi.Any(exampleAwsVerifiedaccessInstance.Id),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
var example = new Aws.VerifiedAccess.InstanceLoggingConfiguration("example", new()
{
AccessLogs = new Aws.VerifiedAccess.Inputs.InstanceLoggingConfigurationAccessLogsArgs
{
S3 = new Aws.VerifiedAccess.Inputs.InstanceLoggingConfigurationAccessLogsS3Args
{
BucketName = exampleAwsS3Bucket.Id,
Enabled = true,
Prefix = "example",
},
},
VerifiedaccessInstanceId = exampleAwsVerifiedaccessInstance.Id,
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.verifiedaccess.InstanceLoggingConfiguration;
import com.pulumi.aws.verifiedaccess.InstanceLoggingConfigurationArgs;
import com.pulumi.aws.verifiedaccess.inputs.InstanceLoggingConfigurationAccessLogsArgs;
import com.pulumi.aws.verifiedaccess.inputs.InstanceLoggingConfigurationAccessLogsS3Args;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var example = new InstanceLoggingConfiguration("example", InstanceLoggingConfigurationArgs.builder()
.accessLogs(InstanceLoggingConfigurationAccessLogsArgs.builder()
.s3(InstanceLoggingConfigurationAccessLogsS3Args.builder()
.bucketName(exampleAwsS3Bucket.id())
.enabled(true)
.prefix("example")
.build())
.build())
.verifiedaccessInstanceId(exampleAwsVerifiedaccessInstance.id())
.build());
}
}
resources:
example:
type: aws:verifiedaccess:InstanceLoggingConfiguration
properties:
accessLogs:
s3:
bucketName: ${exampleAwsS3Bucket.id}
enabled: true
prefix: example
verifiedaccessInstanceId: ${exampleAwsVerifiedaccessInstance.id}
The s3 block writes logs to the specified bucket with an optional prefix for organization. This supports batch analysis and meets compliance requirements for log retention.
Enable multiple destinations simultaneously
Some organizations need logs in multiple destinations: CloudWatch for real-time monitoring, Firehose for transformation, and S3 for archival.
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const example = new aws.verifiedaccess.InstanceLoggingConfiguration("example", {
accessLogs: {
cloudwatchLogs: {
enabled: true,
logGroup: exampleAwsCloudwatchLogGroup.id,
},
kinesisDataFirehose: {
deliveryStream: exampleAwsKinesisFirehoseDeliveryStream.name,
enabled: true,
},
s3: {
bucketName: exampleAwsS3Bucket.id,
enabled: true,
},
},
verifiedaccessInstanceId: exampleAwsVerifiedaccessInstance.id,
});
import pulumi
import pulumi_aws as aws
example = aws.verifiedaccess.InstanceLoggingConfiguration("example",
access_logs={
"cloudwatch_logs": {
"enabled": True,
"log_group": example_aws_cloudwatch_log_group["id"],
},
"kinesis_data_firehose": {
"delivery_stream": example_aws_kinesis_firehose_delivery_stream["name"],
"enabled": True,
},
"s3": {
"bucket_name": example_aws_s3_bucket["id"],
"enabled": True,
},
},
verifiedaccess_instance_id=example_aws_verifiedaccess_instance["id"])
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/verifiedaccess"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := verifiedaccess.NewInstanceLoggingConfiguration(ctx, "example", &verifiedaccess.InstanceLoggingConfigurationArgs{
AccessLogs: &verifiedaccess.InstanceLoggingConfigurationAccessLogsArgs{
CloudwatchLogs: &verifiedaccess.InstanceLoggingConfigurationAccessLogsCloudwatchLogsArgs{
Enabled: pulumi.Bool(true),
LogGroup: pulumi.Any(exampleAwsCloudwatchLogGroup.Id),
},
KinesisDataFirehose: &verifiedaccess.InstanceLoggingConfigurationAccessLogsKinesisDataFirehoseArgs{
DeliveryStream: pulumi.Any(exampleAwsKinesisFirehoseDeliveryStream.Name),
Enabled: pulumi.Bool(true),
},
S3: &verifiedaccess.InstanceLoggingConfigurationAccessLogsS3Args{
BucketName: pulumi.Any(exampleAwsS3Bucket.Id),
Enabled: pulumi.Bool(true),
},
},
VerifiedaccessInstanceId: pulumi.Any(exampleAwsVerifiedaccessInstance.Id),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
var example = new Aws.VerifiedAccess.InstanceLoggingConfiguration("example", new()
{
AccessLogs = new Aws.VerifiedAccess.Inputs.InstanceLoggingConfigurationAccessLogsArgs
{
CloudwatchLogs = new Aws.VerifiedAccess.Inputs.InstanceLoggingConfigurationAccessLogsCloudwatchLogsArgs
{
Enabled = true,
LogGroup = exampleAwsCloudwatchLogGroup.Id,
},
KinesisDataFirehose = new Aws.VerifiedAccess.Inputs.InstanceLoggingConfigurationAccessLogsKinesisDataFirehoseArgs
{
DeliveryStream = exampleAwsKinesisFirehoseDeliveryStream.Name,
Enabled = true,
},
S3 = new Aws.VerifiedAccess.Inputs.InstanceLoggingConfigurationAccessLogsS3Args
{
BucketName = exampleAwsS3Bucket.Id,
Enabled = true,
},
},
VerifiedaccessInstanceId = exampleAwsVerifiedaccessInstance.Id,
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.verifiedaccess.InstanceLoggingConfiguration;
import com.pulumi.aws.verifiedaccess.InstanceLoggingConfigurationArgs;
import com.pulumi.aws.verifiedaccess.inputs.InstanceLoggingConfigurationAccessLogsArgs;
import com.pulumi.aws.verifiedaccess.inputs.InstanceLoggingConfigurationAccessLogsCloudwatchLogsArgs;
import com.pulumi.aws.verifiedaccess.inputs.InstanceLoggingConfigurationAccessLogsKinesisDataFirehoseArgs;
import com.pulumi.aws.verifiedaccess.inputs.InstanceLoggingConfigurationAccessLogsS3Args;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var example = new InstanceLoggingConfiguration("example", InstanceLoggingConfigurationArgs.builder()
.accessLogs(InstanceLoggingConfigurationAccessLogsArgs.builder()
.cloudwatchLogs(InstanceLoggingConfigurationAccessLogsCloudwatchLogsArgs.builder()
.enabled(true)
.logGroup(exampleAwsCloudwatchLogGroup.id())
.build())
.kinesisDataFirehose(InstanceLoggingConfigurationAccessLogsKinesisDataFirehoseArgs.builder()
.deliveryStream(exampleAwsKinesisFirehoseDeliveryStream.name())
.enabled(true)
.build())
.s3(InstanceLoggingConfigurationAccessLogsS3Args.builder()
.bucketName(exampleAwsS3Bucket.id())
.enabled(true)
.build())
.build())
.verifiedaccessInstanceId(exampleAwsVerifiedaccessInstance.id())
.build());
}
}
resources:
example:
type: aws:verifiedaccess:InstanceLoggingConfiguration
properties:
accessLogs:
cloudwatchLogs:
enabled: true
logGroup: ${exampleAwsCloudwatchLogGroup.id}
kinesisDataFirehose:
deliveryStream: ${exampleAwsKinesisFirehoseDeliveryStream.name}
enabled: true
s3:
bucketName: ${exampleAwsS3Bucket.id}
enabled: true
verifiedaccessInstanceId: ${exampleAwsVerifiedaccessInstance.id}
You can enable all three destinations in a single configuration. Each destination operates independently; logs flow to all enabled targets concurrently. This combines the real-time capabilities of CloudWatch with the transformation power of Firehose and the archival benefits of S3.
Include trust context in access logs
Security teams analyzing access patterns need trust context data to understand device posture and authentication details.
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const example = new aws.verifiedaccess.InstanceLoggingConfiguration("example", {
accessLogs: {
includeTrustContext: true,
},
verifiedaccessInstanceId: exampleAwsVerifiedaccessInstance.id,
});
import pulumi
import pulumi_aws as aws
example = aws.verifiedaccess.InstanceLoggingConfiguration("example",
access_logs={
"include_trust_context": True,
},
verifiedaccess_instance_id=example_aws_verifiedaccess_instance["id"])
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/verifiedaccess"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := verifiedaccess.NewInstanceLoggingConfiguration(ctx, "example", &verifiedaccess.InstanceLoggingConfigurationArgs{
AccessLogs: &verifiedaccess.InstanceLoggingConfigurationAccessLogsArgs{
IncludeTrustContext: pulumi.Bool(true),
},
VerifiedaccessInstanceId: pulumi.Any(exampleAwsVerifiedaccessInstance.Id),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
var example = new Aws.VerifiedAccess.InstanceLoggingConfiguration("example", new()
{
AccessLogs = new Aws.VerifiedAccess.Inputs.InstanceLoggingConfigurationAccessLogsArgs
{
IncludeTrustContext = true,
},
VerifiedaccessInstanceId = exampleAwsVerifiedaccessInstance.Id,
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.verifiedaccess.InstanceLoggingConfiguration;
import com.pulumi.aws.verifiedaccess.InstanceLoggingConfigurationArgs;
import com.pulumi.aws.verifiedaccess.inputs.InstanceLoggingConfigurationAccessLogsArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var example = new InstanceLoggingConfiguration("example", InstanceLoggingConfigurationArgs.builder()
.accessLogs(InstanceLoggingConfigurationAccessLogsArgs.builder()
.includeTrustContext(true)
.build())
.verifiedaccessInstanceId(exampleAwsVerifiedaccessInstance.id())
.build());
}
}
resources:
example:
type: aws:verifiedaccess:InstanceLoggingConfiguration
properties:
accessLogs:
includeTrustContext: true
verifiedaccessInstanceId: ${exampleAwsVerifiedaccessInstance.id}
The includeTrustContext property enriches logs with device trust and authentication metadata. This adds context about the device’s security posture and user authentication method to each access log entry. You must configure at least one destination (CloudWatch, Firehose, or S3) separately for logs to be delivered.
Beyond these examples
These snippets focus on specific logging configuration features: destination configuration (CloudWatch, Firehose, S3) and log enrichment and formatting. They’re intentionally minimal rather than full logging solutions.
The examples reference pre-existing infrastructure such as Verified Access instances, and CloudWatch log groups, Kinesis Firehose delivery streams, or S3 buckets. They focus on configuring log delivery rather than provisioning the destination resources.
To keep things focused, common logging patterns are omitted, including:
- IAM permissions for log delivery
- Log retention and lifecycle policies
- Encryption configuration for log destinations
- Log format customization beyond logVersion
These omissions are intentional: the goal is to illustrate how each logging feature is wired, not provide drop-in monitoring modules. See the Verified Access Instance Logging Configuration resource reference for all available configuration options.
Let's configure AWS Verified Access Logging
Get started with Pulumi Cloud, then follow our quick setup guide to deploy this infrastructure.
Try Pulumi Cloud for FREEFrequently Asked Questions
Logging Destinations & Configuration
What logging destinations are available for Verified Access?
You can send logs to three destinations:
- CloudWatch Logs - Configure
cloudwatchLogswithenabledandlogGroup - Kinesis Data Firehose - Configure
kinesisDataFirehosewithenabledanddeliveryStream - S3 - Configure
s3withenabled,bucketName, and optionalprefix
Can I send logs to multiple destinations at the same time?
Yes, you can enable CloudWatch Logs, Kinesis Data Firehose, and S3 simultaneously by configuring all three within the
accessLogs block.How do I add a prefix to S3 logs?
Set the
prefix property within the s3 configuration block. This is optional.Advanced Options
What does includeTrustContext do?
includeTrustContext is a boolean option in the accessLogs block that controls whether trust context information is included in logs.What log versions are supported?
You can specify a log format version using the
logVersion property (e.g., ocsf-1.0.0-rc.2).Resource Management
What happens if I change the Verified Access instance ID?
Changing
verifiedaccessInstanceId forces resource replacement because this property is immutable.Do I need to specify a region?
No, the
region property defaults to the region configured in your provider.