[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"project-74115":3},{"id":4,"name":5,"fullName":6,"owner":7,"repo":5,"description":8,"homepage":9,"htmlUrl":10,"language":11,"languages":10,"totalLinesOfCode":10,"stars":12,"forks":13,"watchers":14,"openIssues":15,"contributorsCount":16,"subscribersCount":16,"size":16,"stars1d":17,"stars7d":18,"stars30d":19,"stars90d":16,"forks30d":16,"starsTrendScore":20,"compositeScore":21,"rankGlobal":10,"rankLanguage":10,"license":22,"archived":23,"fork":23,"defaultBranch":24,"hasWiki":25,"hasPages":23,"topics":26,"createdAt":10,"pushedAt":10,"updatedAt":45,"readmeContent":46,"aiSummary":47,"trendingCount":16,"starSnapshotCount":16,"syncStatus":48,"lastSyncTime":49,"discoverSource":50},74115,"ministack","ministackorg\u002Fministack","ministackorg","Ministack: Free, open-source local AWS emulator - 55+ services, Terraform compatible, real databases. Free forever. MIT   licensed.","https:\u002F\u002Fministack.org",null,"Python",3196,282,6,11,0,59,146,457,177,29.36,"MIT License",false,"main",true,[27,28,29,30,31,32,33,34,35,36,37,38,5,39,40,41,42,43,44],"aws","aws-emulator","aws-local","aws-sdk","devtools","docker","dynamodb","ec2","emulator","lambda","localstack","localstack-alternative","mock-aws","open-source","python","s3","sqs","terraform","2026-06-12 02:03:22","\u003Cp align=\"center\">\n  \u003Cimg src=\"ministack_logo.png\" alt=\"MiniStack — Free Open-Source AWS Emulator\" width=\"400\"\u002F>\n\u003C\u002Fp>\n\n\u003Ch1 align=\"center\">MiniStack\u003C\u002Fh1>\n\u003Cp align=\"center\">\u003Cstrong>Free, open-source local AWS emulator. Free forever.\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cp align=\"center\">40+ AWS services on a single port · Terraform compatible · Real databases · MIT licensed\u003C\u002Fp>\n\n\u003Cp align=\"center\">\n  \u003Ca href=\"https:\u002F\u002Fgithub.com\u002Fministackorg\u002Fministack\u002Freleases\">\u003Cimg src=\"https:\u002F\u002Fimg.shields.io\u002Fgithub\u002Fv\u002Frelease\u002Fministackorg\u002Fministack\" alt=\"GitHub release\">\u003C\u002Fa>\n  \u003Ca href=\"https:\u002F\u002Fgithub.com\u002Fministackorg\u002Fministack\u002Factions\">\u003Cimg src=\"https:\u002F\u002Fimg.shields.io\u002Fgithub\u002Factions\u002Fworkflow\u002Fstatus\u002Fministackorg\u002Fministack\u002Fci.yml?branch=master\" alt=\"Build\">\u003C\u002Fa>\n  \u003Ca href=\"https:\u002F\u002Fhub.docker.com\u002Fr\u002Fministackorg\u002Fministack\">\u003Cimg src=\"https:\u002F\u002Fimg.shields.io\u002Fdocker\u002Fpulls\u002Fministackorg\u002Fministack\" alt=\"Docker Pulls\">\u003C\u002Fa>\n  \u003Ca href=\"https:\u002F\u002Fhub.docker.com\u002Fr\u002Fministackorg\u002Fministack\">\u003Cimg src=\"https:\u002F\u002Fimg.shields.io\u002Fdocker\u002Fimage-size\u002Fministackorg\u002Fministack\u002Flatest\" alt=\"Docker Image Size\">\u003C\u002Fa>\n  \u003Ca href=\"https:\u002F\u002Fgithub.com\u002Fministackorg\u002Fministack\u002Fblob\u002Fmaster\u002FLICENSE\">\u003Cimg src=\"https:\u002F\u002Fimg.shields.io\u002Fgithub\u002Flicense\u002Fministackorg\u002Fministack\" alt=\"License\">\u003C\u002Fa>\n  \u003Cimg src=\"https:\u002F\u002Fimg.shields.io\u002Fbadge\u002Fpython-3.12-blue\" alt=\"Python\">\n  \u003Ca href=\"https:\u002F\u002Fgithub.com\u002Fministackorg\u002Fministack\u002Fstargazers\">\u003Cimg src=\"https:\u002F\u002Fimg.shields.io\u002Fgithub\u002Fstars\u002Fministackorg\u002Fministack\" alt=\"GitHub stars\">\u003C\u002Fa>\n\u003C\u002Fp>\n\n\u003Cp align=\"center\">\n  \u003Ca href=\"https:\u002F\u002Fministack.org\">Website\u003C\u002Fa> · \u003Ca href=\"https:\u002F\u002Fhub.docker.com\u002Fr\u002Fministackorg\u002Fministack\">Docker Hub\u003C\u002Fa> · \u003Ca href=\"https:\u002F\u002Fwww.linkedin.com\u002Fcompany\u002Fministackorg\u002F\">LinkedIn\u003C\u002Fa> · \u003Ca href=\"https:\u002F\u002Fwww.producthunt.com\u002Fproducts\u002Fministack\">Product Hunt\u003C\u002Fa>\n\u003C\u002Fp>\n\n---\n\n## Why MiniStack?\n\nLocalStack recently moved its core services behind a paid plan. If you relied on LocalStack Community for local development and CI\u002FCD pipelines, MiniStack is your free alternative.\n\n- **40+ AWS services** emulated on a single port (4566)\n- **Drop-in compatible** — works with `boto3`, AWS CLI, Terraform, CDK, Pulumi, any SDK\n- **Real infrastructure** — RDS spins up actual Postgres\u002FMySQL containers, ElastiCache spins up real Redis, Athena runs real SQL via DuckDB (full image only), ECS runs real Docker containers\n- **Tiny footprint** — ~270MB image, ~21MB RAM at idle vs LocalStack's ~1GB image and ~500MB RAM\n- **Fast startup** — under 2 seconds, HTTP\u002F2 (h2c) supported\n- **MIT licensed** — use it, fork it, contribute to it\n\n---\n\n## Quick Start\n\n```bash\n# Option 1: PyPI (simplest)\npip install ministack\nministack\n# Runs on http:\u002F\u002Flocalhost:4566 — use GATEWAY_PORT=XXXX to change\n\n# Option 2: Docker Hub\ndocker run -p 4566:4566 ministackorg\u002Fministack\n\n# Option 2b: Docker Hub with real infrastructure (RDS, ECS, Lambda containers)\ndocker run -p 4566:4566 -v \u002Fvar\u002Frun\u002Fdocker.sock:\u002Fvar\u002Frun\u002Fdocker.sock ministackorg\u002Fministack\n\n# Option 2c: Full image — Debian\u002Fglibc base with DuckDB (Athena), psycopg2, pymysql.\n# Larger (~360 MB vs ~110 MB) but enables Athena and native PostgreSQL\u002FMySQL drivers\n# that don't ship musllinux wheels. Reports `edition: full` on \u002F_ministack\u002Fhealth.\ndocker run -p 4566:4566 ministackorg\u002Fministack:full\n\n# Option 3: Clone and build\ngit clone https:\u002F\u002Fgithub.com\u002Fministackorg\u002Fministack\ncd ministack\ndocker compose up -d\n\n# Verify (any option)\ncurl http:\u002F\u002Flocalhost:4566\u002F_ministack\u002Fhealth\n```\n\nThat's it. No account, no API key, no sign-up.\n\n---\n\n## Internal API\n\nMiniStack exposes internal endpoints for test automation:\n\n```bash\n# Health check — returns service status\ncurl http:\u002F\u002Flocalhost:4566\u002F_ministack\u002Fhealth\n\n# Reset all state — wipe every service back to empty (useful between test runs)\ncurl -X POST http:\u002F\u002Flocalhost:4566\u002F_ministack\u002Freset\n\n# Reset and re-run init scripts (boot.d + ready.d)\ncurl -X POST http:\u002F\u002Flocalhost:4566\u002F_ministack\u002Freset?init=1\n\n# Runtime config — change service-level settings without restart\ncurl -X POST http:\u002F\u002Flocalhost:4566\u002F_ministack\u002Fconfig \\\n  -H \"Content-Type: application\u002Fjson\" \\\n  -d '{\"lambda_svc.LAMBDA_EXECUTOR\": \"docker\"}'\n\n# Inspect emails sent via SES — returns every message grouped by account\ncurl http:\u002F\u002Flocalhost:4566\u002F_ministack\u002Fses\u002Fmessages\n\n# Filter by account (12-digit access-key ID used as the account ID)\ncurl \"http:\u002F\u002Flocalhost:4566\u002F_ministack\u002Fses\u002Fmessages?account=000000000000\"\n```\n\nThe reset endpoint is especially useful in CI pipelines and test suites — call it in `setUp`\u002F`beforeEach` to get a clean environment for every test without restarting the container. Add `?init=1` to re-run your init scripts after the reset, restoring any resources they create (VPCs, queues, seed data, etc.).\n\nThe config endpoint supports these keys:\n\n| Key | Description |\n|-----|-------------|\n| `lambda_svc.LAMBDA_EXECUTOR` | Lambda execution mode (`local` or `docker`) |\n| `athena.ATHENA_ENGINE` | Athena query engine (`duckdb` or `mock`) |\n| `athena.ATHENA_DATA_DIR` | Directory for Athena DuckDB data files |\n| `stepfunctions._sfn_mock_config` | SFN mock config (AWS SFN Local compatible) |\n| `stepfunctions._SFN_WAIT_SCALE` | Scale factor for Wait state durations and retry sleeps (`0` = skip all waits) |\n\nTo set region or account ID, use environment variables at startup:\n\n```bash\ndocker run -p 4566:4566 \\\n  -e MINISTACK_REGION=eu-west-1 \\\n  -e MINISTACK_ACCOUNT_ID=123456789012 \\\n  ministackorg\u002Fministack\n```\n\nOr use the multi-tenancy feature — a 12-digit access key automatically becomes the account ID (see [Multi-Tenancy](#multi-tenancy) below).\n\nAlso compatible with LocalStack's health endpoint:\n\n```bash\ncurl http:\u002F\u002Flocalhost:4566\u002F_localstack\u002Fhealth\ncurl http:\u002F\u002Flocalhost:4566\u002Fhealth\n```\n\n---\n\n## Multi-Tenancy\n\nMiniStack supports lightweight multi-tenancy without any configuration. If the `AWS_ACCESS_KEY_ID` is a **12-digit number**, it is used as the **Account ID** for all ARN generation. Non-numeric keys (like `test`) fall back to the `MINISTACK_ACCOUNT_ID` env var or `000000000000`.\n\n```bash\n# Team A — gets account 111111111111\nexport AWS_ACCESS_KEY_ID=111111111111\nexport AWS_SECRET_ACCESS_KEY=anything\naws --endpoint-url=http:\u002F\u002Flocalhost:4566 sts get-caller-identity\n# → { \"Account\": \"111111111111\", ... }\n\n# Team B — gets account 222222222222\nexport AWS_ACCESS_KEY_ID=222222222222\nexport AWS_SECRET_ACCESS_KEY=anything\naws --endpoint-url=http:\u002F\u002Flocalhost:4566 sts get-caller-identity\n# → { \"Account\": \"222222222222\", ... }\n```\n\nAll ARNs and resource state (SQS queues, Lambda functions, IAM roles, S3 buckets, DynamoDB tables, etc.) are fully isolated per account. Resources with the same name in different accounts never collide. This allows multiple developers or CI pipelines to share a single MiniStack endpoint with complete tenant isolation — no extra setup needed.\n\n| Access Key | Account ID Used |\n|---|---|\n| `111111111111` | `111111111111` |\n| `048408301323` | `048408301323` |\n| `test` | `000000000000` (default) |\n| `AKIAIOSFODNN7EXAMPLE` | `000000000000` (default) |\n\n**Terraform** — set `access_key` in your provider block:\n```hcl\nprovider \"aws\" {\n  access_key = \"048408301323\"\n  secret_key = \"test\"\n  region     = \"us-east-1\"\n  endpoints { ... }\n}\n```\n\n**boto3** — pass `aws_access_key_id`:\n```python\nboto3.client(\"s3\",\n    endpoint_url=\"http:\u002F\u002Flocalhost:4566\",\n    aws_access_key_id=\"048408301323\",\n    aws_secret_access_key=\"test\",\n)\n```\n\n---\n\n## Using with AWS CLI\n\n```bash\n# Option A — environment variables (no profile needed)\nexport AWS_ACCESS_KEY_ID=test\nexport AWS_SECRET_ACCESS_KEY=test\nexport AWS_DEFAULT_REGION=us-east-1\n\naws --endpoint-url=http:\u002F\u002Flocalhost:4566 s3 mb s3:\u002F\u002Fmy-bucket\naws --endpoint-url=http:\u002F\u002Flocalhost:4566 sqs create-queue --queue-name my-queue\naws --endpoint-url=http:\u002F\u002Flocalhost:4566 dynamodb list-tables\naws --endpoint-url=http:\u002F\u002Flocalhost:4566 sts get-caller-identity\n\n# Option B — named profile (must pass --profile on every command)\naws configure --profile local\n# AWS Access Key ID: test\n# AWS Secret Access Key: test\n# Default region: us-east-1\n# Default output format: json\n\naws --profile local --endpoint-url=http:\u002F\u002Flocalhost:4566 s3 mb s3:\u002F\u002Fmy-bucket\naws --profile local --endpoint-url=http:\u002F\u002Flocalhost:4566 s3 cp .\u002Ffile.txt s3:\u002F\u002Fmy-bucket\u002F\naws --profile local --endpoint-url=http:\u002F\u002Flocalhost:4566 sqs create-queue --queue-name my-queue\naws --profile local --endpoint-url=http:\u002F\u002Flocalhost:4566 dynamodb list-tables\naws --profile local --endpoint-url=http:\u002F\u002Flocalhost:4566 sts get-caller-identity\n```\n\n### awslocal wrapper\n\n```bash\nchmod +x bin\u002Fawslocal\n.\u002Fbin\u002Fawslocal s3 ls\n.\u002Fbin\u002Fawslocal dynamodb list-tables\n```\n\n---\n\n## Using with boto3\n\n```python\nimport boto3\n\n# All clients use the same endpoint\ndef client(service):\n    return boto3.client(\n        service,\n        endpoint_url=\"http:\u002F\u002Flocalhost:4566\",\n        aws_access_key_id=\"test\",\n        aws_secret_access_key=\"test\",\n        region_name=\"us-east-1\",\n    )\n\n# S3\ns3 = client(\"s3\")\ns3.create_bucket(Bucket=\"my-bucket\")\ns3.put_object(Bucket=\"my-bucket\", Key=\"hello.txt\", Body=b\"Hello, MiniStack!\")\nobj = s3.get_object(Bucket=\"my-bucket\", Key=\"hello.txt\")\nprint(obj[\"Body\"].read())  # b'Hello, MiniStack!'\n\n# SQS\nsqs = client(\"sqs\")\nq = sqs.create_queue(QueueName=\"my-queue\")\nsqs.send_message(QueueUrl=q[\"QueueUrl\"], MessageBody=\"hello\")\nmsgs = sqs.receive_message(QueueUrl=q[\"QueueUrl\"])\nprint(msgs[\"Messages\"][0][\"Body\"])  # hello\n\n# DynamoDB\nddb = client(\"dynamodb\")\nddb.create_table(\n    TableName=\"Users\",\n    KeySchema=[{\"AttributeName\": \"userId\", \"KeyType\": \"HASH\"}],\n    AttributeDefinitions=[{\"AttributeName\": \"userId\", \"AttributeType\": \"S\"}],\n    BillingMode=\"PAY_PER_REQUEST\",\n)\nddb.put_item(TableName=\"Users\", Item={\"userId\": {\"S\": \"u1\"}, \"name\": {\"S\": \"Alice\"}})\n\n# SSM Parameter Store\nssm = client(\"ssm\")\nssm.put_parameter(Name=\"\u002Fapp\u002Fdb\u002Fhost\", Value=\"localhost\", Type=\"String\")\nparam = ssm.get_parameter(Name=\"\u002Fapp\u002Fdb\u002Fhost\")\nprint(param[\"Parameter\"][\"Value\"])  # localhost\n\n# Secrets Manager\nsm = client(\"secretsmanager\")\nsm.create_secret(Name=\"db-password\", SecretString='{\"password\":\"s3cr3t\"}')\n\n# Kinesis\nkin = client(\"kinesis\")\nkin.create_stream(StreamName=\"events\", ShardCount=1)\nkin.put_record(StreamName=\"events\", Data=b'{\"event\":\"click\"}', PartitionKey=\"user1\")\n\n# EventBridge\neb = client(\"events\")\neb.put_events(Entries=[{\n    \"Source\": \"myapp\",\n    \"DetailType\": \"UserSignup\",\n    \"Detail\": '{\"userId\": \"123\"}',\n    \"EventBusName\": \"default\",\n}])\n\n# Step Functions\nsfn = client(\"stepfunctions\")\nsfn.create_state_machine(\n    name=\"my-workflow\",\n    definition='{\"StartAt\":\"Hello\",\"States\":{\"Hello\":{\"Type\":\"Pass\",\"End\":true}}}',\n    roleArn=\"arn:aws:iam::000000000000:role\u002Frole\",\n)\n\n# Step Functions — TestState API (test a single state in isolation)\n# Note: inject_host_prefix=False prevents boto3 from prepending \"sync-\" to the hostname\nfrom botocore.config import Config as BotoConfig\nsfn_test = client(\"stepfunctions\", config=BotoConfig(inject_host_prefix=False))\n\nresult = sfn_test.test_state(\n    definition='{\"Type\":\"Pass\",\"Result\":{\"greeting\":\"hello\"},\"End\":true}',\n    input='{\"name\":\"world\"}',\n)\nprint(result[\"status\"])  # SUCCEEDED\nprint(result[\"output\"])  # {\"greeting\": \"hello\"}\n\n# TestState with mock — test error handling without calling real services\nresult = sfn_test.test_state(\n    definition=json.dumps({\n        \"Type\": \"Task\",\n        \"Resource\": \"arn:aws:lambda:us-east-1:000000000000:function:my-fn\",\n        \"Catch\": [{\"ErrorEquals\": [\"States.ALL\"], \"Next\": \"Fallback\"}],\n        \"End\": True\n    }),\n    input='{}',\n    inspectionLevel=\"DEBUG\",\n    mock={\"errorOutput\": {\"error\": \"ServiceError\", \"cause\": \"Timeout\"}},\n)\nprint(result[\"status\"])  # CAUGHT_ERROR\nprint(result[\"nextState\"])  # Fallback\n\n# EC2\nec2 = client(\"ec2\")\nreservation = ec2.run_instances(\n    ImageId=\"ami-00000001\",\n    MinCount=1,\n    MaxCount=1,\n    InstanceType=\"t3.micro\",\n)\ninstance_id = reservation[\"Instances\"][0][\"InstanceId\"]\nprint(instance_id)  # i-xxxxxxxxxxxxxxxxx\n\n# Security Groups\nsg = ec2.create_security_group(GroupName=\"my-sg\", Description=\"My SG\")\nec2.authorize_security_group_ingress(\n    GroupId=sg[\"GroupId\"],\n    IpPermissions=[{\"IpProtocol\": \"tcp\", \"FromPort\": 80, \"ToPort\": 80,\n                    \"IpRanges\": [{\"CidrIp\": \"0.0.0.0\u002F0\"}]}],\n)\n\n# VPC \u002F Subnet\nvpc = ec2.create_vpc(CidrBlock=\"10.0.0.0\u002F16\")\nsubnet = ec2.create_subnet(\n    VpcId=vpc[\"Vpc\"][\"VpcId\"],\n    CidrBlock=\"10.0.1.0\u002F24\",\n    AvailabilityZone=\"us-east-1a\",\n)\n```\n\n---\n\n## Supported Services\n\n### Core Services\n\n| Service | Operations | Notes |\n|---------|-----------|-------|\n| **S3** | CreateBucket, DeleteBucket, ListBuckets, HeadBucket, PutObject, GetObject, DeleteObject, HeadObject, CopyObject, ListObjects v1\u002Fv2, DeleteObjects, GetBucketVersioning, PutBucketVersioning, GetBucketEncryption, PutBucketEncryption, DeleteBucketEncryption, GetBucketLifecycleConfiguration, PutBucketLifecycleConfiguration, DeleteBucketLifecycle, GetBucketCors, PutBucketCors, DeleteBucketCors, GetBucketAcl, PutBucketAcl, GetBucketTagging, PutBucketTagging, DeleteBucketTagging, GetBucketPolicy, PutBucketPolicy, DeleteBucketPolicy, GetBucketNotificationConfiguration, PutBucketNotificationConfiguration, GetBucketLogging, PutBucketLogging, ListObjectVersions, CreateMultipartUpload, UploadPart, CompleteMultipartUpload, AbortMultipartUpload, PutObjectLockConfiguration, GetObjectLockConfiguration, PutObjectRetention, GetObjectRetention, PutObjectLegalHold, GetObjectLegalHold, PutBucketReplication, GetBucketReplication, DeleteBucketReplication | Optional disk persistence via `S3_PERSIST=1`; Object Lock with retention & legal hold enforcement on delete |\n| **SQS** | CreateQueue, DeleteQueue, ListQueues, GetQueueUrl, GetQueueAttributes, SetQueueAttributes, PurgeQueue, SendMessage, ReceiveMessage, DeleteMessage, ChangeMessageVisibility, ChangeMessageVisibilityBatch, SendMessageBatch, DeleteMessageBatch, TagQueue, UntagQueue, ListQueueTags | Both Query API and JSON protocol; FIFO queues with deduplication; DLQ support |\n| **SNS** | CreateTopic, DeleteTopic, ListTopics, GetTopicAttributes, SetTopicAttributes, Subscribe, Unsubscribe, ListSubscriptions, ListSubscriptionsByTopic, GetSubscriptionAttributes, SetSubscriptionAttributes, ConfirmSubscription, Publish, PublishBatch, TagResource, UntagResource, ListTagsForResource, CreatePlatformApplication, CreatePlatformEndpoint | SNS→SQS fanout delivery; SNS→Lambda fanout (synchronous invocation); FIFO topics with 5-minute deduplication, sequence numbers, content-based deduplication, and subscription validation |\n| **DynamoDB** | CreateTable, UpdateTable, DeleteTable, DescribeTable, ListTables, PutItem, GetItem, DeleteItem, UpdateItem, Query, Scan, BatchWriteItem, BatchGetItem, TransactWriteItems, TransactGetItems, DescribeTimeToLive, UpdateTimeToLive, DescribeContinuousBackups, UpdateContinuousBackups, DescribeEndpoints, TagResource, UntagResource, ListTagsOfResource, EnableKinesisStreamingDestination, DisableKinesisStreamingDestination, DescribeKinesisStreamingDestination, UpdateKinesisStreamingDestination | TTL enforced via thread-safe background reaper (60s cadence); DynamoDB Streams — `StreamSpecification` emits INSERT\u002FMODIFY\u002FREMOVE records on all write operations, respects `StreamViewType`; Kinesis streaming destinations (`aws_dynamodb_kinesis_streaming_destination`) fan item mutations out into any Kinesis stream by ARN while the destination is ACTIVE |\n| **DynamoDB Streams** | ListStreams, DescribeStream, GetShardIterator, GetRecords | Reads records emitted by the main DynamoDB service via `boto3.client(\"dynamodbstreams\")` — single synthetic shard per stream; `TRIM_HORIZON`\u002F`LATEST`\u002F`AT_SEQUENCE_NUMBER`\u002F`AFTER_SEQUENCE_NUMBER` iterator types; `NEW_AND_OLD_IMAGES`, `NEW_IMAGE`, `OLD_IMAGE`, `KEYS_ONLY` view types; opaque base64 iterator tokens |\n| **Lambda** | CreateFunction, DeleteFunction, GetFunction, GetFunctionConfiguration, ListFunctions, Invoke, UpdateFunctionCode, UpdateFunctionConfiguration, AddPermission, RemovePermission, GetPolicy, ListVersionsByFunction, PublishVersion, CreateAlias, GetAlias, UpdateAlias, DeleteAlias, ListAliases, TagResource, UntagResource, ListTags, CreateEventSourceMapping, DeleteEventSourceMapping, GetEventSourceMapping, ListEventSourceMappings, UpdateEventSourceMapping, CreateFunctionUrlConfig, GetFunctionUrlConfig, UpdateFunctionUrlConfig, DeleteFunctionUrlConfig, ListFunctionUrlConfigs, PutFunctionConcurrency, GetFunctionConcurrency, DeleteFunctionConcurrency, PutFunctionEventInvokeConfig, GetFunctionEventInvokeConfig, DeleteFunctionEventInvokeConfig, PublishLayerVersion, GetLayerVersion, GetLayerVersionByArn, ListLayerVersions, DeleteLayerVersion, ListLayers, AddLayerVersionPermission, RemoveLayerVersionPermission, GetLayerVersionPolicy | Python and Node.js runtimes execute with warm worker pool; `provided.al2023`\u002F`provided.al2` runtimes execute via Docker RIE (Go, Rust, C++ support); `Publish=True` creates immutable numbered versions; Code via `ZipFile`, `S3Bucket`\u002F`S3Key` (with optional `S3ObjectVersion`), or `ImageUri` (Docker image); `PackageType: Image` pulls and invokes user-provided Docker images via Lambda RIE; SQS, Kinesis, and DynamoDB Streams event source mappings; Function URL CRUD; Lambda Layers CRUD; Aliases; Concurrency; EventInvokeConfig |\n| **IAM** | CreateUser, GetUser, ListUsers, DeleteUser, CreateRole, GetRole, ListRoles, DeleteRole, CreatePolicy, GetPolicy, DeletePolicy, AttachRolePolicy, DetachRolePolicy, PutRolePolicy, GetRolePolicy, DeleteRolePolicy, ListRolePolicies, ListAttachedRolePolicies, CreateAccessKey, ListAccessKeys, DeleteAccessKey, CreateInstanceProfile, GetInstanceProfile, DeleteInstanceProfile, AddRoleToInstanceProfile, RemoveRoleFromInstanceProfile, ListInstanceProfiles, CreateGroup, GetGroup, AddUserToGroup, RemoveUserFromGroup, CreateServiceLinkedRole, DeleteServiceLinkedRole, GetServiceLinkedRoleDeletionStatus, CreateOpenIDConnectProvider, TagRole, UntagRole, TagUser, UntagUser, TagPolicy, UntagPolicy | |\n| **STS** | GetCallerIdentity, AssumeRole, GetSessionToken, AssumeRoleWithWebIdentity | |\n| **IMDS** (EC2 Instance Metadata) | `PUT \u002Flatest\u002Fapi\u002Ftoken`, `GET \u002Flatest\u002Fmeta-data\u002Finstance-id`, `GET \u002Flatest\u002Fmeta-data\u002Fiam\u002Fsecurity-credentials\u002F`, `GET \u002Flatest\u002Fmeta-data\u002Fiam\u002Fsecurity-credentials\u002F\u003Crole>`, `GET \u002Flatest\u002Fmeta-data\u002Fiam\u002Finfo`, `GET \u002Flatest\u002Fmeta-data\u002Fplacement\u002F{region,availability-zone,...}`, `GET \u002Flatest\u002Fdynamic\u002Finstance-identity\u002Fdocument` | IMDSv1 + IMDSv2; default credential chain falls through to a `ministack-instance-role` document with `ASIA*` session creds. Point SDKs at ministack via `AWS_EC2_METADATA_SERVICE_ENDPOINT=http:\u002F\u002Flocalhost:4566` (or `ec2_metadata_service_endpoint` in `~\u002F.aws\u002Fconfig`); set `MINISTACK_IMDS_V2_REQUIRED=1` to require the token PUT |\n| **ECS Task Metadata V4** | `GET \u002Fv4\u002F\u003Ctoken>`, `GET \u002Fv4\u002F\u003Ctoken>\u002Ftask`, `GET \u002Fv4\u002F\u003Ctoken>\u002Fstats`, `GET \u002Fv4\u002F\u003Ctoken>\u002Ftask\u002Fstats` | Per-container token injected as `ECS_CONTAINER_METADATA_URI_V4` on every container started by `RunTask`. `\u002Ftask` returns sibling containers in the same task. Containers reach the gateway via `host.docker.internal` (mapped through `extra_hosts: host-gateway`, so it works on user-defined Docker networks); `networkMode: host` containers use loopback. Volatile by design (stripped on persistence, cleared by `\u002F_ministack\u002Freset`) |\n| **ECS Container Credentials** | `GET \u002Fv2\u002Fcredentials\u002F\u003Cuuid>` | The path real ECS exposes via `AWS_CONTAINER_CREDENTIALS_RELATIVE_URI=\u002Fv2\u002Fcredentials\u002F\u003Cuuid>` (resolved by SDKs against `169.254.170.2`). MiniStack serves the same path on the gateway and returns the AWS-strict 5-field credentials document (`AccessKeyId`, `SecretAccessKey`, `Token`, `Expiration`, `RoleArn`) — distinct from the IMDS shape served at `\u002Flatest\u002Fmeta-data\u002Fiam\u002Fsecurity-credentials\u002F\u003Crole>`. `RunTask` injects `AWS_CONTAINER_CREDENTIALS_FULL_URI`, `AWS_CONTAINER_AUTHORIZATION_TOKEN` (satisfies botocore's allow-list for non-loopback gateway hosts), and `AWS_ENDPOINT_URL` so unmodified SDKs inside the task fetch credentials and route service calls through MiniStack with no client config |\n| **SecretsManager** | CreateSecret, GetSecretValue, ListSecrets, DeleteSecret, UpdateSecret, DescribeSecret, PutSecretValue, UpdateSecretVersionStage, RestoreSecret, RotateSecret, GetRandomPassword, ListSecretVersionIds, ReplicateSecretToRegions, TagResource, UntagResource, PutResourcePolicy, GetResourcePolicy, DeleteResourcePolicy, ValidateResourcePolicy | |\n| **CloudWatch Logs** | CreateLogGroup, DeleteLogGroup, DescribeLogGroups, CreateLogStream, DeleteLogStream, DescribeLogStreams, PutLogEvents, GetLogEvents, FilterLogEvents, PutRetentionPolicy, DeleteRetentionPolicy, PutSubscriptionFilter, DeleteSubscriptionFilter, DescribeSubscriptionFilters, PutMetricFilter, DeleteMetricFilter, DescribeMetricFilters, TagLogGroup, UntagLogGroup, ListTagsLogGroup, TagResource, UntagResource, ListTagsForResource, StartQuery, GetQueryResults, StopQuery, PutDestination, DeleteDestination, DescribeDestinations, PutDestinationPolicy | `FilterLogEvents` supports `*`\u002F`?` globs, multi-term AND, `-term` exclusion |\n\n### Extended Services\n\n| Service | Operations | Notes |\n|---------|-----------|-------|\n| **SSM Parameter Store** | PutParameter, GetParameter, GetParameters, GetParametersByPath, DeleteParameter, DeleteParameters, DescribeParameters, GetParameterHistory, LabelParameterVersion, AddTagsToResource, RemoveTagsFromResource, ListTagsForResource | Supports String, SecureString, StringList |\n| **EventBridge** | CreateEventBus, UpdateEventBus, DeleteEventBus, ListEventBuses, DescribeEventBus, PutRule, DeleteRule, ListRules, DescribeRule, EnableRule, DisableRule, PutTargets, RemoveTargets, ListTargetsByRule, ListRuleNamesByTarget, PutEvents, TestEventPattern, TagResource, UntagResource, ListTagsForResource, CreateArchive, DeleteArchive, DescribeArchive, UpdateArchive, ListArchives, PutPermission, RemovePermission, CreateConnection, DescribeConnection, DeleteConnection, UpdateConnection, DeauthorizeConnection, ListConnections, CreateApiDestination, DescribeApiDestination, DeleteApiDestination, UpdateApiDestination, ListApiDestinations, StartReplay, DescribeReplay, ListReplays, CancelReplay, CreateEndpoint, DeleteEndpoint, DescribeEndpoint, ListEndpoints, UpdateEndpoint, ActivateEventSource, DeactivateEventSource, DescribeEventSource, CreatePartnerEventSource, DeletePartnerEventSource, DescribePartnerEventSource, ListPartnerEventSources, ListPartnerEventSourceAccounts, ListEventSources, PutPartnerEvents | Lambda target dispatch on PutEvents; S3 EventBridge notifications; archives capture matching events and `StartReplay` re-dispatches them to the destination bus in a background thread; SaaS\u002Fpartner APIs are control-plane stubs |\n| **Kinesis** | CreateStream, DeleteStream, DescribeStream, DescribeStreamSummary, ListStreams, ListShards, PutRecord, PutRecords, GetShardIterator, GetRecords, IncreaseStreamRetentionPeriod, DecreaseStreamRetentionPeriod, MergeShards, SplitShard, UpdateShardCount, StartStreamEncryption, StopStreamEncryption, EnableEnhancedMonitoring, DisableEnhancedMonitoring, RegisterStreamConsumer, DeregisterStreamConsumer, ListStreamConsumers, DescribeStreamConsumer, AddTagsToStream, RemoveTagsFromStream, ListTagsForStream | Partition key → shard routing; AWS limits enforced (1 MB\u002Frecord, 500 records\u002Fbatch, 5 MB payload, 256-char partition key) |\n| **CloudWatch Metrics** | PutMetricData, GetMetricStatistics, GetMetricData, ListMetrics, PutMetricAlarm, PutCompositeAlarm, DescribeAlarms, DescribeAlarmsForMetric, DescribeAlarmHistory, DeleteAlarms, SetAlarmState, EnableAlarmActions, DisableAlarmActions, TagResource, UntagResource, ListTagsForResource, PutDashboard, GetDashboard, DeleteDashboards, ListDashboards | CBOR and JSON protocol |\n| **SES** | SendEmail, SendRawEmail, SendTemplatedEmail, SendBulkTemplatedEmail, VerifyEmailIdentity, VerifyEmailAddress, VerifyDomainIdentity, VerifyDomainDkim, ListIdentities, ListVerifiedEmailAddresses, GetIdentityVerificationAttributes, GetIdentityDkimAttributes, DeleteIdentity, GetSendQuota, GetSendStatistics, SetIdentityNotificationTopic, SetIdentityFeedbackForwardingEnabled, CreateConfigurationSet, DeleteConfigurationSet, DescribeConfigurationSet, ListConfigurationSets, CreateTemplate, GetTemplate, UpdateTemplate, DeleteTemplate, ListTemplates | Emails stored in-memory, not sent |\n| **SES v2** | SendEmail, CreateEmailIdentity, GetEmailIdentity, DeleteEmailIdentity, ListEmailIdentities, CreateConfigurationSet, GetConfigurationSet, DeleteConfigurationSet, ListConfigurationSets, GetAccount, PutAccountSuppressionAttributes, ListSuppressedDestinations | REST API (`\u002Fv2\u002Femail\u002F`); identities auto-verified; emails stored in-memory, not sent |\n| **ACM** | RequestCertificate, DescribeCertificate, ListCertificates, DeleteCertificate, GetCertificate, ImportCertificate, AddTagsToCertificate, RemoveTagsFromCertificate, ListTagsForCertificate, UpdateCertificateOptions, RenewCertificate, ResendValidationEmail | Certificates auto-issued; DNS validation records generated; supports SANs |\n| **Backup** | CreateBackupVault, DescribeBackupVault, DeleteBackupVault, ListBackupVaults, CreateBackupPlan, GetBackupPlan, UpdateBackupPlan, DeleteBackupPlan, ListBackupPlans, ListBackupPlanVersions, CreateBackupSelection, GetBackupSelection, DeleteBackupSelection, ListBackupSelections, StartBackupJob, StopBackupJob, DescribeBackupJob, ListBackupJobs, TagResource, UntagResource, ListTags | In-memory; jobs complete immediately; vaults and plans participate in Resource Groups Tagging API |\n| **WAF v2** | CreateWebACL, GetWebACL, UpdateWebACL, DeleteWebACL, ListWebACLs, AssociateWebACL, DisassociateWebACL, GetWebACLForResource, ListResourcesForWebACL, CreateIPSet, GetIPSet, UpdateIPSet, DeleteIPSet, ListIPSets, CreateRuleGroup, GetRuleGroup, UpdateRuleGroup, DeleteRuleGroup, ListRuleGroups, TagResource, UntagResource, ListTagsForResource, CheckCapacity, DescribeManagedRuleGroup | LockToken enforced on Update\u002FDelete; resource associations tracked |\n| **Step Functions** | CreateStateMachine, DeleteStateMachine, DescribeStateMachine, UpdateStateMachine, ListStateMachines, StartExecution, StartSyncExecution, StopExecution, DescribeExecution, DescribeStateMachineForExecution, ListExecutions, GetExecutionHistory, SendTaskSuccess, SendTaskFailure, SendTaskHeartbeat, CreateActivity, DeleteActivity, DescribeActivity, ListActivities, GetActivityTask, TestState, TagResource, UntagResource, ListTagsForResource | Full ASL interpreter; Retry\u002FCatch; waitForTaskToken; Activities (worker pattern); Pass\u002FTask\u002FChoice\u002FWait\u002FSucceed\u002FFail\u002FMap\u002FParallel; TestState API with mock and inspectionLevel support; SFN_MOCK_CONFIG for AWS SFN Local compatible mock testing; intrinsic functions (States.StringToJson, States.JsonToString, States.JsonMerge, States.Format); nested startExecution.sync |\n| **API Gateway v2** | CreateApi, GetApi, GetApis, UpdateApi, DeleteApi, CreateRoute, GetRoute, GetRoutes, UpdateRoute, DeleteRoute, CreateIntegration, GetIntegration, GetIntegrations, UpdateIntegration, DeleteIntegration, CreateRouteResponse, GetRouteResponse, GetRouteResponses, UpdateRouteResponse, DeleteRouteResponse, CreateIntegrationResponse, GetIntegrationResponse, GetIntegrationResponses, UpdateIntegrationResponse, DeleteIntegrationResponse, CreateStage, GetStage, GetStages, UpdateStage, DeleteStage, CreateDeployment, GetDeployment, GetDeployments, DeleteDeployment, CreateAuthorizer, GetAuthorizer, GetAuthorizers, UpdateAuthorizer, DeleteAuthorizer, TagResource, UntagResource, GetTags, PostToConnection, GetConnection, DeleteConnection | **HTTP API** and **WebSocket API** (`protocolType=WEBSOCKET`); Lambda proxy (`AWS_PROXY`), HTTP proxy (`HTTP_PROXY`), and MOCK integrations; HTTP data plane via `{apiId}.execute-api.localhost` Host header or path-based `\u002F_aws\u002Fexecute-api\u002F{apiId}\u002F{stage}\u002F{path}` (no DNS\u002FHost override needed — works from browsers on macOS and strict clients); `$default` stage served from the URL root (no stage segment in the path); per-API `corsConfiguration` applied to preflights + dispatched responses; request parameter mapping for HTTP_PROXY (`append\u002Foverwrite\u002Fremove` for headers\u002Fquerystring plus `overwrite:path`) with context variables including `$context.authorizer.jwt.claims`; JWT data-plane authorization for HTTP routes (issuer\u002Faudience\u002Ftime\u002Fscope checks) and claim propagation to integrations; qualified-alias integration URIs (`arn:...:function:\u003Cname>:\u003Calias>`) resolve to the alias's target version; WebSocket data plane on the same two URL forms, with `$connect` \u002F `$disconnect` \u002F `$default` \u002F custom-action routing, `$request.body.*` RouteSelectionExpression, `@connections` management API (PostToConnection \u002F GetConnection \u002F DeleteConnection), per-connection outbox for server-side push; `{param}` \u002F `{proxy+}` matching; JWT\u002FLambda authorizer CRUD; pin `apiId` across runs with the `ms-custom-id` tag |\n| **API Gateway v1** | CreateRestApi, GetRestApi, GetRestApis, UpdateRestApi, DeleteRestApi, CreateResource, GetResource, GetResources, UpdateResource, DeleteResource, PutMethod, GetMethod, DeleteMethod, UpdateMethod, PutMethodResponse, GetMethodResponse, DeleteMethodResponse, PutIntegration, GetIntegration, DeleteIntegration, UpdateIntegration, PutIntegrationResponse, GetIntegrationResponse, DeleteIntegrationResponse, CreateDeployment, GetDeployment, GetDeployments, UpdateDeployment, DeleteDeployment, CreateStage, GetStage, GetStages, UpdateStage, DeleteStage, CreateAuthorizer, GetAuthorizer, GetAuthorizers, UpdateAuthorizer, DeleteAuthorizer, CreateModel, GetModel, GetModels, DeleteModel, CreateApiKey, GetApiKey, GetApiKeys, UpdateApiKey, DeleteApiKey, CreateUsagePlan, GetUsagePlan, GetUsagePlans, UpdateUsagePlan, DeleteUsagePlan, CreateUsagePlanKey, GetUsagePlanKeys, DeleteUsagePlanKey, CreateDomainName, GetDomainName, GetDomainNames, DeleteDomainName, CreateBasePathMapping, GetBasePathMapping, GetBasePathMappings, DeleteBasePathMapping, TagResource, UntagResource, GetTags | REST API (v1) protocol; Lambda proxy format 1.0 (AWS_PROXY), HTTP proxy (HTTP_PROXY), MOCK integration; data plane via `{apiId}.execute-api.localhost` Host header, path-based `\u002F_aws\u002Fexecute-api\u002F{apiId}\u002F{stage}\u002F{path}`, or legacy `\u002Frestapis\u002F{apiId}\u002F{stage}\u002F_user_request_\u002F{path}`; qualified-alias integration URIs (`arn:...:function:\u003Cname>:\u003Calias>`) resolve to the alias's target version; resource tree with `{param}` and `{proxy+}` path matching; JSON Patch for all PATCH operations; state persistence; pin `id` across runs with the `ms-custom-id` tag |\n| **ELBv2 \u002F ALB** | CreateLoadBalancer, DescribeLoadBalancers, DeleteLoadBalancer, DescribeLoadBalancerAttributes, ModifyLoadBalancerAttributes, CreateTargetGroup, DescribeTargetGroups, ModifyTargetGroup, DeleteTargetGroup, DescribeTargetGroupAttributes, ModifyTargetGroupAttributes, CreateListener, DescribeListeners, ModifyListener, DeleteListener, CreateRule, DescribeRules, ModifyRule, DeleteRule, SetRulePriorities, RegisterTargets, DeregisterTargets, DescribeTargetHealth, AddTags, RemoveTags, DescribeTags | Control plane + data plane; ALB→Lambda live traffic routing; `path-pattern`, `host-header`, `http-method`, `query-string`, `http-header` rule conditions; `forward`, `redirect`, `fixed-response` actions; data plane via `{lb-name}.alb.localhost` Host header or `\u002F_alb\u002F{lb-name}\u002F` path prefix |\n| **KMS** | CreateKey, ListKeys, DescribeKey, GetPublicKey, Sign, Verify, Encrypt, Decrypt, GenerateDataKey, GenerateDataKeyWithoutPlaintext, CreateAlias, DeleteAlias, ListAliases, UpdateAlias, EnableKeyRotation, DisableKeyRotation, GetKeyRotationStatus, GetKeyPolicy, PutKeyPolicy, ListKeyPolicies, EnableKey, DisableKey, ScheduleKeyDeletion, CancelKeyDeletion, TagResource, UntagResource, ListResourceTags | 27 actions; RSA (2048\u002F4096), ECC (SECG_P256K1, NIST P-256\u002F384\u002F521), and symmetric keys; PKCS1v15, PSS, and ECDSA signing; envelope encryption; alias resolution; key rotation; key policies; tags; enable\u002Fdisable\u002Fschedule deletion; full Terraform `aws_kms_key` compatible; `cryptography` package included in Docker image |\n| **CloudFront** | CreateDistribution, GetDistribution, GetDistributionConfig, ListDistributions, UpdateDistribution, DeleteDistribution, CreateInvalidation, ListInvalidations, GetInvalidation, CreateOriginAccessControl, GetOriginAccessControl, GetOriginAccessControlConfig, ListOriginAccessControls, UpdateOriginAccessControl, DeleteOriginAccessControl, CreateFunction, DeleteFunction, DescribeFunction, GetFunction, ListFunctions, PublishFunction, UpdateFunction, **KeyValueStore (mgmt)**: CreateKeyValueStore, DescribeKeyValueStore, ListKeyValueStores, UpdateKeyValueStore, DeleteKeyValueStore, TagResource, UntagResource, ListTagsForResource | REST\u002FXML API; ETag-based optimistic concurrency; Origin Access Control (OAC) with SigV4 signing for S3, MediaStore, Lambda, MediaPackageV2 origins; **CloudFront Functions** are API stubs (in-memory code + DEVELOPMENT\u002FLIVE ETags for Terraform `aws_cloudfront_function`) with `KeyValueStoreAssociations` round-tripped — no `TestFunction`, no viewer-request JS execution at the edge; `UpdateFunction` clears the emulated LIVE stage until `PublishFunction` runs again |\n| **CloudFront KeyValueStore (data plane)** | DescribeKeyValueStore, ListKeys, GetKey, PutKey, DeleteKey, UpdateKeys | Separate `cloudfront-keyvaluestore` SDK service (REST\u002FJSON, signing name `cloudfront-keyvaluestore`); ETag-based optimistic concurrency on every mutating op; `UpdateKeys` is atomic (validates whole batch, rejects on first invalid entry); `ListKeys` paginates with opaque `NextToken` capped at 50 results per AWS spec; bridges to the management plane via the shared KVS ARN |\n| **CloudTrail** | LookupEvents, CreateTrail, DeleteTrail, GetTrail, DescribeTrails, ListTrails, UpdateTrail, GetTrailStatus, StartLogging, StopLogging, PutEventSelectors, GetEventSelectors, AddTags, ListTags, RemoveTags | In-memory audit log; recording opt-in via `CLOUDTRAIL_RECORDING=1` (or runtime config endpoint); per-account ring buffer (`CLOUDTRAIL_MAX_EVENTS=10000`); `LookupEvents` supports all 8 AWS `LookupAttributes`; `IsLogging` flips on Start\u002FStopLogging |\n| **Resource Groups** | CreateGroup, GetGroup, DeleteGroup, UpdateGroup, ListGroups, GetGroupQuery, UpdateGroupQuery, GetGroupConfiguration, PutGroupConfiguration, GroupResources, UngroupResources, ListGroupResources, ListGroupingStatuses, SearchResources, Tag, Untag, GetTags, GetAccountSettings, UpdateAccountSettings | 19 of 23 spec ops; tag-sync ops omitted (not exposed by AWS CLI \u002F Terraform); `Group` accepts bare name or full ARN |\n| **Cost & Usage Reports** | DeleteReportDefinition, DescribeReportDefinitions, ListTagsForResource, ModifyReportDefinition, PutReportDefinition, TagResource, UntagResource | 7 of 7 spec ops |\n\n\n### CloudFormation\n\n| Feature | Details |\n|---------|---------|\n| **Stack Operations** | CreateStack, UpdateStack, DeleteStack, DescribeStacks, ListStacks, DescribeStackEvents, DescribeStackResource, DescribeStackResources, GetTemplate, ValidateTemplate, GetTemplateSummary |\n| **Change Sets** | CreateChangeSet, DescribeChangeSet, ExecuteChangeSet, DeleteChangeSet, ListChangeSets |\n| **Exports** | ListExports — cross-stack references via `Fn::ImportValue` |\n| **Template Formats** | JSON and YAML (including `!Ref`, `!Sub`, `!GetAtt` shorthand tags) |\n| **Intrinsic Functions** | Ref, Fn::GetAtt, Fn::Join, Fn::Sub (both forms), Fn::Select, Fn::Split, Fn::If, Fn::Equals, Fn::And, Fn::Or, Fn::Not, Fn::Base64, Fn::FindInMap, Fn::ImportValue, Fn::GetAZs, Fn::Cidr |\n| **Pseudo-Parameters** | AWS::StackName, AWS::StackId, AWS::Region, AWS::AccountId, AWS::URLSuffix, AWS::Partition, AWS::NoValue |\n| **Parameters** | Default values, AllowedValues validation, NoEcho masking, String\u002FNumber\u002FCommaDelimitedList types |\n| **Conditions** | Fn::Equals, Fn::And, Fn::Or, Fn::Not — conditional resource creation |\n| **Rollback** | Configurable via `DisableRollback` — on failure, previously created resources are cleaned up in reverse dependency order |\n| **Async Status** | Stacks deploy asynchronously (`CREATE_IN_PROGRESS` → `CREATE_COMPLETE`) — poll with DescribeStacks |\n\n**Supported Resource Types:**\n\n| Resource Type | Ref Returns | GetAtt |\n|---------------|-------------|--------|\n| `AWS::S3::Bucket` | Bucket name | Arn, DomainName, RegionalDomainName, WebsiteURL |\n| `AWS::SQS::Queue` | Queue URL | Arn, QueueName, QueueUrl |\n| `AWS::SNS::Topic` | Topic ARN | TopicArn, TopicName |\n| `AWS::SNS::Subscription` | Subscription ARN | — |\n| `AWS::DynamoDB::Table` | Table name | Arn, StreamArn |\n| `AWS::Lambda::Function` | Function name | Arn |\n| `AWS::IAM::Role` | Role name | Arn, RoleId |\n| `AWS::IAM::Policy` | Policy ARN | — |\n| `AWS::IAM::InstanceProfile` | Profile name | Arn |\n| `AWS::SSM::Parameter` | Parameter name | Type, Value |\n| `AWS::Logs::LogGroup` | Log group name | Arn |\n| `AWS::Events::EventBus` | EventBus name | Arn, Name |\n| `AWS::Events::Rule` | Rule name | Arn |\n| `AWS::Kinesis::Stream` | Stream name | Arn, StreamId |\n| `AWS::Lambda::Permission` | Statement ID | — |\n| `AWS::Lambda::Version` | Version ARN | Version |\n| `AWS::Lambda::Alias` | Alias ARN | — |\n| `AWS::Lambda::EventSourceMapping` | UUID | — |\n| `AWS::S3::BucketPolicy` | Bucket name | — |\n| `AWS::SQS::QueuePolicy` | Policy ID | — |\n| `AWS::SNS::TopicPolicy` | Policy ID | — |\n| `AWS::ApiGateway::RestApi` | API ID | RootResourceId |\n| `AWS::ApiGateway::Resource` | Resource ID | — |\n| `AWS::ApiGateway::Method` | Method ID | — |\n| `AWS::ApiGateway::Deployment` | Deployment ID | — |\n| `AWS::ApiGateway::Stage` | Stage name | — |\n| `AWS::AppSync::GraphQLApi` | API ID | Arn, GraphQLUrl, ApiId |\n| `AWS::AppSync::DataSource` | DataSource name | DataSourceArn |\n| `AWS::AppSync::Resolver` | Resolver ARN | ResolverArn |\n| `AWS::AppSync::GraphQLSchema` | Schema ID | — |\n| `AWS::AppSync::ApiKey` | API key ID | ApiKey, Arn |\n| `AWS::SecretsManager::Secret` | Secret ARN | — |\n| `AWS::Cognito::UserPool` | Pool ID | Arn, ProviderName |\n| `AWS::Cognito::UserPoolClient` | Client ID | — |\n| `AWS::Cognito::IdentityPool` | Pool ID | — |\n| `AWS::Cognito::UserPoolDomain` | Domain | — |\n| `AWS::ECR::Repository` | Repo name | Arn, RepositoryUri |\n| `AWS::IAM::ManagedPolicy` | Policy ARN | — |\n| `AWS::KMS::Key` | Key ID | Arn, KeyId |\n| `AWS::KMS::Alias` | Alias name | — |\n| `AWS::EC2::VPC` | VPC ID | VpcId, DefaultSecurityGroup, DefaultNetworkAcl |\n| `AWS::EC2::Subnet` | Subnet ID | SubnetId, AvailabilityZone |\n| `AWS::EC2::SecurityGroup` | SG ID | GroupId, VpcId |\n| `AWS::EC2::InternetGateway` | IGW ID | InternetGatewayId |\n| `AWS::EC2::VPCGatewayAttachment` | Attachment ID | — |\n| `AWS::EC2::RouteTable` | RTB ID | RouteTableId |\n| `AWS::EC2::Route` | Route ID | — |\n| `AWS::EC2::SubnetRouteTableAssociation` | Association ID | — |\n| `AWS::EC2::LaunchTemplate` | LT ID | LaunchTemplateId, LaunchTemplateName, DefaultVersionNumber, LatestVersionNumber |\n| `AWS::ECS::Cluster` | Cluster name | Arn, ClusterName |\n| `AWS::ECS::TaskDefinition` | Task def ARN | TaskDefinitionArn |\n| `AWS::ECS::Service` | Service ARN | ServiceArn, Name |\n| `AWS::ElasticLoadBalancingV2::LoadBalancer` | LB ARN | Arn, DNSName, LoadBalancerFullName, CanonicalHostedZoneID, SecurityGroups |\n| `AWS::ElasticLoadBalancingV2::Listener` | Listener ARN | ListenerArn, Arn |\n| `AWS::Lambda::LayerVersion` | Layer version ARN | LayerVersionArn, Arn |\n| `AWS::StepFunctions::StateMachine` | State machine ARN | Arn, Name |\n| `AWS::Route53::HostedZone` | Zone ID | Id, NameServers |\n| `AWS::Route53::RecordSet` | Record FQDN (trailing dot) | Name |\n| `AWS::ApiGatewayV2::Api` | API ID | ApiId, ApiEndpoint |\n| `AWS::ApiGatewayV2::Stage` | Stage ID | StageName |\n| `AWS::ApiGatewayV2::Integration` | Integration ID | IntegrationId |\n| `AWS::ApiGatewayV2::Route` | Route ID | RouteId |\n| `AWS::SES::EmailIdentity` | Identity | EmailIdentity |\n| `AWS::WAFv2::WebACL` | WebACL ID | Arn, Id |\n| `AWS::CloudFront::Distribution` | Distribution ID | Arn, DomainName, Id |\n| `AWS::CloudWatch::Alarm` | Alarm name | Arn |\n| `AWS::RDS::DBCluster` | Cluster ID | Arn, Endpoint.Address, Endpoint.Port, ReadEndpoint.Address |\n| `AWS::AutoScaling::AutoScalingGroup` | ASG name | Arn |\n| `AWS::AutoScaling::LaunchConfiguration` | LC name | Arn |\n| `AWS::AutoScaling::ScalingPolicy` | Policy ARN | Arn, PolicyName |\n| `AWS::AutoScaling::LifecycleHook` | Hook name | LifecycleHookName |\n| `AWS::AutoScaling::ScheduledAction` | Action ARN | Arn, ScheduledActionName |\n| `AWS::Scheduler::Schedule` | Schedule name | Arn |\n| `AWS::Scheduler::ScheduleGroup` | Group name | Arn |\n| `AWS::CloudFormation::WaitCondition` | Condition ID | — |\n| `AWS::CloudFormation::WaitConditionHandle` | Handle URL | — |\n\nUnsupported resource types fail with `CREATE_FAILED` (or `ROLLBACK_COMPLETE` if rollback is enabled), so templates with unsupported types won't silently succeed.\n\n### Infrastructure Services\n\n| Service | Operations | Notes |\n|---------|-----------|-------|\n| **ECS** | CreateCluster, DeleteCluster, DescribeClusters, ListClusters, UpdateCluster, UpdateClusterSettings, PutClusterCapacityProviders, RegisterTaskDefinition, DeregisterTaskDefinition, DescribeTaskDefinition, ListTaskDefinitions, ListTaskDefinitionFamilies, DeleteTaskDefinitions, CreateService, DeleteService, DescribeServices, UpdateService, ListServices, ListServicesByNamespace, RunTask, StopTask, DescribeTasks, ListTasks, ExecuteCommand, UpdateTaskProtection, GetTaskProtection, CreateCapacityProvider, UpdateCapacityProvider, DeleteCapacityProvider, DescribeCapacityProviders, TagResource, UntagResource, ListTagsForResource, ListAccountSettings, PutAccountSetting, PutAccountSettingDefault, DeleteAccountSetting, PutAttributes, DeleteAttributes, ListAttributes, DescribeServiceDeployments, ListServiceDeployments, DescribeServiceRevisions, SubmitTaskStateChange, SubmitContainerStateChange, SubmitAttachmentStateChanges, DiscoverPollEndpoint | 47 actions; `RunTask` starts real Docker containers via Docker socket; full Terraform ECS coverage |\n| **RDS** | CreateDBInstance, DeleteDBInstance, DescribeDBInstances, ModifyDBInstance, StartDBInstance, StopDBInstance, RebootDBInstance, CreateDBInstanceReadReplica, RestoreDBInstanceFromDBSnapshot, CreateDBCluster, DeleteDBCluster, DescribeDBClusters, ModifyDBCluster, StartDBCluster, StopDBCluster, CreateDBSnapshot, DeleteDBSnapshot, DescribeDBSnapshots, CreateDBClusterSnapshot, DescribeDBClusterSnapshots, DeleteDBClusterSnapshot, CreateDBSubnetGroup, DeleteDBSubnetGroup, DescribeDBSubnetGroups, ModifyDBSubnetGroup, CreateDBParameterGroup, DeleteDBParameterGroup, DescribeDBParameterGroups, DescribeDBParameters, ModifyDBParameterGroup, CreateDBClusterParameterGroup, DescribeDBClusterParameterGroups, DeleteDBClusterParameterGroup, DescribeDBClusterParameters, ModifyDBClusterParameterGroup, CreateOptionGroup, DeleteOptionGroup, DescribeOptionGroups, DescribeOptionGroupOptions, ListTagsForResource, AddTagsToResource, RemoveTagsFromResource, DescribeDBEngineVersions, DescribeOrderableDBInstanceOptions, CreateGlobalCluster, DescribeGlobalClusters, DeleteGlobalCluster, RemoveFromGlobalCluster, ModifyGlobalCluster | `CreateDBInstance` spins up real Postgres\u002FMySQL Docker container, returns actual `host:port` endpoint |\n| **ElastiCache** | CreateCacheCluster, DeleteCacheCluster, DescribeCacheClusters, ModifyCacheCluster, RebootCacheCluster, CreateReplicationGroup, DeleteReplicationGroup, DescribeReplicationGroups, ModifyReplicationGroup, IncreaseReplicaCount, DecreaseReplicaCount, CreateCacheSubnetGroup, DescribeCacheSubnetGroups, ModifyCacheSubnetGroup, DeleteCacheSubnetGroup, CreateCacheParameterGroup, DescribeCacheParameterGroups, ModifyCacheParameterGroup, ResetCacheParameterGroup, DeleteCacheParameterGroup, DescribeCacheParameters, DescribeCacheEngineVersions, CreateUser, DescribeUsers, DeleteUser, ModifyUser, CreateUserGroup, DescribeUserGroups, DeleteUserGroup, ModifyUserGroup, ListTagsForResource, AddTagsToResource, RemoveTagsFromResource, CreateSnapshot, DeleteSnapshot, DescribeSnapshots, DescribeEvents | `CreateCacheCluster` spins up real Redis\u002FMemcached Docker container |\n| **Glue** | CreateDatabase, DeleteDatabase, GetDatabase, GetDatabases, UpdateDatabase, CreateTable, DeleteTable, GetTable, GetTables, UpdateTable, BatchDeleteTable, CreatePartition, DeletePartition, GetPartition, GetPartitions, BatchCreatePartition, BatchGetPartition, CreatePartitionIndex, GetPartitionIndexes, CreateConnection, DeleteConnection, GetConnection, GetConnections, CreateCrawler, DeleteCrawler, GetCrawler, GetCrawlers, UpdateCrawler, StartCrawler, StopCrawler, GetCrawlerMetrics, CreateJob, DeleteJob, GetJob, GetJobs, UpdateJob, StartJobRun, GetJobRun, GetJobRuns, BatchStopJobRun, CreateTrigger, GetTrigger, DeleteTrigger, UpdateTrigger, StartTrigger, StopTrigger, ListTriggers, BatchGetTriggers, GetTriggers, CreateWorkflow, GetWorkflow, DeleteWorkflow, UpdateWorkflow, StartWorkflowRun, CreateSecurityConfiguration, DeleteSecurityConfiguration, GetSecurityConfiguration, GetSecurityConfigurations, CreateClassifier, GetClassifier, GetClassifiers, DeleteClassifier, TagResource, UntagResource, GetTags | Python shell jobs actually execute via subprocess |\n| **Athena** | StartQueryExecution, GetQueryExecution, GetQueryResults, StopQueryExecution, ListQueryExecutions, BatchGetQueryExecution, CreateWorkGroup, DeleteWorkGroup, GetWorkGroup, ListWorkGroups, UpdateWorkGroup, CreateNamedQuery, DeleteNamedQuery, GetNamedQuery, ListNamedQueries, BatchGetNamedQuery, CreateDataCatalog, GetDataCatalog, ListDataCatalogs, DeleteDataCatalog, UpdateDataCatalog, CreatePreparedStatement, GetPreparedStatement, DeletePreparedStatement, ListPreparedStatements, GetTableMetadata, ListTableMetadata, TagResource, UntagResource, ListTagsForResource | Real SQL via **DuckDB** when installed (`pip install duckdb`), otherwise returns mock results; result pagination; column type metadata |\n| **Firehose** | CreateDeliveryStream, DeleteDeliveryStream, DescribeDeliveryStream, ListDeliveryStreams, PutRecord, PutRecordBatch, UpdateDestination, TagDeliveryStream, UntagDeliveryStream, ListTagsForDeliveryStream, StartDeliveryStreamEncryption, StopDeliveryStreamEncryption | S3 destinations write records to the local S3 emulator; all other destination types buffer in-memory; concurrency-safe `UpdateDestination` via `VersionId` |\n| **Route53** | CreateHostedZone, GetHostedZone, DeleteHostedZone, ListHostedZones, ListHostedZonesByName, UpdateHostedZoneComment, ChangeResourceRecordSets (CREATE\u002FUPSERT\u002FDELETE), ListResourceRecordSets, GetChange, CreateHealthCheck, GetHealthCheck, DeleteHealthCheck, ListHealthChecks, UpdateHealthCheck, ChangeTagsForResource, ListTagsForResource | REST\u002FXML protocol; SOA + NS records auto-created; CallerReference idempotency; alias records, weighted\u002Ffailover\u002Flatency routing; marker-based pagination |\n| **EC2** | RunInstances, DescribeInstances, DescribeInstanceAttribute, DescribeInstanceTypes, DescribeVpcAttribute, TerminateInstances, StopInstances, StartInstances, RebootInstances, DescribeImages, CreateSecurityGroup, DeleteSecurityGroup, DescribeSecurityGroups, AuthorizeSecurityGroupIngress, RevokeSecurityGroupIngress, AuthorizeSecurityGroupEgress, RevokeSecurityGroupEgress, DescribeSecurityGroupRules, CreateKeyPair, DeleteKeyPair, DescribeKeyPairs, ImportKeyPair, CreateVpc, DeleteVpc, DescribeVpcs, ModifyVpcAttribute, CreateSubnet, DeleteSubnet, DescribeSubnets, ModifySubnetAttribute, CreateInternetGateway, DeleteInternetGateway, DescribeInternetGateways, AttachInternetGateway, DetachInternetGateway, CreateRouteTable, DeleteRouteTable, DescribeRouteTables, AssociateRouteTable, DisassociateRouteTable, ReplaceRouteTableAssociation, CreateRoute, ReplaceRoute, DeleteRoute, CreateNetworkInterface, DeleteNetworkInterface, DescribeNetworkInterfaces, AttachNetworkInterface, DetachNetworkInterface, CreateVpcEndpoint, DeleteVpcEndpoints, DescribeVpcEndpoints, ModifyVpcEndpoint, DescribePrefixLists, DescribeAvailabilityZones, AllocateAddress, ReleaseAddress, AssociateAddress, DisassociateAddress, DescribeAddresses, DescribeAddressesAttribute, CreateTags, DeleteTags, DescribeTags, CreateNatGateway, DescribeNatGateways, DeleteNatGateway, CreateNetworkAcl, DescribeNetworkAcls, DeleteNetworkAcl, CreateNetworkAclEntry, DeleteNetworkAclEntry, ReplaceNetworkAclEntry, ReplaceNetworkAclAssociation, CreateFlowLogs, DescribeFlowLogs, DeleteFlowLogs, CreateVpcPeeringConnection, AcceptVpcPeeringConnection, DescribeVpcPeeringConnections, DeleteVpcPeeringConnection, CreateDhcpOptions, AssociateDhcpOptions, DescribeDhcpOptions, DeleteDhcpOptions, CreateEgressOnlyInternetGateway, DescribeEgressOnlyInternetGateways, DeleteEgressOnlyInternetGateway, CreateManagedPrefixList, DescribeManagedPrefixLists, GetManagedPrefixListEntries, ModifyManagedPrefixList, DeleteManagedPrefixList, CreateVpnGateway, DescribeVpnGateways, AttachVpnGateway, DetachVpnGateway, DeleteVpnGateway, EnableVgwRoutePropagation, DisableVgwRoutePropagation, CreateCustomerGateway, DescribeCustomerGateways, DeleteCustomerGateway, DescribeInstanceCreditSpecifications, DescribeInstanceMaintenanceOptions, DescribeInstanceAutoRecoveryAttribute, ModifyInstanceMaintenanceOptions, DescribeInstanceTopology, DescribeSpotInstanceRequests, DescribeCapacityReservations, DescribeInstanceStatus, DescribeVpcClassicLink, DescribeVpcClassicLinkDnsSupport, CreateLaunchTemplate, CreateLaunchTemplateVersion, DescribeLaunchTemplates, DescribeLaunchTemplateVersions, ModifyLaunchTemplate, DeleteLaunchTemplate | 136 actions; `AuthorizeSecurityGroupIngress` is idempotent on duplicate rules (same behavior as egress; avoids Terraform re-apply failures); in-memory state only — no real VMs; CreateVpc provisions per-VPC default route table, network ACL, and security group; full Terraform VPC module v6.6.0 compatible; VPN\u002FCustomer gateways, managed prefix lists, VPC endpoints with modify support; launch templates with versioning ($Latest\u002F$Default) |\n| **EBS** | CreateVolume, DeleteVolume, DescribeVolumes, DescribeVolumeStatus, AttachVolume, DetachVolume, ModifyVolume, DescribeVolumesModifications, EnableVolumeIO, ModifyVolumeAttribute, DescribeVolumeAttribute, CreateSnapshot, DeleteSnapshot, DescribeSnapshots, CopySnapshot, ModifySnapshotAttribute, DescribeSnapshotAttribute | Part of EC2 Query\u002FXML service; attach\u002Fdetach updates volume state; snapshots stored as completed immediately; Pro-only on LocalStack — free here |\n| **EFS** | CreateFileSystem, DescribeFileSystems, DeleteFileSystem, UpdateFileSystem, CreateMountTarget, DescribeMountTargets, DeleteMountTarget, DescribeMountTargetSecurityGroups, ModifyMountTargetSecurityGroups, CreateAccessPoint, DescribeAccessPoints, DeleteAccessPoint, TagResource, UntagResource, ListTagsForResource, PutLifecycleConfiguration, DescribeLifecycleConfiguration, PutBackupPolicy, DescribeBackupPolicy, DescribeAccountPreferences, PutAccountPreferences | REST\u002FJSON `\u002F2015-02-01\u002F*`; CreationToken idempotency; FileSystem deletion blocked when mount targets exist; Pro-only on LocalStack — free here |\n| **EMR** | RunJobFlow, DescribeCluster, ListClusters, TerminateJobFlows, ModifyCluster, SetTerminationProtection, SetVisibleToAllUsers, AddJobFlowSteps, DescribeStep, ListSteps, CancelSteps, AddInstanceFleet, ListInstanceFleets, ModifyInstanceFleet, AddInstanceGroups, ListInstanceGroups, ModifyInstanceGroups, ListBootstrapActions, AddTags, RemoveTags, GetBlockPublicAccessConfiguration, PutBlockPublicAccessConfiguration | Control plane only — no real Spark\u002FHadoop; clusters start in WAITING (KeepAlive=true) or TERMINATED (KeepAlive=false); steps stored as COMPLETED immediately; all three instance modes (simple, InstanceGroups, InstanceFleets); TerminationProtected enforced; Pro-only on LocalStack — free here |\n| **Cognito** | **User Pools**: CreateUserPool, DeleteUserPool, DescribeUserPool, ListUserPools, UpdateUserPool, CreateUserPoolClient, DeleteUserPoolClient, DescribeUserPoolClient, ListUserPoolClients, UpdateUserPoolClient, AdminCreateUser, AdminDeleteUser, AdminGetUser, ListUsers, AdminSetUserPassword, AdminUpdateUserAttributes, AdminConfirmSignUp, AdminDisableUser, AdminEnableUser, AdminResetUserPassword, AdminUserGlobalSignOut, AdminAddUserToGroup, AdminRemoveUserFromGroup, AdminListGroupsForUser, AdminListUserAuthEvents, AdminInitiateAuth, AdminRespondToAuthChallenge, InitiateAuth, RespondToAuthChallenge, GlobalSignOut, RevokeToken, SignUp, ConfirmSignUp, ForgotPassword, ConfirmForgotPassword, ChangePassword, GetUser, UpdateUserAttributes, DeleteUser, CreateGroup, DeleteGroup, GetGroup, ListGroups, ListUsersInGroup, CreateUserPoolDomain, DeleteUserPoolDomain, DescribeUserPoolDomain, GetUserPoolMfaConfig, SetUserPoolMfaConfig, AssociateSoftwareToken, VerifySoftwareToken, AdminSetUserMFAPreference, SetUserMFAPreference, TagResource, UntagResource, ListTagsForResource; **Identity Pools**: CreateIdentityPool, DeleteIdentityPool, DescribeIdentityPool, ListIdentityPools, UpdateIdentityPool, GetId, GetCredentialsForIdentity, GetOpenIdToken, SetIdentityPoolRoles, GetIdentityPoolRoles, ListIdentities, DescribeIdentity, MergeDeveloperIdentities, UnlinkDeveloperIdentity, UnlinkIdentity, TagResource, UntagResource, ListTagsForResource; **OAuth2**: \u002Foauth2\u002Ftoken (client_credentials) | Stub JWT tokens (structurally valid base64url JWTs); SRP auth returns PASSWORD_VERIFIER challenge; confirmation codes hardcoded (signup: 123456, forgot-password: 654321); TOTP SOFTWARE_TOKEN_MFA challenge flow; MFA config and per-user enrollment stored in-memory |\n| **ECR** | CreateRepository, DescribeRepositories, DeleteRepository, ListImages, DescribeImages, PutImage, BatchGetImage, BatchDeleteImage, GetAuthorizationToken, GetRepositoryPolicy, SetRepositoryPolicy, DeleteRepositoryPolicy, PutLifecyclePolicy, GetLifecyclePolicy, DeleteLifecyclePolicy, ListTagsForResource, TagResource, UntagResource, PutImageTagMutability, PutImageScanningConfiguration, DescribeRegistry, GetDownloadUrlForLayer, BatchCheckLayerAvailability, InitiateLayerUpload, UploadLayerPart, CompleteLayerUpload | In-memory image registry; Docker V2 manifest support; authorization token generation; lifecycle policies; tag mutability; Pro-only on LocalStack — free here |\n| **AppSync** | **GraphQL APIs**: CreateGraphQLApi, GetGraphQLApi, ListGraphQLApis, UpdateGraphQLApi, DeleteGraphQLApi, CreateApiKey, DeleteApiKey, ListApiKeys, CreateDataSource, GetDataSource, ListDataSources, DeleteDataSource, CreateResolver, GetResolver, ListResolvers, DeleteResolver, CreateType, ListTypes, GetType, TagResource, UntagResource, ListTagsForResource; **Event APIs**: CreateApi, GetApi, ListApis, UpdateApi, DeleteApi, CreateChannelNamespace, GetChannelNamespace, ListChannelNamespaces, UpdateChannelNamespace, DeleteChannelNamespace, CreateApiKey, ListApiKeys, DeleteApiKey, HTTP Publish, WebSocket subscribe\u002Fpublish | GraphQL queries\u002Fmutations execute against DynamoDB resolvers; Lambda resolvers supported. Event APIs support AWS-shaped `\u002Fv2\u002Fapis` management, `\u002Fv1\u002Fapis\u002F{apiId}\u002Fapikeys` API-key operations, `POST \u002Fevent` on `*.appsync-api.*`, and realtime `*.appsync-realtime-api.*` WebSocket flows with API-key and Lambda-authorizer checks |\n| **Cloud Map** | CreateHttpNamespace, CreatePrivateDnsNamespace, CreatePublicDnsNamespace, GetNamespace, ListNamespaces, DeleteNamespace, UpdateHttpNamespace, UpdatePrivateDnsNamespace, UpdatePublicDnsNamespace, CreateService, GetService, ListServices, DeleteService, UpdateService, RegisterInstance, DeregisterInstance, DiscoverInstances, DiscoverInstancesRevision, ListInstances, GetInstancesHealthStatus, UpdateInstanceCustomHealthStatus, GetServiceAttributes, UpdateServiceAttributes, DeleteServiceAttributes, GetOperation, ListOperations, TagResource, UntagResource, ListTagsForResource | DNS namespaces create Route53 hosted zones; operation tracking; Terraform `aws_service_discovery_*` compatible |\n| **RDS Data API** | ExecuteStatement, BatchExecuteStatement, BeginTransaction, CommitTransaction, RollbackTransaction | Routes SQL to real Docker-backed RDS database containers; supports MySQL (pymysql) and PostgreSQL (psycopg2); REST paths (`\u002FExecute`, `\u002FBeginTransaction`, etc.) |\n| **S3 Files** | CreateFileSystem, GetFileSystem, ListFileSystems, DeleteFileSystem, CreateMountTarget, GetMountTarget, ListMountTargets, UpdateMountTarget, DeleteMountTarget, CreateAccessPoint, GetAccessPoint, ListAccessPoints, DeleteAccessPoint, GetFileSystemPolicy, PutFileSystemPolicy, DeleteFileSystemPolicy, GetSynchronizationConfiguration, PutSynchronizationConfiguration, TagResource, UntagResource, ListTagsForResource | 21 operations; control plane for the new S3 Files service (launched April 2026); file systems, mount targets, access points, policies |\n| **AutoScaling** | CreateAutoScalingGroup, DescribeAutoScalingGroups, UpdateAutoScalingGroup, DeleteAutoScalingGroup, DescribeAutoScalingInstances, CreateLaunchConfiguration, DescribeLaunchConfigurations, DeleteLaunchConfiguration, PutScalingPolicy, DescribePolicies, DeletePolicy, PutLifecycleHook, DescribeLifecycleHooks, DeleteLifecycleHook, CompleteLifecycleAction, RecordLifecycleActionHeartbeat, PutScheduledUpdateGroupAction, DescribeScheduledActions, DeleteScheduledAction, CreateOrUpdateTags, DescribeTags, DeleteTags | 23 actions; in-memory state — no real instance scaling; full ASG lifecycle (launch configs, scaling policies, lifecycle hooks, scheduled actions, tags); CDK\u002FTerraform compatible |\n| **CodeBuild** | CreateProject, BatchGetProjects, ListProjects, UpdateProject, DeleteProject, StartBuild, BatchGetBuilds, StopBuild, ListBuilds, ListBuildsForProject, BatchDeleteBuilds | 11 actions; builds complete immediately with SUCCEEDED status; project and build metadata stored in-memory |\n| **AppConfig** | CreateApplication, GetApplication, ListApplications, UpdateApplication, DeleteApplication, CreateEnvironment, GetEnvironment, ListEnvironments, UpdateEnvironment, DeleteEnvironment, CreateConfigurationProfile, GetConfigurationProfile, ListConfigurationProfiles, UpdateConfigurationProfile, DeleteConfigurationProfile, CreateHostedConfigurationVersion, GetHostedConfigurationVersion, ListHostedConfigurationVersions, DeleteHostedConfigurationVersion, CreateDeploymentStrategy, GetDeploymentStrategy, ListDeploymentStrategies, UpdateDeploymentStrategy, DeleteDeploymentStrategy, StartDeployment, GetDeployment, ListDeployments, StopDeployment, TagResource, UntagResource, ListTagsForResource, StartConfigurationSession, GetLatestConfiguration | 33 operations; control plane + data plane; hosted configuration versions; deployments complete immediately; session-based configuration retrieval with token rotation |\n| **Transfer Family** | CreateServer, DescribeServer, DeleteServer, ListServers, StartServer, StopServer, CreateUser, DescribeUser, DeleteUser, ListUsers, ImportSshPublicKey, DeleteSshPublicKey | 12 operations; **real SFTP listener** on `:2222` (override with `SFTP_PORT`) backed by S3 — `ls`, `put`, `get`, `mkdir`, `rename` work end-to-end against the local S3 emulator; `SFTP_PORT_PER_SERVER=1` allocates one port per `CreateServer` from `SFTP_BASE_PORT` (default 2300); SSH key auth scans every user across every server and account; `LOGICAL` and `PATH` home-directory mappings; host key persists across restarts when `PERSIST_STATE=1` |\n| **EventBridge Scheduler** | CreateSchedule, GetSchedule, UpdateSchedule, DeleteSchedule, ListSchedules, CreateScheduleGroup, GetScheduleGroup, DeleteScheduleGroup, ListScheduleGroups, TagResource, UntagResource, ListTagsForResource | 12 actions; schedule groups with cascading deletes; `rate()`, `cron()`, `at()` expressions; group\u002Fprefix\u002Fstate filters on list; default group auto-created; CFN `AWS::Scheduler::Schedule` and `AWS::Scheduler::ScheduleGroup` supported |\n| **EKS** | CreateCluster, DescribeCluster, ListClusters, DeleteCluster, CreateNodegroup, DescribeNodegroup, ListNodegroups, DeleteNodegroup, TagResource, UntagResource, ListTagsForResource | 11 operations; `CreateCluster` spawns a real **k3s** container (75 MB) with a full Kubernetes API server; `kubectl`, Helm, and any K8s tooling work out of the box; cascading delete removes nodegroups and k3s container; CFN `AWS::EKS::Cluster` and `AWS::EKS::Nodegroup` supported |\n| **OpenSearch Service** | CreateDomain, DescribeDomain, DescribeDomains, DeleteDomain, ListDomainNames, UpdateDomainConfig, DescribeDomainConfig, DescribeDomainChangeProgress, ListVersions, GetCompatibleVersions, AddTags, ListTags, RemoveTags | Management plane on `\u002F2021-01-01\u002F*` (`boto3.client(\"opensearch\")`, SigV4 scope `es`). Default data plane is a stub endpoint (`\u003Cdomain>.ministack.local:9200`) — set `OPENSEARCH_DATAPLANE=1` to spawn one real `opensearchproject\u002Fopensearch` container per `CreateDomain` (same pattern as ElastiCache\u002FRDS); `DescribeDomain.Endpoint` then points at that container and `_cluster\u002Fhealth`\u002F`\u002F_search` work end-to-end. Add `OPENSEARCH_DASHBOARDS=1` (with dataplane on) to also spawn a per-domain `opensearch-dashboards` sidecar; `DescribeDomain.DashboardEndpoint` is populated. ARNs follow `arn:aws:es:\u003Cregion>:\u003Caccount>:domain\u002F\u003Cname>`; Terraform `aws_opensearch_domain` resource compatible. |\n| **Organizations** | DescribeOrganization, ListRoots, ListAccounts, ListAccountsForParent, DescribeAccount, CreateOrganizationalUnit, DescribeOrganizationalUnit, DeleteOrganizationalUnit, ListOrganizationalUnitsForParent | Single-master-account org auto-initialised on first call; nested OUs with `Path` field (additive 2026-03 AWS change); `FeatureSet=ALL` |\n| **Account** | GetAccountInformation, GetContactInformation, ListRegions, GetRegionOptStatus | rest-json `\u002FgetAccountInformation`, etc.; returns `AccountState=ACTIVE` (additive 2026-04 AWS change); 31-region opt-in matrix |\n| **WAF (Classic + Regional)** | List* (17 ops), Get*, GetChangeToken, GetChangeTokenStatus, GetPermissionPolicy, Create*\u002FUpdate*\u002FDelete* (stubbed) | Minimal v1 stub — empty lists for all `List*`, valid ChangeToken on Create\u002FUpdate\u002FDelete; for full features use **wafv2** (also supported) |\n| **Batch** | CreateComputeEnvironment, DescribeComputeEnvironments, CreateJobQueue, DescribeJobQueues, RegisterJobDefinition, DescribeJobDefinitions, SubmitJob, DescribeJobs, ListJobs | Control-plane stub — submitted jobs immediately transition to `SUCCEEDED`; multi-revision job definitions; `jobQueue` lookup by name or ARN; account-scoped state |\n\n---\n\n## Real Database Endpoints (RDS)\n\nWhen you create an RDS instance, MiniStack starts a real database container and returns the actual connection endpoint:\n\n```python\nimport boto3\nimport psycopg2  # pip install psycopg2-binary\n\nrds = boto3.client(\"rds\", endpoint_url=\"http:\u002F\u002Flocalhost:4566\",\n                   aws_access_key_id=\"test\", aws_secret_access_key=\"test\", region_name=\"us-east-1\")\n\nresp = rds.create_db_instance(\n    DBInstanceIdentifier=\"mydb\",\n    DBInstanceClass=\"db.t3.micro\",\n    Engine=\"postgres\",\n    MasterUsername=\"admin\",\n    MasterUserPassword=\"password\",\n    DBName=\"appdb\",\n    AllocatedStorage=20,\n)\n\nendpoint = resp[\"DBInstance\"][\"Endpoint\"]\n# Connect directly — it's a real Postgres instance\nconn = psycopg2.connect(\n    host=endpoint[\"Address\"],   # localhost\n    port=endpoint[\"Port\"],      # 15432 (auto-assigned)\n    user=\"admin\",\n    password=\"password\",\n    dbname=\"appdb\",\n)\n```\n\nSupported engines: `postgres`, `mysql`, `mariadb`, `aurora-postgresql`, `aurora-mysql`\n\n---\n\n## Real Redis Endpoints (ElastiCache)\n\n```python\nimport boto3\nimport redis  # pip install redis\n\nec = boto3.client(\"elasticache\", endpoint_url=\"http:\u002F\u002Flocalhost:4566\",\n                  aws_access_key_id=\"test\", aws_secret_access_key=\"test\", region_name=\"us-east-1\")\n\nresp = ec.create_cache_cluster(\n    CacheClusterId=\"my-redis\",\n    Engine=\"redis\",\n    CacheNodeType=\"cache.t3.micro\",\n    NumCacheNodes=1,\n)\n\nnode = resp[\"CacheCluster\"][\"CacheNodes\"][0][\"Endpoint\"]\nr = redis.Redis(host=node[\"Address\"], port=node[\"Port\"])\nr.set(\"key\", \"value\")\nprint(r.get(\"key\"))  # b'value'\n```\n\nA Redis sidecar is also always available at `localhost:6379` when using Docker Compose.\n\n---\n\n## Athena with Real SQL\n\n> **Requires the full image** (`ministackorg\u002Fministack:full`). The default light image ships without DuckDB and returns mocked results — `SELECT 1+1` will return `1`, not `2`.\n\nAthena queries run via DuckDB and can query files in your local S3 data directory:\n\n```python\nimport boto3, time\n\nathena = boto3.client(\"athena\", endpoint_url=\"http:\u002F\u002Flocalhost:4566\",\n                      aws_access_key_id=\"test\", aws_secret_access_key=\"test\", region_name=\"us-east-1\")\n\n# Query runs real SQL via DuckDB\nresp = athena.start_query_execution(\n    QueryString=\"SELECT 42 AS answer, 'hello' AS greeting\",\n    ResultConfiguration={\"OutputLocation\": \"s3:\u002F\u002Fathena-results\u002F\"},\n)\nquery_id = resp[\"QueryExecutionId\"]\n\n# Poll for result\nwhile True:\n    status = athena.get_query_execution(QueryExecutionId=query_id)\n    if status[\"QueryExecution\"][\"Status\"][\"State\"] == \"SUCCEEDED\":\n        break\n    time.sleep(0.1)\n\nresults = athena.get_query_results(QueryExecutionId=query_id)\nfor row in results[\"ResultSet\"][\"Rows\"][1:]:  # skip header\n    print([col[\"VarCharValue\"] for col in row[\"Data\"]])\n# ['42', 'hello']\n```\n\n---\n\n## ECS with Real Containers\n\n```python\nimport boto3\n\necs = boto3.client(\"ecs\", endpoint_url=\"http:\u002F\u002Flocalhost:4566\",\n                   aws_access_key_id=\"test\", aws_secret_access_key=\"test\", region_name=\"us-east-1\")\n\necs.create_cluster(clusterName=\"dev\")\n\nec","MiniStack 是一个免费且开源的本地 AWS 服务模拟器，支持40多种 AWS 服务，并与 Terraform 兼容。其核心功能包括在一个端口上运行所有服务、使用真实数据库和基础设施（如 RDS 的实际 PostgreSQL\u002FMySQL 容器）、以及极小的资源占用（约270MB镜像大小）。MiniStack 适用于需要在本地环境或 CI\u002FCD 流水线中进行开发和测试的场景，特别适合那些希望从 LocalStack 社区版迁移而来的用户。此外，它还支持快速启动（少于2秒），并提供多种安装选项，包括 PyPI 和 Docker Hub。",2,"2026-06-11 03:48:52","high_star"]