MiniStack Blog

IAM AWS-managed policies (arn:aws:iam::aws:policy/<Name>) now resolve from any session account, pre-seeded with 20 of the most-referenced canonical documents (Administrator/PowerUser/ReadOnly/SecurityAudit, the AmazonS3/EC2/DynamoDB/SQS/SNS Full and ReadOnly variants, AWSLambdaBasicExecutionRole / VPCAccessExecutionRole, AmazonSSMManagedInstanceCore, AmazonECSTaskExecutionRolePolicy, CloudWatchAgentServerPolicy / LogsFullAccess, AWSCloudFormationFullAccess). Unknown AWS-managed ARNs return NoSuchEntity so typos surface locally; opt in to permissive autovivify with MINISTACK_AUTOCREATE_AWS_MANAGED=1. AttachmentCount is per-session-account. Full 7-operation Cost and Usage Reports service for IaC validation (no cost data emulation — Terraform / CDK / Bash that manages aws_cur_report_definition can now plan and apply locally). Lambda ruby4.0 wired to AWS's official base image (tracking botocore 1.42.94). RDS DescribeDBClusters serialization fixed for DatabaseName / NetworkType / EngineLifecycleSupport; DescribeDBClusterParameters emits <Source>. Two warm-boot persistence gaps closed (CUR was never loading state on import; IAM AttachmentCount sidecar was missing from get_state / restore_state).

EKS CreateCluster works again — the k3s server container is now launched with privileged=True (k3s needs to remount /sys/fs/cgroup, which no granular capability set permits, so it was exiting on boot with failed to evacuate root cgroup). SNS FIFO topics can now subscribe standard SQS queues, matching AWS behaviour since 2023-09-14 — the stale validation that returned InvalidParameterException is removed. RDS CreateDBInstance now honours caller-supplied PreferredMaintenanceWindow instead of hardcoding sun:05:00-sun:06:00.

ECR now speaks the Docker Registry HTTP API V2 protocol on the same gateway as the AWS API. docker push and docker pull against MiniStack work end-to-end: /v2/ ping, _catalog, chunked and single-shot blob uploads, cross-repo blob mounts, manifest PUT/GET/HEAD/DELETE, and tags/list. Pushed images show up immediately in aws ecr describe-images. CloudFormation Custom::* and AWS::CloudFormation::CustomResource resources run the full Create / Update / Delete lifecycle through a local /_ministack/cfn-response/{token} intercept — CDK cr.Provider Lambdas are now supported. Cognito OAuth2 id_token now echoes the client-supplied nonce per OIDC Core 1.0 §3.1.3.7.

CFN templates that declare AWS::DynamoDB::GlobalTable — what CDK TableV2 emits — now provision in MiniStack. KeySchema, AttributeDefinitions, BillingMode, StreamSpecification, GSIs, LSIs, SSESpecification, TimeToLiveSpecification, TableName are honoured. For PROVISIONED billing, WriteProvisionedThroughputSettings.WriteCapacityAutoScalingSettings.MinCapacity (and the read counterpart) translate to static ProvisionedThroughput since the emulator doesn't simulate auto-scaling. Replicas, MultiRegionConsistency, GlobalTableWitnesses, GlobalTableSourceArn, WarmThroughput, and the on-demand throughput settings are accepted and ignored.

Cognito /.well-known/openid-configuration now returns reachable URLs at the MiniStack gateway (was pointing at cognito-idp.<region>.amazonaws.com URLs that don't serve OAuth2 anywhere); response_types_supported advertises both code and token per AWS. Cognito OAuth2 / OIDC endpoints (/oauth2/authorize, /oauth2/token, /oauth2/userInfo, /logout, /.well-known/*) now send wildcard CORS so Amplify, oidc-client-ts, and react-oidc-context work cross-origin. EC2 VPN Connection CRUD plus a DescribeRouteTables fix that emits propagatingVgwSet. EC2 RunInstances honours --private-ip-address and --iam-instance-profile (both were silently dropped; default IPs were malformed). DynamoDB GSI Query pagination now tiebreaks on the base table primary key, so ExclusiveStartKey doesn't drop or cycle items when the GSI sort key collides.

Lambda workers now derive AWS_ACCESS_KEY_ID from the function ARN (warm pool keyed per account), so STS GetCallerIdentity from inside the handler resolves to the owning tenant. EC2 RunInstances auto-attaches a root EBS volume so DescribeInstances emits BlockDeviceMappings matching real AWS — Cloud Custodian and AWS Config policies no longer break. S3 versioned GetObject emits RFC 7231 Last-Modified, fixing AWS SDK for JavaScript v3's strict header parser. EC2 AWS-managed prefix lists return deterministic CIDRs (s3, dynamodb, s3express, vpc-lattice, route53-healthchecks, ec2-instance-connect, cloudfront, groundstation) for Gateway-type VPC endpoints.

Step Functions REST-JSON aws-sdk integrations (e.g. aws-sdk:rdsdata:executeStatement) now expose output keys with the same PascalCase convention as the query and REST-XML dispatchers (Records, NumberOfRecordsUpdated) instead of raw camelCase wire keys, so ResultSelector paths like $.Records resolve correctly.

EC2 DescribeVpcEndpointServices with the standard 2 Gateway + 17 Interface PrivateLink catalog. DynamoDB legacy AttributeUpdates (PUT / DELETE / ADD) for .NET SDK upserts. Step Functions aws-sdk:ec2 security-group dispatch now uses EC2-shaped Filter.1.Value.1 instead of generic member.N; aws-sdk:s3 integrations gain a REST-XML dispatcher covering ListBuckets, CreateBucket, DeleteBucket, HeadBucket, GetBucketVersioning, ListObjectsV2, ListObjects, HeadObject, CopyObject, DeleteObject, GetObjectTagging, PutObjectTagging. SQS ReceiveMessage honours the modern MessageSystemAttributeNames for AWS SDK v2 (Java/Kotlin). CFN AWS::SNS::Subscription honours RawMessageDelivery.

ECS Task Metadata V4 endpoint — every container started by RunTask gets ECS_CONTAINER_METADATA_URI_V4 injected, and the gateway serves /v4/<token>, /v4/<token>/task (with sibling Containers), and /stats. RunTask also translates privileged, linuxParameters.capabilities.add, pidMode: host, and volumes + mountPoints into Docker bind mounts. DynamoDB legacy Expected (PutItem / UpdateItem / DeleteItem) and KeyConditions (Query) now evaluated correctly with all 13 comparison operators and type-aware numeric compare. TransactWriteItems CancellationReasons now reports every failing item, not just the first.

AWS CloudTrail (in-memory audit log + control plane; opt-in via CLOUDTRAIL_RECORDING=1; all 8 LookupAttributes) and AWS Resource Groups (19 of 23 spec ops). Plus a sweep of AWS-spec parity fixes: API Gateway v1 GetUsagePlanKey / HTTP_PROXY path-param substitution / UpdateModel; Transfer Family LOGICAL root home directories; STS Credentials.Expiration int epoch; DynamoDB Item populated on ConditionalCheckFailedException when ReturnValuesOnConditionCheckFailure="ALL_OLD"; CloudFormation AWS::S3::Bucket physical-id preservation across stack updates; CloudFormation AWS::Lambda::Function returns real CodeSize and CodeSha256.

S3 Files (s3files-2025-05-05) routes and shapes now match the published AWS spec end to end: PUT /file-systems (was POST), camelCase request/response bodies, /resource-tags/{resourceId} for tagging, PutSynchronizationConfiguration optimistic concurrency. OpenSearch non-VPC domains stop emitting empty VPCOptions alongside Endpoint, which was causing the Terraform AWS provider to misclassify the domain as VPC-backed and fail. CloudFormation AWS::CloudFront::KeyValueStore provisioning lands with in-place Comment update + ImportSource support on the native CloudFront API.

AWS AppSync Events API (HTTP publish + WebSocket subscribe/publish on the aws-appsync-event-ws subprotocol) and CloudFront KeyValueStore (management plane + the separate cloudfront-keyvaluestore data-plane SDK service). EventBridge cron() now has full AWS-spec parity — L, LW, <n>W, <n>L, <n>#<k> operators and DoM/DoW mutual-exclusion enforced at PutRule. Plus 8 EventBridge AWS-spec divergences fixed (CreatedBy/ManagedBy, PutEvents 10-cap, int Time, exists:false on absent keys, ListRules pagination, opaque NextToken, omitted empty Policy, EventSource state enum).

Bug-fix release. Every JSON-protocol error now carries the x-amzn-errortype response header that Java SDK v2, Go SDK v2, and Rust SDK read — without it they surface SdkClientException: unknown error type instead of the actual code. AppConfig 404 bodies include __type alongside the existing Code/Message. Three previously-stateless services (account, waf-classic, resourcegroupstaggingapi) expose a no-op reset() so /_ministack/reset no longer logs warnings.

Docker image now ships with aws CLI. Write init scripts in Shell or Python with automatic credentials.

We ship multiple releases daily. See the complete changelog with every fix, feature, and contributor credit.