claudeers.

🔓 unclaimed — this page was auto-generated from GitHub. Are you the creator?

Claim this page →
// Uncategorized / Others

ministack

Ministack: Free, open-source local AWS emulator - 55+ services, Terraform compatible, real databases. Free forever. MIT licensed.

// Uncategorized / Others[ cli ][ api ][ web ][ mobile ][ claude ]#claude#aws#aws-emulator#aws-local#aws-sdk#devtools#docker#dynamodb#uncategorizedMIT$open-sourceupdated about 3 hours ago
// install
git clone https://github.com/ministackorg/ministack

MiniStack — Free Open-Source AWS Emulator

MiniStack

Free, open-source local AWS emulator. Free forever.

60+ AWS services on a single port · Multi-account & multi-region · Terraform compatible · Real databases · MIT licensed

Ministack.org · Docker Hub · LinkedIn


Why MiniStack?

LocalStack recently moved its core services behind a paid plan. If you relied on LocalStack Community for local development and CI/CD pipelines, MiniStack is your free alternative.

  • 60+ AWS services emulated on a single port (4566)
  • Drop-in compatible — works with boto3, AWS CLI, Terraform, CDK, Pulumi, any SDK
  • Multi-account & multi-region — a 12-digit access key becomes the account, the SigV4 region scopes the state; isolated tenants and regions on one endpoint, like real AWS
  • Amazon Bedrock locally — Converse / InvokeModel with AWS-exact wire shapes; point MINISTACK_BEDROCK_PROXY_URL at Ollama, llama.cpp, or vLLM and get real completions through the Bedrock API
  • Real infrastructure — RDS spins up actual Postgres/MySQL containers, ElastiCache spins up real Redis, Athena runs real SQL via DuckDB (full image only), ECS runs real Docker containers
  • Tiny footprint — ~270MB image, ~30MB RAM at idle vs LocalStack's ~1GB image and ~500MB RAM
  • Fast startup — under 2 seconds, HTTP/2 (h2c) supported
  • MIT licensed — use it, fork it, contribute to it

Quick Start

# Option 1: PyPI (simplest)
pip install ministack
ministack
# Runs on http://localhost:4566 — use GATEWAY_PORT=XXXX to change

# Option 2: Docker Hub
docker run -p 4566:4566 ministackorg/ministack

# Option 2b: Docker Hub with real infrastructure (RDS, ECS, Lambda containers)
docker run -p 4566:4566 -v /var/run/docker.sock:/var/run/docker.sock ministackorg/ministack

# Option 2c: Full image — Debian/glibc base with DuckDB (Athena), psycopg2, pymysql.
# Larger (~360 MB vs ~110 MB) but enables Athena and native PostgreSQL/MySQL drivers
# that don't ship musllinux wheels. Reports `edition: full` on /_ministack/health.
docker run -p 4566:4566 ministackorg/ministack:full

# Option 3: Clone and build
git clone https://github.com/ministackorg/ministack
cd ministack
docker compose up -d

# Verify (any option)
curl http://localhost:4566/_ministack/health

That's it. No account, no API key, no sign-up.


Internal API

MiniStack exposes internal endpoints for test automation:

# Health check — returns service status
curl http://localhost:4566/_ministack/health

# Reset all state — wipe every service back to empty (useful between test runs)
curl -X POST http://localhost:4566/_ministack/reset

# Reset and re-run init scripts (boot.d + ready.d)
curl -X POST http://localhost:4566/_ministack/reset?init=1

# Runtime config — change service-level settings without restart
curl -X POST http://localhost:4566/_ministack/config \
  -H "Content-Type: application/json" \
  -d '{"lambda_svc.LAMBDA_EXECUTOR": "docker"}'

# Inspect emails sent via SES — returns every message grouped by account
curl http://localhost:4566/_ministack/ses/messages

# Filter by account (12-digit access-key ID used as the account ID)
curl "http://localhost:4566/_ministack/ses/messages?account=000000000000"

# Inspect SQS messages — returns every queue's messages grouped by account
# (includes Body, MessageId, ReceiveCount, VisibleAt, IsVisible, MessageAttributes, FIFO group/dedup)
curl http://localhost:4566/_ministack/sqs/messages

# Filter by account and/or a specific queue
curl "http://localhost:4566/_ministack/sqs/messages?account=000000000000&QueueUrl=http://localhost:4566/000000000000/my-queue"

The reset endpoint is especially useful in CI pipelines and test suites — call it in setUp/beforeEach to get a clean environment for every test without restarting the container. Add ?init=1 to re-run your init scripts after the reset, restoring any resources they create (VPCs, queues, seed data, etc.).

The config endpoint supports these keys:

KeyDescription
lambda_svc.LAMBDA_EXECUTORLambda execution mode (local or docker)
athena.ATHENA_ENGINEAthena query engine (duckdb or mock)
athena.ATHENA_DATA_DIRDirectory for Athena DuckDB data files
stepfunctions._sfn_mock_configSFN mock config (AWS SFN Local compatible)
stepfunctions._SFN_WAIT_SCALEScale factor for Wait state durations and retry sleeps (0 = skip all waits)

To set region or account ID, use environment variables at startup:

docker run -p 4566:4566 \
  -e MINISTACK_REGION=eu-west-1 \
  -e MINISTACK_ACCOUNT_ID=123456789012 \
  ministackorg/ministack

Or use the multi-tenancy feature — a 12-digit access key automatically becomes the account ID (see Multi-Tenancy below).

Also compatible with LocalStack's health endpoint:

curl http://localhost:4566/_localstack/health
curl http://localhost:4566/health

Multi-Tenancy

MiniStack supports lightweight multi-tenancy without any configuration. If the AWS_ACCESS_KEY_ID is a 12-digit number, it is used as the Account ID for all ARN generation. Non-numeric keys (like test) fall back to the MINISTACK_ACCOUNT_ID env var or 000000000000.

# Team A — gets account 111111111111
export AWS_ACCESS_KEY_ID=111111111111
export AWS_SECRET_ACCESS_KEY=anything
aws --endpoint-url=http://localhost:4566 sts get-caller-identity
# → { "Account": "111111111111", ... }

# Team B — gets account 222222222222
export AWS_ACCESS_KEY_ID=222222222222
export AWS_SECRET_ACCESS_KEY=anything
aws --endpoint-url=http://localhost:4566 sts get-caller-identity
# → { "Account": "222222222222", ... }

All ARNs and resource state (SQS queues, Lambda functions, IAM roles, S3 buckets, DynamoDB tables, etc.) are fully isolated per account. Resources with the same name in different accounts never collide. This allows multiple developers or CI pipelines to share a single MiniStack endpoint with complete tenant isolation — no extra setup needed.

Since 1.4.0 state is additionally isolated per region — see Multi-Region below.

Access KeyAccount ID Used
111111111111111111111111
048408301323048408301323
test000000000000 (default)
AKIAIOSFODNN7EXAMPLE000000000000 (default)

Terraform — set access_key in your provider block:

provider "aws" {
  access_key = "048408301323"
  secret_key = "test"
  region     = "us-east-1"
  endpoints { ... }
}

boto3 — pass aws_access_key_id:

boto3.client("s3",
    endpoint_url="http://localhost:4566",
    aws_access_key_id="048408301323",
    aws_secret_access_key="test",
)

Multi-Region

Since 1.4.0, state is isolated per region as well as per account — no configuration needed. The region comes from the SigV4 credential scope (the region_name your SDK or --region your CLI is configured with), so two clients pointed at different regions see fully independent resources, exactly like real AWS:

# Same queue name, two regions — two independent queues
aws --endpoint-url=http://localhost:4566 --region us-east-1 sqs create-queue --queue-name jobs
aws --endpoint-url=http://localhost:4566 --region eu-west-1 sqs create-queue --queue-name jobs

aws --endpoint-url=http://localhost:4566 --region us-east-1 sqs list-queues
# → .../000000000000/jobs   (the us-east-1 queue)
aws --endpoint-url=http://localhost:4566 --region eu-west-1 sqs list-queues
# → .../000000000000/jobs   (a different queue — eu-west-1's)
use1 = boto3.client("dynamodb", endpoint_url="http://localhost:4566",
                    aws_access_key_id="test", aws_secret_access_key="test",
                    region_name="us-east-1")
euw1 = boto3.client("dynamodb", endpoint_url="http://localhost:4566",
                    aws_access_key_id="test", aws_secret_access_key="test",
                    region_name="eu-west-1")

use1.create_table(TableName="users",
    KeySchema=[{"AttributeName": "id", "KeyType": "HASH"}],
    AttributeDefinitions=[{"AttributeName": "id", "AttributeType": "S"}],
    BillingMode="PAY_PER_REQUEST")

use1.list_tables()["TableNames"]   # → ["users"]
euw1.list_tables()["TableNames"]   # → [] — eu-west-1 is independent

Region-isolated services (1.4.0): AppConfig, Bedrock (all four services), CloudWatch, CloudWatch Logs, DynamoDB (tables, metadata, Streams), Lambda (functions, event source mappings, durable executions), MSK, RDS, S3 Tables, Secrets Manager, SQS, SSM Parameter Store, and Step Functions.

Cross-resource references resolve in the referenced ARN's own account and region (SNS→SQS fanout, EventBridge targets, event source mappings), and cross-region references that real AWS rejects return the same errors AWS returns — e.g. invoking a eu-west-1 Lambda from a us-east-1 Step Functions task fails with Functions from 'eu-west-1' are not reachable in this region, exactly as on AWS.

Not yet region-isolated: S3, SNS, IAM/STS, EC2, Kinesis, EventBridge, ECS, ECR, EKS, EFS, KMS, Glue, Athena, API Gateway v1/v2, Cognito, CloudFormation, CloudFront, Route 53, ElastiCache, EMR, Firehose, SES, CodeBuild, AutoScaling, WAF, ACM, Backup, Organizations, EventBridge Scheduler, Transfer Family, AppSync, CloudTrail, and the remaining control-plane services — these share state across regions within an account (as all services did before 1.4.0); use unique resource names there if your tests exercise two regions. Region isolation for them lands in subsequent releases.

Upgrading with PERSIST_STATE=1: existing state files load and migrate automatically (on-disk format v2 with a version stamp — a newer-format file is refused instead of mis-parsed on downgrade). Each record's region is recovered from its stored ARNs; legacy records that carry no ARN migrate to the default region (MINISTACK_REGION).


Using with AWS CLI

# Option A — environment variables (no profile needed)
export AWS_ACCESS_KEY_ID=test
export AWS_SECRET_ACCESS_KEY=test
export AWS_DEFAULT_REGION=us-east-1

aws --endpoint-url=http://localhost:4566 s3 mb s3://my-bucket
aws --endpoint-url=http://localhost:4566 sqs create-queue --queue-name my-queue
aws --endpoint-url=http://localhost:4566 dynamodb list-tables
aws --endpoint-url=http://localhost:4566 sts get-caller-identity

# Option B — named profile (must pass --profile on every command)
aws configure --profile local
# AWS Access Key ID: test
# AWS Secret Access Key: test
# Default region: us-east-1
# Default output format: json

aws --profile local --endpoint-url=http://localhost:4566 s3 mb s3://my-bucket
aws --profile local --endpoint-url=http://localhost:4566 s3 cp ./file.txt s3://my-bucket/
aws --profile local --endpoint-url=http://localhost:4566 sqs create-queue --queue-name my-queue
aws --profile local --endpoint-url=http://localhost:4566 dynamodb list-tables
aws --profile local --endpoint-url=http://localhost:4566 sts get-caller-identity

awslocal wrapper

chmod +x bin/awslocal
./bin/awslocal s3 ls
./bin/awslocal dynamodb list-tables

Using with boto3

import boto3

# All clients use the same endpoint
def client(service):
    return boto3.client(
        service,
        endpoint_url="http://localhost:4566",
        aws_access_key_id="test",
        aws_secret_access_key="test",
        region_name="us-east-1",
    )

# S3
s3 = client("s3")
s3.create_bucket(Bucket="my-bucket")
s3.put_object(Bucket="my-bucket", Key="hello.txt", Body=b"Hello, MiniStack!")
obj = s3.get_object(Bucket="my-bucket", Key="hello.txt")
print(obj["Body"].read())  # b'Hello, MiniStack!'

# SQS
sqs = client("sqs")
q = sqs.create_queue(QueueName="my-queue")
sqs.send_message(QueueUrl=q["QueueUrl"], MessageBody="hello")
msgs = sqs.receive_message(QueueUrl=q["QueueUrl"])
print(msgs["Messages"][0]["Body"])  # hello

# DynamoDB
ddb = client("dynamodb")
ddb.create_table(
    TableName="Users",
    KeySchema=[{"AttributeName": "userId", "KeyType": "HASH"}],
    AttributeDefinitions=[{"AttributeName": "userId", "AttributeType": "S"}],
    BillingMode="PAY_PER_REQUEST",
)
ddb.put_item(TableName="Users", Item={"userId": {"S": "u1"}, "name": {"S": "Alice"}})

# SSM Parameter Store
ssm = client("ssm")
ssm.put_parameter(Name="/app/db/host", Value="localhost", Type="String")
param = ssm.get_parameter(Name="/app/db/host")
print(param["Parameter"]["Value"])  # localhost

# Secrets Manager
sm = client("secretsmanager")
sm.create_secret(Name="db-password", SecretString='{"password":"s3cr3t"}')

# Kinesis
kin = client("kinesis")
kin.create_stream(StreamName="events", ShardCount=1)
kin.put_record(StreamName="events", Data=b'{"event":"click"}', PartitionKey="user1")

# EventBridge
eb = client("events")
eb.put_events(Entries=[{
    "Source": "myapp",
    "DetailType": "UserSignup",
    "Detail": '{"userId": "123"}',
    "EventBusName": "default",
}])

# Step Functions
sfn = client("stepfunctions")
sfn.create_state_machine(
    name="my-workflow",
    definition='{"StartAt":"Hello","States":{"Hello":{"Type":"Pass","End":true}}}',
    roleArn="arn:aws:iam::000000000000:role/role",
)

# Step Functions — TestState API (test a single state in isolation)
# Note: inject_host_prefix=False prevents boto3 from prepending "sync-" to the hostname
from botocore.config import Config as BotoConfig
sfn_test = client("stepfunctions", config=BotoConfig(inject_host_prefix=False))

result = sfn_test.test_state(
    definition='{"Type":"Pass","Result":{"greeting":"hello"},"End":true}',
    input='{"name":"world"}',
)
print(result["status"])  # SUCCEEDED
print(result["output"])  # {"greeting": "hello"}

# TestState with mock — test error handling without calling real services
result = sfn_test.test_state(
    definition=json.dumps({
        "Type": "Task",
        "Resource": "arn:aws:lambda:us-east-1:000000000000:function:my-fn",
        "Catch": [{"ErrorEquals": ["States.ALL"], "Next": "Fallback"}],
        "End": True
    }),
    input='{}',
    inspectionLevel="DEBUG",
    mock={"errorOutput": {"error": "ServiceError", "cause": "Timeout"}},
)
print(result["status"])  # CAUGHT_ERROR
print(result["nextState"])  # Fallback

# EC2
ec2 = client("ec2")
reservation = ec2.run_instances(
    ImageId="ami-00000001",
    MinCount=1,
    MaxCount=1,
    InstanceType="t3.micro",
)
instance_id = reservation["Instances"][0]["InstanceId"]
print(instance_id)  # i-xxxxxxxxxxxxxxxxx

# Security Groups
sg = ec2.create_security_group(GroupName="my-sg", Description="My SG")
ec2.authorize_security_group_ingress(
    GroupId=sg["GroupId"],
    IpPermissions=[{"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
                    "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
)

# VPC / Subnet
vpc = ec2.create_vpc(CidrBlock="10.0.0.0/16")
subnet = ec2.create_subnet(
    VpcId=vpc["Vpc"]["VpcId"],
    CidrBlock="10.0.1.0/24",
    AvailabilityZone="us-east-1a",
)

Supported Services

Core Services

ServiceOperationsNotes
S3CreateBucket, DeleteBucket, ListBuckets, HeadBucket, PutObject, GetObject, DeleteObject, HeadObject, CopyObject, ListObjects v1/v2, DeleteObjects, GetBucketVersioning, PutBucketVersioning, GetBucketEncryption, PutBucketEncryption, DeleteBucketEncryption, GetBucketLifecycleConfiguration, PutBucketLifecycleConfiguration, DeleteBucketLifecycle, GetBucketCors, PutBucketCors, DeleteBucketCors, GetBucketAcl, PutBucketAcl, GetBucketTagging, PutBucketTagging, DeleteBucketTagging, GetBucketPolicy, PutBucketPolicy, DeleteBucketPolicy, GetBucketNotificationConfiguration, PutBucketNotificationConfiguration, GetBucketLogging, PutBucketLogging, ListObjectVersions, CreateMultipartUpload, UploadPart, CompleteMultipartUpload, AbortMultipartUpload, PutObjectLockConfiguration, GetObjectLockConfiguration, PutObjectRetention, GetObjectRetention, PutObjectLegalHold, GetObjectLegalHold, PutBucketReplication, GetBucketReplication, DeleteBucketReplication, GetObjectTagging, PutObjectTagging, DeleteObjectTaggingOptional disk persistence via S3_PERSIST=1; Object Lock with retention & legal hold enforcement on delete; object tags are versioned (?tagging&versionId=… reads, writes, and deletes the per-version tag set)
SQSCreateQueue, DeleteQueue, ListQueues, GetQueueUrl, GetQueueAttributes, SetQueueAttributes, PurgeQueue, SendMessage, ReceiveMessage, DeleteMessage, ChangeMessageVisibility, ChangeMessageVisibilityBatch, SendMessageBatch, DeleteMessageBatch, TagQueue, UntagQueue, ListQueueTagsBoth Query API and JSON protocol; FIFO queues with deduplication; DLQ support
SNSCreateTopic, DeleteTopic, ListTopics, GetTopicAttributes, SetTopicAttributes, Subscribe, Unsubscribe, ListSubscriptions, ListSubscriptionsByTopic, GetSubscriptionAttributes, SetSubscriptionAttributes, ConfirmSubscription, Publish, PublishBatch, TagResource, UntagResource, ListTagsForResource, CreatePlatformApplication, CreatePlatformEndpoint, GetEndpointAttributes, SetEndpointAttributes, DeleteEndpoint, DeletePlatformApplicationSNS→SQS fanout delivery; SNS→Lambda fanout (asynchronous delivery); FIFO topics with 5-minute deduplication, sequence numbers, content-based deduplication, and subscription validation; mobile-push endpoint lifecycle with device-token dedup and Publish to platform-endpoint TargetArn
DynamoDBCreateTable, UpdateTable, DeleteTable, DescribeTable, ListTables, PutItem, GetItem, DeleteItem, UpdateItem, Query, Scan, BatchWriteItem, BatchGetItem, TransactWriteItems, TransactGetItems, DescribeTimeToLive, UpdateTimeToLive, DescribeContinuousBackups, UpdateContinuousBackups, DescribeEndpoints, TagResource, UntagResource, ListTagsOfResource, EnableKinesisStreamingDestination, DisableKinesisStreamingDestination, DescribeKinesisStreamingDestination, UpdateKinesisStreamingDestinationTTL enforced via thread-safe background reaper (60s cadence); DynamoDB Streams — StreamSpecification emits INSERT/MODIFY/REMOVE records on all write operations, respects StreamViewType; Kinesis streaming destinations (aws_dynamodb_kinesis_streaming_destination) fan item mutations out into any Kinesis stream by ARN while the destination is ACTIVE
DynamoDB StreamsListStreams, DescribeStream, GetShardIterator, GetRecordsReads records emitted by the main DynamoDB service via boto3.client("dynamodbstreams") — single synthetic shard per stream; TRIM_HORIZON/LATEST/AT_SEQUENCE_NUMBER/AFTER_SEQUENCE_NUMBER iterator types; NEW_AND_OLD_IMAGES, NEW_IMAGE, OLD_IMAGE, KEYS_ONLY view types; opaque base64 iterator tokens
LambdaCreateFunction, DeleteFunction, GetFunction, GetFunctionConfiguration, ListFunctions, Invoke, UpdateFunctionCode, UpdateFunctionConfiguration, AddPermission, RemovePermission, GetPolicy, ListVersionsByFunction, PublishVersion, CreateAlias, GetAlias, UpdateAlias, DeleteAlias, ListAliases, TagResource, UntagResource, ListTags, CreateEventSourceMapping, DeleteEventSourceMapping, GetEventSourceMapping, ListEventSourceMappings, UpdateEventSourceMapping, CreateFunctionUrlConfig, GetFunctionUrlConfig, UpdateFunctionUrlConfig, DeleteFunctionUrlConfig, ListFunctionUrlConfigs, PutFunctionConcurrency, GetFunctionConcurrency, DeleteFunctionConcurrency, PutFunctionEventInvokeConfig, GetFunctionEventInvokeConfig, DeleteFunctionEventInvokeConfig, PublishLayerVersion, GetLayerVersion, GetLayerVersionByArn, ListLayerVersions, DeleteLayerVersion, ListLayers, AddLayerVersionPermission, RemoveLayerVersionPermission, GetLayerVersionPolicy, CheckpointDurableExecution, GetDurableExecution, GetDurableExecutionState, GetDurableExecutionHistory, ListDurableExecutionsByFunction, StopDurableExecution, SendDurableExecutionCallbackSuccess, SendDurableExecutionCallbackFailure, SendDurableExecutionCallbackHeartbeatPython and Node.js runtimes execute with warm worker pool; provided.al2023/provided.al2 runtimes execute via Docker RIE (Go, Rust, C++ support); Publish=True creates immutable numbered versions; Code via ZipFile, S3Bucket/S3Key (with optional S3ObjectVersion), or ImageUri (Docker image); PackageType: Image pulls and invokes user-provided Docker images via Lambda RIE; SQS, Kinesis, and DynamoDB Streams event source mappings; Function URL CRUD; Lambda Layers CRUD; Aliases; Concurrency; EventInvokeConfig; Durable FunctionsCreateFunction accepts DurableConfig; checkpoint/state/history/list/stop ops at the preview API (2025-12-01); external SendCallback{Success,Failure,Heartbeat} resume the SDK across invocations; resume scheduler fires WAIT expiries, callback timeouts, and step-retry backoffs; verified against the official aws-durable-execution-sdk-python and aws-durable-execution-sdk-java; X-Ray active tracingTracingConfig.Mode=Active injects _X_AMZN_TRACE_ID (Root=1-<hex>-<hex>;Parent=<hex>;Sampled=1) into the runtime per invocation so the AWS X-Ray SDK runs without Missing AWS Lambda trace data; supported on the warm Python / Node executor, provided runtimes, and the local subprocess fallback (docker RIE upstream does not implement X-Ray and is logged but unsupported)
IAMCreateUser, GetUser, ListUsers, DeleteUser, CreateRole, GetRole, ListRoles, DeleteRole, CreatePolicy, GetPolicy, DeletePolicy, AttachRolePolicy, DetachRolePolicy, PutRolePolicy, GetRolePolicy, DeleteRolePolicy, ListRolePolicies, ListAttachedRolePolicies, CreateAccessKey, ListAccessKeys, DeleteAccessKey, UpdateAccessKey, GetAccessKeyLastUsed, CreateInstanceProfile, GetInstanceProfile, DeleteInstanceProfile, AddRoleToInstanceProfile, RemoveRoleFromInstanceProfile, ListInstanceProfiles, TagInstanceProfile, UntagInstanceProfile, ListInstanceProfileTags, CreateGroup, GetGroup, AddUserToGroup, RemoveUserFromGroup, AttachGroupPolicy, DetachGroupPolicy, ListAttachedGroupPolicies, PutGroupPolicy, GetGroupPolicy, DeleteGroupPolicy, ListGroupPolicies, CreateServiceLinkedRole, DeleteServiceLinkedRole, GetServiceLinkedRoleDeletionStatus, CreateOpenIDConnectProvider, ListOpenIDConnectProviders, CreateSAMLProvider, GetSAMLProvider, ListSAMLProviders, UpdateSAMLProvider, DeleteSAMLProvider, CreateLoginProfile, GetLoginProfile, UpdateLoginProfile, DeleteLoginProfile, CreateVirtualMFADevice, EnableMFADevice, DeactivateMFADevice, ResyncMFADevice, ListMFADevices, ListVirtualMFADevices, DeleteVirtualMFADevice, GetAccountAuthorizationDetails, GenerateServiceLastAccessedDetails, GetServiceLastAccessedDetails, TagRole, UntagRole, TagUser, UntagUser, TagPolicy, UntagPolicy, GenerateCredentialReport, GetCredentialReport, GetAccountSummary, GetAccountPasswordPolicy, UpdateAccountPasswordPolicy, DeleteAccountPasswordPolicy, ListAccountAliases, CreateAccountAlias, DeleteAccountAlias
STSGetCallerIdentity, AssumeRole, GetSessionToken, AssumeRoleWithWebIdentity
IMDS (EC2 Instance Metadata)PUT /latest/api/token, GET /latest/meta-data/instance-id, GET /latest/meta-data/iam/security-credentials/, GET /latest/meta-data/iam/security-credentials/<role>, GET /latest/meta-data/iam/info, GET /latest/meta-data/placement/{region,availability-zone,...}, GET /latest/dynamic/instance-identity/documentIMDSv1 + IMDSv2; default credential chain falls through to a ministack-instance-role document with ASIA* session creds. Point SDKs at ministack via AWS_EC2_METADATA_SERVICE_ENDPOINT=http://localhost:4566 (or ec2_metadata_service_endpoint in ~/.aws/config); set MINISTACK_IMDS_V2_REQUIRED=1 to require the token PUT
ECS Task Metadata V4GET /v4/<token>, GET /v4/<token>/task, GET /v4/<token>/stats, GET /v4/<token>/task/statsPer-container token injected as ECS_CONTAINER_METADATA_URI_V4 on every container started by RunTask. /task returns sibling containers in the same task. Containers reach the gateway via host.docker.internal (mapped through extra_hosts: host-gateway, so it works on user-defined Docker networks); networkMode: host containers use loopback. Volatile by design (stripped on persistence, cleared by /_ministack/reset)
ECS Container CredentialsGET /v2/credentials/<uuid>The path real ECS exposes via AWS_CONTAINER_CREDENTIALS_RELATIVE_URI=/v2/credentials/<uuid> (resolved by SDKs against 169.254.170.2). MiniStack serves the same path on the gateway and returns the AWS-strict 5-field credentials document (AccessKeyId, SecretAccessKey, Token, Expiration, RoleArn) — distinct from the IMDS shape served at /latest/meta-data/iam/security-credentials/<role>. RunTask injects AWS_CONTAINER_CREDENTIALS_FULL_URI, AWS_CONTAINER_AUTHORIZATION_TOKEN (satisfies botocore's allow-list for non-loopback gateway hosts), and AWS_ENDPOINT_URL so unmodified SDKs inside the task fetch credentials and route service calls through MiniStack with no client config
SecretsManagerCreateSecret, GetSecretValue, ListSecrets, DeleteSecret, UpdateSecret, DescribeSecret, PutSecretValue, UpdateSecretVersionStage, RestoreSecret, RotateSecret, GetRandomPassword, ListSecretVersionIds, ReplicateSecretToRegions, TagResource, UntagResource, PutResourcePolicy, GetResourcePolicy, DeleteResourcePolicy, ValidateResourcePolicy
CloudWatch LogsCreateLogGroup, DeleteLogGroup, DescribeLogGroups, CreateLogStream, DeleteLogStream, DescribeLogStreams, PutLogEvents, GetLogEvents, FilterLogEvents, PutRetentionPolicy, DeleteRetentionPolicy, PutSubscriptionFilter, DeleteSubscriptionFilter, DescribeSubscriptionFilters, PutMetricFilter, DeleteMetricFilter, DescribeMetricFilters, TagLogGroup, UntagLogGroup, ListTagsLogGroup, TagResource, UntagResource, ListTagsForResource, StartQuery, GetQueryResults, StopQuery, PutDestination, DeleteDestination, DescribeDestinations, PutDestinationPolicyFilterLogEvents supports */? globs, multi-term AND, -term exclusion

Extended Services

ServiceOperationsNotes
SSM Parameter StorePutParameter, GetParameter, GetParameters, GetParametersByPath, DeleteParameter, DeleteParameters, DescribeParameters, GetParameterHistory, LabelParameterVersion, AddTagsToResource, RemoveTagsFromResource, ListTagsForResourceSupports String, SecureString, StringList
EventBridgeCreateEventBus, UpdateEventBus, DeleteEventBus, ListEventBuses, DescribeEventBus, PutRule, DeleteRule, ListRules, DescribeRule, EnableRule, DisableRule, PutTargets, RemoveTargets, ListTargetsByRule, ListRuleNamesByTarget, PutEvents, TestEventPattern, TagResource, UntagResource, ListTagsForResource, CreateArchive, DeleteArchive, DescribeArchive, UpdateArchive, ListArchives, PutPermission, RemovePermission, CreateConnection, DescribeConnection, DeleteConnection, UpdateConnection, DeauthorizeConnection, ListConnections, CreateApiDestination, DescribeApiDestination, DeleteApiDestination, UpdateApiDestination, ListApiDestinations, StartReplay, DescribeReplay, ListReplays, CancelReplay, CreateEndpoint, DeleteEndpoint, DescribeEndpoint, ListEndpoints, UpdateEndpoint, ActivateEventSource, DeactivateEventSource, DescribeEventSource, CreatePartnerEventSource, DeletePartnerEventSource, DescribePartnerEventSource, ListPartnerEventSources, ListPartnerEventSourceAccounts, ListEventSources, PutPartnerEventsLambda target dispatch on PutEvents; S3 EventBridge notifications; archives capture matching events and StartReplay re-dispatches them to the destination bus in a background thread; SaaS/partner APIs are control-plane stubs
KinesisCreateStream, DeleteStream, DescribeStream, DescribeStreamSummary, ListStreams, ListShards, PutRecord, PutRecords, GetShardIterator, GetRecords, IncreaseStreamRetentionPeriod, DecreaseStreamRetentionPeriod, MergeShards, SplitShard, UpdateShardCount, StartStreamEncryption, StopStreamEncryption, EnableEnhancedMonitoring, DisableEnhancedMonitoring, RegisterStreamConsumer, DeregisterStreamConsumer, ListStreamConsumers, DescribeStreamConsumer, AddTagsToStream, RemoveTagsFromStream, ListTagsForStreamPartition key → shard routing; AWS limits enforced (1 MB/record, 500 records/batch, 5 MB payload, 256-char partition key)
CloudWatch MetricsPutMetricData, GetMetricStatistics, GetMetricData, ListMetrics, PutMetricAlarm, PutCompositeAlarm, DescribeAlarms, DescribeAlarmsForMetric, DescribeAlarmHistory, DeleteAlarms, SetAlarmState, EnableAlarmActions, DisableAlarmActions, TagResource, UntagResource, ListTagsForResource, PutDashboard, GetDashboard, DeleteDashboards, ListDashboardsCBOR and JSON protocol
SESSendEmail, SendRawEmail, SendTemplatedEmail, SendBulkTemplatedEmail, VerifyEmailIdentity, VerifyEmailAddress, VerifyDomainIdentity, VerifyDomainDkim, ListIdentities, ListVerifiedEmailAddresses, GetIdentityVerificationAttributes, GetIdentityDkimAttributes, DeleteIdentity, GetSendQuota, GetSendStatistics, SetIdentityNotificationTopic, SetIdentityFeedbackForwardingEnabled, CreateConfigurationSet, DeleteConfigurationSet, DescribeConfigurationSet, ListConfigurationSets, CreateTemplate, GetTemplate, UpdateTemplate, DeleteTemplate, ListTemplatesEmails stored in-memory, not sent
SES v2SendEmail, CreateEmailIdentity, GetEmailIdentity, DeleteEmailIdentity, ListEmailIdentities, CreateConfigurationSet, GetConfigurationSet, DeleteConfigurationSet, ListConfigurationSets, GetAccount, PutAccountSuppressionAttributes, ListSuppressedDestinationsREST API (/v2/email/); identities auto-verified; emails stored in-memory, not sent
ACMRequestCertificate, DescribeCertificate, ListCertificates, DeleteCertificate, GetCertificate, ImportCertificate, AddTagsToCertificate, RemoveTagsFromCertificate, ListTagsForCertificate, UpdateCertificateOptions, RenewCertificate, ResendValidationEmailCertificates auto-issued; DNS validation records generated; supports SANs
BackupCreateBackupVault, DescribeBackupVault, DeleteBackupVault, ListBackupVaults, CreateBackupPlan, GetBackupPlan, UpdateBackupPlan, DeleteBackupPlan, ListBackupPlans, ListBackupPlanVersions, CreateBackupSelection, GetBackupSelection, DeleteBackupSelection, ListBackupSelections, StartBackupJob, StopBackupJob, DescribeBackupJob, ListBackupJobs, TagResource, UntagResource, ListTagsIn-memory; jobs complete immediately; vaults and plans participate in Resource Groups Tagging API
Bedrock66 operations — foundation-model catalog (real model IDs), inference profiles (system + application-managed), guardrails with versioning, custom models, imported models, provisioned model throughput, model customization / import / copy / batch-invocation job families, taggingAll 66 operations verified against botocore bedrock-2023-04-20; camelCase wire format per locationName; account- and region-scoped state
Bedrock RuntimeConverse, ConverseStream, InvokeModel, InvokeModelWithResponseStream, ApplyGuardrail, StartAsyncInvoke, GetAsyncInvoke, ListAsyncInvokesReal eventstream wire format on streaming operations; deterministic family-aware mock responses selected by model ID prefix (anthropic.*, amazon.titan*, amazon.nova*, meta.llama*, mistral.*, cohere.*, ai21.*); verified against botocore bedrock-runtime-2023-09-30
Bedrock Agent72 operations — agents (versions, aliases, action groups, collaborators, agent knowledge bases, PrepareAgent), knowledge bases (data sources, ingestion jobs, documents), flows (aliases, versions, ValidateFlowDefinition, PrepareFlow), prompts with versions, taggingAll 72 operations verified against botocore bedrock-agent-2023-06-05
Bedrock Agent RuntimeInvokeAgent, InvokeInlineAgent, GetAgentMemory, DeleteAgentMemory, Retrieve, RetrieveAndGenerate, RetrieveAndGenerateStream, Rerank, CreateSession, GetSession, UpdateSession, DeleteSession, EndSession, ListSessions, CreateInvocation, ListInvocations, PutInvocationStep, GetInvocationStep, ListInvocationSteps, InvokeFlow, StartFlowExecution, StopFlowExecution, GetFlowExecution, ListFlowExecutions, ListFlowExecutionEvents, GetExecutionFlowSnapshot, OptimizePromptAll 31 operations verified against botocore bedrock-agent-runtime-2023-07-26; eventstream responses on streaming operations
MSKCreateCluster, ListClusters, DescribeCluster, DeleteCluster, GetBootstrapBrokers, ListNodes, CreateConfiguration, ListConfigurations, DescribeConfiguration, ListConfigurationRevisions, DescribeConfigurationRevision, BatchAssociateScramSecret, BatchDisassociateScramSecret, ListScramSecrets, TagResource, UntagResource, ListTagsForResourceKafka control plane; GetBootstrapBrokers honors MINISTACK_MSK_BOOTSTRAP so clients route to a real broker you bring (Redpanda, Kafka, KRaft) — the Kafka wire protocol itself is not emulated
WAF v2CreateWebACL, GetWebACL, UpdateWebACL, DeleteWebACL, ListWebACLs, AssociateWebACL, DisassociateWebACL, GetWebACLForResource, ListResourcesForWebACL, CreateIPSet, GetIPSet, UpdateIPSet, DeleteIPSet, ListIPSets, CreateRuleGroup, GetRuleGroup, UpdateRuleGroup, DeleteRuleGroup, ListRuleGroups, TagResource, UntagResource, ListTagsForResource, CheckCapacity, DescribeManagedRuleGroupLockToken enforced on Update/Delete; resource associations tracked
Step FunctionsCreateStateMachine, DeleteStateMachine, DescribeStateMachine, UpdateStateMachine, ListStateMachines, StartExecution, StartSyncExecution, StopExecution, DescribeExecution, DescribeStateMachineForExecution, ListExecutions, GetExecutionHistory, SendTaskSuccess, SendTaskFailure, SendTaskHeartbeat, CreateActivity, DeleteActivity, DescribeActivity, ListActivities, GetActivityTask, TestState, TagResource, UntagResource, ListTagsForResourceFull ASL interpreter; Retry/Catch; waitForTaskToken; Activities (worker pattern); Pass/Task/Choice/Wait/Succeed/Fail/Map/Parallel; TestState API with mock and inspectionLevel support; SFN_MOCK_CONFIG for AWS SFN Local compatible mock testing; intrinsic functions (States.StringToJson, States.JsonToString, States.JsonMerge, States.Format); nested startExecution.sync
API Gateway v2CreateApi, GetApi, GetApis, UpdateApi, DeleteApi, CreateRoute, GetRoute, GetRoutes, UpdateRoute, DeleteRoute, CreateIntegration, GetIntegration, GetIntegrations, UpdateIntegration, DeleteIntegration, CreateRouteResponse, GetRouteResponse, GetRouteResponses, UpdateRouteResponse, DeleteRouteResponse, CreateIntegrationResponse, GetIntegrationResponse, GetIntegrationResponses, UpdateIntegrationResponse, DeleteIntegrationResponse, CreateStage, GetStage, GetStages, UpdateStage, DeleteStage, CreateDeployment, GetDeployment, GetDeployments, DeleteDeployment, CreateAuthorizer, GetAuthorizer, GetAuthorizers, UpdateAuthorizer, DeleteAuthorizer, TagResource, UntagResource, GetTags, PostToConnection, GetConnection, DeleteConnectionHTTP API and WebSocket API (protocolType=WEBSOCKET); Lambda proxy (AWS_PROXY), HTTP proxy (HTTP_PROXY), and MOCK integrations; HTTP data plane via {apiId}.execute-api.localhost Host header or path-based /_aws/execute-api/{apiId}/{stage}/{path} (no DNS/Host override needed — works from browsers on macOS and strict clients); $default stage served from the URL root (no stage segment in the path); per-API corsConfiguration applied to preflights + dispatched responses; request parameter mapping for HTTP_PROXY (append/overwrite/remove for headers/querystring plus overwrite:path) with context variables including $context.authorizer.jwt.claims; JWT data-plane authorization for HTTP routes (issuer/audience/time/scope checks) and claim propagation to integrations; qualified-alias integration URIs (arn:...:function:<name>:<alias>) resolve to the alias's target version; WebSocket data plane on the same two URL forms, with $connect / $disconnect / $default / custom-action routing, $request.body.* RouteSelectionExpression, @connections management API (PostToConnection / GetConnection / DeleteConnection), per-connection outbox for server-side push; {param} / {proxy+} matching; JWT/Lambda authorizer CRUD; pin apiId across runs with the ms-custom-id tag
API Gateway v1CreateRestApi, GetRestApi, GetRestApis, UpdateRestApi, DeleteRestApi, CreateResource, GetResource, GetResources, UpdateResource, DeleteResource, PutMethod, GetMethod, DeleteMethod, UpdateMethod, PutMethodResponse, GetMethodResponse, DeleteMethodResponse, PutIntegration, GetIntegration, DeleteIntegration, UpdateIntegration, PutIntegrationResponse, GetIntegrationResponse, DeleteIntegrationResponse, CreateDeployment, GetDeployment, GetDeployments, UpdateDeployment, DeleteDeployment, CreateStage, GetStage, GetStages, UpdateStage, DeleteStage, CreateAuthorizer, GetAuthorizer, GetAuthorizers, UpdateAuthorizer, DeleteAuthorizer, CreateModel, GetModel, GetModels, DeleteModel, CreateApiKey, GetApiKey, GetApiKeys, UpdateApiKey, DeleteApiKey, CreateUsagePlan, GetUsagePlan, GetUsagePlans, UpdateUsagePlan, DeleteUsagePlan, CreateUsagePlanKey, GetUsagePlanKeys, DeleteUsagePlanKey, CreateDomainName, GetDomainName, GetDomainNames, DeleteDomainName, CreateBasePathMapping, GetBasePathMapping, GetBasePathMappings, DeleteBasePathMapping, TagResource, UntagResource, GetTagsREST API (v1) protocol; Lambda proxy format 1.0 (AWS_PROXY), HTTP proxy (HTTP_PROXY), MOCK integration; data plane via {apiId}.execute-api.localhost Host header, path-based /_aws/execute-api/{apiId}/{stage}/{path}, or legacy /restapis/{apiId}/{stage}/_user_request_/{path}; qualified-alias integration URIs (arn:...:function:<name>:<alias>) resolve to the alias's target version; resource tree with {param} and {proxy+} path matching; JSON Patch for all PATCH operations; state persistence; pin id across runs with the ms-custom-id tag
ELBv2 / ALBCreateLoadBalancer, DescribeLoadBalancers, DeleteLoadBalancer, DescribeLoadBalancerAttributes, ModifyLoadBalancerAttributes, CreateTargetGroup, DescribeTargetGroups, ModifyTargetGroup, DeleteTargetGroup, DescribeTargetGroupAttributes, ModifyTargetGroupAttributes, CreateListener, DescribeListeners, ModifyListener, DeleteListener, CreateRule, DescribeRules, ModifyRule, DeleteRule, SetRulePriorities, SetSubnets, SetIpAddressType, SetSecurityGroups, RegisterTargets, DeregisterTargets, DescribeTargetHealth, AddTags, RemoveTags, DescribeTagsControl plane + data plane; ALB→Lambda live traffic routing; path-pattern, host-header, http-method, query-string, http-header rule conditions; forward, redirect, fixed-response actions; data plane via {lb-name}.alb.localhost Host header or /_alb/{lb-name}/ path prefix
KMSCreateKey, ListKeys, DescribeKey, GetPublicKey, Sign, Verify, Encrypt, Decrypt, GenerateDataKey, GenerateDataKeyWithoutPlaintext, CreateAlias, DeleteAlias, ListAliases, UpdateAlias, EnableKeyRotation, DisableKeyRotation, GetKeyRotationStatus, GetKeyPolicy, PutKeyPolicy, ListKeyPolicies, EnableKey, DisableKey, ScheduleKeyDeletion, CancelKeyDeletion, TagResource, UntagResource, ListResourceTags27 actions; RSA (2048/4096), ECC (SECG_P256K1, NIST P-256/384/521), Edwards25519 (ECC_NIST_EDWARDS25519 — pure Ed25519 via ED25519_SHA_512 with MessageType=RAW; ED25519_PH_SHA_512 advertised in SigningAlgorithms but returns UnsupportedOperationException until Ed25519ph lands), and symmetric keys; PKCS1v15, PSS, and ECDSA signing; envelope encryption; alias resolution; key rotation; key policies; tags; enable/disable/schedule deletion; full Terraform aws_kms_key compatible; cryptography package included in Docker image
CloudFrontCreateDistribution, GetDistribution, GetDistributionConfig, ListDistributions, UpdateDistribution, DeleteDistribution, CreateInvalidation, ListInvalidations, GetInvalidation, CreateOriginAccessControl, GetOriginAccessControl, GetOriginAccessControlConfig, ListOriginAccessControls, UpdateOriginAccessControl, DeleteOriginAccessControl, CreateFunction, DeleteFunction, DescribeFunction, GetFunction, ListFunctions, PublishFunction, UpdateFunction, KeyValueStore (mgmt): CreateKeyValueStore, DescribeKeyValueStore, ListKeyValueStores, UpdateKeyValueStore, DeleteKeyValueStore, TagResource, UntagResource, ListTagsForResourceREST/XML API; ETag-based optimistic concurrency; Origin config round-trip; Origin Access Control (OAC) with SigV4 signing for S3, MediaStore, Lambda, MediaPackageV2 origins; CloudFront Functions are API stubs (in-memory code + DEVELOPMENT/LIVE ETags for Terraform aws_cloudfront_function) with KeyValueStoreAssociations round-tripped — no TestFunction, no viewer-request JS execution at the edge; UpdateFunction clears the emulated LIVE stage until PublishFunction runs again
CloudFront KeyValueStore (data plane)DescribeKeyValueStore, ListKeys, GetKey, PutKey, DeleteKey, UpdateKeysSeparate cloudfront-keyvaluestore SDK service (REST/JSON, signing name cloudfront-keyvaluestore); ETag-based optimistic concurrency on every mutating op; UpdateKeys is atomic (validates whole batch, rejects on first invalid entry); ListKeys paginates with opaque NextToken capped at 50 results per AWS spec; bridges to the management plane via the shared KVS ARN
CloudTrailLookupEvents, CreateTrail, DeleteTrail, GetTrail, DescribeTrails, ListTrails, UpdateTrail, GetTrailStatus, StartLogging, StopLogging, PutEventSelectors, GetEventSelectors, AddTags, ListTags, RemoveTagsIn-memory audit log; recording opt-in via CLOUDTRAIL_RECORDING=1 (or runtime config endpoint); per-account ring buffer (CLOUDTRAIL_MAX_EVENTS=10000); LookupEvents supports all 8 AWS LookupAttributes; IsLogging flips on Start/StopLogging; CreateTrail/UpdateTrail persist KmsKeyId (normalized to a key ARN; omitted when unset) so aws_cloudtrail converges without drift
Resource GroupsCreateGroup, GetGroup, DeleteGroup, UpdateGroup, ListGroups, GetGroupQuery, UpdateGroupQuery, GetGroupConfiguration, PutGroupConfiguration, GroupResources, UngroupResources, ListGroupResources, ListGroupingStatuses, SearchResources, Tag, Untag, GetTags, GetAccountSettings, UpdateAccountSettings19 of 23 spec ops; tag-sync ops omitted (not exposed by AWS CLI / Terraform); Group accepts bare name or full ARN
Cost & Usage ReportsDeleteReportDefinition, DescribeReportDefinitions, ListTagsForResource, ModifyReportDefinition, PutReportDefinition, TagResource, UntagResource7 of 7 spec ops
Inspector2Enable, Disable, ListFindings, BatchGetFindingDetails, ListCoverage, ListCoverageStatistics, ListFindingAggregations, SearchVulnerabilities, TagResource, UntagResource, ListTagsForResource, CreateFilter, ListFilters, DeleteFilter14 operations; deterministic stub vulnerability findings for ECR images, Lambda functions, and EC2 instances; filtering, sorting, pagination
AmazonMQCreateBroker, ListBrokers, DescribeBrokers, DeleteBrokers, UpdateBroker, RebootBroker, DescribeBrokerEngineTypes, DescribeBrokerInstanceOptions, CreateTags, ListTags, DeleteTags, CreateUser, DeleteUser, ListUsers, UpdateUser, DescribeUser16 of 24 spec ops; No real container support

CloudFormation

FeatureDetails
Stack OperationsCreateStack, UpdateStack, DeleteStack, DescribeStacks, ListStacks, DescribeStackEvents, DescribeStackResource, DescribeStackResources, GetTemplate, ValidateTemplate, GetTemplateSummary
Change SetsCreateChangeSet, DescribeChangeSet, ExecuteChangeSet, DeleteChangeSet, ListChangeSets
ExportsListExports — cross-stack references via Fn::ImportValue
Template FormatsJSON and YAML (including !Ref, !Sub, !GetAtt shorthand tags)
Intrinsic FunctionsRef, Fn::GetAtt, Fn::Join, Fn::Sub (both forms), Fn::Select, Fn::Split, Fn::If, Fn::Equals, Fn::And, Fn::Or, Fn::Not, Fn::Base64, Fn::FindInMap, Fn::ImportValue, Fn::GetAZs, Fn::Cidr
Pseudo-ParametersAWS::StackName, AWS::StackId, AWS::Region, AWS::AccountId, AWS::URLSuffix, AWS::Partition, AWS::NoValue
ParametersDefault values, AllowedValues validation, NoEcho masking, String/Number/CommaDelimitedList types
ConditionsFn::Equals, Fn::And, Fn::Or, Fn::Not — conditional resource creation
RollbackConfigurable via DisableRollback — on failure, previously created resources are cleaned up in reverse dependency order
Async StatusStacks deploy asynchronously (CREATE_IN_PROGRESSCREATE_COMPLETE) — poll with DescribeStacks

Supported Resource Types:

Resource TypeRef ReturnsGetAtt
AWS::S3::BucketBucket nameArn, DomainName, RegionalDomainName, WebsiteURL
AWS::SQS::QueueQueue URLArn, QueueName, QueueUrl
AWS::SNS::TopicTopic ARNTopicArn, TopicName
AWS::SNS::SubscriptionSubscription ARN
AWS::DynamoDB::TableTable nameArn, StreamArn
AWS::Lambda::FunctionFunction nameArn
AWS::IAM::RoleRole nameArn, RoleId
AWS::IAM::PolicyPolicy ARN
AWS::IAM::InstanceProfileProfile nameArn
AWS::SSM::ParameterParameter nameType, Value
AWS::Logs::LogGroupLog group nameArn
AWS::Events::EventBusEventBus nameArn, Name
AWS::Events::RuleRule nameArn
AWS::Kinesis::StreamStream nameArn, StreamId
AWS::Lambda::PermissionStatement ID
AWS::Lambda::VersionVersion ARNVersion
AWS::Lambda::AliasAlias ARN
AWS::Lambda::EventSourceMappingUUID
AWS::S3::BucketPolicyBucket name
AWS::SQS::QueuePolicyPolicy ID
AWS::SNS::TopicPolicyPolicy ID
AWS::ApiGateway::RestApiAPI IDRootResourceId
AWS::ApiGateway::ResourceResource ID
AWS::ApiGateway::MethodMethod ID
AWS::ApiGateway::DeploymentDeployment ID
AWS::ApiGateway::StageStage name
AWS::AppConfig::ApplicationApplication IDApplicationId
AWS::AppSync::GraphQLApiAPI IDArn, GraphQLUrl, ApiId
AWS::AppSync::DataSourceDataSource nameDataSourceArn
AWS::AppSync::ResolverResolver ARNResolverArn
AWS::AppSync::GraphQLSchemaSchema ID
AWS::AppSync::ApiKeyAPI key IDApiKey, Arn
AWS::SecretsManager::SecretSecret ARN
AWS::Cognito::UserPoolPool IDArn, ProviderName
AWS::Cognito::UserPoolClientClient ID
AWS::Cognito::IdentityPoolPool ID
AWS::Cognito::UserPoolDomainDomain
AWS::ECR::RepositoryRepo nameArn, RepositoryUri
AWS::IAM::ManagedPolicyPolicy ARN
AWS::KMS::KeyKey IDArn, KeyId
AWS::KMS::AliasAlias name
AWS::EC2::VPCVPC IDVpcId, DefaultSecurityGroup, DefaultNetworkAcl
AWS::EC2::SubnetSubnet IDSubnetId, AvailabilityZone
AWS::EC2::SecurityGroupSG IDGroupId, VpcId
AWS::EC2::InternetGatewayIGW IDInternetGatewayId
AWS::EC2::VPCGatewayAttachmentAttachment ID
AWS::EC2::RouteTableRTB IDRouteTableId
AWS::EC2::RouteRoute ID
AWS::EC2::SubnetRouteTableAssociationAssociation ID
AWS::EC2::LaunchTemplateLT IDLaunchTemplateId, LaunchTemplateName, DefaultVersionNumber, LatestVersionNumber
AWS::ECS::ClusterCluster nameArn, ClusterName
AWS::ECS::TaskDefinitionTask def ARNTaskDefinitionArn
AWS::ECS::ServiceService ARNServiceArn, Name
AWS::ElasticLoadBalancingV2::LoadBalancerLB ARNArn, DNSName, LoadBalancerFullName, CanonicalHostedZoneID, SecurityGroups
AWS::ElasticLoadBalancingV2::ListenerListener ARNListenerArn, Arn
AWS::Lambda::LayerVersionLayer version ARNLayerVersionArn, Arn
AWS::StepFunctions::StateMachineState machine ARNArn, Name
AWS::Route53::HostedZoneZone IDId, NameServers
AWS::Route53::RecordSetRecord FQDN (trailing dot)Name
AWS::ApiGatewayV2::ApiAPI IDApiId, ApiEndpoint
AWS::ApiGatewayV2::StageStage IDStageName
AWS::ApiGatewayV2::IntegrationIntegration IDIntegrationId
AWS::ApiGatewayV2::RouteRoute IDRouteId
AWS::SES::EmailIdentityIdentityEmailIdentity
AWS::WAFv2::WebACLWebACL IDArn, Id
AWS::CloudFront::DistributionDistribution IDArn, DomainName, Id
AWS::CloudWatch::AlarmAlarm nameArn
AWS::RDS::DBClusterCluster IDArn, Endpoint.Address, Endpoint.Port, ReadEndpoint.Address

view the full README on GitHub.

// compatibility

Platformscli, api, web, mobile
Operating systems
AI compatibilityclaude
LicenseMIT
Pricingopen-source
LanguagePython

// faq

What is ministack?

Ministack: Free, open-source local AWS emulator - 55+ services, Terraform compatible, real databases. Free forever. MIT licensed.. It is open-source on GitHub.

Is ministack free to use?

ministack is open-source under the MIT license, so it is free to use.

What category does ministack belong to?

ministack is listed under uncategorized in the Claudeers registry of Claude-compatible tools.

0 views
3,484 stars
unclaimed
updated about 3 hours ago

// embed badge

ministack on Claudeers
[![Claudeers](https://claudeers.com/api/badge/ministack.svg)](https://claudeers.com/ministack)

// retro hit counter

ministack hit counter
[![Hits](https://claudeers.com/api/counter/ministack.svg)](https://claudeers.com/ministack)

// reviews

// guestbook

0/500

// related in Uncategorized / Others

🔓

Fair-code workflow automation platform with native AI capabilities. Combine visual building with custom code, self-host or cloud, 400+ integrations.

// uncategorizedn8n-io/TypeScript195,721NOASSERTION[ claude ]
🔓

FULL Augment Code, Claude Code, Cluely, CodeBuddy, Comet, Cursor, Devin AI, Junie, Kiro, Leap.new, Lovable, Manus, NotionAI, Orchids.app, Perplexity, Poke, Q…

// uncategorizedx1xhlol/141,492GPL-3.0[ claude ]
🔓

The agent engineering platform.

// uncategorizedlangchain-ai/Python140,862MIT[ claude ]
🔓

100+ AI Agent & RAG apps you can actually run — clone, customize, ship.

// uncategorizedShubhamsaboo/Python116,798Apache-2.0[ claude ]

// built by

→ see how ministack connects across the ecosystem