🔓 unclaimed — this page was auto-generated from GitHub. Are you the creator?
Claim this page →
ministack
Ministack: Free, open-source local AWS emulator - 55+ services, Terraform compatible, real databases. Free forever. MIT licensed.
git clone https://github.com/ministackorg/ministack
MiniStack
Free, open-source local AWS emulator. Free forever.
60+ AWS services on a single port · Multi-account & multi-region · Terraform compatible · Real databases · MIT licensed
Ministack.org · Docker Hub · LinkedIn
Why MiniStack?
LocalStack recently moved its core services behind a paid plan. If you relied on LocalStack Community for local development and CI/CD pipelines, MiniStack is your free alternative.
- 60+ AWS services emulated on a single port (4566)
- Drop-in compatible — works with
boto3, AWS CLI, Terraform, CDK, Pulumi, any SDK - Multi-account & multi-region — a 12-digit access key becomes the account, the SigV4 region scopes the state; isolated tenants and regions on one endpoint, like real AWS
- Amazon Bedrock locally — Converse / InvokeModel with AWS-exact wire shapes; point
MINISTACK_BEDROCK_PROXY_URLat Ollama, llama.cpp, or vLLM and get real completions through the Bedrock API - Real infrastructure — RDS spins up actual Postgres/MySQL containers, ElastiCache spins up real Redis, Athena runs real SQL via DuckDB (full image only), ECS runs real Docker containers
- Tiny footprint — ~270MB image, ~30MB RAM at idle vs LocalStack's ~1GB image and ~500MB RAM
- Fast startup — under 2 seconds, HTTP/2 (h2c) supported
- MIT licensed — use it, fork it, contribute to it
Quick Start
# Option 1: PyPI (simplest)
pip install ministack
ministack
# Runs on http://localhost:4566 — use GATEWAY_PORT=XXXX to change
# Option 2: Docker Hub
docker run -p 4566:4566 ministackorg/ministack
# Option 2b: Docker Hub with real infrastructure (RDS, ECS, Lambda containers)
docker run -p 4566:4566 -v /var/run/docker.sock:/var/run/docker.sock ministackorg/ministack
# Option 2c: Full image — Debian/glibc base with DuckDB (Athena), psycopg2, pymysql.
# Larger (~360 MB vs ~110 MB) but enables Athena and native PostgreSQL/MySQL drivers
# that don't ship musllinux wheels. Reports `edition: full` on /_ministack/health.
docker run -p 4566:4566 ministackorg/ministack:full
# Option 3: Clone and build
git clone https://github.com/ministackorg/ministack
cd ministack
docker compose up -d
# Verify (any option)
curl http://localhost:4566/_ministack/health
That's it. No account, no API key, no sign-up.
Internal API
MiniStack exposes internal endpoints for test automation:
# Health check — returns service status
curl http://localhost:4566/_ministack/health
# Reset all state — wipe every service back to empty (useful between test runs)
curl -X POST http://localhost:4566/_ministack/reset
# Reset and re-run init scripts (boot.d + ready.d)
curl -X POST http://localhost:4566/_ministack/reset?init=1
# Runtime config — change service-level settings without restart
curl -X POST http://localhost:4566/_ministack/config \
-H "Content-Type: application/json" \
-d '{"lambda_svc.LAMBDA_EXECUTOR": "docker"}'
# Inspect emails sent via SES — returns every message grouped by account
curl http://localhost:4566/_ministack/ses/messages
# Filter by account (12-digit access-key ID used as the account ID)
curl "http://localhost:4566/_ministack/ses/messages?account=000000000000"
# Inspect SQS messages — returns every queue's messages grouped by account
# (includes Body, MessageId, ReceiveCount, VisibleAt, IsVisible, MessageAttributes, FIFO group/dedup)
curl http://localhost:4566/_ministack/sqs/messages
# Filter by account and/or a specific queue
curl "http://localhost:4566/_ministack/sqs/messages?account=000000000000&QueueUrl=http://localhost:4566/000000000000/my-queue"
The reset endpoint is especially useful in CI pipelines and test suites — call it in setUp/beforeEach to get a clean environment for every test without restarting the container. Add ?init=1 to re-run your init scripts after the reset, restoring any resources they create (VPCs, queues, seed data, etc.).
The config endpoint supports these keys:
| Key | Description |
|---|---|
lambda_svc.LAMBDA_EXECUTOR | Lambda execution mode (local or docker) |
athena.ATHENA_ENGINE | Athena query engine (duckdb or mock) |
athena.ATHENA_DATA_DIR | Directory for Athena DuckDB data files |
stepfunctions._sfn_mock_config | SFN mock config (AWS SFN Local compatible) |
stepfunctions._SFN_WAIT_SCALE | Scale factor for Wait state durations and retry sleeps (0 = skip all waits) |
To set region or account ID, use environment variables at startup:
docker run -p 4566:4566 \
-e MINISTACK_REGION=eu-west-1 \
-e MINISTACK_ACCOUNT_ID=123456789012 \
ministackorg/ministack
Or use the multi-tenancy feature — a 12-digit access key automatically becomes the account ID (see Multi-Tenancy below).
Also compatible with LocalStack's health endpoint:
curl http://localhost:4566/_localstack/health
curl http://localhost:4566/health
Multi-Tenancy
MiniStack supports lightweight multi-tenancy without any configuration. If the AWS_ACCESS_KEY_ID is a 12-digit number, it is used as the Account ID for all ARN generation. Non-numeric keys (like test) fall back to the MINISTACK_ACCOUNT_ID env var or 000000000000.
# Team A — gets account 111111111111
export AWS_ACCESS_KEY_ID=111111111111
export AWS_SECRET_ACCESS_KEY=anything
aws --endpoint-url=http://localhost:4566 sts get-caller-identity
# → { "Account": "111111111111", ... }
# Team B — gets account 222222222222
export AWS_ACCESS_KEY_ID=222222222222
export AWS_SECRET_ACCESS_KEY=anything
aws --endpoint-url=http://localhost:4566 sts get-caller-identity
# → { "Account": "222222222222", ... }
All ARNs and resource state (SQS queues, Lambda functions, IAM roles, S3 buckets, DynamoDB tables, etc.) are fully isolated per account. Resources with the same name in different accounts never collide. This allows multiple developers or CI pipelines to share a single MiniStack endpoint with complete tenant isolation — no extra setup needed.
Since 1.4.0 state is additionally isolated per region — see Multi-Region below.
| Access Key | Account ID Used |
|---|---|
111111111111 | 111111111111 |
048408301323 | 048408301323 |
test | 000000000000 (default) |
AKIAIOSFODNN7EXAMPLE | 000000000000 (default) |
Terraform — set access_key in your provider block:
provider "aws" {
access_key = "048408301323"
secret_key = "test"
region = "us-east-1"
endpoints { ... }
}
boto3 — pass aws_access_key_id:
boto3.client("s3",
endpoint_url="http://localhost:4566",
aws_access_key_id="048408301323",
aws_secret_access_key="test",
)
Multi-Region
Since 1.4.0, state is isolated per region as well as per account — no configuration needed. The region comes from the SigV4 credential scope (the region_name your SDK or --region your CLI is configured with), so two clients pointed at different regions see fully independent resources, exactly like real AWS:
# Same queue name, two regions — two independent queues
aws --endpoint-url=http://localhost:4566 --region us-east-1 sqs create-queue --queue-name jobs
aws --endpoint-url=http://localhost:4566 --region eu-west-1 sqs create-queue --queue-name jobs
aws --endpoint-url=http://localhost:4566 --region us-east-1 sqs list-queues
# → .../000000000000/jobs (the us-east-1 queue)
aws --endpoint-url=http://localhost:4566 --region eu-west-1 sqs list-queues
# → .../000000000000/jobs (a different queue — eu-west-1's)
use1 = boto3.client("dynamodb", endpoint_url="http://localhost:4566",
aws_access_key_id="test", aws_secret_access_key="test",
region_name="us-east-1")
euw1 = boto3.client("dynamodb", endpoint_url="http://localhost:4566",
aws_access_key_id="test", aws_secret_access_key="test",
region_name="eu-west-1")
use1.create_table(TableName="users",
KeySchema=[{"AttributeName": "id", "KeyType": "HASH"}],
AttributeDefinitions=[{"AttributeName": "id", "AttributeType": "S"}],
BillingMode="PAY_PER_REQUEST")
use1.list_tables()["TableNames"] # → ["users"]
euw1.list_tables()["TableNames"] # → [] — eu-west-1 is independent
Region-isolated services (1.4.0): AppConfig, Bedrock (all four services), CloudWatch, CloudWatch Logs, DynamoDB (tables, metadata, Streams), Lambda (functions, event source mappings, durable executions), MSK, RDS, S3 Tables, Secrets Manager, SQS, SSM Parameter Store, and Step Functions.
Cross-resource references resolve in the referenced ARN's own account and region (SNS→SQS fanout, EventBridge targets, event source mappings), and cross-region references that real AWS rejects return the same errors AWS returns — e.g. invoking a eu-west-1 Lambda from a us-east-1 Step Functions task fails with Functions from 'eu-west-1' are not reachable in this region, exactly as on AWS.
Not yet region-isolated: S3, SNS, IAM/STS, EC2, Kinesis, EventBridge, ECS, ECR, EKS, EFS, KMS, Glue, Athena, API Gateway v1/v2, Cognito, CloudFormation, CloudFront, Route 53, ElastiCache, EMR, Firehose, SES, CodeBuild, AutoScaling, WAF, ACM, Backup, Organizations, EventBridge Scheduler, Transfer Family, AppSync, CloudTrail, and the remaining control-plane services — these share state across regions within an account (as all services did before 1.4.0); use unique resource names there if your tests exercise two regions. Region isolation for them lands in subsequent releases.
Upgrading with PERSIST_STATE=1: existing state files load and migrate automatically (on-disk format v2 with a version stamp — a newer-format file is refused instead of mis-parsed on downgrade). Each record's region is recovered from its stored ARNs; legacy records that carry no ARN migrate to the default region (MINISTACK_REGION).
Using with AWS CLI
# Option A — environment variables (no profile needed)
export AWS_ACCESS_KEY_ID=test
export AWS_SECRET_ACCESS_KEY=test
export AWS_DEFAULT_REGION=us-east-1
aws --endpoint-url=http://localhost:4566 s3 mb s3://my-bucket
aws --endpoint-url=http://localhost:4566 sqs create-queue --queue-name my-queue
aws --endpoint-url=http://localhost:4566 dynamodb list-tables
aws --endpoint-url=http://localhost:4566 sts get-caller-identity
# Option B — named profile (must pass --profile on every command)
aws configure --profile local
# AWS Access Key ID: test
# AWS Secret Access Key: test
# Default region: us-east-1
# Default output format: json
aws --profile local --endpoint-url=http://localhost:4566 s3 mb s3://my-bucket
aws --profile local --endpoint-url=http://localhost:4566 s3 cp ./file.txt s3://my-bucket/
aws --profile local --endpoint-url=http://localhost:4566 sqs create-queue --queue-name my-queue
aws --profile local --endpoint-url=http://localhost:4566 dynamodb list-tables
aws --profile local --endpoint-url=http://localhost:4566 sts get-caller-identity
awslocal wrapper
chmod +x bin/awslocal
./bin/awslocal s3 ls
./bin/awslocal dynamodb list-tables
Using with boto3
import boto3
# All clients use the same endpoint
def client(service):
return boto3.client(
service,
endpoint_url="http://localhost:4566",
aws_access_key_id="test",
aws_secret_access_key="test",
region_name="us-east-1",
)
# S3
s3 = client("s3")
s3.create_bucket(Bucket="my-bucket")
s3.put_object(Bucket="my-bucket", Key="hello.txt", Body=b"Hello, MiniStack!")
obj = s3.get_object(Bucket="my-bucket", Key="hello.txt")
print(obj["Body"].read()) # b'Hello, MiniStack!'
# SQS
sqs = client("sqs")
q = sqs.create_queue(QueueName="my-queue")
sqs.send_message(QueueUrl=q["QueueUrl"], MessageBody="hello")
msgs = sqs.receive_message(QueueUrl=q["QueueUrl"])
print(msgs["Messages"][0]["Body"]) # hello
# DynamoDB
ddb = client("dynamodb")
ddb.create_table(
TableName="Users",
KeySchema=[{"AttributeName": "userId", "KeyType": "HASH"}],
AttributeDefinitions=[{"AttributeName": "userId", "AttributeType": "S"}],
BillingMode="PAY_PER_REQUEST",
)
ddb.put_item(TableName="Users", Item={"userId": {"S": "u1"}, "name": {"S": "Alice"}})
# SSM Parameter Store
ssm = client("ssm")
ssm.put_parameter(Name="/app/db/host", Value="localhost", Type="String")
param = ssm.get_parameter(Name="/app/db/host")
print(param["Parameter"]["Value"]) # localhost
# Secrets Manager
sm = client("secretsmanager")
sm.create_secret(Name="db-password", SecretString='{"password":"s3cr3t"}')
# Kinesis
kin = client("kinesis")
kin.create_stream(StreamName="events", ShardCount=1)
kin.put_record(StreamName="events", Data=b'{"event":"click"}', PartitionKey="user1")
# EventBridge
eb = client("events")
eb.put_events(Entries=[{
"Source": "myapp",
"DetailType": "UserSignup",
"Detail": '{"userId": "123"}',
"EventBusName": "default",
}])
# Step Functions
sfn = client("stepfunctions")
sfn.create_state_machine(
name="my-workflow",
definition='{"StartAt":"Hello","States":{"Hello":{"Type":"Pass","End":true}}}',
roleArn="arn:aws:iam::000000000000:role/role",
)
# Step Functions — TestState API (test a single state in isolation)
# Note: inject_host_prefix=False prevents boto3 from prepending "sync-" to the hostname
from botocore.config import Config as BotoConfig
sfn_test = client("stepfunctions", config=BotoConfig(inject_host_prefix=False))
result = sfn_test.test_state(
definition='{"Type":"Pass","Result":{"greeting":"hello"},"End":true}',
input='{"name":"world"}',
)
print(result["status"]) # SUCCEEDED
print(result["output"]) # {"greeting": "hello"}
# TestState with mock — test error handling without calling real services
result = sfn_test.test_state(
definition=json.dumps({
"Type": "Task",
"Resource": "arn:aws:lambda:us-east-1:000000000000:function:my-fn",
"Catch": [{"ErrorEquals": ["States.ALL"], "Next": "Fallback"}],
"End": True
}),
input='{}',
inspectionLevel="DEBUG",
mock={"errorOutput": {"error": "ServiceError", "cause": "Timeout"}},
)
print(result["status"]) # CAUGHT_ERROR
print(result["nextState"]) # Fallback
# EC2
ec2 = client("ec2")
reservation = ec2.run_instances(
ImageId="ami-00000001",
MinCount=1,
MaxCount=1,
InstanceType="t3.micro",
)
instance_id = reservation["Instances"][0]["InstanceId"]
print(instance_id) # i-xxxxxxxxxxxxxxxxx
# Security Groups
sg = ec2.create_security_group(GroupName="my-sg", Description="My SG")
ec2.authorize_security_group_ingress(
GroupId=sg["GroupId"],
IpPermissions=[{"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
"IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
)
# VPC / Subnet
vpc = ec2.create_vpc(CidrBlock="10.0.0.0/16")
subnet = ec2.create_subnet(
VpcId=vpc["Vpc"]["VpcId"],
CidrBlock="10.0.1.0/24",
AvailabilityZone="us-east-1a",
)
Supported Services
Core Services
| Service | Operations | Notes |
|---|---|---|
| S3 | CreateBucket, DeleteBucket, ListBuckets, HeadBucket, PutObject, GetObject, DeleteObject, HeadObject, CopyObject, ListObjects v1/v2, DeleteObjects, GetBucketVersioning, PutBucketVersioning, GetBucketEncryption, PutBucketEncryption, DeleteBucketEncryption, GetBucketLifecycleConfiguration, PutBucketLifecycleConfiguration, DeleteBucketLifecycle, GetBucketCors, PutBucketCors, DeleteBucketCors, GetBucketAcl, PutBucketAcl, GetBucketTagging, PutBucketTagging, DeleteBucketTagging, GetBucketPolicy, PutBucketPolicy, DeleteBucketPolicy, GetBucketNotificationConfiguration, PutBucketNotificationConfiguration, GetBucketLogging, PutBucketLogging, ListObjectVersions, CreateMultipartUpload, UploadPart, CompleteMultipartUpload, AbortMultipartUpload, PutObjectLockConfiguration, GetObjectLockConfiguration, PutObjectRetention, GetObjectRetention, PutObjectLegalHold, GetObjectLegalHold, PutBucketReplication, GetBucketReplication, DeleteBucketReplication, GetObjectTagging, PutObjectTagging, DeleteObjectTagging | Optional disk persistence via S3_PERSIST=1; Object Lock with retention & legal hold enforcement on delete; object tags are versioned (?tagging&versionId=… reads, writes, and deletes the per-version tag set) |
| SQS | CreateQueue, DeleteQueue, ListQueues, GetQueueUrl, GetQueueAttributes, SetQueueAttributes, PurgeQueue, SendMessage, ReceiveMessage, DeleteMessage, ChangeMessageVisibility, ChangeMessageVisibilityBatch, SendMessageBatch, DeleteMessageBatch, TagQueue, UntagQueue, ListQueueTags | Both Query API and JSON protocol; FIFO queues with deduplication; DLQ support |
| SNS | CreateTopic, DeleteTopic, ListTopics, GetTopicAttributes, SetTopicAttributes, Subscribe, Unsubscribe, ListSubscriptions, ListSubscriptionsByTopic, GetSubscriptionAttributes, SetSubscriptionAttributes, ConfirmSubscription, Publish, PublishBatch, TagResource, UntagResource, ListTagsForResource, CreatePlatformApplication, CreatePlatformEndpoint, GetEndpointAttributes, SetEndpointAttributes, DeleteEndpoint, DeletePlatformApplication | SNS→SQS fanout delivery; SNS→Lambda fanout (asynchronous delivery); FIFO topics with 5-minute deduplication, sequence numbers, content-based deduplication, and subscription validation; mobile-push endpoint lifecycle with device-token dedup and Publish to platform-endpoint TargetArn |
| DynamoDB | CreateTable, UpdateTable, DeleteTable, DescribeTable, ListTables, PutItem, GetItem, DeleteItem, UpdateItem, Query, Scan, BatchWriteItem, BatchGetItem, TransactWriteItems, TransactGetItems, DescribeTimeToLive, UpdateTimeToLive, DescribeContinuousBackups, UpdateContinuousBackups, DescribeEndpoints, TagResource, UntagResource, ListTagsOfResource, EnableKinesisStreamingDestination, DisableKinesisStreamingDestination, DescribeKinesisStreamingDestination, UpdateKinesisStreamingDestination | TTL enforced via thread-safe background reaper (60s cadence); DynamoDB Streams — StreamSpecification emits INSERT/MODIFY/REMOVE records on all write operations, respects StreamViewType; Kinesis streaming destinations (aws_dynamodb_kinesis_streaming_destination) fan item mutations out into any Kinesis stream by ARN while the destination is ACTIVE |
| DynamoDB Streams | ListStreams, DescribeStream, GetShardIterator, GetRecords | Reads records emitted by the main DynamoDB service via boto3.client("dynamodbstreams") — single synthetic shard per stream; TRIM_HORIZON/LATEST/AT_SEQUENCE_NUMBER/AFTER_SEQUENCE_NUMBER iterator types; NEW_AND_OLD_IMAGES, NEW_IMAGE, OLD_IMAGE, KEYS_ONLY view types; opaque base64 iterator tokens |
| Lambda | CreateFunction, DeleteFunction, GetFunction, GetFunctionConfiguration, ListFunctions, Invoke, UpdateFunctionCode, UpdateFunctionConfiguration, AddPermission, RemovePermission, GetPolicy, ListVersionsByFunction, PublishVersion, CreateAlias, GetAlias, UpdateAlias, DeleteAlias, ListAliases, TagResource, UntagResource, ListTags, CreateEventSourceMapping, DeleteEventSourceMapping, GetEventSourceMapping, ListEventSourceMappings, UpdateEventSourceMapping, CreateFunctionUrlConfig, GetFunctionUrlConfig, UpdateFunctionUrlConfig, DeleteFunctionUrlConfig, ListFunctionUrlConfigs, PutFunctionConcurrency, GetFunctionConcurrency, DeleteFunctionConcurrency, PutFunctionEventInvokeConfig, GetFunctionEventInvokeConfig, DeleteFunctionEventInvokeConfig, PublishLayerVersion, GetLayerVersion, GetLayerVersionByArn, ListLayerVersions, DeleteLayerVersion, ListLayers, AddLayerVersionPermission, RemoveLayerVersionPermission, GetLayerVersionPolicy, CheckpointDurableExecution, GetDurableExecution, GetDurableExecutionState, GetDurableExecutionHistory, ListDurableExecutionsByFunction, StopDurableExecution, SendDurableExecutionCallbackSuccess, SendDurableExecutionCallbackFailure, SendDurableExecutionCallbackHeartbeat | Python and Node.js runtimes execute with warm worker pool; provided.al2023/provided.al2 runtimes execute via Docker RIE (Go, Rust, C++ support); Publish=True creates immutable numbered versions; Code via ZipFile, S3Bucket/S3Key (with optional S3ObjectVersion), or ImageUri (Docker image); PackageType: Image pulls and invokes user-provided Docker images via Lambda RIE; SQS, Kinesis, and DynamoDB Streams event source mappings; Function URL CRUD; Lambda Layers CRUD; Aliases; Concurrency; EventInvokeConfig; Durable Functions — CreateFunction accepts DurableConfig; checkpoint/state/history/list/stop ops at the preview API (2025-12-01); external SendCallback{Success,Failure,Heartbeat} resume the SDK across invocations; resume scheduler fires WAIT expiries, callback timeouts, and step-retry backoffs; verified against the official aws-durable-execution-sdk-python and aws-durable-execution-sdk-java; X-Ray active tracing — TracingConfig.Mode=Active injects _X_AMZN_TRACE_ID (Root=1-<hex>-<hex>;Parent=<hex>;Sampled=1) into the runtime per invocation so the AWS X-Ray SDK runs without Missing AWS Lambda trace data; supported on the warm Python / Node executor, provided runtimes, and the local subprocess fallback (docker RIE upstream does not implement X-Ray and is logged but unsupported) |
| IAM | CreateUser, GetUser, ListUsers, DeleteUser, CreateRole, GetRole, ListRoles, DeleteRole, CreatePolicy, GetPolicy, DeletePolicy, AttachRolePolicy, DetachRolePolicy, PutRolePolicy, GetRolePolicy, DeleteRolePolicy, ListRolePolicies, ListAttachedRolePolicies, CreateAccessKey, ListAccessKeys, DeleteAccessKey, UpdateAccessKey, GetAccessKeyLastUsed, CreateInstanceProfile, GetInstanceProfile, DeleteInstanceProfile, AddRoleToInstanceProfile, RemoveRoleFromInstanceProfile, ListInstanceProfiles, TagInstanceProfile, UntagInstanceProfile, ListInstanceProfileTags, CreateGroup, GetGroup, AddUserToGroup, RemoveUserFromGroup, AttachGroupPolicy, DetachGroupPolicy, ListAttachedGroupPolicies, PutGroupPolicy, GetGroupPolicy, DeleteGroupPolicy, ListGroupPolicies, CreateServiceLinkedRole, DeleteServiceLinkedRole, GetServiceLinkedRoleDeletionStatus, CreateOpenIDConnectProvider, ListOpenIDConnectProviders, CreateSAMLProvider, GetSAMLProvider, ListSAMLProviders, UpdateSAMLProvider, DeleteSAMLProvider, CreateLoginProfile, GetLoginProfile, UpdateLoginProfile, DeleteLoginProfile, CreateVirtualMFADevice, EnableMFADevice, DeactivateMFADevice, ResyncMFADevice, ListMFADevices, ListVirtualMFADevices, DeleteVirtualMFADevice, GetAccountAuthorizationDetails, GenerateServiceLastAccessedDetails, GetServiceLastAccessedDetails, TagRole, UntagRole, TagUser, UntagUser, TagPolicy, UntagPolicy, GenerateCredentialReport, GetCredentialReport, GetAccountSummary, GetAccountPasswordPolicy, UpdateAccountPasswordPolicy, DeleteAccountPasswordPolicy, ListAccountAliases, CreateAccountAlias, DeleteAccountAlias | |
| STS | GetCallerIdentity, AssumeRole, GetSessionToken, AssumeRoleWithWebIdentity | |
| IMDS (EC2 Instance Metadata) | PUT /latest/api/token, GET /latest/meta-data/instance-id, GET /latest/meta-data/iam/security-credentials/, GET /latest/meta-data/iam/security-credentials/<role>, GET /latest/meta-data/iam/info, GET /latest/meta-data/placement/{region,availability-zone,...}, GET /latest/dynamic/instance-identity/document | IMDSv1 + IMDSv2; default credential chain falls through to a ministack-instance-role document with ASIA* session creds. Point SDKs at ministack via AWS_EC2_METADATA_SERVICE_ENDPOINT=http://localhost:4566 (or ec2_metadata_service_endpoint in ~/.aws/config); set MINISTACK_IMDS_V2_REQUIRED=1 to require the token PUT |
| ECS Task Metadata V4 | GET /v4/<token>, GET /v4/<token>/task, GET /v4/<token>/stats, GET /v4/<token>/task/stats | Per-container token injected as ECS_CONTAINER_METADATA_URI_V4 on every container started by RunTask. /task returns sibling containers in the same task. Containers reach the gateway via host.docker.internal (mapped through extra_hosts: host-gateway, so it works on user-defined Docker networks); networkMode: host containers use loopback. Volatile by design (stripped on persistence, cleared by /_ministack/reset) |
| ECS Container Credentials | GET /v2/credentials/<uuid> | The path real ECS exposes via AWS_CONTAINER_CREDENTIALS_RELATIVE_URI=/v2/credentials/<uuid> (resolved by SDKs against 169.254.170.2). MiniStack serves the same path on the gateway and returns the AWS-strict 5-field credentials document (AccessKeyId, SecretAccessKey, Token, Expiration, RoleArn) — distinct from the IMDS shape served at /latest/meta-data/iam/security-credentials/<role>. RunTask injects AWS_CONTAINER_CREDENTIALS_FULL_URI, AWS_CONTAINER_AUTHORIZATION_TOKEN (satisfies botocore's allow-list for non-loopback gateway hosts), and AWS_ENDPOINT_URL so unmodified SDKs inside the task fetch credentials and route service calls through MiniStack with no client config |
| SecretsManager | CreateSecret, GetSecretValue, ListSecrets, DeleteSecret, UpdateSecret, DescribeSecret, PutSecretValue, UpdateSecretVersionStage, RestoreSecret, RotateSecret, GetRandomPassword, ListSecretVersionIds, ReplicateSecretToRegions, TagResource, UntagResource, PutResourcePolicy, GetResourcePolicy, DeleteResourcePolicy, ValidateResourcePolicy | |
| CloudWatch Logs | CreateLogGroup, DeleteLogGroup, DescribeLogGroups, CreateLogStream, DeleteLogStream, DescribeLogStreams, PutLogEvents, GetLogEvents, FilterLogEvents, PutRetentionPolicy, DeleteRetentionPolicy, PutSubscriptionFilter, DeleteSubscriptionFilter, DescribeSubscriptionFilters, PutMetricFilter, DeleteMetricFilter, DescribeMetricFilters, TagLogGroup, UntagLogGroup, ListTagsLogGroup, TagResource, UntagResource, ListTagsForResource, StartQuery, GetQueryResults, StopQuery, PutDestination, DeleteDestination, DescribeDestinations, PutDestinationPolicy | FilterLogEvents supports */? globs, multi-term AND, -term exclusion |
Extended Services
| Service | Operations | Notes |
|---|---|---|
| SSM Parameter Store | PutParameter, GetParameter, GetParameters, GetParametersByPath, DeleteParameter, DeleteParameters, DescribeParameters, GetParameterHistory, LabelParameterVersion, AddTagsToResource, RemoveTagsFromResource, ListTagsForResource | Supports String, SecureString, StringList |
| EventBridge | CreateEventBus, UpdateEventBus, DeleteEventBus, ListEventBuses, DescribeEventBus, PutRule, DeleteRule, ListRules, DescribeRule, EnableRule, DisableRule, PutTargets, RemoveTargets, ListTargetsByRule, ListRuleNamesByTarget, PutEvents, TestEventPattern, TagResource, UntagResource, ListTagsForResource, CreateArchive, DeleteArchive, DescribeArchive, UpdateArchive, ListArchives, PutPermission, RemovePermission, CreateConnection, DescribeConnection, DeleteConnection, UpdateConnection, DeauthorizeConnection, ListConnections, CreateApiDestination, DescribeApiDestination, DeleteApiDestination, UpdateApiDestination, ListApiDestinations, StartReplay, DescribeReplay, ListReplays, CancelReplay, CreateEndpoint, DeleteEndpoint, DescribeEndpoint, ListEndpoints, UpdateEndpoint, ActivateEventSource, DeactivateEventSource, DescribeEventSource, CreatePartnerEventSource, DeletePartnerEventSource, DescribePartnerEventSource, ListPartnerEventSources, ListPartnerEventSourceAccounts, ListEventSources, PutPartnerEvents | Lambda target dispatch on PutEvents; S3 EventBridge notifications; archives capture matching events and StartReplay re-dispatches them to the destination bus in a background thread; SaaS/partner APIs are control-plane stubs |
| Kinesis | CreateStream, DeleteStream, DescribeStream, DescribeStreamSummary, ListStreams, ListShards, PutRecord, PutRecords, GetShardIterator, GetRecords, IncreaseStreamRetentionPeriod, DecreaseStreamRetentionPeriod, MergeShards, SplitShard, UpdateShardCount, StartStreamEncryption, StopStreamEncryption, EnableEnhancedMonitoring, DisableEnhancedMonitoring, RegisterStreamConsumer, DeregisterStreamConsumer, ListStreamConsumers, DescribeStreamConsumer, AddTagsToStream, RemoveTagsFromStream, ListTagsForStream | Partition key → shard routing; AWS limits enforced (1 MB/record, 500 records/batch, 5 MB payload, 256-char partition key) |
| CloudWatch Metrics | PutMetricData, GetMetricStatistics, GetMetricData, ListMetrics, PutMetricAlarm, PutCompositeAlarm, DescribeAlarms, DescribeAlarmsForMetric, DescribeAlarmHistory, DeleteAlarms, SetAlarmState, EnableAlarmActions, DisableAlarmActions, TagResource, UntagResource, ListTagsForResource, PutDashboard, GetDashboard, DeleteDashboards, ListDashboards | CBOR and JSON protocol |
| SES | SendEmail, SendRawEmail, SendTemplatedEmail, SendBulkTemplatedEmail, VerifyEmailIdentity, VerifyEmailAddress, VerifyDomainIdentity, VerifyDomainDkim, ListIdentities, ListVerifiedEmailAddresses, GetIdentityVerificationAttributes, GetIdentityDkimAttributes, DeleteIdentity, GetSendQuota, GetSendStatistics, SetIdentityNotificationTopic, SetIdentityFeedbackForwardingEnabled, CreateConfigurationSet, DeleteConfigurationSet, DescribeConfigurationSet, ListConfigurationSets, CreateTemplate, GetTemplate, UpdateTemplate, DeleteTemplate, ListTemplates | Emails stored in-memory, not sent |
| SES v2 | SendEmail, CreateEmailIdentity, GetEmailIdentity, DeleteEmailIdentity, ListEmailIdentities, CreateConfigurationSet, GetConfigurationSet, DeleteConfigurationSet, ListConfigurationSets, GetAccount, PutAccountSuppressionAttributes, ListSuppressedDestinations | REST API (/v2/email/); identities auto-verified; emails stored in-memory, not sent |
| ACM | RequestCertificate, DescribeCertificate, ListCertificates, DeleteCertificate, GetCertificate, ImportCertificate, AddTagsToCertificate, RemoveTagsFromCertificate, ListTagsForCertificate, UpdateCertificateOptions, RenewCertificate, ResendValidationEmail | Certificates auto-issued; DNS validation records generated; supports SANs |
| Backup | CreateBackupVault, DescribeBackupVault, DeleteBackupVault, ListBackupVaults, CreateBackupPlan, GetBackupPlan, UpdateBackupPlan, DeleteBackupPlan, ListBackupPlans, ListBackupPlanVersions, CreateBackupSelection, GetBackupSelection, DeleteBackupSelection, ListBackupSelections, StartBackupJob, StopBackupJob, DescribeBackupJob, ListBackupJobs, TagResource, UntagResource, ListTags | In-memory; jobs complete immediately; vaults and plans participate in Resource Groups Tagging API |
| Bedrock | 66 operations — foundation-model catalog (real model IDs), inference profiles (system + application-managed), guardrails with versioning, custom models, imported models, provisioned model throughput, model customization / import / copy / batch-invocation job families, tagging | All 66 operations verified against botocore bedrock-2023-04-20; camelCase wire format per locationName; account- and region-scoped state |
| Bedrock Runtime | Converse, ConverseStream, InvokeModel, InvokeModelWithResponseStream, ApplyGuardrail, StartAsyncInvoke, GetAsyncInvoke, ListAsyncInvokes | Real eventstream wire format on streaming operations; deterministic family-aware mock responses selected by model ID prefix (anthropic.*, amazon.titan*, amazon.nova*, meta.llama*, mistral.*, cohere.*, ai21.*); verified against botocore bedrock-runtime-2023-09-30 |
| Bedrock Agent | 72 operations — agents (versions, aliases, action groups, collaborators, agent knowledge bases, PrepareAgent), knowledge bases (data sources, ingestion jobs, documents), flows (aliases, versions, ValidateFlowDefinition, PrepareFlow), prompts with versions, tagging | All 72 operations verified against botocore bedrock-agent-2023-06-05 |
| Bedrock Agent Runtime | InvokeAgent, InvokeInlineAgent, GetAgentMemory, DeleteAgentMemory, Retrieve, RetrieveAndGenerate, RetrieveAndGenerateStream, Rerank, CreateSession, GetSession, UpdateSession, DeleteSession, EndSession, ListSessions, CreateInvocation, ListInvocations, PutInvocationStep, GetInvocationStep, ListInvocationSteps, InvokeFlow, StartFlowExecution, StopFlowExecution, GetFlowExecution, ListFlowExecutions, ListFlowExecutionEvents, GetExecutionFlowSnapshot, OptimizePrompt | All 31 operations verified against botocore bedrock-agent-runtime-2023-07-26; eventstream responses on streaming operations |
| MSK | CreateCluster, ListClusters, DescribeCluster, DeleteCluster, GetBootstrapBrokers, ListNodes, CreateConfiguration, ListConfigurations, DescribeConfiguration, ListConfigurationRevisions, DescribeConfigurationRevision, BatchAssociateScramSecret, BatchDisassociateScramSecret, ListScramSecrets, TagResource, UntagResource, ListTagsForResource | Kafka control plane; GetBootstrapBrokers honors MINISTACK_MSK_BOOTSTRAP so clients route to a real broker you bring (Redpanda, Kafka, KRaft) — the Kafka wire protocol itself is not emulated |
| WAF v2 | CreateWebACL, GetWebACL, UpdateWebACL, DeleteWebACL, ListWebACLs, AssociateWebACL, DisassociateWebACL, GetWebACLForResource, ListResourcesForWebACL, CreateIPSet, GetIPSet, UpdateIPSet, DeleteIPSet, ListIPSets, CreateRuleGroup, GetRuleGroup, UpdateRuleGroup, DeleteRuleGroup, ListRuleGroups, TagResource, UntagResource, ListTagsForResource, CheckCapacity, DescribeManagedRuleGroup | LockToken enforced on Update/Delete; resource associations tracked |
| Step Functions | CreateStateMachine, DeleteStateMachine, DescribeStateMachine, UpdateStateMachine, ListStateMachines, StartExecution, StartSyncExecution, StopExecution, DescribeExecution, DescribeStateMachineForExecution, ListExecutions, GetExecutionHistory, SendTaskSuccess, SendTaskFailure, SendTaskHeartbeat, CreateActivity, DeleteActivity, DescribeActivity, ListActivities, GetActivityTask, TestState, TagResource, UntagResource, ListTagsForResource | Full ASL interpreter; Retry/Catch; waitForTaskToken; Activities (worker pattern); Pass/Task/Choice/Wait/Succeed/Fail/Map/Parallel; TestState API with mock and inspectionLevel support; SFN_MOCK_CONFIG for AWS SFN Local compatible mock testing; intrinsic functions (States.StringToJson, States.JsonToString, States.JsonMerge, States.Format); nested startExecution.sync |
| API Gateway v2 | CreateApi, GetApi, GetApis, UpdateApi, DeleteApi, CreateRoute, GetRoute, GetRoutes, UpdateRoute, DeleteRoute, CreateIntegration, GetIntegration, GetIntegrations, UpdateIntegration, DeleteIntegration, CreateRouteResponse, GetRouteResponse, GetRouteResponses, UpdateRouteResponse, DeleteRouteResponse, CreateIntegrationResponse, GetIntegrationResponse, GetIntegrationResponses, UpdateIntegrationResponse, DeleteIntegrationResponse, CreateStage, GetStage, GetStages, UpdateStage, DeleteStage, CreateDeployment, GetDeployment, GetDeployments, DeleteDeployment, CreateAuthorizer, GetAuthorizer, GetAuthorizers, UpdateAuthorizer, DeleteAuthorizer, TagResource, UntagResource, GetTags, PostToConnection, GetConnection, DeleteConnection | HTTP API and WebSocket API (protocolType=WEBSOCKET); Lambda proxy (AWS_PROXY), HTTP proxy (HTTP_PROXY), and MOCK integrations; HTTP data plane via {apiId}.execute-api.localhost Host header or path-based /_aws/execute-api/{apiId}/{stage}/{path} (no DNS/Host override needed — works from browsers on macOS and strict clients); $default stage served from the URL root (no stage segment in the path); per-API corsConfiguration applied to preflights + dispatched responses; request parameter mapping for HTTP_PROXY (append/overwrite/remove for headers/querystring plus overwrite:path) with context variables including $context.authorizer.jwt.claims; JWT data-plane authorization for HTTP routes (issuer/audience/time/scope checks) and claim propagation to integrations; qualified-alias integration URIs (arn:...:function:<name>:<alias>) resolve to the alias's target version; WebSocket data plane on the same two URL forms, with $connect / $disconnect / $default / custom-action routing, $request.body.* RouteSelectionExpression, @connections management API (PostToConnection / GetConnection / DeleteConnection), per-connection outbox for server-side push; {param} / {proxy+} matching; JWT/Lambda authorizer CRUD; pin apiId across runs with the ms-custom-id tag |
| API Gateway v1 | CreateRestApi, GetRestApi, GetRestApis, UpdateRestApi, DeleteRestApi, CreateResource, GetResource, GetResources, UpdateResource, DeleteResource, PutMethod, GetMethod, DeleteMethod, UpdateMethod, PutMethodResponse, GetMethodResponse, DeleteMethodResponse, PutIntegration, GetIntegration, DeleteIntegration, UpdateIntegration, PutIntegrationResponse, GetIntegrationResponse, DeleteIntegrationResponse, CreateDeployment, GetDeployment, GetDeployments, UpdateDeployment, DeleteDeployment, CreateStage, GetStage, GetStages, UpdateStage, DeleteStage, CreateAuthorizer, GetAuthorizer, GetAuthorizers, UpdateAuthorizer, DeleteAuthorizer, CreateModel, GetModel, GetModels, DeleteModel, CreateApiKey, GetApiKey, GetApiKeys, UpdateApiKey, DeleteApiKey, CreateUsagePlan, GetUsagePlan, GetUsagePlans, UpdateUsagePlan, DeleteUsagePlan, CreateUsagePlanKey, GetUsagePlanKeys, DeleteUsagePlanKey, CreateDomainName, GetDomainName, GetDomainNames, DeleteDomainName, CreateBasePathMapping, GetBasePathMapping, GetBasePathMappings, DeleteBasePathMapping, TagResource, UntagResource, GetTags | REST API (v1) protocol; Lambda proxy format 1.0 (AWS_PROXY), HTTP proxy (HTTP_PROXY), MOCK integration; data plane via {apiId}.execute-api.localhost Host header, path-based /_aws/execute-api/{apiId}/{stage}/{path}, or legacy /restapis/{apiId}/{stage}/_user_request_/{path}; qualified-alias integration URIs (arn:...:function:<name>:<alias>) resolve to the alias's target version; resource tree with {param} and {proxy+} path matching; JSON Patch for all PATCH operations; state persistence; pin id across runs with the ms-custom-id tag |
| ELBv2 / ALB | CreateLoadBalancer, DescribeLoadBalancers, DeleteLoadBalancer, DescribeLoadBalancerAttributes, ModifyLoadBalancerAttributes, CreateTargetGroup, DescribeTargetGroups, ModifyTargetGroup, DeleteTargetGroup, DescribeTargetGroupAttributes, ModifyTargetGroupAttributes, CreateListener, DescribeListeners, ModifyListener, DeleteListener, CreateRule, DescribeRules, ModifyRule, DeleteRule, SetRulePriorities, SetSubnets, SetIpAddressType, SetSecurityGroups, RegisterTargets, DeregisterTargets, DescribeTargetHealth, AddTags, RemoveTags, DescribeTags | Control plane + data plane; ALB→Lambda live traffic routing; path-pattern, host-header, http-method, query-string, http-header rule conditions; forward, redirect, fixed-response actions; data plane via {lb-name}.alb.localhost Host header or /_alb/{lb-name}/ path prefix |
| KMS | CreateKey, ListKeys, DescribeKey, GetPublicKey, Sign, Verify, Encrypt, Decrypt, GenerateDataKey, GenerateDataKeyWithoutPlaintext, CreateAlias, DeleteAlias, ListAliases, UpdateAlias, EnableKeyRotation, DisableKeyRotation, GetKeyRotationStatus, GetKeyPolicy, PutKeyPolicy, ListKeyPolicies, EnableKey, DisableKey, ScheduleKeyDeletion, CancelKeyDeletion, TagResource, UntagResource, ListResourceTags | 27 actions; RSA (2048/4096), ECC (SECG_P256K1, NIST P-256/384/521), Edwards25519 (ECC_NIST_EDWARDS25519 — pure Ed25519 via ED25519_SHA_512 with MessageType=RAW; ED25519_PH_SHA_512 advertised in SigningAlgorithms but returns UnsupportedOperationException until Ed25519ph lands), and symmetric keys; PKCS1v15, PSS, and ECDSA signing; envelope encryption; alias resolution; key rotation; key policies; tags; enable/disable/schedule deletion; full Terraform aws_kms_key compatible; cryptography package included in Docker image |
| CloudFront | CreateDistribution, GetDistribution, GetDistributionConfig, ListDistributions, UpdateDistribution, DeleteDistribution, CreateInvalidation, ListInvalidations, GetInvalidation, CreateOriginAccessControl, GetOriginAccessControl, GetOriginAccessControlConfig, ListOriginAccessControls, UpdateOriginAccessControl, DeleteOriginAccessControl, CreateFunction, DeleteFunction, DescribeFunction, GetFunction, ListFunctions, PublishFunction, UpdateFunction, KeyValueStore (mgmt): CreateKeyValueStore, DescribeKeyValueStore, ListKeyValueStores, UpdateKeyValueStore, DeleteKeyValueStore, TagResource, UntagResource, ListTagsForResource | REST/XML API; ETag-based optimistic concurrency; Origin config round-trip; Origin Access Control (OAC) with SigV4 signing for S3, MediaStore, Lambda, MediaPackageV2 origins; CloudFront Functions are API stubs (in-memory code + DEVELOPMENT/LIVE ETags for Terraform aws_cloudfront_function) with KeyValueStoreAssociations round-tripped — no TestFunction, no viewer-request JS execution at the edge; UpdateFunction clears the emulated LIVE stage until PublishFunction runs again |
| CloudFront KeyValueStore (data plane) | DescribeKeyValueStore, ListKeys, GetKey, PutKey, DeleteKey, UpdateKeys | Separate cloudfront-keyvaluestore SDK service (REST/JSON, signing name cloudfront-keyvaluestore); ETag-based optimistic concurrency on every mutating op; UpdateKeys is atomic (validates whole batch, rejects on first invalid entry); ListKeys paginates with opaque NextToken capped at 50 results per AWS spec; bridges to the management plane via the shared KVS ARN |
| CloudTrail | LookupEvents, CreateTrail, DeleteTrail, GetTrail, DescribeTrails, ListTrails, UpdateTrail, GetTrailStatus, StartLogging, StopLogging, PutEventSelectors, GetEventSelectors, AddTags, ListTags, RemoveTags | In-memory audit log; recording opt-in via CLOUDTRAIL_RECORDING=1 (or runtime config endpoint); per-account ring buffer (CLOUDTRAIL_MAX_EVENTS=10000); LookupEvents supports all 8 AWS LookupAttributes; IsLogging flips on Start/StopLogging; CreateTrail/UpdateTrail persist KmsKeyId (normalized to a key ARN; omitted when unset) so aws_cloudtrail converges without drift |
| Resource Groups | CreateGroup, GetGroup, DeleteGroup, UpdateGroup, ListGroups, GetGroupQuery, UpdateGroupQuery, GetGroupConfiguration, PutGroupConfiguration, GroupResources, UngroupResources, ListGroupResources, ListGroupingStatuses, SearchResources, Tag, Untag, GetTags, GetAccountSettings, UpdateAccountSettings | 19 of 23 spec ops; tag-sync ops omitted (not exposed by AWS CLI / Terraform); Group accepts bare name or full ARN |
| Cost & Usage Reports | DeleteReportDefinition, DescribeReportDefinitions, ListTagsForResource, ModifyReportDefinition, PutReportDefinition, TagResource, UntagResource | 7 of 7 spec ops |
| Inspector2 | Enable, Disable, ListFindings, BatchGetFindingDetails, ListCoverage, ListCoverageStatistics, ListFindingAggregations, SearchVulnerabilities, TagResource, UntagResource, ListTagsForResource, CreateFilter, ListFilters, DeleteFilter | 14 operations; deterministic stub vulnerability findings for ECR images, Lambda functions, and EC2 instances; filtering, sorting, pagination |
| AmazonMQ | CreateBroker, ListBrokers, DescribeBrokers, DeleteBrokers, UpdateBroker, RebootBroker, DescribeBrokerEngineTypes, DescribeBrokerInstanceOptions, CreateTags, ListTags, DeleteTags, CreateUser, DeleteUser, ListUsers, UpdateUser, DescribeUser | 16 of 24 spec ops; No real container support |
CloudFormation
| Feature | Details |
|---|---|
| Stack Operations | CreateStack, UpdateStack, DeleteStack, DescribeStacks, ListStacks, DescribeStackEvents, DescribeStackResource, DescribeStackResources, GetTemplate, ValidateTemplate, GetTemplateSummary |
| Change Sets | CreateChangeSet, DescribeChangeSet, ExecuteChangeSet, DeleteChangeSet, ListChangeSets |
| Exports | ListExports — cross-stack references via Fn::ImportValue |
| Template Formats | JSON and YAML (including !Ref, !Sub, !GetAtt shorthand tags) |
| Intrinsic Functions | Ref, Fn::GetAtt, Fn::Join, Fn::Sub (both forms), Fn::Select, Fn::Split, Fn::If, Fn::Equals, Fn::And, Fn::Or, Fn::Not, Fn::Base64, Fn::FindInMap, Fn::ImportValue, Fn::GetAZs, Fn::Cidr |
| Pseudo-Parameters | AWS::StackName, AWS::StackId, AWS::Region, AWS::AccountId, AWS::URLSuffix, AWS::Partition, AWS::NoValue |
| Parameters | Default values, AllowedValues validation, NoEcho masking, String/Number/CommaDelimitedList types |
| Conditions | Fn::Equals, Fn::And, Fn::Or, Fn::Not — conditional resource creation |
| Rollback | Configurable via DisableRollback — on failure, previously created resources are cleaned up in reverse dependency order |
| Async Status | Stacks deploy asynchronously (CREATE_IN_PROGRESS → CREATE_COMPLETE) — poll with DescribeStacks |
Supported Resource Types:
| Resource Type | Ref Returns | GetAtt |
|---|---|---|
AWS::S3::Bucket | Bucket name | Arn, DomainName, RegionalDomainName, WebsiteURL |
AWS::SQS::Queue | Queue URL | Arn, QueueName, QueueUrl |
AWS::SNS::Topic | Topic ARN | TopicArn, TopicName |
AWS::SNS::Subscription | Subscription ARN | — |
AWS::DynamoDB::Table | Table name | Arn, StreamArn |
AWS::Lambda::Function | Function name | Arn |
AWS::IAM::Role | Role name | Arn, RoleId |
AWS::IAM::Policy | Policy ARN | — |
AWS::IAM::InstanceProfile | Profile name | Arn |
AWS::SSM::Parameter | Parameter name | Type, Value |
AWS::Logs::LogGroup | Log group name | Arn |
AWS::Events::EventBus | EventBus name | Arn, Name |
AWS::Events::Rule | Rule name | Arn |
AWS::Kinesis::Stream | Stream name | Arn, StreamId |
AWS::Lambda::Permission | Statement ID | — |
AWS::Lambda::Version | Version ARN | Version |
AWS::Lambda::Alias | Alias ARN | — |
AWS::Lambda::EventSourceMapping | UUID | — |
AWS::S3::BucketPolicy | Bucket name | — |
AWS::SQS::QueuePolicy | Policy ID | — |
AWS::SNS::TopicPolicy | Policy ID | — |
AWS::ApiGateway::RestApi | API ID | RootResourceId |
AWS::ApiGateway::Resource | Resource ID | — |
AWS::ApiGateway::Method | Method ID | — |
AWS::ApiGateway::Deployment | Deployment ID | — |
AWS::ApiGateway::Stage | Stage name | — |
AWS::AppConfig::Application | Application ID | ApplicationId |
AWS::AppSync::GraphQLApi | API ID | Arn, GraphQLUrl, ApiId |
AWS::AppSync::DataSource | DataSource name | DataSourceArn |
AWS::AppSync::Resolver | Resolver ARN | ResolverArn |
AWS::AppSync::GraphQLSchema | Schema ID | — |
AWS::AppSync::ApiKey | API key ID | ApiKey, Arn |
AWS::SecretsManager::Secret | Secret ARN | — |
AWS::Cognito::UserPool | Pool ID | Arn, ProviderName |
AWS::Cognito::UserPoolClient | Client ID | — |
AWS::Cognito::IdentityPool | Pool ID | — |
AWS::Cognito::UserPoolDomain | Domain | — |
AWS::ECR::Repository | Repo name | Arn, RepositoryUri |
AWS::IAM::ManagedPolicy | Policy ARN | — |
AWS::KMS::Key | Key ID | Arn, KeyId |
AWS::KMS::Alias | Alias name | — |
AWS::EC2::VPC | VPC ID | VpcId, DefaultSecurityGroup, DefaultNetworkAcl |
AWS::EC2::Subnet | Subnet ID | SubnetId, AvailabilityZone |
AWS::EC2::SecurityGroup | SG ID | GroupId, VpcId |
AWS::EC2::InternetGateway | IGW ID | InternetGatewayId |
AWS::EC2::VPCGatewayAttachment | Attachment ID | — |
AWS::EC2::RouteTable | RTB ID | RouteTableId |
AWS::EC2::Route | Route ID | — |
AWS::EC2::SubnetRouteTableAssociation | Association ID | — |
AWS::EC2::LaunchTemplate | LT ID | LaunchTemplateId, LaunchTemplateName, DefaultVersionNumber, LatestVersionNumber |
AWS::ECS::Cluster | Cluster name | Arn, ClusterName |
AWS::ECS::TaskDefinition | Task def ARN | TaskDefinitionArn |
AWS::ECS::Service | Service ARN | ServiceArn, Name |
AWS::ElasticLoadBalancingV2::LoadBalancer | LB ARN | Arn, DNSName, LoadBalancerFullName, CanonicalHostedZoneID, SecurityGroups |
AWS::ElasticLoadBalancingV2::Listener | Listener ARN | ListenerArn, Arn |
AWS::Lambda::LayerVersion | Layer version ARN | LayerVersionArn, Arn |
AWS::StepFunctions::StateMachine | State machine ARN | Arn, Name |
AWS::Route53::HostedZone | Zone ID | Id, NameServers |
AWS::Route53::RecordSet | Record FQDN (trailing dot) | Name |
AWS::ApiGatewayV2::Api | API ID | ApiId, ApiEndpoint |
AWS::ApiGatewayV2::Stage | Stage ID | StageName |
AWS::ApiGatewayV2::Integration | Integration ID | IntegrationId |
AWS::ApiGatewayV2::Route | Route ID | RouteId |
AWS::SES::EmailIdentity | Identity | EmailIdentity |
AWS::WAFv2::WebACL | WebACL ID | Arn, Id |
AWS::CloudFront::Distribution | Distribution ID | Arn, DomainName, Id |
AWS::CloudWatch::Alarm | Alarm name | Arn |
AWS::RDS::DBCluster | Cluster ID | Arn, Endpoint.Address, Endpoint.Port, ReadEndpoint.Address |
// compatibility
| Platforms | cli, api, web, mobile |
|---|---|
| Operating systems | — |
| AI compatibility | claude |
| License | MIT |
| Pricing | open-source |
| Language | Python |
// faq
What is ministack?
Ministack: Free, open-source local AWS emulator - 55+ services, Terraform compatible, real databases. Free forever. MIT licensed.. It is open-source on GitHub.
Is ministack free to use?
ministack is open-source under the MIT license, so it is free to use.
What category does ministack belong to?
ministack is listed under uncategorized in the Claudeers registry of Claude-compatible tools.
// embed badge
[](https://claudeers.com/ministack)
// retro hit counter
[](https://claudeers.com/ministack)
// reviews
// guestbook
// related in Uncategorized / Others
Fair-code workflow automation platform with native AI capabilities. Combine visual building with custom code, self-host or cloud, 400+ integrations.
FULL Augment Code, Claude Code, Cluely, CodeBuddy, Comet, Cursor, Devin AI, Junie, Kiro, Leap.new, Lovable, Manus, NotionAI, Orchids.app, Perplexity, Poke, Q…
The agent engineering platform.
100+ AI Agent & RAG apps you can actually run — clone, customize, ship.