Services

Every AWS service fakecloud implements, with operation counts and notable features.

fakecloud implements 105 AWS services with 3,966 total operations. 248,319/248,319 generated Smithy conformance variants pass on every commit — true 100% across the board. Per-service feature matrices and gotchas live on individual service pages — use the sidebar to navigate.

ServiceOpsNotes
S3107Versioning, lifecycle, notifications, multipart, replication, website, real SSE-KMS encrypt/decrypt
SQS23FIFO, DLQs, long polling, batch, real KMS encrypt/decrypt on KmsMasterKeyId queues
SNS42Fan-out to SQS/Lambda/HTTP, filter policies, KMS audit-trail on KmsMasterKeyId topics
EventBridge57Pattern matching, schedules, archives, replay, API destinations
EventBridge Scheduler12at/rate/cron, SQS targets, DLQ routing, one-shot self-delete
EventBridge Pipes10Source -> filter -> Lambda enrichment -> target, InputTemplate transform, real background runner
Lambda70Real Docker, 23 runtimes, ESM with FilterCriteria + partial-batch failure
DynamoDB57Transactions, PartiQL, backups, global tables, streams, KMS audit-trail on SSE-KMS tables
IAM176Users, roles, policies, groups, OIDC/SAML, PassRole trust enforcement
STS11AssumeRole, session tokens, federation
SSM146Parameters, documents, commands, maintenance, patch baselines, SecureString -> real KMS encrypt/decrypt
Secrets Manager23Versioning, rotation via Lambda, replication, real KMS encrypt/decrypt
CloudWatch Logs113Groups, streams, subscription filters, query language
KMS53Encryption, aliases, grants, real ECDH, key import, cross-service hook
CloudFormation90Template parsing, resource provisioning, custom resources
Cloud Control API8Uniform CRUD-L over CloudFormation resource types, JSON Patch updates, request tracking
SES (v2 + v1 inbound)111Sending, templates, DKIM, real receipt rule execution
Cognito User Pools122Pools, clients, MFA, identity providers, full auth flows; verification email -> SES, SMS -> SNS, all 12 Lambda triggers
Kinesis39Streams, records, shard iterators, retention
RDS163Real Postgres, MySQL, MariaDB, Oracle, SQL Server, Db2 via Docker; lifecycle ops emit aws.rds EventBridge events
RDS Data API6Real SQL on the backing Postgres/MySQL container; typed params/results incl. bytea/BLOB, transactions, batch
DocumentDB55RDS-shaped Query API (control plane only); clusters/instances/snapshots/restore, parameter + subnet + global groups, event subscriptions, tags. No MongoDB-compatible engine image, so endpoints accept no connections
Neptune70RDS-shaped Query API (control plane only); clusters/instances/cluster endpoints/snapshots/restore, IAM roles, cluster + DB parameter groups, subnet + global groups, event subscriptions, tags. No Gremlin/SPARQL graph engine image, so endpoints accept no connections
Redshift141Full control plane: clusters (progress to available, synthetic endpoint), snapshots (real SnapshotArn), parameter groups (Source=user filter), subnet/security groups, snapshot schedules + copy grants, endpoint access (synthesized VPC endpoint), per-cluster logging, cross-region snapshot-copy config, tagging. No SQL data plane (separate redshift-data API)
Aurora DSQL16Serverless distributed Postgres control plane; clusters, resource policies, change streams to Kinesis, multi-region properties, deletion protection, clientToken idempotency, tagging; async CREATING->ACTIVE lifecycle. Data plane (reachable container + IAM-token auth) is a follow-up
Transfer Family71Full control plane: SFTP/FTPS/FTP/AS2 servers (start/stop settle State), users + SSH keys, host keys, accesses, workflows + executions, agreements, connectors (TestConnection, file transfer, directory listing, remote delete/move), profiles, certificates, security policies, web apps, TestIdentityProvider, tagging; persisted. No SFTP daemon or AS2 transport engine
CloudTrail60Full control plane: trails (logging status toggles IsLogging), event + insight selectors, CloudTrail Lake event data stores (restore, ingestion, federation), channels, imports, Lake queries, dashboards, resource policies, org delegated admins, event configuration, tagging; persisted. LookupEvents/ListPublicKeys return empty — no event-recording engine
Resource Groups23Groups by tag/CloudFormation-stack query, explicit membership, group configuration, tagging, account settings, grouping statuses, tag-sync tasks; arn:...:group/<name>/<id> ARNs, persisted
ElastiCache75Real Redis, Valkey, Memcached via Docker
MemoryDB45Full control plane: clusters, shards, ACLs, users, parameter/subnet groups, snapshots, multi-region clusters; persisted. Redis/Valkey data-plane container backing is a follow-up
Amazon Managed Service for Apache Flink33Full kinesisanalyticsv2 control plane: SQL + Flink streaming applications with full configuration persisted and echoed, lifecycle (STARTING->RUNNING, STOPPING->READY, rollback), version history + optimistic concurrency, snapshots, operation records, DiscoverInputSchema, presigned dashboard URLs, maintenance windows, tagging; persisted. Real Flink-job data plane is a follow-up (all 33 ops)
EKS65Complete control plane: clusters (incl. connected register/deregister), node groups, Fargate profiles, add-ons, access entries + policies, OIDC identity-provider configs, pod-identity associations, upgrade insights, capabilities, encryption config, EKS Anywhere subscriptions (create/describe/list/delete, config + version updates with tracking, cluster-version/add-on/access-policy catalogues, tagging); persisted, CREATING -> ACTIVE on describe. No real Kubernetes control-plane endpoint (all 65 ops)
AWS FIS26Complete AWS Fault Injection Simulator control plane: experiment templates (EXT ids, arn:aws:fis:...:experiment-template/<id> ARNs, targets/actions/stopConditions echoed verbatim), the experiment lifecycle (StartExperiment initiating -> running -> completed on read, StopExperiment -> stopping -> stopped, EXP ids), the AWS-provided static actions catalog (aws:ec2:stop-instances, aws:ecs:stop-task, ...) and target-resource-type catalog, per-template/per-experiment multi-account target-account configurations, resolved-target listing, account-level safety levers, and ARN-keyed tagging; model-derived validation, persisted (in-flight experiment transitions reconcile on restart). Real fault injection into other services is a later batch (all 26 ops)
Amazon MQ25Complete Amazon MQ control plane: brokers (async CREATION_IN_PROGRESS -> RUNNING on describe, REBOOT_IN_PROGRESS applies staged pending changes, DELETION_IN_PROGRESS teardown, creatorRequestId idempotency, per-engine ActiveMQ/RabbitMQ wire endpoints + console URLs, deployment-mode-aware brokerInstances), configurations (c- ids, base64 Data revisions with history), per-broker users (CREATE/UPDATE/DELETE pending changes applied on reboot), ARN-keyed tags, and engine-type / instance-option catalogues; persisted (in-flight broker transitions reconcile on restart). No real broker served (all 25 ops)
Amazon MSK59Complete Amazon MSK (Managed Streaming for Apache Kafka) control plane, signing as kafka: provisioned + serverless clusters (async CREATING -> ACTIVE on describe, monotonic .../cluster/<name>/<uuid>-<n> ARNs, name/type filters + pagination, region-scoped, DescribeClusterV2 union), the eleven Update*/RebootBroker ops recording settling ClusterOperations, broker-node synthesis (ListNodes + GetBootstrapBrokers), configurations with base64 ServerProperties revisions, SCRAM secrets, cluster policies, client VPC connections, replicators, topics as real control-plane state, the Kafka version catalogs, and ARN-keyed tags; persisted (in-flight lifecycle transitions reconcile on restart). Real Kafka broker data plane + CloudFormation are later batches (all 59 ops)
Amazon S3 Glacier33Complete Glacier surface with real data plane: vaults, archive upload/delete storing the real bytes + a computed SHA-256 tree hash, multipart uploads assembled into a stored archive, retrieval + inventory jobs that settle to Succeeded on read so GetJobOutput returns the exact uploaded bytes (or a JSON inventory), vault notifications, access policy, the vault-lock state machine, tags, data-retrieval policy, provisioned capacity; persisted (archives survive restart). All 33 ops
AWS Backup109Complete AWS Backup control plane: backup plans (+ versions) + selections, vaults (standard / logically-air-gapped / restore-access) with notifications / policies / lock, recovery points, backup / copy / restore / scan jobs (progressed to a terminal state; StartBackupJob records a synthetic recovery point DescribeRecoveryPoint resolves), frameworks, report plans + jobs, legal holds, restore testing, tiering, protected resources, tags, global / region settings; persisted. No real backup engine (all 109 ops)
OpenSearch Service93Complete Amazon OpenSearch Service control plane sharing one domain store with Elasticsearch Service (both sign as es): domains (create/describe/delete/config persist; Processing=false/Created=true settle on describe with a synthetic search endpoint), packages, VPC endpoints, cross-cluster connections, applications + capabilities, per-domain data sources + indices, direct-query data sources, reserved instances, tags, instance-type/version/upgrade catalogues; persisted. No real cluster spawned (all 93 ops)
Elasticsearch Service51Complete legacy Amazon Elasticsearch Service (es, 2015-01-01) over the SAME shared domain store as OpenSearch Service — a domain created through either API is one entity, surfaced here via ElasticsearchDomainStatus. Domains, packages, VPC endpoints, cross-cluster search connections, reserved instances, tags, instance-type/version/upgrade catalogues; persisted (all 51 ops)
AWS AppConfig58Complete AppConfig across appconfig (56 ops) + appconfigdata (2 ops): applications, environments, configuration profiles, hosted configuration versions (raw bytes + content type stored/returned verbatim, auto-incrementing version), custom + AWS-predefined deployment strategies, deployments (settle to COMPLETE), extensions + associations, experiments, account settings, ValidateConfiguration, tags; persisted. Real data plane: StartConfigurationSession -> GetLatestConfiguration serves the deployed hosted-config bytes
Cloud Map30Complete AWS Cloud Map (servicediscovery) control plane + discovery: namespaces, services, instances (register/deregister/health), DiscoverInstances/DiscoverInstancesRevision, tagging; async operation model — mutations return an OperationId that settles SUCCESS on GetOperation; persisted (all 30 ops)
Account Management15Complete AWS Account control plane: alternate contacts (BILLING/OPERATIONS/SECURITY), primary contact information, account information + name, GovCloud pairing, primary-email OTP flow, Region opt-in (ListRegions/GetRegionOptStatus/Enable/DisableRegion with ENABLING -> ENABLED settle-on-read); honors optional AccountId for org management; persisted (all 15 ops)
Identity Store19Complete IAM Identity Center Identity Store directory: users, groups, memberships (create/describe/update/delete/list), GetUserId/GetGroupId/GetGroupMembershipId attribute lookups, IsMemberInGroups; SCIM attribute bags round-trip; persisted (all 19 ops)
SSO Admin79Complete IAM Identity Center SSO Admin control plane: instances, permission sets + policies, account assignments + provisioning (async settle), applications + assignments/scopes/methods/grants, provider catalogue, trusted token issuers, regions, attribute config, tagging; persisted (all 79 ops)
Verified Permissions34Complete Cedar authorization control plane: policy stores, schemas, static + template-linked policies, policy templates, identity sources, aliases, tagging; IsAuthorized/*WithToken/Batch* compute real Cedar decisions via the cedar-policy engine; persisted (all 34 ops)
Step Functions37Full ASL interpreter, Lambda/SQS/SNS/EventBridge/DynamoDB tasks
Amazon SWF39Full 39-op control plane + decider/worker state machine. Domains (Register/Deprecate/Undeprecate/Describe/ListDomains, REGISTERED/DEPRECATED, /domain/ ARNs), versioned activity + workflow types (Register/Deprecate/Undeprecate/Delete/Describe/List, default* config echoed back, delete-requires-deprecate), and workflow executions with a real state machine: StartWorkflowExecution mints a runId and seeds WorkflowExecutionStarted + DecisionTaskScheduled; PollForDecisionTask returns the decision task with full history; RespondDecisionTaskCompleted applies ScheduleActivityTask / CompleteWorkflowExecution / fail / cancel / timer / marker / signal / child / lambda decisions into history events; PollForActivityTask + RespondActivityTask{Completed,Failed,Canceled} + RecordActivityTaskHeartbeat drive the worker side; Describe/GetHistory/List+Count open/closed executions and pending tasks; Signal/RequestCancel/Terminate; ARN-keyed tagging. Model-driven validation with SWF's declared faults (UnknownResourceFault/DomainAlreadyExistsFault/TypeAlreadyExistsFault/DefaultUndefinedFault/WorkflowExecutionAlreadyStartedFault). JSON 1.0 protocol. Account-partitioned and persisted. Honest gap: no autonomous clock fires timer/task/execution timeouts — those transitions are decider/worker-driven
AWS Support16Full 16-op control plane. Support-case API (CreateCase mints an AWS-shaped case-{account}-{year}-{hex} id + numeric displayId, opens opened, seeds the communication thread; DescribeCases filters by case-id list / displayId / time window / includeResolvedCases / includeCommunications / language with a round-tripping nextToken; AddCommunicationToCase -> result: true; DescribeCommunications pages the thread; ResolveCase -> initialCaseStatus + finalCaseStatus), attachment sets (AddAttachmentsToSet mints/extends an attachmentSetId + expiryTime; DescribeAttachment), severity levels + service/category catalogues (DescribeSeverityLevels / DescribeServices / DescribeCreateCaseOptions / DescribeSupportedLanguages), and the Trusted Advisor API (DescribeTrustedAdvisorChecks returns the vendored check catalogue; DescribeTrustedAdvisorCheckResult / DescribeTrustedAdvisorCheckSummaries return all-clear results; RefreshTrustedAdvisorCheck + DescribeTrustedAdvisorCheckRefreshStatuses drive a real none -> enqueued -> processing -> success refresh state machine). Model-driven validation with Support's declared exceptions (CaseIdNotFound/AttachmentIdNotFound/AttachmentSetIdNotFound). JSON 1.1 protocol. Account-partitioned and persisted. Honest gap: no Trusted Advisor analysis engine and no live support agent, so results report zero flagged resources and cases receive no automated agent reply
AWS Serverless Application Repository14Complete AWS Serverless Application Repository control plane: applications (CreateApplication mints the arn:aws:serverlessrepo:...:applications/<name> ARN that is the applicationId, stores author/description/labels/license/readme/spdxLicenseId/sourceCodeUrl, seeds an initial version from a supplied semanticVersion + template; GetApplication returns the app plus a Version block with parameterDefinitions parsed from the SAM/CloudFormation template, requiredCapabilities, and resourcesSupported; ListApplications paginates; UpdateApplication; DeleteApplication), versions (CreateApplicationVersion PUTs a semantic version, parsing the template; ListApplicationVersions), sharing policy (Put/GetApplicationPolicy over principals/actions/principalOrgIDs; UnshareApplication), CloudFormation templates (CreateCloudFormationTemplate mints a templateId + templateUrl, status PREPARING -> ACTIVE on read; GetCloudFormationTemplate), and ListApplicationDependencies (nested AWS::Serverless::Application dependencies). Model-derived required/label validation (BadRequestException/NotFoundException/ConflictException), account-partitioned, persisted. Honest gaps: CreateCloudFormationChangeSet mints well-formed changeSetId/stackId identifiers without materialising a real CloudFormation stack, and the templateUrl is well-formed but fakecloud does not serve raw template bytes at it (all 14 ops)
API Gateway v1124REST APIs, resources, methods, integrations (MOCK/HTTP/HTTP_PROXY/AWS_PROXY Lambda), deployments, stages, API keys, usage plans, authorizers, models, request validators, VPC links, domain names, base path mappings, client certs, gateway responses, docs, tags
API Gateway v2103HTTP APIs, routes, integrations, stages, deployments, authorizers, domains, models, VPC links, routing rules, developer portals, CORS, tags
Bedrock101Foundation models, guardrails, custom models, invocation/eval jobs
Bedrock Runtime10InvokeModel, Converse, streaming, configurable responses, fault inject
ECR58Full API — OCI v2 push/pull, lifecycle eval, scanning, pull-through cache, registry templates, real cosign signature verification
ECS77Full API — clusters, real Fargate-style task execution via Docker, services + rolling deployments, task sets, container instances, ECS Exec, awslogs -> Logs, secrets injection, task role credentials
Elastic Load Balancing v251Full control plane — ALB/NLB/GWLB CRUD, target groups + targets + real health probes, listeners + rules + certificates, attributes, capacity reservations, mTLS trust stores + revocations, resource policies, SSL policies, tags. In-process HTTP data plane for ALBs — per-LB TCP bind, rule matching, forward / fixed-response / redirect, sticky sessions
CloudFront147Distributions, invalidations, tagging, by-X listings, web ACL/alias association. OAC + Cache/OriginRequest/ResponseHeaders/ContinuousDeployment policies. CloudFront Functions, Public Keys, Key Groups, Key Value Stores, Origin Access Identities (legacy), Monitoring Subscriptions. Streaming Distributions (legacy RTMP). Field-Level Encryption configs + profiles + Realtime Log Configs. VPC Origins, Anycast IP Lists, Trust Stores, Resource Policies. Connection Groups + Domain Association/DNS Verification + Managed Certificate Details + Promote-Staging Distribution — full CRUD with ETag/If-Match concurrency. Full DistributionConfig round-trip incl. origins, cache behaviors, custom error responses, viewer certificates, geo restrictions
Application Auto Scaling14Full control plane. Scalable targets (Register/Deregister/Describe) for ECS, Lambda, DynamoDB, RDS, ElastiCache, SageMaker, EMR, AppStream, Cassandra, Kafka, Neptune, EC2 Spot Fleet, Comprehend. Step + target-tracking + predictive scaling policies (Put/Describe/Delete). Scheduled actions with cron / one-shot start/end times + Timezone. DescribeScalingActivities honors IncludeNotScaledActivities, deterministic GetPredictiveScalingForecast with hourly Load + Capacity buckets capped at one week. RoleARN defaults to the per-namespace service-linked role ARN. Deregister cascades to policies + scheduled actions for the same target. TagResource/UntagResource/ListTagsForResource keyed by ARN, reject unknown ARNs with ObjectNotFoundException. JSON 1.1 protocol
WAF v255Full control plane. WebACLs / RuleGroups / IPSets / RegexPatternSets — Create/Get/List/Update/Delete with LockToken optimistic concurrency that rotates on every successful mutation; stale tokens get WAFOptimisticLockException. Both REGIONAL and CLOUDFRONT scopes; ARN segment reflects scope (regional/... vs global/...). Web ACL <-> resource associations (AssociateWebACL/DisassociateWebACL/GetWebACLForResource/ListResourcesForWebACL); WAFAssociatedItemException blocks delete-while-associated for WebACLs and delete-while-referenced for RuleGroups. CheckCapacity computes WCU as the recursive count of statement leaves through AndStatement/OrStatement/NotStatement. API keys via CreateAPIKey/DeleteAPIKey/GetDecryptedAPIKey/ListAPIKeys; the encrypted blob is a deterministic base64 payload that round-trips its TokenDomains. Logging configurations (Put/Get/Delete/List) keyed by Web ACL ARN. Permission policies for cross-account RuleGroup share (Put/Get/Delete). Tags with WAFNonexistentItemException on unknown ARNs. Managed rule catalog: AWS-vendor AWSManagedRulesCommonRuleSet, AWSManagedRulesKnownBadInputsRuleSet, AWSManagedRulesSQLiRuleSet discoverable via ListAvailableManagedRuleGroups/Versions, DescribeManagedRuleGroup, DescribeAllManagedProducts, DescribeManagedProductsByVendor, GetManagedRuleSet. Vendor-publishing ops (PutManagedRuleSetVersions, UpdateManagedRuleSetVersionExpiryDate, ListManagedRuleSets) are stub-routed (no real publishing pipeline). Mobile SDK lookups + presigned URL synthesis. GetSampledRequests, GetTopPathStatisticsByTraffic, GetRateBasedStatementManagedKeys return shape-correct empty observability windows. JSON 1.1 protocol. fakecloud does not actually inspect any HTTP request — Web ACLs are control-plane only; no rule evaluation happens against ALB/CloudFront/APIGW traffic
ACM (Certificate Manager)17Full control plane. Public-cert lifecycle: RequestCertificate (DNS / EMAIL validation, deterministic synthesized DNS validation records), DescribeCertificate, GetCertificate, ListCertificates, SearchCertificates, DeleteCertificate, RenewCertificate, RevokeCertificate (AMAZON_ISSUED only). Imported certs: ImportCertificate round-trips PEM and supports re-import to the same ARN, ExportCertificate returns cert + chain + key with passphrase. Tags via Add/Remove/ListTagsForCertificate. Account-wide expiry events via Get/PutAccountConfiguration. UpdateCertificateOptions for transparency-logging + export prefs. ResendValidationEmail only for EMAIL-validated certs. Idempotency via IdempotencyToken matches AWS' 1-hour window. JSON 1.1 protocol. fakecloud does not run the real X.509 validation pipeline — certs land at PENDING_VALIDATION and stay there until renewed; Import flips straight to ISSUED
ACM PCA23Full control plane + real certificate data plane. Private CA hierarchy: CreateCertificateAuthority mints a genuine CA key pair (RSA 2048/3072/4096, EC P-256/P-384); a ROOT CA self-signs while a SUBORDINATE CA starts PENDING_CERTIFICATE and serves a real PEM CSR from GetCertificateAuthorityCsr until its signed chain is installed via ImportCertificateAuthorityCertificate. IssueCertificate parses the caller's CSR and signs a real end-entity certificate that verifies against the CA (rcgen); GetCertificate returns the signed PEM + chain. Revocation (RevokeCertificate), audit reports (Create/DescribeCertificateAuthorityAuditReport, JSON/CSV), resource-share permissions (Create/List/DeletePermission), resource policies (Put/Get/DeletePolicy), enable/disable + delete/restore lifecycle, and ARN-keyed tags. CA private keys are persisted so issued certs still verify after a restart. JSON 1.1 protocol (all 23 ops)
Athena70Full control plane. Workgroups (default primary seeded), Data Catalogs (default AwsDataCatalog seeded), Named Queries, Prepared Statements (keyed by (workgroup, statement_name)), Query Executions, Notebooks, Sessions + Calculations, Capacity Reservations + Capacity Assignment Configuration. StartQueryExecution runs through a minimal SQL evaluator: SHOW DATABASES / SHOW TABLES / DESCRIBE and trivial SELECT col FROM db.table WHERE col = 'lit' LIMIT N resolve against the Glue Data Catalog (databases + tables created via glue:CreateTable are visible immediately under AwsDataCatalog). ExecutionParameters performs positional ? substitution against prepared statements. Anything outside the supported subset (joins, aggregates, window functions, Parquet scans) falls back to a synthesized single-row [["1"]] result so callers can still fetch via GetQueryResults without polling. DeleteWorkGroup rejects primary and refuses non-empty workgroups unless RecursiveDeleteOption=true. DeleteDataCatalog rejects AwsDataCatalog. Statement classification (DML / DDL / UTILITY) inferred from the leading SQL keyword. Tags keyed by ARN across workgroup / datacatalog / capacity-reservation resources. ListEngineVersions / ListApplicationDPUSizes / ListExecutors / GetResourceDashboard return read-only catalog data. JSON 1.1 protocol. fakecloud is not a full SQL engine — complex queries fall back to the synthesized [["1"]] result
Glue265Full control plane. Data Catalog (databases / tables / partitions with GetPartitions Expression pruning= / != / <> / comparisons / IN / BETWEEN / LIKE / IS [NOT] NULL with AND / OR / NOT, type-aware over string / int / bigint / date / timestamp), catalogs + encryption settings + resource policies, jobs + job runs + bookmarks, crawlers + classifiers + schedules (real READYRUNNING, CrawlerRunningException / CrawlerNotRunningException), connections, triggers, workflows + runs, blueprints + runs, dev endpoints, schema registry (registries / schemas / versions / metadata), interactive sessions + statements, ML transforms + task runs, data quality (rulesets / evaluation + recommendation runs / results), user-defined functions, usage profiles, column statistics + stats tasks, table optimizers, custom entity types, security configurations, tagging. Smithy @length / @range / enum constraints enforced server-side. Same Data Catalog store backs Athena's ListDatabases / GetTableMetadata. JSON 1.1 protocol. Job / crawler / ML / data-quality execution is synthesized — runs reach their terminal state immediately; fakecloud is not a Spark engine
Firehose12Delivery stream control plane. CreateDeliveryStream / DescribeDeliveryStream / ListDeliveryStreams / DeleteDeliveryStream / UpdateDestination with full round-trip on ExtendedS3 / Redshift / Elasticsearch / Amazonopensearchservice / Splunk / HttpEndpoint / Snowflake / Iceberg destination configs. Both DirectPut and KinesisStreamAsSource source types; CREATING -> ACTIVE and DELETING -> deleted lifecycle. BufferingHints range-checked: SizeInMBs 1-128, IntervalInSeconds 0 or 60-900 — out-of-range -> InvalidArgumentException. PutRecord / PutRecordBatch assign per-record RecordIds; batches > 500 records / 4 MB return ServiceUnavailableException. Server-side encryption (Start/StopDeliveryStreamEncryption) persists and surfaces in DescribeDeliveryStream. Tag CRUD per stream ARN. JSON 1.1 protocol. Data plane stops at acknowledgement — records are not delivered to destinations
Amazon Timestream30Full 30-op surface (Write + Query). One crate serves both SDK clients on the shared Timestream_20181101.<Op> JSON 1.0 target prefix and one account-partitioned store. Databases (Create/Describe/List/Update/Delete, database/<name> ARNs, KmsKeyId, TableCount; non-empty delete rejected), tables (RetentionProperties/MagneticStoreWriteProperties/Schema echoed, status ACTIVE, ListTables filtered by database), WriteRecords (validates + merges CommonAttributes, buffers ingested points, RecordsIngested, RejectedRecordsException), Query/PrepareQuery/CancelQuery, scheduled queries (Create/Describe/List/Update/Delete/ExecuteScheduledQuery), batch-load tasks (Create/Describe/List/Resume), account settings (MaxQueryTCU/QueryPricingModel), DescribeEndpoints (echoes the fakecloud host so endpoint discovery resolves back to fakecloud), and ARN-keyed tagging. Model-driven validation with the declared exceptions (ValidationException/ResourceNotFoundException/ConflictException/RejectedRecordsException/ThrottlingException/InvalidEndpointException). Account-partitioned and persisted. Honest gap: the Query SQL engine is a bounded interpreter (SELECT * / COUNT(*) over "db"."table", WHERE time <op> ago(...), ORDER BY time, LIMIT) returning ingested points as AWS-shaped rows; unsupported shapes return a ValidationException rather than a wrong result, and there is no real time-series engine underneath
AWS IoT Core272Full 272-op AWS IoT Core control plane (signed as iot, routed by HTTP method + @http URI path; route table, HTTP bindings, input constraints, and output shapes all generated from AWS's Smithy model). Every resource family mints proper ARNs + ids, persists attributes, and round-trips on read/list with paginating nextTokens: things, thing types, thing groups (static + dynamic), billing groups (with membership), policies (+ versions + v2/legacy attachments), certificates (CreateKeysAndCertificate/CreateCertificateFromCsr mint a 64-hex id + ARN + shaped PEM + RSA key pair; register/describe/transfer; thing-principal attachment), jobs + job templates, topic rules + destinations (SQL + actions stored verbatim), Device Defender (security profiles, scheduled audits, audit configuration, mitigation actions, custom metrics, dimensions), provisioning templates (+ versions), domain configurations, fleet metrics, role aliases, authorizers (+ default authorizer), streams, OTA updates, packages (+ versions), certificate providers, commands, DescribeEndpoint (deterministic per-account host), and ARN-keyed tagging. Model-derived required/length/range/enum validation with declared exceptions; account-partitioned and persisted. Honest gaps: no MQTT broker or device connectivity (the control plane is real but no message is routed, no rule action executes, no device attaches -- the data plane is the separate iotdata service); SearchIndex/aggregations use a bounded query subset (*, thingName:<name>, bare name) and return InvalidQueryException otherwise; certificates are structurally-valid PEM placeholders, not real X.509 chains
AWS IoT Data Plane11Full 11-op AWS IoT Data Plane device-shadow + retained-message data plane (signed as iotdata, routed by HTTP method + @http URI path). Device shadows (classic + named): UpdateThingShadow accepts a shadow document as the raw @httpPayload body and deep-merges state.desired/state.reported (a null leaf deletes the key), bumps version, stamps per-leaf metadata timestamps, and recomputes state.delta; GetThingShadow returns the merged document; DeleteThingShadow returns the deletion payload; ListNamedShadowsForThing paginates named-shadow names. A mismatched shadow version is ConflictException; a missing shadow is ResourceNotFoundException. Publish stores retained messages (empty payload clears the topic) and no-ops non-retained publishes; GetRetainedMessage/ListRetainedMessages read them back. Model-derived validation, account-partitioned, persisted. Honest gap: no MQTT broker, so publishes are never fanned out to live subscribers and the connection-introspection ops (GetConnection/DeleteConnection/ListSubscriptions/SendDirectMessage) return ResourceNotFoundException for every client id (no client is ever connected)
Amazon Pinpoint122Complete Amazon Pinpoint control plane (signs as mobiletargeting, routed by HTTP method + @http URI path under /v1): apps (CreateApp mints a 32-hex id + arn:aws:mobiletargeting:...:apps/<id> ARN; GetApp/GetApps/DeleteApp; Get/UpdateApplicationSettings), versioned campaigns + segments (each Update bumps Version, listed by GetCampaignVersions/GetSegmentVersions; CreateSegment derives SegmentType), endpoints + users (UpdateEndpoint/UpdateEndpointsBatch, Get/DeleteUserEndpoints, RemoveAttributes), all platform channels (ADM, APNS + sandbox/VoIP/VoIP-sandbox, Baidu, Email, GCM, SMS, Voice — Get/Update/Delete + GetChannels), journeys (DRAFT -> ACTIVE via UpdateJourneyState, GetJourneyRuns), email/push/sms/voice/inapp templates (versioned, UpdateTemplateActiveVersion, ListTemplates/ListTemplateVersions), import/export jobs (mint a JobId, settle to COMPLETED), event streams (Put/Get/DeleteEventStream), recommender configurations, and ARN-keyed tags. Model-derived validation with Pinpoint's declared exceptions (BadRequestException/NotFoundException/ConflictException/...), account-partitioned, persisted. Honest gaps: no real delivery (SendMessages/SendUsersMessages/SendOTPMessage/PutEvents/VerifyOTPMessage validate + return a structurally-correct MessageResponse but transmit nothing), the KPI / execution-metric reads return empty/zeroed metric sets (no analytics engine), and import/export jobs do not touch S3 (all 122 ops)
Organizations63Full control plane. Org tree (roots / OUs / accounts), CreateAccount real async IN_PROGRESS -> SUCCEEDED lifecycle, LeaveOrganization, policies (SCP / TAG / BACKUP / AISERVICES_OPT_OUT) with real SCP enforcement as a permission ceiling under FAKECLOUD_IAM=strict, handshakes (invite / accept / decline / cancel state machine), delegated administrators, AWS service access, effective-policy validation, billing responsibility transfers, resource policy, and tagging. JSON 1.1 protocol. Mutating calls are management-account only
EC2767Full 767-op control plane. VPCs / subnets / security groups / route tables / gateways, ENIs, instances (real containers — Docker or k8s Pods, user-data at boot, console output), EBS + snapshots + AMIs, network ACLs, VPC peering / endpoints / flow logs, launch templates, spot / fleet, capacity / reserved / dedicated hosts, full transit gateway (multicast / peering / Connect / metering), Site-to-Site + Client VPN, IPAM (pools / discovery / BYOASN / policies / prefix-list resolvers), Verified Access, Network Insights, Outpost / local gateway / CoIP, Instance Connect. ec2Query protocol. Security-group / NACL rules stored faithfully but not enforced against traffic
EMR (Elastic MapReduce)65Full 65-op control plane. Clusters via RunJobFlow (j- ids, arn:aws:elasticmapreduce:...:cluster/<id> ARNs, instance groups/fleets + EC2 instances derived from the request, settling to WAITING), steps (s- ids, StepStates/StepIds filters, CancelSteps), instance groups (ig-) + auto-scaling policies, instance fleets (if-), instances + bootstrap actions, managed-scaling + auto-termination policies, security configurations (duplicate-name rejection), EMR Studio (es-) + session mappings, notebook executions, persistent app UIs, interactive sessions, block-public-access, release labels + supported instance types, and cluster/Studio tagging. Model-driven input validation (required/length/range/enum); a call against a non-existent cluster returns InvalidRequestException. JSON 1.1 protocol. Persisted. Spark/Hadoop execution is synthesized — steps reach COMPLETED immediately; fakecloud is not a Spark engine
CloudWatch (Metrics & Alarms)46Full control plane. Metrics (PutMetricData / GetMetricData / GetMetricStatistics / ListMetrics / GetMetricWidgetImage), metric + composite alarms with SNS / AppAS / EC2 actions on threshold transitions, dashboards, anomaly detectors, insight rules + managed rules + reports, metric streams (runningstopped), alarm mute rules, contributor insights, OTel enrichment, and tagging — all persisted in-memory. awsQuery protocol (SigV4 service monitoring, distinct from CloudWatch Logs). Metrics do not persist across restarts; alarms evaluate against published data, not a background sampler
Route 5371Full control plane. Hosted zones + RRsets + health checks + traffic policies + instances + DNSSEC + KSK + query logging + CIDR collections + VPC associations + reusable delegation sets + geo locations + account limits + tags — CRUD with default SOA/NS records seeded on create, deterministic INSYNC change tracking, comment + features updates, hosted zone limits, list-by-name, TestDNSAnswer synthesis. Health checks: full lifecycle with HealthCheckVersion optimistic concurrency, ResetElements, HealthCheckInUse rejection on delete, status + last-failure observations, checker IP ranges. Traffic policies + instances: versioned policies (CreateTrafficPolicyVersion increments), TrafficPolicyAlreadyExists/InUse, TrafficPolicyInstanceAlreadyExists, list-by-hosted-zone + list-by-policy + count. DNSSEC + KSK: EnableHostedZoneDNSSEC/Disable, GetDNSSEC with synthesized ECDSAP256SHA256 KSK metadata, CreateKeySigningKey requires KMS-ARN, Activate/Deactivate, InvalidKeySigningKeyStatus blocks Delete while ACTIVE. Query logging: one config per zone, public-zone-only enforcement, CloudWatchLogsLogGroupArn validation, QueryLoggingConfigAlreadyExists. CIDR collections: PUT/DELETE_IF_EXISTS change actions applied atomically, CollectionVersion optimistic concurrency (CidrCollectionVersionMismatchException), CidrCollectionInUseException on delete-with-locations. VPC associations: Associate/Disassociate enforce private-zone-only and reject removing the last VPC, CreateVPCAssociationAuthorization + Delete + List model the cross-account authorization handshake, ListHostedZonesByVPC filters by VPC ID + region. Reusable delegation sets: CreateReusableDelegationSet synthesizes 4 NS records, DelegationSetInUse blocks delete while any zone references the set, GetReusableDelegationSetLimit returns MAX_ZONES_BY_REUSABLE_DELEGATION_SET. Geo locations + account limits + tags: ListGeoLocations/GetGeoLocation over a representative dataset (continents + sample countries + US subdivisions) with IsTruncated/NextContinentCode/NextCountryCode/NextSubdivisionCode pagination, GetAccountLimit for all 5 owner-scoped types (zones/health-checks/delegation-sets/traffic-policies/instances) reporting live usage Count, full tag CRUD on health checks + hosted zones via ChangeTagsForResource/ListTagsForResource/ListTagsForResources with NoSuchHealthCheck/NoSuchHostedZone on missing target. REST-XML protocol with HTTP method + URI routing under /2013-04-01/
AWS X-Ray38Complete AWS X-Ray surface with a real in-memory trace data plane: PutTraceSegments ingests X-Ray segment documents (parsing trace_id/id/name/start_time/http/error/fault/throttle + nested namespace:"remote" subsegments), BatchGetTraces reassembles stored traces, GetTraceSummaries filters by time range, and GetServiceGraph/GetTraceGraph/GetTimeSeriesServiceStatistics derive the service graph (nodes + edges with Ok/Error/Fault statistics + response time) from the ingested segments; control plane covers sampling rules (built-in undeletable Default seeded per account), groups, encryption config, resource policies, the indexing rule, the trace-segment destination, and ARN-keyed tags; model-derived validation, persisted. Filter-expression subset + insights-empty are documented limitations (all 38 ops)
AWS AppSync74Complete AWS AppSync surface: GraphQL APIs (CreateGraphqlApi mints apiId + ARN + GRAPHQL/REALTIME uris + echoed auth config for all five AuthenticationTypes) round-tripping via Get/List/Update/Delete; API keys with expiry; data sources for every DataSourceType with config echoed; resolvers (UNIT/PIPELINE, VTL or APPSYNC_JS) attached to type.field; functions; schema types; API caches; domain names + API associations; the Event-API surface (CreateApi + channel namespaces); and merged/source-API associations. StartSchemaCreation ingests an SDL blob and GetSchemaCreationStatus settles to SUCCESS; GetIntrospectionSchema derives SDL/JSON from the stored schema. Model-driven validation (required/length/range/enum), account-partitioned, persisted; sub-resource ops return NotFoundException when the parent API is absent. GraphQL query execution against data sources is not implemented (this is the faithful control plane); EvaluateCode/EvaluateMappingTemplate run a documented evaluation subset, not a full VTL/JS interpreter
AWS Amplify37Complete AWS Amplify hosting control plane: apps (d-prefixed ids, arn:aws:amplify:...:apps/<id> ARNs, <id>.amplifyapp.com default domains, every config member echoed), branches (per-branch job counters), domain associations (verification settles CREATING -> AVAILABLE on read, marking subdomains verified), webhooks (generated trigger URLs), backend environments, the deterministic build/job lifecycle (StartJob settles PENDING -> PROVISIONING -> RUNNING -> SUCCEED on reads with a BUILD step, StopJob -> CANCELLED), manual deployments (CreateDeployment presigned upload URLs, StartDeployment), build artifacts (ListArtifacts/GetArtifactUrl), GenerateAccessLogs, and ARN-keyed tags on apps + branches; model-derived validation, persisted (in-flight domain/job transitions reconcile on restart). Hosting control plane with no separately-emulable data plane (all 37 ops)
Amazon Textract25Complete Textract surface: synchronous analysis (DetectDocumentText/AnalyzeDocument/AnalyzeExpense/AnalyzeID) validates the Document (Bytes or S3Object) and returns a structural response (DocumentMetadata pages derived from input, empty Blocks); asynchronous jobs (Start*/Get* for text detection / document / expense / lending analysis) mint real 64-char JobIds and settle IN_PROGRESS -> SUCCEEDED on read; custom adapters + adapter versions full CRUD with ClientRequestToken idempotency; ARN-keyed tagging. Model-derived validation (InvalidParameterException / ResourceNotFoundException / InvalidJobIdException); persisted. No OCR/ML model runs, so text is not fabricated. JSON 1.1 protocol. All 25 ops
Transcribe43Full 43-op control plane. Transcription / medical-transcription / call-analytics / medical-scribe jobs (QUEUED -> COMPLETED settling on read, well-formed Transcript at the requested output location), custom + medical vocabularies and vocabulary filters (PENDING -> READY), custom language models (IN_PROGRESS -> COMPLETED), call-analytics categories, and ARN-keyed tagging. Model-driven required/length/range/enum/pattern validation with Transcribe's declared exceptions (BadRequestException/ConflictException/NotFoundException/LimitExceededException). JSON 1.1 protocol. Account-partitioned and persisted. Honest gap: speech recognition is not run — a completed job's TranscriptFileUri points at the output location but no transcript JSON is produced there
AWS Elemental MediaConvert34Complete AWS Elemental MediaConvert control plane: queues (ON_DEMAND/RESERVED pricing plans with a materialised reservation plan, ACTIVE/PAUSED status, the seeded undeletable Default SYSTEM queue per account), presets and job templates (full CRUD storing settings verbatim), jobs (CreateJob mints arn:aws:mediaconvert:...:jobs/<id> and settles SUBMITTED -> COMPLETE on the next read with well-formed outputGroupDetails/timing; CancelJob -> CANCELED; SearchJobs filters by queue/status/input file), the account input-restriction policy (Put/Get/DeletePolicy, defaulting each input class to ALLOWED), DescribeEndpoints (echoes a deterministic account-specific endpoint URL), certificate association, resource sharing, jobs queries, engine versions, and ARN-keyed tags. Model-derived required/enum/range validation (BadRequestException/NotFoundException/ConflictException), account-partitioned, persisted. Honest gap: no real video transcoder runs, so a job settles COMPLETE with correctly-shaped but empty outputGroupDetails and Probe returns an empty probeResults list rather than fabricating media (all 34 ops)
Amazon Managed Blockchain27Full 27-op control plane. Networks (CreateNetwork mints an n-... id + global ARN, stores framework HYPERLEDGER_FABRIC/ETHEREUM + voting policy, and for Fabric atomically creates the first member (m-...), returning NetworkId + MemberId; GetNetwork/ListNetworks filtered + paginated), members (full CRUD of m-... with Fabric CaEndpoint/AdminUsername attributes, CREATING -> AVAILABLE on read, DeleteMember -> DELETED), nodes (full CRUD of nd-... with InstanceType/StateDB and derived Fabric peer / Ethereum HTTP+WebSocket endpoints), proposals + voting (CreateProposal -> p-... IN_PROGRESS; VoteOnProposal records YES/NO and, when the ApprovalThresholdPolicy threshold is met, transitions to APPROVED — materialising invitations into real Invitation records — or REJECTED; ListProposalVotes/GetProposal/ListProposals), invitations (ListInvitations, RejectInvitation), accessors (CreateAccessor -> UUID id + BillingToken; Get/List/DeleteAccessor), and ARN-keyed tags. Model-derived validation (InvalidRequestException/ResourceNotFoundException/IllegalActionException). REST-JSON protocol. Account-partitioned and persisted. Honest gap: no real Hyperledger Fabric or Ethereum network runs — the CA/peer/RPC endpoints are well-formed deterministic URLs pointing at no live chain
AWS Shield36Full 36-op control plane. Protections over supported resources (CreateProtection -> 36-char ProtectionId + arn:aws:shield::<account>:protection/<id> ARN; Describe/List/Delete by id or resource ARN; one protection per resource, else ResourceAlreadyExistsException; a non-ARN resource -> InvalidResourceException), protection groups (Aggregation SUM/MEAN/MAX, Pattern ALL/ARBITRARY/BY_RESOURCE_TYPE, members + ListResourcesInProtectionGroup), the annual auto-renewing Shield Advanced subscription (CreateSubscription, GetSubscriptionState ACTIVE/INACTIVE, DescribeSubscription with full SubscriptionLimits, DeleteSubscription -> LockedSubscriptionException), emergency contacts, DRT access (role + up to 10 log buckets, NoAssociatedRoleException), proactive engagement, application-layer automatic response, Route 53 health-check association, and ARN-keyed tagging. Model-driven input validation (required/length/range/enum). JSON 1.1 protocol (global service, empty-region ARNs). Persisted. Attack surfacing is honest — ListAttacks is empty and DescribeAttackStatistics is zeroed; no synthetic attacks
Comprehend85Full 85-op NLP surface. Synchronous single-document detection (DetectEntities/DetectSentiment/DetectSyntax/DetectKeyPhrases/DetectDominantLanguage/DetectPiiEntities/DetectTargetedSentiment/ContainsPiiEntities/DetectToxicContent/ClassifyDocument) and their BatchDetect* list variants; nine async analysis-job families (dominant-language / entities / key-phrases / sentiment / targeted-sentiment / PII / events / topics / document-classification) minting JobIds + ARNs and settling SUBMITTED -> COMPLETED on read (Stop* -> STOPPED); custom document classifiers and entity recognizers with versioning (SUBMITTED -> TRAINED); real-time endpoints (CREATING -> IN_SERVICE); flywheels + iterations; datasets; resource policies; ImportModel; and ARN-keyed tagging. Model-driven validation with Comprehend's declared exceptions (InvalidRequestException/ResourceNotFoundException/JobNotFoundException/ResourceInUseException). JSON 1.1 protocol. Account-partitioned and persisted. Honest gap: no NLP inference runs, so detection lists come back empty and DetectSentiment returns the neutral default
Amazon Translate19Full 19-op control plane. Synchronous TranslateText / TranslateDocument (structurally correct passthrough echoing the input as the translation with the requested target language applied and existing terminologies listed), asynchronous batch translation jobs (StartTextTranslationJob mints a 32-char JobId at SUBMITTED; Describe/List settle to COMPLETED; Stop -> STOP_REQUESTED -> STOPPED), parallel data (CREATING -> ACTIVE, updates via LatestUpdateAttemptStatus), custom terminologies (ImportTerminology parses the uploaded CSV/TSV for its languages and term count; OVERWRITE merge), the supported-language catalogue (ListLanguages), and ARN-keyed tagging. Model-driven validation surfaced as each op's declared exception (InvalidParameterValueException / InvalidRequestException / ResourceNotFoundException / ConflictException). JSON 1.1 protocol. Account-partitioned and persisted. Honest gap: no neural MT model runs — the translate ops echo the input verbatim rather than fabricating a translation

Detailed per-service pages are coming. If you need specifics on a service today, the AWS operations index lists every operation grouped by service, the AWS Smithy models in aws-models/ are the authoritative source of truth, the conformance baseline at conformance-baseline.json tracks per-service test counts, and the parity matrix maps control-plane vs data-plane coverage per service.

Pages

  • S3 — Objects, multipart, versioning, lifecycle, notifications, replication, website hosting.
  • SQS — FIFO queues, dead-letter queues, long polling, batch operations.
  • SNS — Topics, subscriptions, fan-out delivery, filter policies, platform applications.
  • EventBridge — Event buses, pattern matching, scheduled rules, archives, replay, API destinations.
  • Lambda — Real code execution in Docker containers across 23 runtimes. Event source mappings, warm container reuse.
  • EventBridge Scheduler — Standalone scheduler service — at, rate, cron expressions, SQS targets, DLQ routing, one-shot self-delete.
  • DynamoDB — Tables, items, transactions, PartiQL, backups, global tables, streams, TTL.
  • IAM — Users, roles, policies, groups, instance profiles, OIDC/SAML providers.
  • STS — AssumeRole, session tokens, federation, caller identity.
  • SSM — Parameters, documents, commands, maintenance windows, associations, patch baselines.
  • Secrets Manager — Secrets, versioning, rotation via Lambda, replication.
  • CloudWatch Logs — Log groups, streams, filtering, subscriptions, queries, anomaly detection.
  • KMS — Encryption, key management, aliases, grants, real ECDH, key import.
  • CloudFormation — Template parsing, resource provisioning, conditions + intrinsics, nested stacks, SAM transform, drift detection, change sets, stack sets, custom resources.
  • SES — Sending, templates, DKIM, suppression, and real inbound receipt rule execution.
  • Cognito User Pools — User pools, app clients, MFA, identity providers, full authentication flows.
  • Kinesis — Data Streams, records, shard iterators, retention, tagging.
  • DocumentDB — Amazon DocumentDB control plane: clusters, instances, snapshots, restore, parameter/subnet/global groups, event subscriptions, and tagging. RDS-shaped Query API.
  • Neptune — Amazon Neptune control plane: clusters, instances, cluster endpoints, snapshots, restore, parameter/subnet/global groups, IAM role associations, event subscriptions, and tagging. RDS-shaped Query API.
  • RDS — Real PostgreSQL, MySQL, MariaDB, Oracle, SQL Server, and Db2 instances via Docker. Snapshots, read replicas, parameter groups.
  • Aurora DSQL — Aurora DSQL (dsql) serverless distributed PostgreSQL control plane on fakecloud: clusters, resource policies, change streams to Kinesis, multi-region properties, and tagging with real account-partitioned, persisted state.
  • ElastiCache — Real Redis, Valkey, and Memcached clusters via Docker. Replication groups, snapshots, ACL user management, configuration endpoints.
  • RDS Data API — Run real SQL over HTTP with the RDS Data API (ExecuteStatement) against fakecloud's real PostgreSQL and MySQL containers — typed parameters and results, including binary round-trips.
  • API Gateway v1 — REST APIs, resources/methods/integrations, deployments, stages, API keys, usage plans, authorizers.
  • Redshift — A local Amazon Redshift control plane — clusters, snapshots, parameter/subnet groups, snapshot schedules, endpoint access, and logging, all as real persisted state with AWS-faithful responses.
  • Step Functions — Full ASL interpreter, cross-service task integrations, execution history.
  • API Gateway v2 — HTTP APIs, Lambda proxy integration, JWT and Lambda authorizers, CORS.
  • Bedrock — Foundation models, guardrails, custom models, invocation jobs, evaluation jobs, marketplace endpoints.
  • ECR — Elastic Container Registry — full 58-operation API plus real OCI v2 Distribution so docker push and docker pull work against fakecloud.
  • Bedrock Agent — Agents, knowledge bases, action groups, flows, prompts, collaborators — full Bedrock Agent control plane.
  • ECS — Elastic Container Service — full API: clusters, task definitions, real Fargate-style task execution via Docker, services with rolling deployments, task sets, container instances, ECS Exec.
  • Bedrock Agent Runtime — InvokeAgent, Retrieve, RetrieveAndGenerate, flow execution, sessions, memory — Bedrock Agent data plane with real eventstream framing.
  • Elastic Load Balancing v2 — ELBv2 control plane — Application/Network/Gateway Load Balancer: load balancers, target groups + targets, listeners + rules + certificates, mTLS trust stores, attributes, capacity reservations, resource policies.
  • CloudFront — CloudFront control plane — distributions, invalidations, web ACL/alias association, tags. Full DistributionConfig round-trip with ETag/If-Match concurrency.
  • Route 53 — Route 53 control plane — hosted zones, RRsets, health checks, traffic policies, DNSSEC + KSK, query logging, CIDR collections, VPC associations, reusable delegation sets, geo locations, account limits, tags.
  • ACM — AWS Certificate Manager — request / import / export / revoke certificates, tags, account configuration. JSON 1.1 protocol.
  • Application Auto Scaling — AWS Application Auto Scaling — scalable targets, step / target-tracking / predictive policies, scheduled actions, scaling activities, predictive forecasts, tags. JSON 1.1 protocol.
  • EC2 Auto Scaling — Amazon EC2 Auto Scaling — Auto Scaling Groups, Launch Configurations, desired-capacity reconciliation, and scaling activities. Query protocol.
  • WAF v2 — AWS WAF v2 — Web ACLs, rule groups, IP sets, regex pattern sets, API keys, logging configs, managed rule catalog, mobile SDK. JSON 1.1 protocol.
  • Batch — AWS Batch — compute environments, job queues, job definitions, scheduling policies, and the job control plane. restJson1 protocol.
  • Athena — AWS Athena — workgroups, data catalogs, named queries, prepared statements, query executions, notebooks, sessions, capacity reservations. JSON 1.1 protocol with a minimal SQL evaluator that reads Glue tables.
  • Glue — AWS Glue full control plane — Data Catalog, jobs, crawlers, connections, triggers, workflows, schema registry, sessions, ML transforms, data quality. JSON 1.1 protocol.
  • Organizations — AWS Organizations control plane — accounts, OUs, SCPs, tag policies, handshakes, delegated administrators. Real SCP enforcement across services.
  • EventBridge Pipes — Amazon EventBridge Pipes — point-to-point source → enrichment → target integrations. restJson1 protocol.
  • Firehose — Amazon Data Firehose delivery streams (control plane), JSON 1.1 protocol.
  • CloudWatch (Metrics & Alarms) — Amazon CloudWatch metrics, alarms, dashboards, anomaly detectors, insight rules, and metric streams. awsQuery and awsJson1_0 protocols.
  • Amazon Managed Service for Apache Flink — Amazon Managed Service for Apache Flink (kinesisanalyticsv2, formerly Kinesis Data Analytics v2) on fakecloud: full 33-operation control plane for SQL and Flink streaming applications, versions, snapshots, operations, VPC and CloudWatch logging configuration, with persistence.
  • EC2 — Amazon EC2 — the full 769-operation control plane. VPCs, subnets, security groups, instances, EBS, AMIs, transit gateways, VPN, IPAM, Verified Access, and the entire networking long tail at 100% Smithy conformance.
  • Cloud Control API — AWS Cloud Control API (cloudcontrolapi) on fakecloud: a uniform CRUD-L interface over CloudFormation resource types, driving the same real provisioners as CloudFormation, with JSON Patch updates and request tracking.
  • Resource Groups — AWS Resource Groups (resource-groups) on fakecloud: groups, tag/CloudFormation-stack resource queries, explicit membership, group configuration, tagging, account settings, and tag-sync tasks, with real account-partitioned, persisted state.
  • Resource Groups Tagging API — AWS Resource Groups Tagging API (tagging) on fakecloud: cross-service tag reads (GetResources / GetTagKeys / GetTagValues), tag writes (TagResources / UntagResources), compliance summary, and tag reports, backed by a real cross-service tag index.
  • MemoryDB — Amazon MemoryDB (memorydb) on fakecloud: full 45-operation control plane for Redis/Valkey clusters, shards, ACLs, users, parameter and subnet groups, snapshots, and multi-region clusters, with persistence.
  • EKS — Amazon EKS (eks) on fakecloud: complete 65-op Elastic Kubernetes Service control plane — clusters, node groups, Fargate profiles, add-ons, access entries, identity-provider configs, pod identity, insights, capabilities, and EKS Anywhere. restJson1.
  • Amazon S3 Glacier — Amazon S3 Glacier (glacier) on fakecloud: a complete 33-operation implementation (100% conformance) with a real data plane — vaults, archive upload/delete with SHA-256 tree hashes, multipart uploads, retrieval and inventory jobs, vault lock, notifications, access policy, tags, data-retrieval policy, and provisioned capacity. restJson1.
  • OpenSearch Service — Amazon OpenSearch Service + Amazon Elasticsearch Service (es) on fakecloud: one shared control plane for both APIs (147 operations, 100% conformance) — domains, packages, VPC endpoints, cross-cluster connections, applications, data sources. restJson1.
  • Cloud Map — AWS Cloud Map (servicediscovery) on fakecloud: namespace control plane over HTTP, public-DNS, and private-DNS namespaces, driven by the async operation model. awsJson1.1.
  • Account Management — AWS Account Management (account) on fakecloud: alternate contacts, primary contact information, account information, primary-email OTP flow, and Region opt-in control. restJson1.
  • AWS Backup — AWS Backup (backup) on fakecloud: a complete 109-operation control plane (100% conformance) — backup plans, vaults, recovery points, backup/copy/restore/scan jobs, frameworks, report plans, legal holds, restore testing, tiering. restJson1.
  • IAM Identity Center Identity Store — AWS IAM Identity Center Identity Store (identitystore) on fakecloud: users, groups, group memberships, attribute lookups, and IsMemberInGroups. awsJson1.1.
  • IAM Identity Center SSO Admin — AWS IAM Identity Center SSO Admin (sso-admin) on fakecloud: instances, permission sets, account assignments, applications, trusted token issuers, regions, and tagging. awsJson1.1.
  • Verified Permissions — AWS Verified Permissions (verifiedpermissions) on fakecloud: policy stores, Cedar schemas, static and template-linked policies, policy templates, identity sources, aliases, tagging, and real Cedar authorization. awsJson1.0.
  • Database Migration Service — AWS Database Migration Service (dms) control plane on fakecloud: replication instances, endpoints, replication tasks, subnet groups, event subscriptions, certificates, serverless replication configs, data providers, instance profiles, migration projects, schema conversion, and Fleet Advisor — real account-partitioned, persisted state.
  • Transfer Family — AWS Transfer Family (transfer) control plane on fakecloud: SFTP/FTPS/FTP/AS2 servers, users, SSH and host keys, accesses, workflows, agreements, connectors, profiles, certificates, security policies, and web apps — real account-partitioned, persisted state.
  • AWS AppConfig — AWS AppConfig (appconfig + appconfigdata) on fakecloud: applications, environments, configuration profiles, hosted configuration versions storing real bytes, deployment strategies, deployments, extensions, experiments, and a real data plane that serves deployed configuration — account-partitioned, persisted state.
  • CloudTrail — AWS CloudTrail (cloudtrail) control plane on fakecloud: trails, logging status, event and insight selectors, CloudTrail Lake event data stores, channels, imports, queries, dashboards, resource policies, organization delegated admins, and tagging — real account-partitioned, persisted state.
  • AWS Resource Access Manager — AWS Resource Access Manager (ram) on fakecloud: a complete 35-operation implementation (100% conformance) — resource shares, principal/resource associations, cross-account share invitations, managed + customer permissions with versions, resource-type catalogue, and tagging. restJson1.
  • AWS Cost Explorer — AWS Cost Explorer (ce) on fakecloud: a complete 47-operation implementation (100% conformance) — anomaly monitors + subscriptions, cost category definitions, cost-allocation tags, and structurally-valid zero-usage cost/reservation/savings analytics. awsJson1.1.
  • Amazon S3 Tables — Amazon S3 Tables (s3tables) on fakecloud: a complete 49-operation implementation (100% conformance) — table buckets, namespaces, Iceberg tables, metadata-location pointers with version-token concurrency, and every encryption/policy/maintenance/replication sub-resource. restJson1.
  • AWS Lake Formation — AWS Lake Formation (lakeformation) on fakecloud: a complete 61-operation implementation (100% conformance) — LF-tags, fine-grained permission grants, registered resources, data lake settings, governance transactions, and data-cell filters. restJson1.
  • AWS CodeBuild — AWS CodeBuild (codebuild) on fakecloud: a complete 59-operation implementation (100% conformance) — build projects, builds and build batches, report groups and reports, fleets, webhooks, source credentials, resource policies, and sandboxes. awsJson1.1.
  • AWS CodeConnections — AWS CodeConnections (codeconnections) on fakecloud: a complete 27-operation implementation (100% conformance) — connections, hosts, repository links, sync configurations, and the sync-status/blocker read surface. awsJson1.0.
  • AWS CodeDeploy — AWS CodeDeploy (codedeploy) on fakecloud: a complete 47-operation implementation (100% conformance) — applications, application revisions, deployment groups, deployment configurations, deployments and their targets, on-premises instances, and tagging. awsJson1.1.
  • AWS CodePipeline — AWS CodePipeline (codepipeline) on fakecloud: a complete 44-operation implementation (100% conformance) — pipelines and their versions, pipeline/action/rule executions, custom action types, webhooks, job polling, stage transitions, approvals, and tagging. awsJson1.1.
  • AWS CodeArtifact — AWS CodeArtifact (codeartifact) on fakecloud: a complete 48-operation implementation (100% conformance) covering domains, repositories, external connections, package groups, packages and their versions/assets/dependencies, permission policies, authorization tokens, and tagging. restJson1.
  • AWS CodeCommit — AWS CodeCommit (codecommit) on fakecloud: a complete 79-operation implementation (100% conformance) covering repositories, branches, commits and files over a real content-addressed object store, pull requests with approvals and events, approval-rule templates and associations, comments and reactions, repository triggers, and tagging. awsJson1.1.
  • Elastic Beanstalk — Full Elastic Beanstalk control plane: applications, application versions, environments with a real Launching->Ready lifecycle, configuration templates and option settings, events, platforms, and CNAMEs.
  • Amazon EFS — Amazon Elastic File System (elasticfilesystem) on fakecloud: a complete 31-operation control plane (100% conformance) - file systems, mount targets, access points, lifecycle/backup/policy configuration, replication, tagging, and account preferences. restJson1.
  • ACM PCA — AWS Certificate Manager Private CA — create private CAs, issue and revoke real X.509 certificates, audit reports, permissions, and resource policies. JSON 1.1 protocol.
  • Amazon MQ — Amazon MQ (mq) on fakecloud: a complete 25-operation control plane (100% conformance) plus a real, connectable ActiveMQ/RabbitMQ broker data plane backed by real containers. restJson1.
  • Config — AWS Config — configuration recorder, real cross-service config-item recording, config rules with genuine managed-rule and custom-Lambda evaluation, compliance, conformance packs, and aggregators. JSON 1.1 protocol.
  • Route 53 Resolver — Amazon Route 53 Resolver — resolver endpoints, resolver rules and VPC associations, query logging, and DNS Firewall. Real control plane validated against EC2 VPC subnets and security groups. JSON 1.1 protocol.
  • Amazon MSK — Amazon MSK (Managed Streaming for Apache Kafka, kafka) on fakecloud: a complete 59-operation control plane (100% conformance). restJson1.
  • Amazon EMR — Amazon EMR (Elastic MapReduce) on fakecloud: the full 65-operation control plane -- clusters/job flows, steps, instance groups and fleets, EMR Studio, notebook executions, security configurations, scaling and auto-termination policies, block public access, and tags -- with account-partitioned persistence.
  • Amazon MWAA — Amazon MWAA (Managed Workflows for Apache Airflow, mwaa) on fakecloud: a complete 12-operation control plane (100% conformance). restJson1.
  • AWS FIS — AWS Fault Injection Simulator (fis) on fakecloud: a complete 26-operation control plane (100% conformance). restJson1.
  • Amazon Textract — Amazon Textract (textract) on fakecloud: a complete 25-operation surface (100% conformance). awsJson1_1.
  • Amazon Transcribe — Amazon Transcribe on fakecloud: the full 43-operation control plane -- transcription, medical-transcription, call-analytics and medical-scribe jobs, custom and medical vocabularies, vocabulary filters, custom language models, call-analytics categories, and tagging -- with account-partitioned persistence. Speech recognition itself is a documented gap.
  • Amazon Translate — Amazon Translate on fakecloud: the full 19-operation control plane -- text and document translation, asynchronous batch translation jobs, parallel data, custom terminologies, the supported-language catalogue, and tagging -- with account-partitioned persistence. Neural machine translation itself is a documented gap.
  • AWS Shield — AWS Shield / Shield Advanced on fakecloud: the full 36-operation control plane -- protections and protection groups, the annual Shield Advanced subscription, emergency contacts, DRT access, proactive engagement, application-layer automatic response, health-check association, and tags -- with account-partitioned persistence and honest (non-synthetic) attack surfacing.
  • AWS X-Ray — AWS X-Ray (xray) on fakecloud: a complete 38-operation surface (100% conformance) with a real in-memory trace data plane — segment ingestion, service-graph derivation, sampling rules, and groups. restJson1.
  • AWS Amplify — AWS Amplify (amplify) on fakecloud: a complete 37-operation hosting control plane (100% conformance). restJson1.
  • AWS AppSync — AWS AppSync (appsync) on fakecloud: the complete 74-operation surface (100% conformance) — GraphQL APIs, data sources, resolvers, functions, schema types, API caches, domain names, Event APIs, and source-API associations. restJson1.
  • AWS Elemental MediaConvert — AWS Elemental MediaConvert (mediaconvert) on fakecloud: a complete 34-operation video-transcoding control plane (100% conformance). restJson1.
  • Amazon Comprehend — Amazon Comprehend on fakecloud: the full 85-operation surface -- synchronous and batch text detection, nine async analysis-job families, custom document classifiers and entity recognizers, real-time endpoints, flywheels, datasets, resource policies, model import, and tagging -- with account-partitioned persistence. The NLP inference itself is a documented gap.
  • AWS Serverless Application Repository — AWS Serverless Application Repository (serverlessrepo) on fakecloud: a complete 14-operation control plane (100% conformance). restJson1.
  • Amazon Pinpoint — Amazon Pinpoint (pinpoint) on fakecloud: a complete 122-operation control plane (100% conformance). restJson1.
  • AWS Support — AWS Support on fakecloud: the full 16-operation surface -- support cases, communications, attachment sets, severity levels, the service/category catalogue, and the Trusted Advisor check catalogue + refresh state machine -- with account-partitioned persistence. The Trusted Advisor analysis engine and the live support agent are documented gaps.
  • Amazon SWF — Amazon Simple Workflow Service on fakecloud: the full 39-operation control plane -- domains, versioned activity/workflow types, and workflow executions driven by a real decider/worker state machine (decision tasks, activity tasks, and the event history that ties them together) -- with account-partitioned persistence.
  • AWS IoT Core — AWS IoT Core (iot) on fakecloud: the full 272-operation control plane — things, policies, certificates, jobs, topic rules, Device Defender, provisioning — at 100% conformance. restJson1.
  • Amazon Managed Blockchain — Amazon Managed Blockchain (managedblockchain) on fakecloud: a complete 27-operation control plane for networks, members, nodes, proposals, voting, invitations, and accessors (100% conformance). restJson1.
  • AWS IoT Data Plane — AWS IoT Data Plane (iotdata) on fakecloud: device shadows + retained messages, a complete 11-operation data plane (100% conformance). restJson1.
  • AWS IoT Wireless — AWS IoT Wireless (iotwireless) on fakecloud: the full 112-operation LoRaWAN + Sidewalk control plane — destinations, device/service profiles, FUOTA tasks, multicast groups, wireless devices + gateways — at 100% conformance. restJson1.
  • Amazon Timestream — Amazon Timestream on fakecloud: one crate serving BOTH the Timestream Write and Timestream Query SDK clients over a shared store -- databases, tables, WriteRecords ingestion, a bounded SQL Query engine, scheduled queries, batch-load tasks, account settings, and endpoint discovery that resolves back to fakecloud -- with account-partitioned persistence.
  • Amazon SageMaker — Amazon SageMaker (sagemaker) on fakecloud: the full 403-operation ML control plane — models, endpoints, endpoint configs, training/processing/transform/AutoML/tuning jobs, notebook instances, pipelines, feature groups, domains, model packages — at 100% conformance. awsJson1.1.