Services

Every AWS service fakecloud implements, with operation counts and notable features.

fakecloud implements 35 AWS services with 2,422 total operations, all at 100% Smithy conformance. Per-service feature matrices and gotchas live on individual service pages — use the sidebar to navigate.

ServiceOpsNotes
S3107Versioning, lifecycle, notifications, multipart, replication, website, real SSE-KMS encrypt/decrypt
SQS23FIFO, DLQs, long polling, batch, real KMS encrypt/decrypt on KmsMasterKeyId queues
SNS42Fan-out to SQS/Lambda/HTTP, filter policies, KMS audit-trail on KmsMasterKeyId topics
EventBridge57Pattern matching, schedules, archives, replay, API destinations
EventBridge Scheduler12at/rate/cron, SQS targets, DLQ routing, one-shot self-delete
Lambda85Real Docker, 23 runtimes, ESM with FilterCriteria + partial-batch failure
DynamoDB57Transactions, PartiQL, backups, global tables, streams, KMS audit-trail on SSE-KMS tables
IAM176Users, roles, policies, groups, OIDC/SAML, PassRole trust enforcement
STS11AssumeRole, session tokens, federation
SSM146Parameters, documents, commands, maintenance, patch baselines, SecureString -> real KMS encrypt/decrypt
Secrets Manager23Versioning, rotation via Lambda, replication, real KMS encrypt/decrypt
CloudWatch Logs113Groups, streams, subscription filters, query language
KMS53Encryption, aliases, grants, real ECDH, key import, cross-service hook
CloudFormation90Template parsing, resource provisioning, custom resources
SES (v2 + v1 inbound)110Sending, templates, DKIM, real receipt rule execution
Cognito User Pools122Pools, clients, MFA, identity providers, full auth flows; verification email -> SES, SMS -> SNS, all 12 Lambda triggers
Kinesis39Streams, records, shard iterators, retention
RDS163Real Postgres, MySQL, MariaDB, Oracle, SQL Server, Db2 via Docker; lifecycle ops emit aws.rds EventBridge events
ElastiCache75Real Redis, Valkey, Memcached via Docker
Step Functions37Full ASL interpreter, Lambda/SQS/SNS/EventBridge/DynamoDB tasks
API Gateway v1124REST APIs, resources, methods, integrations (MOCK/HTTP/HTTP_PROXY/AWS_PROXY Lambda), deployments, stages, API keys, usage plans, authorizers, models, request validators, VPC links, domain names, base path mappings, client certs, gateway responses, docs, tags
API Gateway v2103HTTP APIs, routes, integrations, stages, deployments, authorizers, domains, models, VPC links, routing rules, developer portals, CORS, tags
Bedrock101Foundation models, guardrails, custom models, invocation/eval jobs
Bedrock Runtime10InvokeModel, Converse, streaming, configurable responses, fault inject
ECR58Full API — OCI v2 push/pull, lifecycle eval, scanning, pull-through cache, registry templates, real cosign signature verification
ECS60Full API — clusters, real Fargate-style task execution via Docker, services + rolling deployments, task sets, container instances, ECS Exec, awslogs -> Logs, secrets injection, task role credentials
Elastic Load Balancing v251Full control plane — ALB/NLB/GWLB CRUD, target groups + targets + real health probes, listeners + rules + certificates, attributes, capacity reservations, mTLS trust stores + revocations, resource policies, SSL policies, tags. In-process HTTP data plane for ALBs — per-LB TCP bind, rule matching, forward / fixed-response / redirect, sticky sessions
CloudFront147Distributions, invalidations, tagging, by-X listings, web ACL/alias association. OAC + Cache/OriginRequest/ResponseHeaders/ContinuousDeployment policies. CloudFront Functions, Public Keys, Key Groups, Key Value Stores, Origin Access Identities (legacy), Monitoring Subscriptions. Streaming Distributions (legacy RTMP). Field-Level Encryption configs + profiles + Realtime Log Configs. VPC Origins, Anycast IP Lists, Trust Stores, Resource Policies. Connection Groups + Domain Association/DNS Verification + Managed Certificate Details + Promote-Staging Distribution — full CRUD with ETag/If-Match concurrency. Full DistributionConfig round-trip incl. origins, cache behaviors, custom error responses, viewer certificates, geo restrictions
Application Auto Scaling14Full control plane. Scalable targets (Register/Deregister/Describe) for ECS, Lambda, DynamoDB, RDS, ElastiCache, SageMaker, EMR, AppStream, Cassandra, Kafka, Neptune, EC2 Spot Fleet, Comprehend. Step + target-tracking + predictive scaling policies (Put/Describe/Delete). Scheduled actions with cron / one-shot start/end times + Timezone. DescribeScalingActivities honors IncludeNotScaledActivities, deterministic GetPredictiveScalingForecast with hourly Load + Capacity buckets capped at one week. RoleARN defaults to the per-namespace service-linked role ARN. Deregister cascades to policies + scheduled actions for the same target. TagResource/UntagResource/ListTagsForResource keyed by ARN, reject unknown ARNs with ObjectNotFoundException. JSON 1.1 protocol
WAF v255Full control plane. WebACLs / RuleGroups / IPSets / RegexPatternSets — Create/Get/List/Update/Delete with LockToken optimistic concurrency that rotates on every successful mutation; stale tokens get WAFOptimisticLockException. Both REGIONAL and CLOUDFRONT scopes; ARN segment reflects scope (regional/... vs global/...). Web ACL <-> resource associations (AssociateWebACL/DisassociateWebACL/GetWebACLForResource/ListResourcesForWebACL); WAFAssociatedItemException blocks delete-while-associated for WebACLs and delete-while-referenced for RuleGroups. CheckCapacity computes WCU as the recursive count of statement leaves through AndStatement/OrStatement/NotStatement. API keys via CreateAPIKey/DeleteAPIKey/GetDecryptedAPIKey/ListAPIKeys; the encrypted blob is a deterministic base64 payload that round-trips its TokenDomains. Logging configurations (Put/Get/Delete/List) keyed by Web ACL ARN. Permission policies for cross-account RuleGroup share (Put/Get/Delete). Tags with WAFNonexistentItemException on unknown ARNs. Managed rule catalog: AWS-vendor AWSManagedRulesCommonRuleSet, AWSManagedRulesKnownBadInputsRuleSet, AWSManagedRulesSQLiRuleSet discoverable via ListAvailableManagedRuleGroups/Versions, DescribeManagedRuleGroup, DescribeAllManagedProducts, DescribeManagedProductsByVendor, GetManagedRuleSet. Vendor-publishing ops (PutManagedRuleSetVersions, UpdateManagedRuleSetVersionExpiryDate, ListManagedRuleSets) are stub-routed (no real publishing pipeline). Mobile SDK lookups + presigned URL synthesis. GetSampledRequests, GetTopPathStatisticsByTraffic, GetRateBasedStatementManagedKeys return shape-correct empty observability windows. JSON 1.1 protocol. fakecloud does not actually inspect any HTTP request — Web ACLs are control-plane only; no rule evaluation happens against ALB/CloudFront/APIGW traffic
ACM (Certificate Manager)17Full control plane. Public-cert lifecycle: RequestCertificate (DNS / EMAIL validation, deterministic synthesized DNS validation records), DescribeCertificate, GetCertificate, ListCertificates, SearchCertificates, DeleteCertificate, RenewCertificate, RevokeCertificate (AMAZON_ISSUED only). Imported certs: ImportCertificate round-trips PEM and supports re-import to the same ARN, ExportCertificate returns cert + chain + key with passphrase. Tags via Add/Remove/ListTagsForCertificate. Account-wide expiry events via Get/PutAccountConfiguration. UpdateCertificateOptions for transparency-logging + export prefs. ResendValidationEmail only for EMAIL-validated certs. Idempotency via IdempotencyToken matches AWS' 1-hour window. JSON 1.1 protocol. fakecloud does not run the real X.509 validation pipeline — certs land at PENDING_VALIDATION and stay there until renewed; Import flips straight to ISSUED
Athena70Full control plane. Workgroups (default primary seeded), Data Catalogs (default AwsDataCatalog seeded), Named Queries, Prepared Statements (keyed by (workgroup, statement_name)), Query Executions, Notebooks, Sessions + Calculations, Capacity Reservations + Capacity Assignment Configuration. StartQueryExecution runs through a minimal SQL evaluator: SHOW DATABASES / SHOW TABLES / DESCRIBE and trivial SELECT col FROM db.table WHERE col = 'lit' LIMIT N resolve against the Glue Data Catalog (databases + tables created via glue:CreateTable are visible immediately under AwsDataCatalog). ExecutionParameters performs positional ? substitution against prepared statements. Anything outside the supported subset (joins, aggregates, window functions, Parquet scans) falls back to a synthesized single-row [["1"]] result so callers can still fetch via GetQueryResults without polling. DeleteWorkGroup rejects primary and refuses non-empty workgroups unless RecursiveDeleteOption=true. DeleteDataCatalog rejects AwsDataCatalog. Statement classification (DML / DDL / UTILITY) inferred from the leading SQL keyword. Tags keyed by ARN across workgroup / datacatalog / capacity-reservation resources. ListEngineVersions / ListApplicationDPUSizes / ListExecutors / GetResourceDashboard return read-only catalog data. JSON 1.1 protocol. fakecloud is not a full SQL engine — complex queries fall back to the synthesized [["1"]] result
Glue26Data Catalog + Jobs control plane. Databases / Tables (full StorageDescriptor + partition keys round-trip) / Partitions (CreatePartition / BatchCreatePartition / BatchGetPartition / GetPartition / UpdatePartition / DeletePartition / GetPartitions). GetPartitions Expression pruning parses the filter and prunes partitions server-side — supports = / != / <> / comparison operators / IN / BETWEEN / LIKE / IS NULL / IS NOT NULL with AND / OR / NOT and parentheses; type-aware over string / int / bigint / date / timestamp. Jobs CRUD + StartJobRun / GetJobRun / GetJobRuns with STARTING -> RUNNING -> SUCCEEDED lifecycle and Arguments overrides. Same Data Catalog store backs Athena's ListDatabases / GetTableMetadata. JSON 1.1 protocol. Glue ETL runtime (Spark / Python Shell) is not executed — JobRuns are control-plane only. Crawlers / connections / triggers / workflows / dev endpoints / ML transforms / schema registry / data quality not implemented
Firehose10Delivery stream control plane. CreateDeliveryStream / DescribeDeliveryStream / ListDeliveryStreams / DeleteDeliveryStream / UpdateDestination with full round-trip on ExtendedS3 / Redshift / Elasticsearch / Amazonopensearchservice / Splunk / HttpEndpoint / Snowflake / Iceberg destination configs. Both DirectPut and KinesisStreamAsSource source types; CREATING -> ACTIVE and DELETING -> deleted lifecycle. BufferingHints range-checked: SizeInMBs 1-128, IntervalInSeconds 0 or 60-900 — out-of-range -> InvalidArgumentException. PutRecord / PutRecordBatch assign per-record RecordIds; batches > 500 records / 4 MB return ServiceUnavailableException. Tag CRUD per stream ARN. JSON 1.1 protocol. Data plane stops at acknowledgement — records are not delivered to destinations
Route 5371Full control plane. Hosted zones + RRsets + health checks + traffic policies + instances + DNSSEC + KSK + query logging + CIDR collections + VPC associations + reusable delegation sets + geo locations + account limits + tags — CRUD with default SOA/NS records seeded on create, deterministic INSYNC change tracking, comment + features updates, hosted zone limits, list-by-name, TestDNSAnswer synthesis. Health checks: full lifecycle with HealthCheckVersion optimistic concurrency, ResetElements, HealthCheckInUse rejection on delete, status + last-failure observations, checker IP ranges. Traffic policies + instances: versioned policies (CreateTrafficPolicyVersion increments), TrafficPolicyAlreadyExists/InUse, TrafficPolicyInstanceAlreadyExists, list-by-hosted-zone + list-by-policy + count. DNSSEC + KSK: EnableHostedZoneDNSSEC/Disable, GetDNSSEC with synthesized ECDSAP256SHA256 KSK metadata, CreateKeySigningKey requires KMS-ARN, Activate/Deactivate, InvalidKeySigningKeyStatus blocks Delete while ACTIVE. Query logging: one config per zone, public-zone-only enforcement, CloudWatchLogsLogGroupArn validation, QueryLoggingConfigAlreadyExists. CIDR collections: PUT/DELETE_IF_EXISTS change actions applied atomically, CollectionVersion optimistic concurrency (CidrCollectionVersionMismatchException), CidrCollectionInUseException on delete-with-locations. VPC associations: Associate/Disassociate enforce private-zone-only and reject removing the last VPC, CreateVPCAssociationAuthorization + Delete + List model the cross-account authorization handshake, ListHostedZonesByVPC filters by VPC ID + region. Reusable delegation sets: CreateReusableDelegationSet synthesizes 4 NS records, DelegationSetInUse blocks delete while any zone references the set, GetReusableDelegationSetLimit returns MAX_ZONES_BY_REUSABLE_DELEGATION_SET. Geo locations + account limits + tags: ListGeoLocations/GetGeoLocation over a representative dataset (continents + sample countries + US subdivisions) with IsTruncated/NextContinentCode/NextCountryCode/NextSubdivisionCode pagination, GetAccountLimit for all 5 owner-scoped types (zones/health-checks/delegation-sets/traffic-policies/instances) reporting live usage Count, full tag CRUD on health checks + hosted zones via ChangeTagsForResource/ListTagsForResource/ListTagsForResources with NoSuchHealthCheck/NoSuchHostedZone on missing target. REST-XML protocol with HTTP method + URI routing under /2013-04-01/

Detailed per-service pages are coming. If you need specifics on a service today, the conformance baseline at conformance-baseline.json lists every operation fakecloud handles, the AWS Smithy models in aws-models/ are the authoritative source of truth, and the parity matrix maps control-plane vs data-plane coverage per service.

Pages

  • S3 — Objects, multipart, versioning, lifecycle, notifications, replication, website hosting.
  • SQS — FIFO queues, dead-letter queues, long polling, batch operations.
  • SNS — Topics, subscriptions, fan-out delivery, filter policies, platform applications.
  • EventBridge — Event buses, pattern matching, scheduled rules, archives, replay, API destinations.
  • Lambda — Real code execution in Docker containers across 27 runtimes. Event source mappings, warm container reuse.
  • EventBridge Scheduler — Standalone scheduler service — at, rate, cron expressions, SQS targets, DLQ routing, one-shot self-delete.
  • DynamoDB — Tables, items, transactions, PartiQL, backups, global tables, streams, TTL.
  • IAM — Users, roles, policies, groups, instance profiles, OIDC/SAML providers.
  • STS — AssumeRole, session tokens, federation, caller identity.
  • SSM — Parameters, documents, commands, maintenance windows, associations, patch baselines.
  • Secrets Manager — Secrets, versioning, rotation via Lambda, replication.
  • CloudWatch Logs — Log groups, streams, filtering, subscriptions, queries, anomaly detection.
  • KMS — Encryption, key management, aliases, grants, real ECDH, key import.
  • CloudFormation — Template parsing, resource provisioning, conditions + intrinsics, nested stacks, SAM transform, drift detection, change sets, stack sets, custom resources.
  • SES — Sending, templates, DKIM, suppression, and real inbound receipt rule execution.
  • Cognito User Pools — User pools, app clients, MFA, identity providers, full authentication flows.
  • Kinesis — Data Streams, records, shard iterators, retention, tagging.
  • RDS — Real PostgreSQL, MySQL, MariaDB, Oracle, SQL Server, and Db2 instances via Docker. Snapshots, read replicas, parameter groups.
  • ElastiCache — Real Redis, Valkey, and Memcached clusters via Docker. Replication groups, snapshots, ACL user management, configuration endpoints.
  • API Gateway v1 — REST APIs, resources/methods/integrations, deployments, stages, API keys, usage plans, authorizers.
  • Step Functions — Full ASL interpreter, cross-service task integrations, execution history.
  • API Gateway v2 — HTTP APIs, Lambda proxy integration, JWT and Lambda authorizers, CORS.
  • Bedrock — Foundation models, guardrails, custom models, invocation jobs, evaluation jobs, marketplace endpoints.
  • ECR — Elastic Container Registry — full 58-operation API plus real OCI v2 Distribution so docker push and docker pull work against fakecloud.
  • Bedrock Agent — Agents, knowledge bases, action groups, flows, prompts, collaborators — full Bedrock Agent control plane.
  • ECS — Elastic Container Service — full API: clusters, task definitions, real Fargate-style task execution via Docker, services with rolling deployments, task sets, container instances, ECS Exec.
  • Bedrock Agent Runtime — InvokeAgent, Retrieve, RetrieveAndGenerate, flow execution, sessions, memory — Bedrock Agent data plane with real eventstream framing.
  • Elastic Load Balancing v2 — ELBv2 control plane — Application/Network/Gateway Load Balancer: load balancers, target groups + targets, listeners + rules + certificates, mTLS trust stores, attributes, capacity reservations, resource policies.
  • CloudFront — CloudFront control plane — distributions, invalidations, web ACL/alias association, tags. Full DistributionConfig round-trip with ETag/If-Match concurrency.
  • Route 53 — Route 53 control plane — hosted zones, RRsets, health checks, traffic policies, DNSSEC + KSK, query logging, CIDR collections, VPC associations, reusable delegation sets, geo locations, account limits, tags.
  • ACM — AWS Certificate Manager — request / import / export / revoke certificates, tags, account configuration. JSON 1.1 protocol.
  • Application Auto Scaling — AWS Application Auto Scaling — scalable targets, step / target-tracking / predictive policies, scheduled actions, scaling activities, predictive forecasts, tags. JSON 1.1 protocol.
  • WAF v2 — AWS WAF v2 — Web ACLs, rule groups, IP sets, regex pattern sets, API keys, logging configs, managed rule catalog, mobile SDK. JSON 1.1 protocol.
  • Athena — AWS Athena — workgroups, data catalogs, named queries, prepared statements, query executions, notebooks, sessions, capacity reservations. JSON 1.1 protocol with a minimal SQL evaluator that reads Glue tables.
  • Glue — AWS Glue Data Catalog (databases, tables, partitions) + Jobs/JobRuns control plane. JSON 1.1 protocol.
  • Organizations — AWS Organizations control plane — accounts, OUs, SCPs, tag policies, handshakes, delegated administrators. Real SCP enforcement across services.
  • Firehose — Amazon Data Firehose delivery streams (control plane), JSON 1.1 protocol.