Services
Every AWS service fakecloud implements, with operation counts and notable features.
fakecloud implements 105 AWS services with 3,966 total operations. 248,319/248,319 generated Smithy conformance variants pass on every commit — true 100% across the board. Per-service feature matrices and gotchas live on individual service pages — use the sidebar to navigate.
| Service | Ops | Notes |
|---|---|---|
| S3 | 107 | Versioning, lifecycle, notifications, multipart, replication, website, real SSE-KMS encrypt/decrypt |
| SQS | 23 | FIFO, DLQs, long polling, batch, real KMS encrypt/decrypt on KmsMasterKeyId queues |
| SNS | 42 | Fan-out to SQS/Lambda/HTTP, filter policies, KMS audit-trail on KmsMasterKeyId topics |
| EventBridge | 57 | Pattern matching, schedules, archives, replay, API destinations |
| EventBridge Scheduler | 12 | at/rate/cron, SQS targets, DLQ routing, one-shot self-delete |
| EventBridge Pipes | 10 | Source -> filter -> Lambda enrichment -> target, InputTemplate transform, real background runner |
| Lambda | 70 | Real Docker, 23 runtimes, ESM with FilterCriteria + partial-batch failure |
| DynamoDB | 57 | Transactions, PartiQL, backups, global tables, streams, KMS audit-trail on SSE-KMS tables |
| IAM | 176 | Users, roles, policies, groups, OIDC/SAML, PassRole trust enforcement |
| STS | 11 | AssumeRole, session tokens, federation |
| SSM | 146 | Parameters, documents, commands, maintenance, patch baselines, SecureString -> real KMS encrypt/decrypt |
| Secrets Manager | 23 | Versioning, rotation via Lambda, replication, real KMS encrypt/decrypt |
| CloudWatch Logs | 113 | Groups, streams, subscription filters, query language |
| KMS | 53 | Encryption, aliases, grants, real ECDH, key import, cross-service hook |
| CloudFormation | 90 | Template parsing, resource provisioning, custom resources |
| Cloud Control API | 8 | Uniform CRUD-L over CloudFormation resource types, JSON Patch updates, request tracking |
| SES (v2 + v1 inbound) | 111 | Sending, templates, DKIM, real receipt rule execution |
| Cognito User Pools | 122 | Pools, clients, MFA, identity providers, full auth flows; verification email -> SES, SMS -> SNS, all 12 Lambda triggers |
| Kinesis | 39 | Streams, records, shard iterators, retention |
| RDS | 163 | Real Postgres, MySQL, MariaDB, Oracle, SQL Server, Db2 via Docker; lifecycle ops emit aws.rds EventBridge events |
| RDS Data API | 6 | Real SQL on the backing Postgres/MySQL container; typed params/results incl. bytea/BLOB, transactions, batch |
| DocumentDB | 55 | RDS-shaped Query API (control plane only); clusters/instances/snapshots/restore, parameter + subnet + global groups, event subscriptions, tags. No MongoDB-compatible engine image, so endpoints accept no connections |
| Neptune | 70 | RDS-shaped Query API (control plane only); clusters/instances/cluster endpoints/snapshots/restore, IAM roles, cluster + DB parameter groups, subnet + global groups, event subscriptions, tags. No Gremlin/SPARQL graph engine image, so endpoints accept no connections |
| Redshift | 141 | Full control plane: clusters (progress to available, synthetic endpoint), snapshots (real SnapshotArn), parameter groups (Source=user filter), subnet/security groups, snapshot schedules + copy grants, endpoint access (synthesized VPC endpoint), per-cluster logging, cross-region snapshot-copy config, tagging. No SQL data plane (separate redshift-data API) |
| Aurora DSQL | 16 | Serverless distributed Postgres control plane; clusters, resource policies, change streams to Kinesis, multi-region properties, deletion protection, clientToken idempotency, tagging; async CREATING->ACTIVE lifecycle. Data plane (reachable container + IAM-token auth) is a follow-up |
| Transfer Family | 71 | Full control plane: SFTP/FTPS/FTP/AS2 servers (start/stop settle State), users + SSH keys, host keys, accesses, workflows + executions, agreements, connectors (TestConnection, file transfer, directory listing, remote delete/move), profiles, certificates, security policies, web apps, TestIdentityProvider, tagging; persisted. No SFTP daemon or AS2 transport engine |
| CloudTrail | 60 | Full control plane: trails (logging status toggles IsLogging), event + insight selectors, CloudTrail Lake event data stores (restore, ingestion, federation), channels, imports, Lake queries, dashboards, resource policies, org delegated admins, event configuration, tagging; persisted. LookupEvents/ListPublicKeys return empty — no event-recording engine |
| Resource Groups | 23 | Groups by tag/CloudFormation-stack query, explicit membership, group configuration, tagging, account settings, grouping statuses, tag-sync tasks; arn:...:group/<name>/<id> ARNs, persisted |
| ElastiCache | 75 | Real Redis, Valkey, Memcached via Docker |
| MemoryDB | 45 | Full control plane: clusters, shards, ACLs, users, parameter/subnet groups, snapshots, multi-region clusters; persisted. Redis/Valkey data-plane container backing is a follow-up |
| Amazon Managed Service for Apache Flink | 33 | Full kinesisanalyticsv2 control plane: SQL + Flink streaming applications with full configuration persisted and echoed, lifecycle (STARTING->RUNNING, STOPPING->READY, rollback), version history + optimistic concurrency, snapshots, operation records, DiscoverInputSchema, presigned dashboard URLs, maintenance windows, tagging; persisted. Real Flink-job data plane is a follow-up (all 33 ops) |
| EKS | 65 | Complete control plane: clusters (incl. connected register/deregister), node groups, Fargate profiles, add-ons, access entries + policies, OIDC identity-provider configs, pod-identity associations, upgrade insights, capabilities, encryption config, EKS Anywhere subscriptions (create/describe/list/delete, config + version updates with tracking, cluster-version/add-on/access-policy catalogues, tagging); persisted, CREATING -> ACTIVE on describe. No real Kubernetes control-plane endpoint (all 65 ops) |
| AWS FIS | 26 | Complete AWS Fault Injection Simulator control plane: experiment templates (EXT ids, arn:aws:fis:...:experiment-template/<id> ARNs, targets/actions/stopConditions echoed verbatim), the experiment lifecycle (StartExperiment initiating -> running -> completed on read, StopExperiment -> stopping -> stopped, EXP ids), the AWS-provided static actions catalog (aws:ec2:stop-instances, aws:ecs:stop-task, ...) and target-resource-type catalog, per-template/per-experiment multi-account target-account configurations, resolved-target listing, account-level safety levers, and ARN-keyed tagging; model-derived validation, persisted (in-flight experiment transitions reconcile on restart). Real fault injection into other services is a later batch (all 26 ops) |
| Amazon MQ | 25 | Complete Amazon MQ control plane: brokers (async CREATION_IN_PROGRESS -> RUNNING on describe, REBOOT_IN_PROGRESS applies staged pending changes, DELETION_IN_PROGRESS teardown, creatorRequestId idempotency, per-engine ActiveMQ/RabbitMQ wire endpoints + console URLs, deployment-mode-aware brokerInstances), configurations (c- ids, base64 Data revisions with history), per-broker users (CREATE/UPDATE/DELETE pending changes applied on reboot), ARN-keyed tags, and engine-type / instance-option catalogues; persisted (in-flight broker transitions reconcile on restart). No real broker served (all 25 ops) |
| Amazon MSK | 59 | Complete Amazon MSK (Managed Streaming for Apache Kafka) control plane, signing as kafka: provisioned + serverless clusters (async CREATING -> ACTIVE on describe, monotonic .../cluster/<name>/<uuid>-<n> ARNs, name/type filters + pagination, region-scoped, DescribeClusterV2 union), the eleven Update*/RebootBroker ops recording settling ClusterOperations, broker-node synthesis (ListNodes + GetBootstrapBrokers), configurations with base64 ServerProperties revisions, SCRAM secrets, cluster policies, client VPC connections, replicators, topics as real control-plane state, the Kafka version catalogs, and ARN-keyed tags; persisted (in-flight lifecycle transitions reconcile on restart). Real Kafka broker data plane + CloudFormation are later batches (all 59 ops) |
| Amazon S3 Glacier | 33 | Complete Glacier surface with real data plane: vaults, archive upload/delete storing the real bytes + a computed SHA-256 tree hash, multipart uploads assembled into a stored archive, retrieval + inventory jobs that settle to Succeeded on read so GetJobOutput returns the exact uploaded bytes (or a JSON inventory), vault notifications, access policy, the vault-lock state machine, tags, data-retrieval policy, provisioned capacity; persisted (archives survive restart). All 33 ops |
| AWS Backup | 109 | Complete AWS Backup control plane: backup plans (+ versions) + selections, vaults (standard / logically-air-gapped / restore-access) with notifications / policies / lock, recovery points, backup / copy / restore / scan jobs (progressed to a terminal state; StartBackupJob records a synthetic recovery point DescribeRecoveryPoint resolves), frameworks, report plans + jobs, legal holds, restore testing, tiering, protected resources, tags, global / region settings; persisted. No real backup engine (all 109 ops) |
| OpenSearch Service | 93 | Complete Amazon OpenSearch Service control plane sharing one domain store with Elasticsearch Service (both sign as es): domains (create/describe/delete/config persist; Processing=false/Created=true settle on describe with a synthetic search endpoint), packages, VPC endpoints, cross-cluster connections, applications + capabilities, per-domain data sources + indices, direct-query data sources, reserved instances, tags, instance-type/version/upgrade catalogues; persisted. No real cluster spawned (all 93 ops) |
| Elasticsearch Service | 51 | Complete legacy Amazon Elasticsearch Service (es, 2015-01-01) over the SAME shared domain store as OpenSearch Service — a domain created through either API is one entity, surfaced here via ElasticsearchDomainStatus. Domains, packages, VPC endpoints, cross-cluster search connections, reserved instances, tags, instance-type/version/upgrade catalogues; persisted (all 51 ops) |
| AWS AppConfig | 58 | Complete AppConfig across appconfig (56 ops) + appconfigdata (2 ops): applications, environments, configuration profiles, hosted configuration versions (raw bytes + content type stored/returned verbatim, auto-incrementing version), custom + AWS-predefined deployment strategies, deployments (settle to COMPLETE), extensions + associations, experiments, account settings, ValidateConfiguration, tags; persisted. Real data plane: StartConfigurationSession -> GetLatestConfiguration serves the deployed hosted-config bytes |
| Cloud Map | 30 | Complete AWS Cloud Map (servicediscovery) control plane + discovery: namespaces, services, instances (register/deregister/health), DiscoverInstances/DiscoverInstancesRevision, tagging; async operation model — mutations return an OperationId that settles SUCCESS on GetOperation; persisted (all 30 ops) |
| Account Management | 15 | Complete AWS Account control plane: alternate contacts (BILLING/OPERATIONS/SECURITY), primary contact information, account information + name, GovCloud pairing, primary-email OTP flow, Region opt-in (ListRegions/GetRegionOptStatus/Enable/DisableRegion with ENABLING -> ENABLED settle-on-read); honors optional AccountId for org management; persisted (all 15 ops) |
| Identity Store | 19 | Complete IAM Identity Center Identity Store directory: users, groups, memberships (create/describe/update/delete/list), GetUserId/GetGroupId/GetGroupMembershipId attribute lookups, IsMemberInGroups; SCIM attribute bags round-trip; persisted (all 19 ops) |
| SSO Admin | 79 | Complete IAM Identity Center SSO Admin control plane: instances, permission sets + policies, account assignments + provisioning (async settle), applications + assignments/scopes/methods/grants, provider catalogue, trusted token issuers, regions, attribute config, tagging; persisted (all 79 ops) |
| Verified Permissions | 34 | Complete Cedar authorization control plane: policy stores, schemas, static + template-linked policies, policy templates, identity sources, aliases, tagging; IsAuthorized/*WithToken/Batch* compute real Cedar decisions via the cedar-policy engine; persisted (all 34 ops) |
| Step Functions | 37 | Full ASL interpreter, Lambda/SQS/SNS/EventBridge/DynamoDB tasks |
| Amazon SWF | 39 | Full 39-op control plane + decider/worker state machine. Domains (Register/Deprecate/Undeprecate/Describe/ListDomains, REGISTERED/DEPRECATED, /domain/ ARNs), versioned activity + workflow types (Register/Deprecate/Undeprecate/Delete/Describe/List, default* config echoed back, delete-requires-deprecate), and workflow executions with a real state machine: StartWorkflowExecution mints a runId and seeds WorkflowExecutionStarted + DecisionTaskScheduled; PollForDecisionTask returns the decision task with full history; RespondDecisionTaskCompleted applies ScheduleActivityTask / CompleteWorkflowExecution / fail / cancel / timer / marker / signal / child / lambda decisions into history events; PollForActivityTask + RespondActivityTask{Completed,Failed,Canceled} + RecordActivityTaskHeartbeat drive the worker side; Describe/GetHistory/List+Count open/closed executions and pending tasks; Signal/RequestCancel/Terminate; ARN-keyed tagging. Model-driven validation with SWF's declared faults (UnknownResourceFault/DomainAlreadyExistsFault/TypeAlreadyExistsFault/DefaultUndefinedFault/WorkflowExecutionAlreadyStartedFault). JSON 1.0 protocol. Account-partitioned and persisted. Honest gap: no autonomous clock fires timer/task/execution timeouts — those transitions are decider/worker-driven |
| AWS Support | 16 | Full 16-op control plane. Support-case API (CreateCase mints an AWS-shaped case-{account}-{year}-{hex} id + numeric displayId, opens opened, seeds the communication thread; DescribeCases filters by case-id list / displayId / time window / includeResolvedCases / includeCommunications / language with a round-tripping nextToken; AddCommunicationToCase -> result: true; DescribeCommunications pages the thread; ResolveCase -> initialCaseStatus + finalCaseStatus), attachment sets (AddAttachmentsToSet mints/extends an attachmentSetId + expiryTime; DescribeAttachment), severity levels + service/category catalogues (DescribeSeverityLevels / DescribeServices / DescribeCreateCaseOptions / DescribeSupportedLanguages), and the Trusted Advisor API (DescribeTrustedAdvisorChecks returns the vendored check catalogue; DescribeTrustedAdvisorCheckResult / DescribeTrustedAdvisorCheckSummaries return all-clear results; RefreshTrustedAdvisorCheck + DescribeTrustedAdvisorCheckRefreshStatuses drive a real none -> enqueued -> processing -> success refresh state machine). Model-driven validation with Support's declared exceptions (CaseIdNotFound/AttachmentIdNotFound/AttachmentSetIdNotFound). JSON 1.1 protocol. Account-partitioned and persisted. Honest gap: no Trusted Advisor analysis engine and no live support agent, so results report zero flagged resources and cases receive no automated agent reply |
| AWS Serverless Application Repository | 14 | Complete AWS Serverless Application Repository control plane: applications (CreateApplication mints the arn:aws:serverlessrepo:...:applications/<name> ARN that is the applicationId, stores author/description/labels/license/readme/spdxLicenseId/sourceCodeUrl, seeds an initial version from a supplied semanticVersion + template; GetApplication returns the app plus a Version block with parameterDefinitions parsed from the SAM/CloudFormation template, requiredCapabilities, and resourcesSupported; ListApplications paginates; UpdateApplication; DeleteApplication), versions (CreateApplicationVersion PUTs a semantic version, parsing the template; ListApplicationVersions), sharing policy (Put/GetApplicationPolicy over principals/actions/principalOrgIDs; UnshareApplication), CloudFormation templates (CreateCloudFormationTemplate mints a templateId + templateUrl, status PREPARING -> ACTIVE on read; GetCloudFormationTemplate), and ListApplicationDependencies (nested AWS::Serverless::Application dependencies). Model-derived required/label validation (BadRequestException/NotFoundException/ConflictException), account-partitioned, persisted. Honest gaps: CreateCloudFormationChangeSet mints well-formed changeSetId/stackId identifiers without materialising a real CloudFormation stack, and the templateUrl is well-formed but fakecloud does not serve raw template bytes at it (all 14 ops) |
| API Gateway v1 | 124 | REST APIs, resources, methods, integrations (MOCK/HTTP/HTTP_PROXY/AWS_PROXY Lambda), deployments, stages, API keys, usage plans, authorizers, models, request validators, VPC links, domain names, base path mappings, client certs, gateway responses, docs, tags |
| API Gateway v2 | 103 | HTTP APIs, routes, integrations, stages, deployments, authorizers, domains, models, VPC links, routing rules, developer portals, CORS, tags |
| Bedrock | 101 | Foundation models, guardrails, custom models, invocation/eval jobs |
| Bedrock Runtime | 10 | InvokeModel, Converse, streaming, configurable responses, fault inject |
| ECR | 58 | Full API — OCI v2 push/pull, lifecycle eval, scanning, pull-through cache, registry templates, real cosign signature verification |
| ECS | 77 | Full API — clusters, real Fargate-style task execution via Docker, services + rolling deployments, task sets, container instances, ECS Exec, awslogs -> Logs, secrets injection, task role credentials |
| Elastic Load Balancing v2 | 51 | Full control plane — ALB/NLB/GWLB CRUD, target groups + targets + real health probes, listeners + rules + certificates, attributes, capacity reservations, mTLS trust stores + revocations, resource policies, SSL policies, tags. In-process HTTP data plane for ALBs — per-LB TCP bind, rule matching, forward / fixed-response / redirect, sticky sessions |
| CloudFront | 147 | Distributions, invalidations, tagging, by-X listings, web ACL/alias association. OAC + Cache/OriginRequest/ResponseHeaders/ContinuousDeployment policies. CloudFront Functions, Public Keys, Key Groups, Key Value Stores, Origin Access Identities (legacy), Monitoring Subscriptions. Streaming Distributions (legacy RTMP). Field-Level Encryption configs + profiles + Realtime Log Configs. VPC Origins, Anycast IP Lists, Trust Stores, Resource Policies. Connection Groups + Domain Association/DNS Verification + Managed Certificate Details + Promote-Staging Distribution — full CRUD with ETag/If-Match concurrency. Full DistributionConfig round-trip incl. origins, cache behaviors, custom error responses, viewer certificates, geo restrictions |
| Application Auto Scaling | 14 | Full control plane. Scalable targets (Register/Deregister/Describe) for ECS, Lambda, DynamoDB, RDS, ElastiCache, SageMaker, EMR, AppStream, Cassandra, Kafka, Neptune, EC2 Spot Fleet, Comprehend. Step + target-tracking + predictive scaling policies (Put/Describe/Delete). Scheduled actions with cron / one-shot start/end times + Timezone. DescribeScalingActivities honors IncludeNotScaledActivities, deterministic GetPredictiveScalingForecast with hourly Load + Capacity buckets capped at one week. RoleARN defaults to the per-namespace service-linked role ARN. Deregister cascades to policies + scheduled actions for the same target. TagResource/UntagResource/ListTagsForResource keyed by ARN, reject unknown ARNs with ObjectNotFoundException. JSON 1.1 protocol |
| WAF v2 | 55 | Full control plane. WebACLs / RuleGroups / IPSets / RegexPatternSets — Create/Get/List/Update/Delete with LockToken optimistic concurrency that rotates on every successful mutation; stale tokens get WAFOptimisticLockException. Both REGIONAL and CLOUDFRONT scopes; ARN segment reflects scope (regional/... vs global/...). Web ACL <-> resource associations (AssociateWebACL/DisassociateWebACL/GetWebACLForResource/ListResourcesForWebACL); WAFAssociatedItemException blocks delete-while-associated for WebACLs and delete-while-referenced for RuleGroups. CheckCapacity computes WCU as the recursive count of statement leaves through AndStatement/OrStatement/NotStatement. API keys via CreateAPIKey/DeleteAPIKey/GetDecryptedAPIKey/ListAPIKeys; the encrypted blob is a deterministic base64 payload that round-trips its TokenDomains. Logging configurations (Put/Get/Delete/List) keyed by Web ACL ARN. Permission policies for cross-account RuleGroup share (Put/Get/Delete). Tags with WAFNonexistentItemException on unknown ARNs. Managed rule catalog: AWS-vendor AWSManagedRulesCommonRuleSet, AWSManagedRulesKnownBadInputsRuleSet, AWSManagedRulesSQLiRuleSet discoverable via ListAvailableManagedRuleGroups/Versions, DescribeManagedRuleGroup, DescribeAllManagedProducts, DescribeManagedProductsByVendor, GetManagedRuleSet. Vendor-publishing ops (PutManagedRuleSetVersions, UpdateManagedRuleSetVersionExpiryDate, ListManagedRuleSets) are stub-routed (no real publishing pipeline). Mobile SDK lookups + presigned URL synthesis. GetSampledRequests, GetTopPathStatisticsByTraffic, GetRateBasedStatementManagedKeys return shape-correct empty observability windows. JSON 1.1 protocol. fakecloud does not actually inspect any HTTP request — Web ACLs are control-plane only; no rule evaluation happens against ALB/CloudFront/APIGW traffic |
| ACM (Certificate Manager) | 17 | Full control plane. Public-cert lifecycle: RequestCertificate (DNS / EMAIL validation, deterministic synthesized DNS validation records), DescribeCertificate, GetCertificate, ListCertificates, SearchCertificates, DeleteCertificate, RenewCertificate, RevokeCertificate (AMAZON_ISSUED only). Imported certs: ImportCertificate round-trips PEM and supports re-import to the same ARN, ExportCertificate returns cert + chain + key with passphrase. Tags via Add/Remove/ListTagsForCertificate. Account-wide expiry events via Get/PutAccountConfiguration. UpdateCertificateOptions for transparency-logging + export prefs. ResendValidationEmail only for EMAIL-validated certs. Idempotency via IdempotencyToken matches AWS' 1-hour window. JSON 1.1 protocol. fakecloud does not run the real X.509 validation pipeline — certs land at PENDING_VALIDATION and stay there until renewed; Import flips straight to ISSUED |
| ACM PCA | 23 | Full control plane + real certificate data plane. Private CA hierarchy: CreateCertificateAuthority mints a genuine CA key pair (RSA 2048/3072/4096, EC P-256/P-384); a ROOT CA self-signs while a SUBORDINATE CA starts PENDING_CERTIFICATE and serves a real PEM CSR from GetCertificateAuthorityCsr until its signed chain is installed via ImportCertificateAuthorityCertificate. IssueCertificate parses the caller's CSR and signs a real end-entity certificate that verifies against the CA (rcgen); GetCertificate returns the signed PEM + chain. Revocation (RevokeCertificate), audit reports (Create/DescribeCertificateAuthorityAuditReport, JSON/CSV), resource-share permissions (Create/List/DeletePermission), resource policies (Put/Get/DeletePolicy), enable/disable + delete/restore lifecycle, and ARN-keyed tags. CA private keys are persisted so issued certs still verify after a restart. JSON 1.1 protocol (all 23 ops) |
| Athena | 70 | Full control plane. Workgroups (default primary seeded), Data Catalogs (default AwsDataCatalog seeded), Named Queries, Prepared Statements (keyed by (workgroup, statement_name)), Query Executions, Notebooks, Sessions + Calculations, Capacity Reservations + Capacity Assignment Configuration. StartQueryExecution runs through a minimal SQL evaluator: SHOW DATABASES / SHOW TABLES / DESCRIBE and trivial SELECT col FROM db.table WHERE col = 'lit' LIMIT N resolve against the Glue Data Catalog (databases + tables created via glue:CreateTable are visible immediately under AwsDataCatalog). ExecutionParameters performs positional ? substitution against prepared statements. Anything outside the supported subset (joins, aggregates, window functions, Parquet scans) falls back to a synthesized single-row [["1"]] result so callers can still fetch via GetQueryResults without polling. DeleteWorkGroup rejects primary and refuses non-empty workgroups unless RecursiveDeleteOption=true. DeleteDataCatalog rejects AwsDataCatalog. Statement classification (DML / DDL / UTILITY) inferred from the leading SQL keyword. Tags keyed by ARN across workgroup / datacatalog / capacity-reservation resources. ListEngineVersions / ListApplicationDPUSizes / ListExecutors / GetResourceDashboard return read-only catalog data. JSON 1.1 protocol. fakecloud is not a full SQL engine — complex queries fall back to the synthesized [["1"]] result |
| Glue | 265 | Full control plane. Data Catalog (databases / tables / partitions with GetPartitions Expression pruning — = / != / <> / comparisons / IN / BETWEEN / LIKE / IS [NOT] NULL with AND / OR / NOT, type-aware over string / int / bigint / date / timestamp), catalogs + encryption settings + resource policies, jobs + job runs + bookmarks, crawlers + classifiers + schedules (real READY ↔ RUNNING, CrawlerRunningException / CrawlerNotRunningException), connections, triggers, workflows + runs, blueprints + runs, dev endpoints, schema registry (registries / schemas / versions / metadata), interactive sessions + statements, ML transforms + task runs, data quality (rulesets / evaluation + recommendation runs / results), user-defined functions, usage profiles, column statistics + stats tasks, table optimizers, custom entity types, security configurations, tagging. Smithy @length / @range / enum constraints enforced server-side. Same Data Catalog store backs Athena's ListDatabases / GetTableMetadata. JSON 1.1 protocol. Job / crawler / ML / data-quality execution is synthesized — runs reach their terminal state immediately; fakecloud is not a Spark engine |
| Firehose | 12 | Delivery stream control plane. CreateDeliveryStream / DescribeDeliveryStream / ListDeliveryStreams / DeleteDeliveryStream / UpdateDestination with full round-trip on ExtendedS3 / Redshift / Elasticsearch / Amazonopensearchservice / Splunk / HttpEndpoint / Snowflake / Iceberg destination configs. Both DirectPut and KinesisStreamAsSource source types; CREATING -> ACTIVE and DELETING -> deleted lifecycle. BufferingHints range-checked: SizeInMBs 1-128, IntervalInSeconds 0 or 60-900 — out-of-range -> InvalidArgumentException. PutRecord / PutRecordBatch assign per-record RecordIds; batches > 500 records / 4 MB return ServiceUnavailableException. Server-side encryption (Start/StopDeliveryStreamEncryption) persists and surfaces in DescribeDeliveryStream. Tag CRUD per stream ARN. JSON 1.1 protocol. Data plane stops at acknowledgement — records are not delivered to destinations |
| Amazon Timestream | 30 | Full 30-op surface (Write + Query). One crate serves both SDK clients on the shared Timestream_20181101.<Op> JSON 1.0 target prefix and one account-partitioned store. Databases (Create/Describe/List/Update/Delete, database/<name> ARNs, KmsKeyId, TableCount; non-empty delete rejected), tables (RetentionProperties/MagneticStoreWriteProperties/Schema echoed, status ACTIVE, ListTables filtered by database), WriteRecords (validates + merges CommonAttributes, buffers ingested points, RecordsIngested, RejectedRecordsException), Query/PrepareQuery/CancelQuery, scheduled queries (Create/Describe/List/Update/Delete/ExecuteScheduledQuery), batch-load tasks (Create/Describe/List/Resume), account settings (MaxQueryTCU/QueryPricingModel), DescribeEndpoints (echoes the fakecloud host so endpoint discovery resolves back to fakecloud), and ARN-keyed tagging. Model-driven validation with the declared exceptions (ValidationException/ResourceNotFoundException/ConflictException/RejectedRecordsException/ThrottlingException/InvalidEndpointException). Account-partitioned and persisted. Honest gap: the Query SQL engine is a bounded interpreter (SELECT * / COUNT(*) over "db"."table", WHERE time <op> ago(...), ORDER BY time, LIMIT) returning ingested points as AWS-shaped rows; unsupported shapes return a ValidationException rather than a wrong result, and there is no real time-series engine underneath |
| AWS IoT Core | 272 | Full 272-op AWS IoT Core control plane (signed as iot, routed by HTTP method + @http URI path; route table, HTTP bindings, input constraints, and output shapes all generated from AWS's Smithy model). Every resource family mints proper ARNs + ids, persists attributes, and round-trips on read/list with paginating nextTokens: things, thing types, thing groups (static + dynamic), billing groups (with membership), policies (+ versions + v2/legacy attachments), certificates (CreateKeysAndCertificate/CreateCertificateFromCsr mint a 64-hex id + ARN + shaped PEM + RSA key pair; register/describe/transfer; thing-principal attachment), jobs + job templates, topic rules + destinations (SQL + actions stored verbatim), Device Defender (security profiles, scheduled audits, audit configuration, mitigation actions, custom metrics, dimensions), provisioning templates (+ versions), domain configurations, fleet metrics, role aliases, authorizers (+ default authorizer), streams, OTA updates, packages (+ versions), certificate providers, commands, DescribeEndpoint (deterministic per-account host), and ARN-keyed tagging. Model-derived required/length/range/enum validation with declared exceptions; account-partitioned and persisted. Honest gaps: no MQTT broker or device connectivity (the control plane is real but no message is routed, no rule action executes, no device attaches -- the data plane is the separate iotdata service); SearchIndex/aggregations use a bounded query subset (*, thingName:<name>, bare name) and return InvalidQueryException otherwise; certificates are structurally-valid PEM placeholders, not real X.509 chains |
| AWS IoT Data Plane | 11 | Full 11-op AWS IoT Data Plane device-shadow + retained-message data plane (signed as iotdata, routed by HTTP method + @http URI path). Device shadows (classic + named): UpdateThingShadow accepts a shadow document as the raw @httpPayload body and deep-merges state.desired/state.reported (a null leaf deletes the key), bumps version, stamps per-leaf metadata timestamps, and recomputes state.delta; GetThingShadow returns the merged document; DeleteThingShadow returns the deletion payload; ListNamedShadowsForThing paginates named-shadow names. A mismatched shadow version is ConflictException; a missing shadow is ResourceNotFoundException. Publish stores retained messages (empty payload clears the topic) and no-ops non-retained publishes; GetRetainedMessage/ListRetainedMessages read them back. Model-derived validation, account-partitioned, persisted. Honest gap: no MQTT broker, so publishes are never fanned out to live subscribers and the connection-introspection ops (GetConnection/DeleteConnection/ListSubscriptions/SendDirectMessage) return ResourceNotFoundException for every client id (no client is ever connected) |
| Amazon Pinpoint | 122 | Complete Amazon Pinpoint control plane (signs as mobiletargeting, routed by HTTP method + @http URI path under /v1): apps (CreateApp mints a 32-hex id + arn:aws:mobiletargeting:...:apps/<id> ARN; GetApp/GetApps/DeleteApp; Get/UpdateApplicationSettings), versioned campaigns + segments (each Update bumps Version, listed by GetCampaignVersions/GetSegmentVersions; CreateSegment derives SegmentType), endpoints + users (UpdateEndpoint/UpdateEndpointsBatch, Get/DeleteUserEndpoints, RemoveAttributes), all platform channels (ADM, APNS + sandbox/VoIP/VoIP-sandbox, Baidu, Email, GCM, SMS, Voice — Get/Update/Delete + GetChannels), journeys (DRAFT -> ACTIVE via UpdateJourneyState, GetJourneyRuns), email/push/sms/voice/inapp templates (versioned, UpdateTemplateActiveVersion, ListTemplates/ListTemplateVersions), import/export jobs (mint a JobId, settle to COMPLETED), event streams (Put/Get/DeleteEventStream), recommender configurations, and ARN-keyed tags. Model-derived validation with Pinpoint's declared exceptions (BadRequestException/NotFoundException/ConflictException/...), account-partitioned, persisted. Honest gaps: no real delivery (SendMessages/SendUsersMessages/SendOTPMessage/PutEvents/VerifyOTPMessage validate + return a structurally-correct MessageResponse but transmit nothing), the KPI / execution-metric reads return empty/zeroed metric sets (no analytics engine), and import/export jobs do not touch S3 (all 122 ops) |
| Organizations | 63 | Full control plane. Org tree (roots / OUs / accounts), CreateAccount real async IN_PROGRESS -> SUCCEEDED lifecycle, LeaveOrganization, policies (SCP / TAG / BACKUP / AISERVICES_OPT_OUT) with real SCP enforcement as a permission ceiling under FAKECLOUD_IAM=strict, handshakes (invite / accept / decline / cancel state machine), delegated administrators, AWS service access, effective-policy validation, billing responsibility transfers, resource policy, and tagging. JSON 1.1 protocol. Mutating calls are management-account only |
| EC2 | 767 | Full 767-op control plane. VPCs / subnets / security groups / route tables / gateways, ENIs, instances (real containers — Docker or k8s Pods, user-data at boot, console output), EBS + snapshots + AMIs, network ACLs, VPC peering / endpoints / flow logs, launch templates, spot / fleet, capacity / reserved / dedicated hosts, full transit gateway (multicast / peering / Connect / metering), Site-to-Site + Client VPN, IPAM (pools / discovery / BYOASN / policies / prefix-list resolvers), Verified Access, Network Insights, Outpost / local gateway / CoIP, Instance Connect. ec2Query protocol. Security-group / NACL rules stored faithfully but not enforced against traffic |
| EMR (Elastic MapReduce) | 65 | Full 65-op control plane. Clusters via RunJobFlow (j- ids, arn:aws:elasticmapreduce:...:cluster/<id> ARNs, instance groups/fleets + EC2 instances derived from the request, settling to WAITING), steps (s- ids, StepStates/StepIds filters, CancelSteps), instance groups (ig-) + auto-scaling policies, instance fleets (if-), instances + bootstrap actions, managed-scaling + auto-termination policies, security configurations (duplicate-name rejection), EMR Studio (es-) + session mappings, notebook executions, persistent app UIs, interactive sessions, block-public-access, release labels + supported instance types, and cluster/Studio tagging. Model-driven input validation (required/length/range/enum); a call against a non-existent cluster returns InvalidRequestException. JSON 1.1 protocol. Persisted. Spark/Hadoop execution is synthesized — steps reach COMPLETED immediately; fakecloud is not a Spark engine |
| CloudWatch (Metrics & Alarms) | 46 | Full control plane. Metrics (PutMetricData / GetMetricData / GetMetricStatistics / ListMetrics / GetMetricWidgetImage), metric + composite alarms with SNS / AppAS / EC2 actions on threshold transitions, dashboards, anomaly detectors, insight rules + managed rules + reports, metric streams (running ↔ stopped), alarm mute rules, contributor insights, OTel enrichment, and tagging — all persisted in-memory. awsQuery protocol (SigV4 service monitoring, distinct from CloudWatch Logs). Metrics do not persist across restarts; alarms evaluate against published data, not a background sampler |
| Route 53 | 71 | Full control plane. Hosted zones + RRsets + health checks + traffic policies + instances + DNSSEC + KSK + query logging + CIDR collections + VPC associations + reusable delegation sets + geo locations + account limits + tags — CRUD with default SOA/NS records seeded on create, deterministic INSYNC change tracking, comment + features updates, hosted zone limits, list-by-name, TestDNSAnswer synthesis. Health checks: full lifecycle with HealthCheckVersion optimistic concurrency, ResetElements, HealthCheckInUse rejection on delete, status + last-failure observations, checker IP ranges. Traffic policies + instances: versioned policies (CreateTrafficPolicyVersion increments), TrafficPolicyAlreadyExists/InUse, TrafficPolicyInstanceAlreadyExists, list-by-hosted-zone + list-by-policy + count. DNSSEC + KSK: EnableHostedZoneDNSSEC/Disable, GetDNSSEC with synthesized ECDSAP256SHA256 KSK metadata, CreateKeySigningKey requires KMS-ARN, Activate/Deactivate, InvalidKeySigningKeyStatus blocks Delete while ACTIVE. Query logging: one config per zone, public-zone-only enforcement, CloudWatchLogsLogGroupArn validation, QueryLoggingConfigAlreadyExists. CIDR collections: PUT/DELETE_IF_EXISTS change actions applied atomically, CollectionVersion optimistic concurrency (CidrCollectionVersionMismatchException), CidrCollectionInUseException on delete-with-locations. VPC associations: Associate/Disassociate enforce private-zone-only and reject removing the last VPC, CreateVPCAssociationAuthorization + Delete + List model the cross-account authorization handshake, ListHostedZonesByVPC filters by VPC ID + region. Reusable delegation sets: CreateReusableDelegationSet synthesizes 4 NS records, DelegationSetInUse blocks delete while any zone references the set, GetReusableDelegationSetLimit returns MAX_ZONES_BY_REUSABLE_DELEGATION_SET. Geo locations + account limits + tags: ListGeoLocations/GetGeoLocation over a representative dataset (continents + sample countries + US subdivisions) with IsTruncated/NextContinentCode/NextCountryCode/NextSubdivisionCode pagination, GetAccountLimit for all 5 owner-scoped types (zones/health-checks/delegation-sets/traffic-policies/instances) reporting live usage Count, full tag CRUD on health checks + hosted zones via ChangeTagsForResource/ListTagsForResource/ListTagsForResources with NoSuchHealthCheck/NoSuchHostedZone on missing target. REST-XML protocol with HTTP method + URI routing under /2013-04-01/ |
| AWS X-Ray | 38 | Complete AWS X-Ray surface with a real in-memory trace data plane: PutTraceSegments ingests X-Ray segment documents (parsing trace_id/id/name/start_time/http/error/fault/throttle + nested namespace:"remote" subsegments), BatchGetTraces reassembles stored traces, GetTraceSummaries filters by time range, and GetServiceGraph/GetTraceGraph/GetTimeSeriesServiceStatistics derive the service graph (nodes + edges with Ok/Error/Fault statistics + response time) from the ingested segments; control plane covers sampling rules (built-in undeletable Default seeded per account), groups, encryption config, resource policies, the indexing rule, the trace-segment destination, and ARN-keyed tags; model-derived validation, persisted. Filter-expression subset + insights-empty are documented limitations (all 38 ops) |
| AWS AppSync | 74 | Complete AWS AppSync surface: GraphQL APIs (CreateGraphqlApi mints apiId + ARN + GRAPHQL/REALTIME uris + echoed auth config for all five AuthenticationTypes) round-tripping via Get/List/Update/Delete; API keys with expiry; data sources for every DataSourceType with config echoed; resolvers (UNIT/PIPELINE, VTL or APPSYNC_JS) attached to type.field; functions; schema types; API caches; domain names + API associations; the Event-API surface (CreateApi + channel namespaces); and merged/source-API associations. StartSchemaCreation ingests an SDL blob and GetSchemaCreationStatus settles to SUCCESS; GetIntrospectionSchema derives SDL/JSON from the stored schema. Model-driven validation (required/length/range/enum), account-partitioned, persisted; sub-resource ops return NotFoundException when the parent API is absent. GraphQL query execution against data sources is not implemented (this is the faithful control plane); EvaluateCode/EvaluateMappingTemplate run a documented evaluation subset, not a full VTL/JS interpreter |
| AWS Amplify | 37 | Complete AWS Amplify hosting control plane: apps (d-prefixed ids, arn:aws:amplify:...:apps/<id> ARNs, <id>.amplifyapp.com default domains, every config member echoed), branches (per-branch job counters), domain associations (verification settles CREATING -> AVAILABLE on read, marking subdomains verified), webhooks (generated trigger URLs), backend environments, the deterministic build/job lifecycle (StartJob settles PENDING -> PROVISIONING -> RUNNING -> SUCCEED on reads with a BUILD step, StopJob -> CANCELLED), manual deployments (CreateDeployment presigned upload URLs, StartDeployment), build artifacts (ListArtifacts/GetArtifactUrl), GenerateAccessLogs, and ARN-keyed tags on apps + branches; model-derived validation, persisted (in-flight domain/job transitions reconcile on restart). Hosting control plane with no separately-emulable data plane (all 37 ops) |
| Amazon Textract | 25 | Complete Textract surface: synchronous analysis (DetectDocumentText/AnalyzeDocument/AnalyzeExpense/AnalyzeID) validates the Document (Bytes or S3Object) and returns a structural response (DocumentMetadata pages derived from input, empty Blocks); asynchronous jobs (Start*/Get* for text detection / document / expense / lending analysis) mint real 64-char JobIds and settle IN_PROGRESS -> SUCCEEDED on read; custom adapters + adapter versions full CRUD with ClientRequestToken idempotency; ARN-keyed tagging. Model-derived validation (InvalidParameterException / ResourceNotFoundException / InvalidJobIdException); persisted. No OCR/ML model runs, so text is not fabricated. JSON 1.1 protocol. All 25 ops |
| Transcribe | 43 | Full 43-op control plane. Transcription / medical-transcription / call-analytics / medical-scribe jobs (QUEUED -> COMPLETED settling on read, well-formed Transcript at the requested output location), custom + medical vocabularies and vocabulary filters (PENDING -> READY), custom language models (IN_PROGRESS -> COMPLETED), call-analytics categories, and ARN-keyed tagging. Model-driven required/length/range/enum/pattern validation with Transcribe's declared exceptions (BadRequestException/ConflictException/NotFoundException/LimitExceededException). JSON 1.1 protocol. Account-partitioned and persisted. Honest gap: speech recognition is not run — a completed job's TranscriptFileUri points at the output location but no transcript JSON is produced there |
| AWS Elemental MediaConvert | 34 | Complete AWS Elemental MediaConvert control plane: queues (ON_DEMAND/RESERVED pricing plans with a materialised reservation plan, ACTIVE/PAUSED status, the seeded undeletable Default SYSTEM queue per account), presets and job templates (full CRUD storing settings verbatim), jobs (CreateJob mints arn:aws:mediaconvert:...:jobs/<id> and settles SUBMITTED -> COMPLETE on the next read with well-formed outputGroupDetails/timing; CancelJob -> CANCELED; SearchJobs filters by queue/status/input file), the account input-restriction policy (Put/Get/DeletePolicy, defaulting each input class to ALLOWED), DescribeEndpoints (echoes a deterministic account-specific endpoint URL), certificate association, resource sharing, jobs queries, engine versions, and ARN-keyed tags. Model-derived required/enum/range validation (BadRequestException/NotFoundException/ConflictException), account-partitioned, persisted. Honest gap: no real video transcoder runs, so a job settles COMPLETE with correctly-shaped but empty outputGroupDetails and Probe returns an empty probeResults list rather than fabricating media (all 34 ops) |
| Amazon Managed Blockchain | 27 | Full 27-op control plane. Networks (CreateNetwork mints an n-... id + global ARN, stores framework HYPERLEDGER_FABRIC/ETHEREUM + voting policy, and for Fabric atomically creates the first member (m-...), returning NetworkId + MemberId; GetNetwork/ListNetworks filtered + paginated), members (full CRUD of m-... with Fabric CaEndpoint/AdminUsername attributes, CREATING -> AVAILABLE on read, DeleteMember -> DELETED), nodes (full CRUD of nd-... with InstanceType/StateDB and derived Fabric peer / Ethereum HTTP+WebSocket endpoints), proposals + voting (CreateProposal -> p-... IN_PROGRESS; VoteOnProposal records YES/NO and, when the ApprovalThresholdPolicy threshold is met, transitions to APPROVED — materialising invitations into real Invitation records — or REJECTED; ListProposalVotes/GetProposal/ListProposals), invitations (ListInvitations, RejectInvitation), accessors (CreateAccessor -> UUID id + BillingToken; Get/List/DeleteAccessor), and ARN-keyed tags. Model-derived validation (InvalidRequestException/ResourceNotFoundException/IllegalActionException). REST-JSON protocol. Account-partitioned and persisted. Honest gap: no real Hyperledger Fabric or Ethereum network runs — the CA/peer/RPC endpoints are well-formed deterministic URLs pointing at no live chain |
| AWS Shield | 36 | Full 36-op control plane. Protections over supported resources (CreateProtection -> 36-char ProtectionId + arn:aws:shield::<account>:protection/<id> ARN; Describe/List/Delete by id or resource ARN; one protection per resource, else ResourceAlreadyExistsException; a non-ARN resource -> InvalidResourceException), protection groups (Aggregation SUM/MEAN/MAX, Pattern ALL/ARBITRARY/BY_RESOURCE_TYPE, members + ListResourcesInProtectionGroup), the annual auto-renewing Shield Advanced subscription (CreateSubscription, GetSubscriptionState ACTIVE/INACTIVE, DescribeSubscription with full SubscriptionLimits, DeleteSubscription -> LockedSubscriptionException), emergency contacts, DRT access (role + up to 10 log buckets, NoAssociatedRoleException), proactive engagement, application-layer automatic response, Route 53 health-check association, and ARN-keyed tagging. Model-driven input validation (required/length/range/enum). JSON 1.1 protocol (global service, empty-region ARNs). Persisted. Attack surfacing is honest — ListAttacks is empty and DescribeAttackStatistics is zeroed; no synthetic attacks |
| Comprehend | 85 | Full 85-op NLP surface. Synchronous single-document detection (DetectEntities/DetectSentiment/DetectSyntax/DetectKeyPhrases/DetectDominantLanguage/DetectPiiEntities/DetectTargetedSentiment/ContainsPiiEntities/DetectToxicContent/ClassifyDocument) and their BatchDetect* list variants; nine async analysis-job families (dominant-language / entities / key-phrases / sentiment / targeted-sentiment / PII / events / topics / document-classification) minting JobIds + ARNs and settling SUBMITTED -> COMPLETED on read (Stop* -> STOPPED); custom document classifiers and entity recognizers with versioning (SUBMITTED -> TRAINED); real-time endpoints (CREATING -> IN_SERVICE); flywheels + iterations; datasets; resource policies; ImportModel; and ARN-keyed tagging. Model-driven validation with Comprehend's declared exceptions (InvalidRequestException/ResourceNotFoundException/JobNotFoundException/ResourceInUseException). JSON 1.1 protocol. Account-partitioned and persisted. Honest gap: no NLP inference runs, so detection lists come back empty and DetectSentiment returns the neutral default |
| Amazon Translate | 19 | Full 19-op control plane. Synchronous TranslateText / TranslateDocument (structurally correct passthrough echoing the input as the translation with the requested target language applied and existing terminologies listed), asynchronous batch translation jobs (StartTextTranslationJob mints a 32-char JobId at SUBMITTED; Describe/List settle to COMPLETED; Stop -> STOP_REQUESTED -> STOPPED), parallel data (CREATING -> ACTIVE, updates via LatestUpdateAttemptStatus), custom terminologies (ImportTerminology parses the uploaded CSV/TSV for its languages and term count; OVERWRITE merge), the supported-language catalogue (ListLanguages), and ARN-keyed tagging. Model-driven validation surfaced as each op's declared exception (InvalidParameterValueException / InvalidRequestException / ResourceNotFoundException / ConflictException). JSON 1.1 protocol. Account-partitioned and persisted. Honest gap: no neural MT model runs — the translate ops echo the input verbatim rather than fabricating a translation |
Detailed per-service pages are coming. If you need specifics on a service today, the AWS operations index lists every operation grouped by service, the AWS Smithy models in aws-models/ are the authoritative source of truth, the conformance baseline at conformance-baseline.json tracks per-service test counts, and the parity matrix maps control-plane vs data-plane coverage per service.
Pages
- S3 — Objects, multipart, versioning, lifecycle, notifications, replication, website hosting.
- SQS — FIFO queues, dead-letter queues, long polling, batch operations.
- SNS — Topics, subscriptions, fan-out delivery, filter policies, platform applications.
- EventBridge — Event buses, pattern matching, scheduled rules, archives, replay, API destinations.
- Lambda — Real code execution in Docker containers across 23 runtimes. Event source mappings, warm container reuse.
- EventBridge Scheduler — Standalone scheduler service — at, rate, cron expressions, SQS targets, DLQ routing, one-shot self-delete.
- DynamoDB — Tables, items, transactions, PartiQL, backups, global tables, streams, TTL.
- IAM — Users, roles, policies, groups, instance profiles, OIDC/SAML providers.
- STS — AssumeRole, session tokens, federation, caller identity.
- SSM — Parameters, documents, commands, maintenance windows, associations, patch baselines.
- Secrets Manager — Secrets, versioning, rotation via Lambda, replication.
- CloudWatch Logs — Log groups, streams, filtering, subscriptions, queries, anomaly detection.
- KMS — Encryption, key management, aliases, grants, real ECDH, key import.
- CloudFormation — Template parsing, resource provisioning, conditions + intrinsics, nested stacks, SAM transform, drift detection, change sets, stack sets, custom resources.
- SES — Sending, templates, DKIM, suppression, and real inbound receipt rule execution.
- Cognito User Pools — User pools, app clients, MFA, identity providers, full authentication flows.
- Kinesis — Data Streams, records, shard iterators, retention, tagging.
- DocumentDB — Amazon DocumentDB control plane: clusters, instances, snapshots, restore, parameter/subnet/global groups, event subscriptions, and tagging. RDS-shaped Query API.
- Neptune — Amazon Neptune control plane: clusters, instances, cluster endpoints, snapshots, restore, parameter/subnet/global groups, IAM role associations, event subscriptions, and tagging. RDS-shaped Query API.
- RDS — Real PostgreSQL, MySQL, MariaDB, Oracle, SQL Server, and Db2 instances via Docker. Snapshots, read replicas, parameter groups.
- Aurora DSQL — Aurora DSQL (dsql) serverless distributed PostgreSQL control plane on fakecloud: clusters, resource policies, change streams to Kinesis, multi-region properties, and tagging with real account-partitioned, persisted state.
- ElastiCache — Real Redis, Valkey, and Memcached clusters via Docker. Replication groups, snapshots, ACL user management, configuration endpoints.
- RDS Data API — Run real SQL over HTTP with the RDS Data API (ExecuteStatement) against fakecloud's real PostgreSQL and MySQL containers — typed parameters and results, including binary round-trips.
- API Gateway v1 — REST APIs, resources/methods/integrations, deployments, stages, API keys, usage plans, authorizers.
- Redshift — A local Amazon Redshift control plane — clusters, snapshots, parameter/subnet groups, snapshot schedules, endpoint access, and logging, all as real persisted state with AWS-faithful responses.
- Step Functions — Full ASL interpreter, cross-service task integrations, execution history.
- API Gateway v2 — HTTP APIs, Lambda proxy integration, JWT and Lambda authorizers, CORS.
- Bedrock — Foundation models, guardrails, custom models, invocation jobs, evaluation jobs, marketplace endpoints.
- ECR — Elastic Container Registry — full 58-operation API plus real OCI v2 Distribution so docker push and docker pull work against fakecloud.
- Bedrock Agent — Agents, knowledge bases, action groups, flows, prompts, collaborators — full Bedrock Agent control plane.
- ECS — Elastic Container Service — full API: clusters, task definitions, real Fargate-style task execution via Docker, services with rolling deployments, task sets, container instances, ECS Exec.
- Bedrock Agent Runtime — InvokeAgent, Retrieve, RetrieveAndGenerate, flow execution, sessions, memory — Bedrock Agent data plane with real eventstream framing.
- Elastic Load Balancing v2 — ELBv2 control plane — Application/Network/Gateway Load Balancer: load balancers, target groups + targets, listeners + rules + certificates, mTLS trust stores, attributes, capacity reservations, resource policies.
- CloudFront — CloudFront control plane — distributions, invalidations, web ACL/alias association, tags. Full DistributionConfig round-trip with ETag/If-Match concurrency.
- Route 53 — Route 53 control plane — hosted zones, RRsets, health checks, traffic policies, DNSSEC + KSK, query logging, CIDR collections, VPC associations, reusable delegation sets, geo locations, account limits, tags.
- ACM — AWS Certificate Manager — request / import / export / revoke certificates, tags, account configuration. JSON 1.1 protocol.
- Application Auto Scaling — AWS Application Auto Scaling — scalable targets, step / target-tracking / predictive policies, scheduled actions, scaling activities, predictive forecasts, tags. JSON 1.1 protocol.
- EC2 Auto Scaling — Amazon EC2 Auto Scaling — Auto Scaling Groups, Launch Configurations, desired-capacity reconciliation, and scaling activities. Query protocol.
- WAF v2 — AWS WAF v2 — Web ACLs, rule groups, IP sets, regex pattern sets, API keys, logging configs, managed rule catalog, mobile SDK. JSON 1.1 protocol.
- Batch — AWS Batch — compute environments, job queues, job definitions, scheduling policies, and the job control plane. restJson1 protocol.
- Athena — AWS Athena — workgroups, data catalogs, named queries, prepared statements, query executions, notebooks, sessions, capacity reservations. JSON 1.1 protocol with a minimal SQL evaluator that reads Glue tables.
- Glue — AWS Glue full control plane — Data Catalog, jobs, crawlers, connections, triggers, workflows, schema registry, sessions, ML transforms, data quality. JSON 1.1 protocol.
- Organizations — AWS Organizations control plane — accounts, OUs, SCPs, tag policies, handshakes, delegated administrators. Real SCP enforcement across services.
- EventBridge Pipes — Amazon EventBridge Pipes — point-to-point source → enrichment → target integrations. restJson1 protocol.
- Firehose — Amazon Data Firehose delivery streams (control plane), JSON 1.1 protocol.
- CloudWatch (Metrics & Alarms) — Amazon CloudWatch metrics, alarms, dashboards, anomaly detectors, insight rules, and metric streams. awsQuery and awsJson1_0 protocols.
- Amazon Managed Service for Apache Flink — Amazon Managed Service for Apache Flink (kinesisanalyticsv2, formerly Kinesis Data Analytics v2) on fakecloud: full 33-operation control plane for SQL and Flink streaming applications, versions, snapshots, operations, VPC and CloudWatch logging configuration, with persistence.
- EC2 — Amazon EC2 — the full 769-operation control plane. VPCs, subnets, security groups, instances, EBS, AMIs, transit gateways, VPN, IPAM, Verified Access, and the entire networking long tail at 100% Smithy conformance.
- Cloud Control API — AWS Cloud Control API (cloudcontrolapi) on fakecloud: a uniform CRUD-L interface over CloudFormation resource types, driving the same real provisioners as CloudFormation, with JSON Patch updates and request tracking.
- Resource Groups — AWS Resource Groups (resource-groups) on fakecloud: groups, tag/CloudFormation-stack resource queries, explicit membership, group configuration, tagging, account settings, and tag-sync tasks, with real account-partitioned, persisted state.
- Resource Groups Tagging API — AWS Resource Groups Tagging API (tagging) on fakecloud: cross-service tag reads (GetResources / GetTagKeys / GetTagValues), tag writes (TagResources / UntagResources), compliance summary, and tag reports, backed by a real cross-service tag index.
- MemoryDB — Amazon MemoryDB (memorydb) on fakecloud: full 45-operation control plane for Redis/Valkey clusters, shards, ACLs, users, parameter and subnet groups, snapshots, and multi-region clusters, with persistence.
- EKS — Amazon EKS (eks) on fakecloud: complete 65-op Elastic Kubernetes Service control plane — clusters, node groups, Fargate profiles, add-ons, access entries, identity-provider configs, pod identity, insights, capabilities, and EKS Anywhere. restJson1.
- Amazon S3 Glacier — Amazon S3 Glacier (glacier) on fakecloud: a complete 33-operation implementation (100% conformance) with a real data plane — vaults, archive upload/delete with SHA-256 tree hashes, multipart uploads, retrieval and inventory jobs, vault lock, notifications, access policy, tags, data-retrieval policy, and provisioned capacity. restJson1.
- OpenSearch Service — Amazon OpenSearch Service + Amazon Elasticsearch Service (es) on fakecloud: one shared control plane for both APIs (147 operations, 100% conformance) — domains, packages, VPC endpoints, cross-cluster connections, applications, data sources. restJson1.
- Cloud Map — AWS Cloud Map (servicediscovery) on fakecloud: namespace control plane over HTTP, public-DNS, and private-DNS namespaces, driven by the async operation model. awsJson1.1.
- Account Management — AWS Account Management (account) on fakecloud: alternate contacts, primary contact information, account information, primary-email OTP flow, and Region opt-in control. restJson1.
- AWS Backup — AWS Backup (backup) on fakecloud: a complete 109-operation control plane (100% conformance) — backup plans, vaults, recovery points, backup/copy/restore/scan jobs, frameworks, report plans, legal holds, restore testing, tiering. restJson1.
- IAM Identity Center Identity Store — AWS IAM Identity Center Identity Store (identitystore) on fakecloud: users, groups, group memberships, attribute lookups, and IsMemberInGroups. awsJson1.1.
- IAM Identity Center SSO Admin — AWS IAM Identity Center SSO Admin (sso-admin) on fakecloud: instances, permission sets, account assignments, applications, trusted token issuers, regions, and tagging. awsJson1.1.
- Verified Permissions — AWS Verified Permissions (verifiedpermissions) on fakecloud: policy stores, Cedar schemas, static and template-linked policies, policy templates, identity sources, aliases, tagging, and real Cedar authorization. awsJson1.0.
- Database Migration Service — AWS Database Migration Service (dms) control plane on fakecloud: replication instances, endpoints, replication tasks, subnet groups, event subscriptions, certificates, serverless replication configs, data providers, instance profiles, migration projects, schema conversion, and Fleet Advisor — real account-partitioned, persisted state.
- Transfer Family — AWS Transfer Family (transfer) control plane on fakecloud: SFTP/FTPS/FTP/AS2 servers, users, SSH and host keys, accesses, workflows, agreements, connectors, profiles, certificates, security policies, and web apps — real account-partitioned, persisted state.
- AWS AppConfig — AWS AppConfig (appconfig + appconfigdata) on fakecloud: applications, environments, configuration profiles, hosted configuration versions storing real bytes, deployment strategies, deployments, extensions, experiments, and a real data plane that serves deployed configuration — account-partitioned, persisted state.
- CloudTrail — AWS CloudTrail (cloudtrail) control plane on fakecloud: trails, logging status, event and insight selectors, CloudTrail Lake event data stores, channels, imports, queries, dashboards, resource policies, organization delegated admins, and tagging — real account-partitioned, persisted state.
- AWS Resource Access Manager — AWS Resource Access Manager (ram) on fakecloud: a complete 35-operation implementation (100% conformance) — resource shares, principal/resource associations, cross-account share invitations, managed + customer permissions with versions, resource-type catalogue, and tagging. restJson1.
- AWS Cost Explorer — AWS Cost Explorer (ce) on fakecloud: a complete 47-operation implementation (100% conformance) — anomaly monitors + subscriptions, cost category definitions, cost-allocation tags, and structurally-valid zero-usage cost/reservation/savings analytics. awsJson1.1.
- Amazon S3 Tables — Amazon S3 Tables (s3tables) on fakecloud: a complete 49-operation implementation (100% conformance) — table buckets, namespaces, Iceberg tables, metadata-location pointers with version-token concurrency, and every encryption/policy/maintenance/replication sub-resource. restJson1.
- AWS Lake Formation — AWS Lake Formation (lakeformation) on fakecloud: a complete 61-operation implementation (100% conformance) — LF-tags, fine-grained permission grants, registered resources, data lake settings, governance transactions, and data-cell filters. restJson1.
- AWS CodeBuild — AWS CodeBuild (codebuild) on fakecloud: a complete 59-operation implementation (100% conformance) — build projects, builds and build batches, report groups and reports, fleets, webhooks, source credentials, resource policies, and sandboxes. awsJson1.1.
- AWS CodeConnections — AWS CodeConnections (codeconnections) on fakecloud: a complete 27-operation implementation (100% conformance) — connections, hosts, repository links, sync configurations, and the sync-status/blocker read surface. awsJson1.0.
- AWS CodeDeploy — AWS CodeDeploy (codedeploy) on fakecloud: a complete 47-operation implementation (100% conformance) — applications, application revisions, deployment groups, deployment configurations, deployments and their targets, on-premises instances, and tagging. awsJson1.1.
- AWS CodePipeline — AWS CodePipeline (codepipeline) on fakecloud: a complete 44-operation implementation (100% conformance) — pipelines and their versions, pipeline/action/rule executions, custom action types, webhooks, job polling, stage transitions, approvals, and tagging. awsJson1.1.
- AWS CodeArtifact — AWS CodeArtifact (codeartifact) on fakecloud: a complete 48-operation implementation (100% conformance) covering domains, repositories, external connections, package groups, packages and their versions/assets/dependencies, permission policies, authorization tokens, and tagging. restJson1.
- AWS CodeCommit — AWS CodeCommit (codecommit) on fakecloud: a complete 79-operation implementation (100% conformance) covering repositories, branches, commits and files over a real content-addressed object store, pull requests with approvals and events, approval-rule templates and associations, comments and reactions, repository triggers, and tagging. awsJson1.1.
- Elastic Beanstalk — Full Elastic Beanstalk control plane: applications, application versions, environments with a real Launching->Ready lifecycle, configuration templates and option settings, events, platforms, and CNAMEs.
- Amazon EFS — Amazon Elastic File System (elasticfilesystem) on fakecloud: a complete 31-operation control plane (100% conformance) - file systems, mount targets, access points, lifecycle/backup/policy configuration, replication, tagging, and account preferences. restJson1.
- ACM PCA — AWS Certificate Manager Private CA — create private CAs, issue and revoke real X.509 certificates, audit reports, permissions, and resource policies. JSON 1.1 protocol.
- Amazon MQ — Amazon MQ (mq) on fakecloud: a complete 25-operation control plane (100% conformance) plus a real, connectable ActiveMQ/RabbitMQ broker data plane backed by real containers. restJson1.
- Config — AWS Config — configuration recorder, real cross-service config-item recording, config rules with genuine managed-rule and custom-Lambda evaluation, compliance, conformance packs, and aggregators. JSON 1.1 protocol.
- Route 53 Resolver — Amazon Route 53 Resolver — resolver endpoints, resolver rules and VPC associations, query logging, and DNS Firewall. Real control plane validated against EC2 VPC subnets and security groups. JSON 1.1 protocol.
- Amazon MSK — Amazon MSK (Managed Streaming for Apache Kafka, kafka) on fakecloud: a complete 59-operation control plane (100% conformance). restJson1.
- Amazon EMR — Amazon EMR (Elastic MapReduce) on fakecloud: the full 65-operation control plane -- clusters/job flows, steps, instance groups and fleets, EMR Studio, notebook executions, security configurations, scaling and auto-termination policies, block public access, and tags -- with account-partitioned persistence.
- Amazon MWAA — Amazon MWAA (Managed Workflows for Apache Airflow, mwaa) on fakecloud: a complete 12-operation control plane (100% conformance). restJson1.
- AWS FIS — AWS Fault Injection Simulator (fis) on fakecloud: a complete 26-operation control plane (100% conformance). restJson1.
- Amazon Textract — Amazon Textract (textract) on fakecloud: a complete 25-operation surface (100% conformance). awsJson1_1.
- Amazon Transcribe — Amazon Transcribe on fakecloud: the full 43-operation control plane -- transcription, medical-transcription, call-analytics and medical-scribe jobs, custom and medical vocabularies, vocabulary filters, custom language models, call-analytics categories, and tagging -- with account-partitioned persistence. Speech recognition itself is a documented gap.
- Amazon Translate — Amazon Translate on fakecloud: the full 19-operation control plane -- text and document translation, asynchronous batch translation jobs, parallel data, custom terminologies, the supported-language catalogue, and tagging -- with account-partitioned persistence. Neural machine translation itself is a documented gap.
- AWS Shield — AWS Shield / Shield Advanced on fakecloud: the full 36-operation control plane -- protections and protection groups, the annual Shield Advanced subscription, emergency contacts, DRT access, proactive engagement, application-layer automatic response, health-check association, and tags -- with account-partitioned persistence and honest (non-synthetic) attack surfacing.
- AWS X-Ray — AWS X-Ray (xray) on fakecloud: a complete 38-operation surface (100% conformance) with a real in-memory trace data plane — segment ingestion, service-graph derivation, sampling rules, and groups. restJson1.
- AWS Amplify — AWS Amplify (amplify) on fakecloud: a complete 37-operation hosting control plane (100% conformance). restJson1.
- AWS AppSync — AWS AppSync (appsync) on fakecloud: the complete 74-operation surface (100% conformance) — GraphQL APIs, data sources, resolvers, functions, schema types, API caches, domain names, Event APIs, and source-API associations. restJson1.
- AWS Elemental MediaConvert — AWS Elemental MediaConvert (mediaconvert) on fakecloud: a complete 34-operation video-transcoding control plane (100% conformance). restJson1.
- Amazon Comprehend — Amazon Comprehend on fakecloud: the full 85-operation surface -- synchronous and batch text detection, nine async analysis-job families, custom document classifiers and entity recognizers, real-time endpoints, flywheels, datasets, resource policies, model import, and tagging -- with account-partitioned persistence. The NLP inference itself is a documented gap.
- AWS Serverless Application Repository — AWS Serverless Application Repository (serverlessrepo) on fakecloud: a complete 14-operation control plane (100% conformance). restJson1.
- Amazon Pinpoint — Amazon Pinpoint (pinpoint) on fakecloud: a complete 122-operation control plane (100% conformance). restJson1.
- AWS Support — AWS Support on fakecloud: the full 16-operation surface -- support cases, communications, attachment sets, severity levels, the service/category catalogue, and the Trusted Advisor check catalogue + refresh state machine -- with account-partitioned persistence. The Trusted Advisor analysis engine and the live support agent are documented gaps.
- Amazon SWF — Amazon Simple Workflow Service on fakecloud: the full 39-operation control plane -- domains, versioned activity/workflow types, and workflow executions driven by a real decider/worker state machine (decision tasks, activity tasks, and the event history that ties them together) -- with account-partitioned persistence.
- AWS IoT Core — AWS IoT Core (iot) on fakecloud: the full 272-operation control plane — things, policies, certificates, jobs, topic rules, Device Defender, provisioning — at 100% conformance. restJson1.
- Amazon Managed Blockchain — Amazon Managed Blockchain (managedblockchain) on fakecloud: a complete 27-operation control plane for networks, members, nodes, proposals, voting, invitations, and accessors (100% conformance). restJson1.
- AWS IoT Data Plane — AWS IoT Data Plane (iotdata) on fakecloud: device shadows + retained messages, a complete 11-operation data plane (100% conformance). restJson1.
- AWS IoT Wireless — AWS IoT Wireless (iotwireless) on fakecloud: the full 112-operation LoRaWAN + Sidewalk control plane — destinations, device/service profiles, FUOTA tasks, multicast groups, wireless devices + gateways — at 100% conformance. restJson1.
- Amazon Timestream — Amazon Timestream on fakecloud: one crate serving BOTH the Timestream Write and Timestream Query SDK clients over a shared store -- databases, tables, WriteRecords ingestion, a bounded SQL Query engine, scheduled queries, batch-load tasks, account settings, and endpoint discovery that resolves back to fakecloud -- with account-partitioned persistence.
- Amazon SageMaker — Amazon SageMaker (sagemaker) on fakecloud: the full 403-operation ML control plane — models, endpoints, endpoint configs, training/processing/transform/AutoML/tuning jobs, notebook instances, pipelines, feature groups, domains, model packages — at 100% conformance. awsJson1.1.