AWS Service Coverage & API Conformance
fakecloud provides 100% API conformance across 5,413 operations. Explore our supported AWS services for local development.
fakecloud provides 100% API conformance across 5,413 operations. Unlike mocks, fakecloud is built against official AWS Smithy models to ensure wire-protocol compatibility and deterministic behavior for local development.
Coverage Summary
- Total Services: 54
- Total Operations: 4,220
- Conformance Engine: 180,013 Smithy-based test variants
- Startup Time: ~300ms
Supported Services
Compute & Containers
- EC2: 769 operations. The complete EC2 control plane — VPCs, subnets, security groups, route tables, gateways, instances, EBS, AMIs, the full 74-op Transit Gateway surface, Site-to-Site + Client VPN, IPAM, Verified Access, Network Insights, and Outpost / local-gateway networking. Instances run as real containers — Docker/Podman by default or native Kubernetes Pods (
FAKECLOUD_EC2_BACKEND=k8s) — running user-data at boot, with start/stop/reboot/terminate mapped to the container lifecycle andGetConsoleOutputreturning the container log; degrades to metadata-only when no container runtime is present. - Lambda: 70 operations. Full execution environment in real Docker containers across 23 runtimes, cross-service triggers (S3, SNS, SQS, EventBridge).
- ECR: 58 operations. Full OCI v2 Distribution protocol support for
docker pushanddocker pull. - ECS: 77 operations. Real Fargate-style task execution via Docker, services with rolling deployments, ECS Exec.
Storage & Databases
- S3: 107 operations. Bucket lifecycle, Object tagging, Multipart uploads, real
SelectObjectContentEventStream. - DynamoDB: 57 operations. TTL, GSI/LSI, and DynamoDB Streams.
- RDS: 163 operations. Real Postgres, MySQL, MariaDB, Oracle, SQL Server, and Db2 via Docker.
- RDS Data API: 6 operations. Real SQL (
ExecuteStatement/BatchExecuteStatement) on the backing Postgres/MySQL container with typed parameters and results, plus transactions (BeginTransaction/CommitTransaction/RollbackTransaction). - Redshift: 141 operations. Full control plane — clusters, snapshots, parameter/subnet/security groups, snapshot schedules and copy grants, endpoint access, per-cluster logging, cross-region snapshot-copy config, and tagging. No SQL data plane (that is the separate
redshift-dataAPI). - Database Migration Service (DMS): 119 operations. Full control plane — replication instances (settle to
available), endpoints with per-engine settings, replication tasks (with assessment runs and table statistics), replication subnet groups, event subscriptions, certificates, connections (TestConnection), serverless replication configs and replications, data providers, instance profiles, migration projects, schema-conversion / metadata-model requests, Fleet Advisor, recommendations, account attributes, and tagging. Real CRUD with pagination and filters. No data-migration engine — the actual row movement is out of scope, matching how LocalStack Community mocks DMS. - Transfer Family: 71 operations. Full control plane — SFTP/FTPS/FTP/AS2 servers (
StartServer/StopServersettleStatetoONLINE/OFFLINE), users and their SSH public keys, host keys, service-managed accesses, workflows and executions (SendWorkflowStepState), AS2 agreements, connectors (SFTP + AS2, withTestConnection,StartFileTransfer,StartDirectoryListing,StartRemoteDelete/StartRemoteMove,ListFileTransferResults), profiles, certificates, the managed security-policy catalogue, web apps (+ customization),TestIdentityProvider, and tagging. Real CRUD withMaxResults/NextTokenpagination and enforced@length/@range/enum constraints. No SFTP daemon or AS2 transport engine — the file movement itself is out of scope, matching how LocalStack Community mocks Transfer. - CloudTrail: 60 operations. Full control plane — trails (
CreateTrail/GetTrail/UpdateTrail/DeleteTrail,DescribeTrails,ListTrails) with per-trail logging status thatGetTrailStatusreflects (StartLogging/StopLoggingtoggleIsLogging, which startsfalse), event selectors and insight selectors that persist and round-trip, CloudTrail Lake event data stores (full CRUD +RestoreEventDataStorePENDING_DELETION -> ENABLED + ingestion start/stop + federation enable/disable), channels, imports, Lake queries (StartQuery/DescribeQuery/GetQueryResultssettle toFINISHEDwith empty rows,CancelQuery), dashboards, resource policies, organization delegated admins, event configuration, and tagging.LookupEvents,ListPublicKeys, andListInsightsMetricDatareturn real empty result sets. Real CRUD with pagination and enforced@length/@range/enum constraints. No event-recording engine — a fake needn't record its own API activity, matching how LocalStack Community mocks CloudTrail. - Aurora DSQL: 16 operations. Serverless distributed PostgreSQL control plane. Cluster lifecycle (
CreateCluster/GetCluster/UpdateCluster/DeleteCluster/ListClusters) with asyncCREATING->ACTIVEtransitions, cluster resource policies, change streams to Kinesis (CreateStream/GetStream/DeleteStream/ListStreams),GetVpcEndpointServiceName, and tagging. Data plane (reachable container + IAM-token auth) is a follow-up. - ElastiCache: 75 operations. Real Redis, Valkey, and Memcached via Docker.
- MemoryDB: 45 operations. Full control plane for Redis/Valkey clusters, shards, ACLs, users, parameter and subnet groups, snapshots, and multi-region clusters, with persistence. Redis/Valkey data-plane container backing is a follow-up.
- EKS: 65 operations (complete). Full Elastic Kubernetes Service control plane: clusters (incl. connected-cluster register/deregister), managed node groups, Fargate profiles, add-ons, access entries + access policies, OIDC identity-provider configs, pod-identity associations, upgrade insights, capabilities, encryption config, and EKS Anywhere subscriptions (create/describe/list/delete, config + version updates with tracking, cluster-version/add-on/access-policy catalogues, tagging), with persistence. Resources transition
CREATING->ACTIVEon describe. No real Kubernetes control-plane endpoint (models the AWS management API, notkubectl). - Amazon EFS: 31 operations (complete). Full Elastic File System control plane: file systems (async
creating->availableon describe,CreationTokenidempotency, size breakdown, performance/throughput modes, encryption, replication-overwrite protection), mount targets (one per Availability Zone per file system, with the AZ / VPC / network interface / IP resolved from the real referenced subnet), access points (POSIX user + root directory), lifecycle configuration, backup policy, file-system resource policy, replication configurations, resource tagging (resource-id API + the deprecated per-file-system tags API), and account preferences, with persistence (in-flight lifecycle transitions reconcile on restart). No real NFS data plane (models the AWS management API). - Amazon MQ: 25 operations (complete). Full Amazon MQ control plane: brokers (async
CREATION_IN_PROGRESS->RUNNINGon describe,REBOOT_IN_PROGRESSreboot that applies staged pending changes,DELETION_IN_PROGRESSteardown,creatorRequestIdidempotency, per-engine wire endpoints and console URLs for ActiveMQ and RabbitMQ, deployment-mode-awarebrokerInstances), configurations (c-ids, base64Datarevisions with history, engine type, authentication strategy), per-broker users (console access, groups,CREATE/UPDATE/DELETEpending-change staging applied on reboot), ARN-keyed tagging, and the engine-type / instance-option catalogues, with persistence (in-flight broker transitions reconcile on restart).b-/c-ids andarn:aws:mq:...:broker:<name>:<id>/:configuration:<id>ARNs match AWS. No real message broker is served (models the AWS management API, not the AMQP/OpenWire data plane). - Amazon S3 Glacier: 33 operations (complete). Full Glacier surface with a real data plane: vaults (create/describe/delete/list), archive upload/delete storing the real bytes with a computed SHA-256 tree hash, multipart uploads assembled into a stored archive, retrieval and inventory jobs that settle to
Succeededon read soGetJobOutputreturns the exact uploaded bytes (or a JSON inventory), vault notifications, vault access policy, the vault-lock state machine (InProgress->Lockedwith a 24h lock-id expiry), per-vault tags, the account data-retrieval policy, and provisioned capacity, with persistence (archives survive restart). Account-scoped paths accept the literal-; archive/upload/job ids andx-amz-sha256-tree-hash/Locationare mirrored in response headers. - AWS AppConfig: 58 operations (complete). Full AppConfig across both
appconfig(56 ops) andappconfigdata(2 ops): applications, environments, configuration profiles, hosted configuration versions (the raw request bytes and content type are stored and returned verbatim, with an auto-incrementing version number), custom and AWS-predefined deployment strategies, deployments (settled toCOMPLETEsynchronously with an event log), extensions and extension associations, experiment definitions and runs, account settings,ValidateConfiguration, and tagging, with persistence. Real data plane:StartConfigurationSession->GetLatestConfigurationresolves a session token to the latest deployed hosted-config bytes. - AWS Backup: 109 operations (complete). Full AWS Backup control plane: backup plans (with versions) + selections, backup vaults (standard / logically-air-gapped / restore-access) with notifications, access policies, and lock configuration, recovery points, backup / copy / restore / scan jobs (progressed synthetically to a terminal state so Describe/List show completed work;
StartBackupJobrecords a synthetic recovery point thatDescribeRecoveryPointresolves), frameworks, report plans + jobs, legal holds, restore-testing plans + selections, tiering configurations, protected resources, tags, and account-scoped global / region settings, with persistence. No real backup engine runs (control-plane emulation, matching LocalStack Community).
AI & Machine Learning
- Bedrock: 214 operations across 4 APIs (Bedrock 101, Bedrock Runtime 10, Bedrock Agent 72, Bedrock Agent Runtime 31). Guardrails, Model Customization, Provisioned Throughput, Agents, Knowledge Bases.
- Bedrock Runtime: Deterministic
InvokeModel,InvokeModelWithResponseStream, andConverseAPIs (echo / configurable-response mode; no real inference).
Messaging & Integration
- SQS: 23 operations. Standard and FIFO queues, Dead Letter Queues (DLQ).
- SNS: 42 operations. Topic management and fan-out to SQS/Lambda.
- EventBridge: 57 operations. Rules, Targets; EventBridge Scheduler (12 operations) and EventBridge Pipes (10 operations) are separate services.
- EventBridge Pipes: 10 operations. Point-to-point source -> filter -> Lambda enrichment -> target integrations with per-target InputTemplate transforms, driven by a real background runner.
- OpenSearch Service: 93 operations (complete). Full Amazon OpenSearch Service control plane, sharing one domain store with Elasticsearch Service (both sign as
es): domains (create/describe/delete/config persist; a new domain settlesProcessing=false/Created=truewith a synthetic search endpoint on describe), packages, VPC endpoints, cross-cluster connections, applications + capabilities, per-domain data sources + indices, direct-query data sources, reserved instances, tags, and instance-type/version/upgrade catalogues, with persistence. No real OpenSearch cluster is spawned (control-plane emulation). - Elasticsearch Service: 51 operations (complete). The legacy Amazon Elasticsearch Service (
es, API version 2015-01-01), exposed over the SAME shared domain store as OpenSearch Service — a domain created through either API is one entity, surfaced here via theElasticsearchDomainStatusshape. Domains, packages, VPC endpoints, cross-cluster search connections, reserved instances, tags, and catalogues, with persistence. - Cloud Map: 30 operations (complete). Full AWS Cloud Map (
servicediscovery) control plane + discovery API: HTTP/public-DNS/private-DNS namespaces, services (DnsConfig/HealthCheck + attributes), instance register/deregister/get/list + health status,DiscoverInstances/DiscoverInstancesRevisionlookup, and tagging — driven by the async operation model (mutations return anOperationIdthat settlesSUCCESSonGetOperation); persisted. - Account Management: 15 operations (complete). Full AWS Account control plane: alternate contacts (BILLING/OPERATIONS/SECURITY), primary contact information, account information + name, GovCloud account pairing, primary-email management (start/accept OTP flow), and Region opt-in control (ListRegions, GetRegionOptStatus, Enable/DisableRegion with
ENABLING->ENABLEDsettle-on-read over the real opt-in-region catalogue). Honors the optionalAccountIdmember so an organization's management account can act on a member; persisted. - IAM Identity Center Identity Store: 19 operations (complete). Full
identitystoredirectory control plane: users, groups, and group memberships (create/describe/update/delete/list), the attribute-lookup helpersGetUserId/GetGroupId/GetGroupMembershipId(byUniqueAttribute), andIsMemberInGroups. Nested SCIM attribute bags round-trip verbatim;@length/@rangeconstraints enforced. Account-partitioned and persisted. - IAM Identity Center SSO Admin: 79 operations (complete). Full
sso-admincontrol plane: IAM Identity Center instances and regions, permission sets with inline/managed/customer-managed/boundary policies, account assignments and permission-set provisioning (async status settle), applications with assignments/access-scopes/authentication-methods/grants/session config, the application-provider catalogue, trusted token issuers, access-control attribute configuration, and tagging. Nested config objects round-trip verbatim;@length/@rangeconstraints enforced. Account-partitioned and persisted. - Verified Permissions: 34 operations (complete). Full
verifiedpermissionsCedar authorization control plane: policy stores, Cedar schemas (PutSchema/GetSchema), static and template-linked policies, policy templates, identity sources (Cognito/OIDC), policy-store aliases, and tagging.IsAuthorized/IsAuthorizedWithToken/BatchIsAuthorized/BatchIsAuthorizedWithTokencompute real Cedar decisions via the officialcedar-policyengine — policies compile into a CedarPolicySetand the request is evaluated to anALLOW/DENYwith determining policies and errors.*WithTokenresolves the principal from the JWTsubclaim.@length/@range/enum constraints enforced. Account-partitioned and persisted.
Security & Management
- IAM: 176 operations. Policy evaluation including permission boundaries, session policies, ABAC, NotPrincipal, and KMS key policies.
- STS: 11 operations. Local token generation and session management.
- SSM: 146 operations. Parameter Store; Secrets Manager (23 operations) is a separate service.
Technical Conformance Data
fakecloud is validated against the same Smithy models used by the official AWS SDKs. This ensures that every request and response matches the expected wire format exactly, eliminating 'works on my machine' bugs caused by shallow mocks.