| S3 |
107 |
Versioning, lifecycle, notifications, multipart, replication, website, real SSE-KMS encrypt/decrypt |
| SQS |
23 |
FIFO, DLQs, long polling, batch, real KMS encrypt/decrypt on KmsMasterKeyId queues |
| SNS |
42 |
Fan-out to SQS/Lambda/HTTP, filter policies, KMS audit-trail on KmsMasterKeyId topics |
| EventBridge |
57 |
Pattern matching, schedules, archives, replay, API destinations |
| EventBridge Scheduler |
12 |
at/rate/cron, SQS targets, DLQ routing, one-shot self-delete |
| Lambda |
70 |
Real Docker, 23 runtimes, ESM with FilterCriteria + partial-batch failure |
| DynamoDB |
57 |
Transactions, PartiQL, backups, global tables, streams, KMS audit-trail on SSE-KMS tables |
| IAM |
176 |
Users, roles, policies, groups, OIDC/SAML, PassRole trust enforcement |
| STS |
11 |
AssumeRole, session tokens, federation |
| SSM |
146 |
Parameters, documents, commands, maintenance, patch baselines, SecureString -> real KMS encrypt/decrypt |
| Secrets Manager |
23 |
Versioning, rotation via Lambda, replication, real KMS encrypt/decrypt |
| CloudWatch Logs |
113 |
Groups, streams, subscription filters, query language |
| KMS |
53 |
Encryption, aliases, grants, real ECDH, key import, cross-service hook |
| CloudFormation |
90 |
Template parsing, resource provisioning, custom resources |
| SES (v2 + v1 inbound) |
110 |
Sending, templates, DKIM, real receipt rule execution |
| Cognito User Pools |
122 |
Pools, clients, MFA, identity providers, full auth flows; verification email -> SES, SMS -> SNS, all 12 Lambda triggers |
| Kinesis |
39 |
Streams, records, shard iterators, retention |
| RDS |
163 |
Real Postgres, MySQL, MariaDB, Oracle, SQL Server, Db2 via Docker; lifecycle ops emit aws.rds EventBridge events; PostgreSQL aws_lambda + aws_s3 extensions and Aurora-compatible MySQL/MariaDB mysql.lambda_async/mysql.lambda_sync invoke fakecloud Lambda + import/export S3 objects from SQL |
| ElastiCache |
75 |
Real Redis, Valkey, Memcached via Docker |
| Step Functions |
37 |
Full ASL interpreter, Lambda/SQS/SNS/EventBridge/DynamoDB tasks |
| API Gateway v1 |
124 |
REST APIs, resources, methods, integrations (MOCK/HTTP/HTTP_PROXY/AWS_PROXY Lambda), deployments, stages, API keys, usage plans, models, request validators (enforced in data plane), VPC links, domain names, base path mappings, client certs, gateway responses, docs, tags. Authorizers: TOKEN/REQUEST authorizers invoke real Lambda; COGNITO_USER_POOLS validates real RS256 JWT against pool JWKS. |
| API Gateway v2 |
103 |
HTTP APIs, routes, integrations, stages, deployments, domains, models, VPC links, routing rules, developer portals, CORS, tags. Authorizers: TOKEN/REQUEST authorizers invoke real Lambda; COGNITO_USER_POOLS validates real RS256 JWT against pool JWKS. |
| Bedrock |
101 |
Foundation models, guardrails, custom models, invocation/eval jobs |
| Bedrock Runtime |
10 |
InvokeModel, Converse, streaming, configurable responses, fault inject |
| Bedrock Agent |
72 |
Agents, agent versions/aliases, action groups, knowledge bases, data sources, ingestion jobs, prompt management, flows |
| Bedrock Agent Runtime |
31 |
InvokeAgent, Retrieve, RetrieveAndGenerate, InvokeFlow, streaming variants |
| ECR |
58 |
Full API — OCI v2 push/pull, lifecycle, scanning, registry, pull-through |
| ECS |
76 |
Full API — clusters, task definitions, real task execution, services + rolling deployments, container instances, capacity providers, task sets, ECS Exec |
| Elastic Load Balancing v2 |
51 |
ALB/NLB/GWLB CRUD: load balancers, target groups + targets + real health probes, listeners + rules + certificates, LB/listener/target-group attributes, capacity reservations, mTLS trust stores + revocations, SSL policies, resource policies, tags. In-process HTTP data plane for ALBs — per-LB TCP bind, rule matching, forward / fixed-response / redirect, sticky sessions, X-Forwarded-* headers |
| CloudFront |
147 |
Distributions + invalidations + tagging + by-X listings + web ACL/alias association. OAC + Cache/OriginRequest/ResponseHeaders/ContinuousDeployment policies. CloudFront Functions, Public Keys, Key Groups, Key Value Stores, OAIs (legacy), Monitoring Subscriptions. Streaming Distributions (legacy RTMP). Field-Level Encryption configs + profiles + Realtime Log Configs. VPC Origins, Anycast IP Lists, Trust Stores, Resource Policies. Connection Groups + Domain Association/DNS Verification + Managed Certificate Details + Promote-Staging Distribution — full CRUD with ETag/If-Match concurrency. REST-XML protocol, full DistributionConfig round-trip incl. origins, cache behaviors, custom error responses, viewer certificates, geo restrictions |
| Route 53 |
71 |
Full control plane. Hosted zones + RRsets + health checks + traffic policies + DNSSEC + KSK + query logging + CIDR collections + VPC associations + reusable delegation sets + geo locations + account limits + tags — CRUD, default SOA/NS seeding, INSYNC change tracking, hosted zone limits, list-by-name, TestDNSAnswer. Health checks: full lifecycle, HealthCheckVersion optimistic concurrency, ResetElements, HealthCheckInUse on delete, checker IP ranges. Traffic policies + instances: versioned policies, TrafficPolicyAlreadyExists/InUse, TrafficPolicyInstanceAlreadyExists, list-by-zone/by-policy. DNSSEC + KSK: enable/disable signing, CreateKeySigningKey with KMS-ARN, activate/deactivate, InvalidKeySigningKeyStatus blocks delete-while-active. Query logging: one config per zone, public-zone-only, CloudWatch Logs ARN. CIDR collections: PUT/DELETE_IF_EXISTS atomic changes, CollectionVersion optimistic concurrency, CidrCollectionInUseException on delete-with-locations. VPC associations: associate/disassociate (private-zone only, last-VPC removal blocked), CreateVPCAssociationAuthorization + revoke + list, ListHostedZonesByVPC. Reusable delegation sets: 4-NS synthesis, in-use protection on delete, MAX_ZONES_BY_REUSABLE_DELEGATION_SET limit. Geo locations + account limits + tags: ListGeoLocations/GetGeoLocation over a representative dataset (continents + sample countries + US subdivisions), GetAccountLimit for all 5 owner-scoped types, full tag CRUD on health checks + hosted zones via ChangeTagsForResource/ListTagsForResource/ListTagsForResources. REST-XML under /2013-04-01/ |
| WAF v2 |
55 |
Full control plane. WebACLs / RuleGroups / IPSets / RegexPatternSets — Create/Get/List/Update/Delete with LockToken optimistic concurrency (WAFOptimisticLockException on stale tokens, fresh token returned on every mutation). REGIONAL + CLOUDFRONT scope segmentation. ARN-keyed WebACL <-> resource associations (AssociateWebACL/DisassociateWebACL/GetWebACLForResource/ListResourcesForWebACL). WAFAssociatedItemException on delete-while-associated for WebACLs and delete-while-referenced for RuleGroups. CheckCapacity computes WCU as recursive count of statement leaves through AndStatement/OrStatement/NotStatement composition. API keys via CreateAPIKey/DeleteAPIKey/GetDecryptedAPIKey/ListAPIKeys — round-trip the configured TokenDomains. Logging configurations (Put/Get/Delete/List) keyed by WebACL ARN. Permission policies (Put/Get/Delete) on RuleGroups for cross-account share. Tags with WAFNonexistentItemException on unknown ARNs. Managed rule groups + sets: read-only AWS catalog (Common, KnownBadInputs, SQLi), DescribeAllManagedProducts, DescribeManagedProductsByVendor, DescribeManagedRuleGroup, ListAvailableManagedRuleGroups/ListAvailableManagedRuleGroupVersions, GetManagedRuleSet, vendor-side PutManagedRuleSetVersions/UpdateManagedRuleSetVersionExpiryDate. Mobile SDK release lookups + presigned download URL synthesis. GetSampledRequests, GetTopPathStatisticsByTraffic, GetRateBasedStatementManagedKeys return empty observability stubs. JSON 1.1 protocol |
| Application Auto Scaling |
14 |
Full control plane. Scalable targets (Register/Deregister/Describe) for ECS, Lambda, DynamoDB, RDS, ElastiCache, SageMaker, EMR, AppStream, Cassandra, Kafka, Neptune, EC2 Spot Fleet, Comprehend. Step + target-tracking + predictive scaling policies (Put/Describe/Delete). Scheduled actions with cron / one-shot start/end times + Timezone. DescribeScalingActivities (IncludeNotScaledActivities), deterministic GetPredictiveScalingForecast with hourly Load + Capacity buckets. RoleARN defaults to the per-namespace service-linked role ARN. Deregister cascades to policies + scheduled actions for that target. TagResource/UntagResource/ListTagsForResource keyed by ARN. JSON 1.1 protocol |
| Athena |
70 |
Full control plane. Workgroups (default primary seeded), Data Catalogs (default AwsDataCatalog seeded), Named Queries, Prepared Statements (keyed by (workgroup, statement_name)), Query Executions, Notebooks, Sessions + Calculations, Capacity Reservations + Capacity Assignment Configuration. StartQueryExecution synthesizes a SUCCEEDED execution with a single-row [["1"]] result so callers can immediately fetch via GetQueryResults without polling. DeleteWorkGroup rejects primary and refuses non-empty workgroups unless RecursiveDeleteOption=true. DeleteDataCatalog rejects AwsDataCatalog. Statement classification (DML / DDL / UTILITY) from leading SQL keyword. Tags keyed by ARN across workgroup / datacatalog / capacity-reservation resources. ListEngineVersions / ListApplicationDPUSizes / ListExecutors / GetResourceDashboard return read-only catalog data. JSON 1.1 protocol |
| ACM (Certificate Manager) |
17 |
Full control plane. Public-cert lifecycle: RequestCertificate (DNS / EMAIL validation, deterministic synthesized DNS validation records), DescribeCertificate, GetCertificate, ListCertificates, SearchCertificates, DeleteCertificate, RenewCertificate, RevokeCertificate (AMAZON_ISSUED only). Imported certs: ImportCertificate (round-trips PEM, supports re-import to same ARN), ExportCertificate (returns cert + chain + key with passphrase). Tags via Add/Remove/ListTagsForCertificate. Account-wide expiry events via Get/PutAccountConfiguration. UpdateCertificateOptions for transparency-logging + export prefs. ResendValidationEmail only for EMAIL-validated certs. IdempotencyToken dedupes exact matches on token + DomainName + SANs (real ACM keys this on a 1-hour window; fakecloud uses exact match for determinism). JSON 1.1 protocol |
| Glue |
265 |
Full control plane. Data Catalog (databases / tables / partitions with GetPartitions Expression pruning), catalogs + encryption settings + resource policies, jobs + job runs + bookmarks, crawlers + classifiers + schedules (real READY <-> RUNNING), connections, triggers, workflows + runs, blueprints + runs, dev endpoints, schema registry, interactive sessions + statements, ML transforms + task runs, data quality (rulesets / runs / results), user-defined functions, usage profiles, column statistics + stats tasks, table optimizers, custom entity types, security configurations, tagging. Smithy @length / @range / enum constraints enforced server-side. Same Data Catalog store backs Athena. JSON 1.1 protocol. Job / crawler / ML / data-quality execution is synthesized — fakecloud is not a Spark engine |
| Firehose |
12 |
Delivery stream control plane. Stream CRUD + UpdateDestination (ExtendedS3 / Redshift / Elasticsearch / OpenSearch / Splunk / HttpEndpoint / Snowflake / Iceberg), DirectPut + KinesisStreamAsSource, CREATING -> ACTIVE / DELETING lifecycle, BufferingHints range-checked, PutRecord / PutRecordBatch with per-record RecordIds, server-side encryption (Start/StopDeliveryStreamEncryption), tag CRUD. JSON 1.1 protocol. Data plane stops at acknowledgement — records are not delivered |
| Organizations |
63 |
Full control plane. Org tree (roots / OUs / accounts), CreateAccount async IN_PROGRESS -> SUCCEEDED, LeaveOrganization, policies (SCP / TAG / BACKUP / AISERVICES_OPT_OUT) with real SCP enforcement under FAKECLOUD_IAM=strict, handshakes, delegated administrators, AWS service access, effective-policy validation, billing responsibility transfers, resource policy, tagging. JSON 1.1 protocol. Mutating calls are management-account only |
| CloudWatch (Metrics & Alarms) |
46 |
Full control plane. Metrics (PutMetricData / GetMetricData / GetMetricStatistics / ListMetrics / GetMetricWidgetImage), metric + composite alarms with SNS / AppAS / EC2 actions, dashboards, anomaly detectors, insight rules + managed rules + reports, metric streams, alarm mute rules, contributor insights, OTel enrichment, tagging. awsQuery protocol (SigV4 service monitoring, distinct from CloudWatch Logs). Metrics in-memory only; alarms evaluate against published data |
| EC2 |
767 |
Full 767-op control plane. VPCs, subnets, security groups, route tables, gateways (IGW / NAT / egress / carrier), ENIs, instances (real Docker/Podman/Kubernetes-backed execution with per-subnet network isolation + opt-in security-group enforcement), EBS volumes + snapshots, AMIs, network ACLs, VPC peering / endpoints / PrivateLink, flow logs, launch templates, spot / fleet, capacity / reserved / dedicated hosts, the full 74-op transit gateway surface (multicast / peering / Connect / metering), Site-to-Site + Client VPN, IPAM (pools / scopes / discovery / BYOASN / policies / prefix-list resolvers), Verified Access, Network Insights, Outpost / local gateway / CoIP, and Instance Connect. ec2Query protocol with flattened-XML lists |