Home / Changelog

Changelog

Authoritative release history lives on GitHub at github.com/localemu/localemu/releases. The last five releases are mirrored here for convenience and so search engines can index the content.

v1.1.0

2026-06-11 · correctness and coverage

IAM enforcement now respects attached managed policies on every attachment surface (user, role, group), applies managed permission boundaries by intersection with the identity grant, and evaluates resource-based policies on every cross-account call (S3 bucket policy, KMS key policy, SQS / SNS / Lambda / EventBridge policies). Six new condition keys are populated for the policy evaluator: aws:PrincipalAccount, aws:ResourceAccount, aws:SourceAccount, aws:PrincipalOrgID, aws:PrincipalOrgPaths, aws:ResourceOrgID.

The operation → IAM action map now matches AWS for Lambda (lambda:Invokelambda:InvokeFunction), S3 multipart, SQS / SNS batch ops, KMS ReEncrypt, DynamoDB transactions, and the full S3Control access-point surface (s3:CreateAccessPoint rather than the non-existent s3control:CreateAccessPoint).

IMDS at 169.254.169.254 is now reachable from inside instances launched without a key pair (the common AWS CLI default), so the canonical IMDS address stops returning Connection refused. EC2 / SSM / Backup operations that previously raised InternalFailure return AWS-shaped responses: Snapshot Block Public Access, Serial Console toggles, VPC Block Public Access options and exclusions (with real iptables data-plane enforcement on the IGW-facing interface), EC2 Instance Connect Endpoints, AWS Backup protected resources, and SSM patch state stubs.

Multi-account is now documented and surfaced. AWS Organizations is wired with the full 39 ops including DescribeEffectivePolicy; CreateAccount auto-seeds an OrganizationAccountAccessRole in the new member with an inline AdministratorAccess policy. The central account registry is queryable via the new /_localemu/api/accounts admin endpoints.

S3 replicates objects on every matching rule: PutObject / CompleteMultipartUpload / CopyObject on a versioned source bucket with a ReplicationConfiguration flips x-amz-replication-status from PENDING to COMPLETED on the source and REPLICA on the destination, preserving the VersionId and carrying metadata, tags, and content-type across. Filters (Prefix / Tag / And), priority resolution, multi-destination, DeleteMarkerReplication gating, and the no-chained-replication rule all follow the AWS contract.

S3 Access Points have a real data plane: object operations addressed by ARN, alias, or hostname route to the underlying bucket; the access-point policy is consulted alongside the bucket policy; three new S3 condition keys are populated for AP requests: s3:DataAccessPointArn, s3:DataAccessPointAccount, s3:AccessPointNetworkOrigin. The bucket-policy delegation pattern (s3:DataAccessPointAccount on the bucket policy) works the AWS way and lets the AWS-canonical access-point bypass scenario be reproduced locally.

Coverage: 132 AWS services, 9,000 documented operations, 8,780 implemented (97.6%). See the full API coverage matrix. New docs: Multi-Account, Organizations, Cross-Account Access.

v1.0.0

2026-05-18 · initial release

First public release of LocalEmu. The gateway listens on localhost:4566 for all AWS services. The awsemu CLI is a thin wrapper over AWS CLI v1 pre-pointed at LocalEmu. Persistence (PERSISTENCE=1) saves all service state across restarts. IAM enforcement (IAM_ENFORCEMENT=1) evaluates identity, resource, and permission-boundary policies with the real AWS algorithm (explicit deny → resource → identity → boundary). The Export pipeline emits Terraform, CloudFormation, and JSON snapshots from live state.

Docker-backed services run real binaries against real wire protocols: EC2 (real VMs via docker run), ECS (RunTask + Service, real container exec), EKS (k3d-backed, real kubectl), RDS (Postgres, MySQL, MariaDB on real ports), Redshift (postgres:15, psql + JDBC clients connect for real), MQ (RabbitMQ broker), MSK (Apache Kafka KRaft cluster), OpenSearch (real cluster).

Athena ships a DuckDB-backed SQL engine: literal SELECTs, queries over Glue CSV / JSON / Parquet tables, partition pruning, CTAS and INSERT INTO writing Parquet back to S3 and registering Glue tables. SSM Session Manager (StartSession) is a real WebSocket-bridged shell into the EC2 container. EC2 IMDS is reachable at the canonical 169.254.169.254 address from inside containers via DNAT + MASQUERADE. DynamoDB Streams emit INSERT / MODIFY / REMOVE events. API Gateway v2 supports --target integrations end-to-end and ELBv2 ALB → Lambda forwarding works under real Terraform.

Future entries will be added in reverse-chronological order as we ship. For point-release detail follow the GitHub releases feed directly.