Home / Changelog
Changelog
Authoritative release history lives on GitHub at github.com/localemu/localemu/releases. The last five releases are mirrored here for convenience and so search engines can index the content.
v1.1.0
2026-06-11 · correctness and coverage
IAM enforcement now respects attached managed policies on every
attachment surface (user, role, group), applies managed permission
boundaries by intersection with the identity grant, and evaluates
resource-based policies on every cross-account call (S3 bucket
policy, KMS key policy, SQS / SNS / Lambda / EventBridge policies).
Six new condition keys are populated for the policy evaluator:
aws:PrincipalAccount,
aws:ResourceAccount,
aws:SourceAccount,
aws:PrincipalOrgID,
aws:PrincipalOrgPaths,
aws:ResourceOrgID.
The operation → IAM action map now matches AWS for Lambda
(lambda:Invoke →
lambda:InvokeFunction), S3 multipart,
SQS / SNS batch ops, KMS ReEncrypt,
DynamoDB transactions, and the full S3Control access-point surface
(s3:CreateAccessPoint rather than the
non-existent s3control:CreateAccessPoint).
IMDS at 169.254.169.254 is now
reachable from inside instances launched without a key pair (the
common AWS CLI default), so the canonical IMDS address stops
returning Connection refused. EC2 / SSM / Backup operations that
previously raised InternalFailure
return AWS-shaped responses: Snapshot Block Public Access, Serial
Console toggles, VPC Block Public Access options and exclusions
(with real iptables data-plane enforcement on the IGW-facing
interface), EC2 Instance Connect Endpoints, AWS Backup protected
resources, and SSM patch state stubs.
Multi-account is now documented and surfaced. AWS Organizations is
wired with the full 39 ops including
DescribeEffectivePolicy;
CreateAccount auto-seeds an
OrganizationAccountAccessRole in the
new member with an inline
AdministratorAccess policy. The
central account registry is queryable via the new
/_localemu/api/accounts admin
endpoints.
S3 replicates objects on every matching rule:
PutObject /
CompleteMultipartUpload /
CopyObject on a versioned source
bucket with a ReplicationConfiguration
flips x-amz-replication-status from
PENDING to
COMPLETED on the source and
REPLICA on the destination,
preserving the VersionId and
carrying metadata, tags, and content-type across. Filters
(Prefix / Tag / And), priority resolution, multi-destination,
DeleteMarkerReplication gating, and the no-chained-replication
rule all follow the AWS contract.
S3 Access Points have a real data plane: object operations
addressed by ARN, alias, or hostname route to the underlying
bucket; the access-point policy is consulted alongside the bucket
policy; three new S3 condition keys are populated for AP requests:
s3:DataAccessPointArn,
s3:DataAccessPointAccount,
s3:AccessPointNetworkOrigin. The
bucket-policy delegation pattern (s3:DataAccessPointAccount
on the bucket policy) works the AWS way and lets the AWS-canonical
access-point bypass scenario be reproduced locally.
Coverage: 132 AWS services, 9,000 documented operations, 8,780 implemented (97.6%). See the full API coverage matrix. New docs: Multi-Account, Organizations, Cross-Account Access.
v1.0.0
2026-05-18 · initial release
First public release of LocalEmu. The gateway listens on
localhost:4566 for all AWS services. The
awsemu CLI is a thin wrapper over AWS CLI v1
pre-pointed at LocalEmu. Persistence (PERSISTENCE=1)
saves all service state across restarts. IAM enforcement
(IAM_ENFORCEMENT=1) evaluates identity,
resource, and permission-boundary policies with the real AWS algorithm
(explicit deny → resource → identity → boundary). The Export
pipeline emits Terraform, CloudFormation, and JSON snapshots from
live state.
Docker-backed services run real binaries against real wire protocols:
EC2 (real VMs via docker run), ECS
(RunTask + Service, real container exec), EKS (k3d-backed, real
kubectl), RDS (Postgres, MySQL, MariaDB
on real ports), Redshift (postgres:15, psql + JDBC clients connect
for real), MQ (RabbitMQ broker), MSK (Apache Kafka KRaft cluster),
OpenSearch (real cluster).
Athena ships a DuckDB-backed SQL engine: literal SELECTs, queries
over Glue CSV / JSON / Parquet tables, partition pruning, CTAS and
INSERT INTO writing Parquet back to S3 and registering Glue tables.
SSM Session Manager (StartSession) is a real WebSocket-bridged shell
into the EC2 container. EC2 IMDS is reachable at the canonical
169.254.169.254 address from inside
containers via DNAT + MASQUERADE. DynamoDB Streams emit INSERT /
MODIFY / REMOVE events. API Gateway v2 supports
--target integrations end-to-end and
ELBv2 ALB → Lambda forwarding works under real Terraform.
Future entries will be added in reverse-chronological order as we ship. For point-release detail follow the GitHub releases feed directly.