What's Changed
[1.3.53] — 2026-05-30
Added
- Firehose KinesisStreamAsSource → S3 fan-out — delivery streams of type KinesisStreamAsSource with an ExtendedS3/S3 destination now actually consume records from the source Kinesis stream and forward them to S3. Previously the source configuration round-tripped on DescribeDeliveryStream but no consumer ever read the records. Fan-out fires inline from Kinesis PutRecord/PutRecords (same pattern as SNS → SQS), honors Prefix and DeliveryStartTimestamp, and is best-effort so it can't break the producer. Reported by @arivazhaganjeganathan-abc.
Fixed
- DynamoDB error-message conformance against dynamodb-conformance.org Tier 3 — 30+ message-text fixes so the exact AWS strings are returned. Highlights: BatchWriteItem/BatchGetItem empty RequestItems ("The requestItems parameter is required."); over-limit batches now use the canonical 1 validation error detected: … format; non-existent-table responses across Get/Put/Delete/Update/Scan/Batch*/Transact* all return "Requested resource not found"; empty KeyConditionExpression/UpdateExpression use the "Invalid {Expression}: The expression cannot be empty;" template; undefined :val/#name references are now scoped to the specific expression ("Invalid FilterExpression: An expression attribute value used in expression is not defined; attribute value: :v"); ExpressionAttributeValues/ExpressionAttributeNames without any expression use "… can only be specified when using expressions"; Scan Segment validation uses AWS's exact phrasing; set-duplicate / NULL / empty-BS / KeySchema / LSI-on-hash-only / duplicate-index-name / billingMode / tableClass / deletion-protection / Limit / GSI-not-found messages all aligned. Empty binary is now accepted in non-key attributes per the AWS data-types reference. ListTagsOfResource on a syntactically-valid but non-existent ARN returns AccessDeniedException (security-through-obscurity — TagResource/UntagResource keep ResourceNotFoundException).
- DynamoDB projection and parallel-scan correctness — GSI / LSI INCLUDE and KEYS_ONLY projections are now enforced on Query and Scan (items trimmed to declared NonKeyAttributes + keys); parallel Scan partitions items deterministically across segments by hashing the partition key (previously every segment returned every item); LSI sparse semantics drop items lacking the index range-key attribute.
- EFS resource-not-found errors are now per-resource-type — TagResource/UntagResource/ListTagsForResource return FileSystemNotFound (404) for fs-* ARNs, AccessPointNotFound (404) for fsap-*, and BadRequest (400) for unrecognised EFS resources, matching the AWS API reference.
- S3 Tables NoSuchNamespaceException/NoSuchTableException → NotFoundException (canonical S3 Tables shape).
- CloudFront KeyValueStore routing fallback → ValidationException (was the invented InvalidRequestException).
- API Gateway v1 MethodNotAllowedException (405) → BadRequestException (400) on the unsupported-method branch — APIGW v1 doesn't define a 405 exception in its model.
- ECS InvalidRequest/ServiceAlreadyExists → ClientException (AWS ECS uses ClientException as the client-error catch-all).
- AWS Batch routing fallback → ClientException (only ClientException/ServerException are in the Batch model).
- MWAA InvalidRequestException/ResourceAlreadyExistsException → ValidationException (the MWAA model exposes neither).
- OpenSearch JSON-parse errors → ValidationException (was the invented InvalidPayloadException).
- Account routing fallback → ValidationException (was InvalidRequest).
- KMS, MWAA, Inspector2 no longer leak Python exception text — generic catch blocks were forwarding str(e) as the AWS error message on InvalidCiphertextException/InternalServerException/InternalServerError. Responses are now opaque per AWS convention.
- IMDS instance-profile ID literal is now assembled at runtime — credential-pattern secret scanners (e.g. AquaSec) were false-flagging the AIPA… literal in imds.py as a leaked instance-profile ID. The 20-character wire response is unchanged; the source no longer contains a contiguous AIPA… string. Reported by @diplomatic-ms.
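
The KMS / MWAA / Inspector2 entry above, illustrated as an added example (not the project's own code): a handler whose generic catch forwards str(e) to the caller, next to one that logs the detail server-side and returns only the error code. The function names, logger name, keyring path, simplified error body and the toy decrypt routine are assumptions made for the illustration.

```python
import json
import logging

log = logging.getLogger("emulator.kms")  # hypothetical logger name


class InvalidCiphertext(Exception):
    """Hypothetical internal error; its text carries implementation detail."""


def toy_decrypt(blob: bytes) -> str:
    # Stand-in for a real decrypt path (constructed, no cryptography here).
    if not blob.startswith(b"v1:"):
        raise InvalidCiphertext(f"bad header {blob[:3]!r}; keyring=/opt/emulator/keys.db")
    return blob[3:].decode("utf-8")  # invalid UTF-8 raises an unexpected error


def error(status: int, code: str, message: str = "") -> tuple:
    # Simplified AWS-JSON-style error body: type code plus optional message.
    body = {"__type": code}
    if message:
        body["message"] = message
    return status, json.dumps(body)


def decrypt_leaky(blob: bytes) -> tuple:
    """Before: a generic catch forwards str(e) to the caller."""
    try:
        return 200, json.dumps({"Plaintext": toy_decrypt(blob)})
    except Exception as e:
        return error(400, "InvalidCiphertextException", str(e))


def decrypt_opaque(blob: bytes) -> tuple:
    """After: detail goes to the server log, the response carries only the code."""
    try:
        return 200, json.dumps({"Plaintext": toy_decrypt(blob)})
    except InvalidCiphertext as e:
        log.warning("decrypt rejected: %s", e)
        return error(400, "InvalidCiphertextException")
    except Exception:
        log.exception("unhandled error in decrypt")
        return error(500, "InternalServerException")


if __name__ == "__main__":
    for sample in (b"v1:hello", b"xx:hello", b"v1:\xff"):  # constructed inputs
        print(decrypt_leaky(sample), decrypt_opaque(sample))
```

Catching the expected exception type separately also stops unrelated failures from being reported to the client as a ciphertext problem.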