What's Changed
New Contributors
- @jey-mfv made their first contribution in #1082
- @vvaide made their first contribution in #1095
- @asleeponduty made their first contribution in #1098
- @Sanjays2402 made their first contribution in #1089
- @squirmy made their first contribution in #1090
- @nirajsapkota made their first contribution in #1103
[1.4.3] — 2026-07-18
Added
- IoT — device shadow operations —
GetThingShadow,UpdateThingShadow, andDeleteThingShadowon theiot-dataendpoint (classic and named shadows via?name=) previously returnedInvalidRequestException: Unsupported iot-data path: .../shadow. Shadows now storedesired/reportedstate: updates deep-merge into the stored document (anullvalue removes the field), bump the version, and stamp per-attributemetadatatimestamps (only the attributes an update touches are re-stamped); the/acceptedresponse echoes only the sections sent, whileGetThingShadowreturns the full document including the computedstate.deltaand itsmetadata.delta. A staleversionin an update is rejected with a409, deleting a shadow keeps its version (as on real AWS, it is not reset), and reading or deleting a nonexistent shadow returnsResourceNotFoundException. Shadows are account-scoped and persisted with the rest of the IoT state. Contributed by @maximoosemine. - IoT — MQTT publishes are routed through topic rules to Lambda — an MQTT/
iot-datapublish is now matched against each account's topic rules by the rule'sFROM '<topic filter>'clause (with+/#wildcards), and every matching enabled rule'slambdaactions are invoked asynchronously with the message payload as the event (SELECT *). Basic Ingest is supported: a publish to$aws/rules/<ruleName>is delivered straight to that rule's actions and bypasses pub/sub. Disabled rules are skipped. Contributed by @maximoosemine. - API Gateway v2 —
AWS::ApiGatewayV2::AuthorizerCloudFormation support — deploying a stack with a JWT authorizer on an HTTP API previously failed withUnsupported resource type: AWS::ApiGatewayV2::Authorizerand rolled the stack back, even though the same authorizer already worked via the raw API and Terraform. A provisioner now maps the CFN properties onto the existing authorizer store (Refreturns the authorizer id,Fn::GetAtt AuthorizerIdsupported, per the CFN resource reference), andAWS::ApiGatewayV2::RoutecarriesAuthorizerId/AuthorizationScopesthrough (previously dropped) so the route is actually enforced. Contributed by @ryan-bennett.
Changed
- EventBridge, ECS, and Firehose — region-isolated state — continuing the multi-region work, three more services move their state to account+region scope: EventBridge (event buses, rules, targets, archives, replays, connections, API destinations, and endpoints; replays run under the region they were started in, and S3→EventBridge notifications dispatch in the bucket's region), ECS (clusters, task definitions and their revisions, services, tasks, capacity providers, account settings, and attributes), and Firehose (delivery streams, with Kinesis-source ingest kept within the stream's account and region). Same-name resources in different regions no longer collide, cross-region lookups return the same errors real AWS returns, and legacy persisted state migrates by recovering each record's region from its stored ARNs (ECS bumps its on-disk state format to v3). Contributed by @Areson.
Fixed
- Cognito —
ListUsersstatusfilter matched against the wrong field —Filter='status = "Enabled"'/"Disabled"was compared againstUserStatus(the confirmation-state enum:CONFIRMED,FORCE_CHANGE_PASSWORD,UNCONFIRMED, etc.), which never equals the literal string"Enabled"/"Disabled". As a result, filtering bystatusalways returned an empty list, regardless of how many users existed or their actual enabled/disabled state.statusnow correctly reflects the account'sEnabledboolean toggled byAdminEnableUser/AdminDisableUser, matching real AWS Cognito'sListUsersFilter semantics. Contributed by @jey-mfv. - Cognito —
PreTokenGenerationtriggerSourcereflects the call path — every issued token reportedTokenGeneration_Authentication; refresh flows (REFRESH_TOKEN_AUTHand the/oauth2/tokenrefresh_tokengrant) now sendTokenGeneration_RefreshTokens, and the managed-loginauthorization_codegrant sendsTokenGeneration_HostedAuth, matching the trigger-sources table in the Cognito developer guide. Contributed by @kjdev. - Cognito —
PreSignUp_ExternalProvidertrigger fires on federated sign-up — SAML/OIDC federation callbacks persisted new users without ever invoking the pool's PreSignUp Lambda, which real Cognito always fires immediately before creating a federated user. The trigger now runs fail-closed (a throwing Lambda blocks the sign-up withUserLambdaValidationExceptionand the user is never persisted), and itsautoVerifyEmail/autoVerifyPhoneoverrides are applied to the created user. Federated users keepUserStatus: EXTERNAL_PROVIDERas on real AWS (autoConfirmUserdoes not change a federated user's status). Contributed by @kjdev. - EventBridge Pipes — cross-region source or target rejected — a pipe whose source or target ARN is in a different region than the pipe is now rejected before any state is written (surfaced through CloudFormation as
CREATE_FAILED), matching AWS, where a pipe's source and target are same-region. Global and malformed ARNs are still accepted as before. Contributed by @Areson. - Lambda — Node warm-worker invoke no longer fails on fd 1 writes —
fs.writeSync/fs.writeon stdout bypassed the existingprocess.stdout.writeredirect to stderr, so sync loggers (e.g. pino with{ sync: true }) could emit on the JSON-line protocol channel and surface falseRuntime.HandlerError/Unknown errorresponses even when the handler succeeded. The Node worker bootstrap now redirects fd 1 throughfs.writeSync/fs.write, and the warm-worker stdout reader accepts only protocol lines whosestatusisokorerror. Contributed by @vvaide. Reported by @kofuk. - Lambda —
X-Amz-Log-ResulthonorsLogType— the execution-log header was attached to every synchronous invoke; per the Invoke API reference it is returned only whenLogType=Tail, carrying the last 4 KB of the execution log base64-encoded. Both now match. Contributed by @Sanjays2402. Reported by @w-zx. - Lambda — event source mappings pace failed-invoke retries per ESM — a failing ESM was retried at full poll-loop speed whenever another busy ESM kept the loop awake, and a burst on a healthy ESM was throttled to one batch per tick. The poll loop now keeps draining while work is being processed and each failing ESM backs off independently; failure semantics are unchanged (SQS messages redrive after the visibility timeout, stream shards retry the same batch). Contributed by @squirmy.
- S3 — a versioned delete with an explicit
VersionIdpermanently removes that version —DeleteObjectandDeleteObjectsaddressed with aVersionIdreported success but never touched the version store, soListObjectVersionsstill returned every version and delete marker (DeleteObjecteven appended a new marker, driving the count up). Both paths now purge the exact version/marker and reconcile the current version; a delete without aVersionIdstill creates a delete marker as before. Contributed by @asleeponduty. - S3 — versioned object reads preserve
Content-Type—GetObjectwith aVersionIdalways returnedapplication/octet-stream, even when that version was written with an explicit content type. PutObject version records now retain their own content type, and versioned reads return it while preserving the existing fallback for older records. Contributed by @vvaide. Reported by @aaronsteed. - S3 —
CreateBucketapplies and validates request-bodyTags— the<Tags>container in aCreateBucketbody was ignored (onlyLocationConstraintwas parsed), so tags supplied at creation were silently dropped and a follow-upGetBucketTaggingreturnedNoSuchTagSetwhile S3 ControlListTagsForResourcereturned an empty list. Create-time tags are now stored and returned by both, validated before the bucket is created (key 1-128 chars, value 0-256, the reservedaws:prefix rejected withInvalidTag, at most 50 tags, and a duplicate key returns a500 InternalError); an invalid tag set leaves no bucket behind. Contributed by @nirajsapkota.