
AmazonMQ, IAM account posture, IAM credential report, and a cross-account fix for S3 event notifications

June 10, 2026 · v1.3.61

v1.3.61 brings a brand-new service, AmazonMQ, covering both RabbitMQ and ActiveMQ, so Terraform and SDK flows that stand up a message broker run locally. Alongside it come two IAM additions that posture-probing and compliance tooling reach for (account summary, password policy, account aliases, and the credential report), and a multi-tenancy fix: S3 event notifications were being silently dropped for any non-default account.

AmazonMQ — new service (mq), RabbitMQ + ActiveMQ

A control-plane emulator for AWS MQ. The original request was RabbitMQ-only; the contribution covers ActiveMQ too. Broker lifecycle and metadata:

State is account-scoped and persisted across restarts. The REST routing matches AWS's mq request URIs (/v1/brokers, /v1/brokers/{id}/users/{username}, /v1/tags/{arn}, …) so boto3 and the Terraform aws_mq_broker resource talk to it unchanged. Contributed by @lucas-giaco.

IAM — account posture (GetAccountSummary, password policy, account aliases)

The account-level reads that compliance and posture tooling audits first. GetAccountSummary returns computed counts (Users, Groups, Roles, Policies, MFADevices, MFADevicesInUse, AccountMFAEnabled) plus the static quota map. GetAccountPasswordPolicy returns NoSuchEntity (404) before any policy is set — matching real AWS — and round-trips after UpdateAccountPasswordPolicy; DeleteAccountPasswordPolicy clears it. Account aliases (ListAccountAliases, CreateAccountAlias, DeleteAccountAlias) are stored per account with replace-on-create semantics. Contributed by @lahmish.

IAM — credential report (GenerateCredentialReport + GetCredentialReport)

Security auditors call generate-credential-report then get-credential-report to pull a CSV snapshot of every IAM user's credential state. The report is built with the exact AWS 22-column header. Each row reflects live state: password_enabled (from login profiles), mfa_active (from MFA device assignments), and access_key_1/2_active (from access-key status), plus a synthetic <root_account> row. GetCredentialReport returns ReportNotPresent (410) before a report is generated and base64-encodes Content per the AWS blob contract. Contributed by @lahmish.
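An added example (not ministack's or the contributor's code) of the audit step that consumes this report: it decodes a base64 Content blob, checks the 22-column header, and flags rows on the password_enabled, mfa_active and access_key_1/2_active columns described above. The sample rows are constructed, and the finding rules and the helper names `_row` and `audit` are assumptions chosen for illustration.

```python
import base64
import csv

# The 22-column header AWS uses for the IAM credential report.
HEADER = (
    "user,arn,user_creation_time,password_enabled,password_last_used,"
    "password_last_changed,password_next_rotation,mfa_active,"
    "access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,"
    "access_key_1_last_used_region,access_key_1_last_used_service,"
    "access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,"
    "access_key_2_last_used_region,access_key_2_last_used_service,"
    "cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated"
).split(",")

def _row(user, password, mfa, key1, key2):
    """Constructed sample row; columns the audit ignores are N/A."""
    cols = dict.fromkeys(HEADER, "N/A")
    cols.update(user=user, password_enabled=password, mfa_active=mfa,
                access_key_1_active=key1, access_key_2_active=key2)
    return ",".join(cols.values())

# Constructed report, base64-encoded as the wire-level Content blob is.
SAMPLE_B64 = base64.b64encode("\n".join([
    ",".join(HEADER),
    _row("<root_account>", "not_supported", "false", "true", "false"),
    _row("alice", "true", "true", "true", "false"),
    _row("bob", "true", "false", "true", "true"),
    _row("ci-deploy", "false", "false", "true", "false"),
]).encode()).decode()

def audit(content_b64):
    """Decode Content and return (user, finding) pairs."""
    text = base64.b64decode(content_b64).decode("utf-8")
    reader = csv.DictReader(text.splitlines())
    if reader.fieldnames != HEADER:
        raise ValueError("unexpected credential report header")
    findings = []
    for r in reader:
        keys = [r["access_key_1_active"], r["access_key_2_active"]].count("true")
        if r["user"] == "<root_account>":
            if r["mfa_active"] != "true":
                findings.append((r["user"], "root without MFA"))
            if keys:
                findings.append((r["user"], "root has an active access key"))
            continue
        if r["password_enabled"] == "true" and r["mfa_active"] != "true":
            findings.append((r["user"], "console password without MFA"))
        if keys == 2:
            findings.append((r["user"], "two active access keys"))
    return findings
```

boto3 decodes the blob itself and hands back Content as bytes, so when reading the report through boto3 skip the `b64decode` step and parse the bytes directly.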

S3 — event notifications now fire for non-default accounts

S3 delivers PutObject / object-removed notifications from a background thread, and that thread did not inherit the request's account context — so it ran under the default account (000000000000). The account-scoped bucket-notification config then resolved empty and the event was silently dropped for any non-default account, while SQS / SNS / Lambda / EventBridge targets resolved under the wrong account. The delivery thread now copies the request context (account and region); the s3:TestEvent path had the same gap and is fixed too. Reported by @rsking.

Upgrade

docker pull ministackorg/ministack:1.3.61
docker run -d -p 4566:4566 ministackorg/ministack:1.3.61

Or pin in compose.yaml:

services:
  ministack:
    image: ministackorg/ministack:1.3.61
    ports:
      - "4566:4566"

Stay in sync

Issues and PRs welcome on GitHub. Discussion on r/ministack.