July 18, 2026 · v1.4.3
v1.4.3 adds IoT device shadow operations and topic-rule routing to Lambda, extends region isolation to EventBridge, ECS, and Firehose, adds AWS::ApiGatewayV2::Authorizer CloudFormation support, and fixes Cognito federation and token-generation triggers, Lambda invoke logging, and S3 versioned deletes, content-type, and CreateBucket tags.
GetThingShadow, UpdateThingShadow, and DeleteThingShadow on the iot-data endpoint (classic and named shadows via ?name=) previously returned InvalidRequestException: Unsupported iot-data path. Shadows now store desired/reported state: updates deep-merge into the document (a null value removes the field), bump the version, and stamp per-attribute metadata timestamps so only the attributes an update touches are re-stamped. GetThingShadow returns the full document including the computed state.delta and its metadata.delta; a stale version is rejected with a 409; deleting a shadow keeps its version (it is not reset); and reading or deleting a missing shadow returns ResourceNotFoundException. Contributed by @maximoosemine.FROM '<topic filter>' clause (with +/# wildcards), and every matching enabled rule's lambda actions are invoked asynchronously with the payload as the event (SELECT *). Basic Ingest is supported: a publish to $aws/rules/<ruleName> is delivered straight to that rule's actions and bypasses pub/sub. Contributed by @maximoosemine.AWS::ApiGatewayV2::Authorizer deploys. A JWT authorizer on an HTTP API previously failed with Unsupported resource type and rolled the stack back, even though the same authorizer already worked via the raw API and Terraform. A provisioner maps the CFN properties onto the existing authorizer store (Ref returns the authorizer id, Fn::GetAtt AuthorizerId supported), and AWS::ApiGatewayV2::Route now carries AuthorizerId/AuthorizationScopes through so the route is enforced. Contributed by @ryan-bennett.PreSignUp_ExternalProvider fires on federated sign-up. SAML/OIDC federation callbacks persisted new users without ever invoking the pool's PreSignUp Lambda. The trigger now runs fail-closed (a throwing Lambda blocks the sign-up with UserLambdaValidationException and the user is never persisted), and its autoVerifyEmail/autoVerifyPhone overrides are applied. Federated users keep UserStatus: EXTERNAL_PROVIDER. Contributed by @kjdev.PreTokenGeneration triggerSource reflects the call path. Every issued token reported TokenGeneration_Authentication; refresh flows now send TokenGeneration_RefreshTokens and the managed-login authorization_code grant sends TokenGeneration_HostedAuth. Contributed by @kjdev.ListUsers status filter matches the right field. Filter='status = "Enabled"' was compared against the UserStatus confirmation enum and always returned an empty list; it now reflects the account's Enabled boolean toggled by AdminEnableUser/AdminDisableUser. Contributed by @jey-mfv.fs.writeSync/fs.write on stdout bypassed the existing stdout→stderr redirect, so sync loggers (e.g. pino with { sync: true }) could corrupt the JSON-line protocol channel and surface false Runtime.HandlerError responses. The bootstrap now redirects fd 1, and the reader accepts only ok/error protocol lines. Contributed by @vvaide. Reported by @kofuk.X-Amz-Log-Result honors LogType. The execution-log header was attached to every synchronous invoke; per the Invoke API reference it is returned only when LogType=Tail, carrying the last 4 KB base64-encoded. Contributed by @Sanjays2402. Reported by @w-zx.VersionId removes that version. DeleteObject/DeleteObjects reported success but never touched the version store (and DeleteObject even appended a new marker). Both paths now purge the exact version/marker and reconcile the current version; a delete without a VersionId still creates a delete marker. Contributed by @asleeponduty.Content-Type. GetObject with a VersionId always returned application/octet-stream; version records now retain their own content type. Contributed by @vvaide. Reported by @aaronsteed.CreateBucket applies and validates request-body Tags. The <Tags> container was ignored, so create-time tags were dropped and GetBucketTagging returned NoSuchTagSet. Tags are now stored and returned, validated before the bucket is created (key 1–128 chars, value 0–256, reserved aws: prefix rejected, at most 50 tags), with no bucket left behind on an invalid set. Contributed by @nirajsapkota.docker pull ministackorg/ministack:1.4.3 docker run -d -p 4566:4566 ministackorg/ministack:1.4.3
Or pin in compose.yaml:
services:
ministack:
image: ministackorg/ministack:1.4.3
ports:
- "4566:4566"
Issues and PRs welcome on GitHub. Discussion on r/ministack.