Announcing the LocalStack for AWS 2026.04.0 Release

Introduction

LocalStack for AWS 2026.04.0 is now available. This is the second monthly release on our calendar versioning cadence, and it ships the launch of App Inspector, our new observability layer for local cloud development, end-to-end Athena and S3 Tables federation via Glue catalogs, native execution for custom resource types in the CloudFormation registry, SSL/TLS support for RDS PostgreSQL, expanded AWS Organizations coverage, support for the five new S3 checksum algorithms, and parity improvements across CloudFormation, Athena, Lambda, ECS, Route 53, and KMS.

Get your free LocalStack account to access the latest features and enhancements in LocalStack for AWS 2026.04.0.

How to upgrade?

To upgrade to LocalStack for AWS 2026.04.0 using the LocalStack CLI, run:

localstack update all

Alternatively, you can use the new LocalStack CLI, which will automatically authenticate you and pull the latest image when started using:

lstk

If using Docker CLI or Docker Compose, update the Docker image:

docker pull localstack/localstack-pro:2026.04.0

Both DockerHub images (localstack/localstack and localstack/localstack-pro) are still supported and contain the same image. Refer to the 2026.03.0 release notes for more on the consolidated image and auth token requirement.

What’s new in LocalStack for AWS 2026.04.0?

Introducing App Inspector
Athena and S3 Tables Federation via Glue Catalogs
CloudFormation Registry: Custom Resource Type Execution
RDS PostgreSQL SSL Support
AWS Organizations Replication and CloudFormation Coverage
Support for New S3 Checksum Algorithms
Enhancements in the CloudFormation provider
Enhancements in the Athena provider
Enhancements in the Lambda provider
Miscellaneous
Deprecations
Conclusion

Introducing App Inspector

LocalStack for AWS 2026.04.0 includes the launch of App Inspector, a new observability layer for local cloud development. App Inspector continuously monitors your locally emulated AWS environment to surface misconfigurations, runtime errors, and missing permissions before they reach the real cloud. It is available as a core feature of LocalStack and works with your existing workflows without any extra setup or configuration.

With App Inspector, you can trace service-to-service calls and see exactly where a request stopped and why, inspect the data payloads exchanged between services at every hop (for example, confirming that a Lambda is passing the correct payload to SNS or that an SQS message body matches what the consumer expects), and catch IAM misconfigurations such as missing or overly restrictive permissions while you are still in your local environment. Read more about App Inspector on our announcement blog.

Athena and S3 Tables Federation via Glue Catalogs

LocalStack for AWS 2026.04.0 wires Athena, Glue, and S3 Tables together so data stored in S3 Tables can be queried directly from Athena via Glue federated catalogs. This matches AWS’s s3tablescatalog federation pattern.

On the Glue side, this release adds:

Federated catalog support for the s3tablescatalog pattern, with CRUD APIs (CreateCatalog, GetCatalog, GetCatalogs, DeleteCatalog).
A Glue Iceberg REST endpoint at /iceberg/v1/catalogs/... for accessing S3 Tables data.
Glue GetDatabase, GetTable, GetDatabases, GetTables, CreateDatabase, and CreateTable now act on S3 Tables when the catalog ID matches s3tablescatalog.

On the Athena side, you can query S3 Tables by referencing catalogs of the form s3tablescatalog/<bucket>, which Athena resolves against the federated Glue catalog. Existing direct Iceberg/Delta Lake catalog flows are unchanged.

The Trino engine that powers Athena’s bigdata container has also been upgraded from 440 to 480 (Java 25).

CloudFormation Registry: Custom Resource Type Execution

CloudFormation custom resource types are extensions packaged by the CloudFormation CLI that behave like custom resources, except the lifecycle of the backing Lambda is hidden from the user. LocalStack previously supported only the CRUD and mock parts of the CloudFormation registry, so uploading and listing extensions worked but executing them did not.

Custom resource types uploaded via RegisterType are now executed end-to-end. When a stack references a registered type, LocalStack resolves it against the registry first (falling back to built-in providers) and invokes the extension’s Lambda with the original CloudFormation handler payload. Both Python and Java-based extensions are supported. Note that only the RESOURCE extension type is executable in this release.

RDS PostgreSQL SSL Support

Amazon RDS supports SSL/TLS connections to PostgreSQL, and clients (such as psycopg2 and psql) typically negotiate SSL by default when available. The RDS provider in 2026.04.0 now accepts SSL connections to its emulated PostgreSQL instances, including sslmode=require.

Note that pg_stat_ssl reports ssl=false even when the client is connecting with TLS; the connection between the client and LocalStack is still encrypted.

AWS Organizations Replication and CloudFormation Coverage

AWS Organizations coverage is expanded with replication support and a new CloudFormation resource provider.

The AWS Replicator can now replicate organizations from a real AWS account into LocalStack, with:

Deterministic identifier generation for organizations and policies, so IDs stay stable across replication runs.
Replication of organization policies (Service Control Policies, Tag Policies, etc.) along with their attachments at the account, organizational unit, and root level.
Full hierarchy coverage, with batched and filtered replication modes.

On the CloudFormation side, this release adds the AWS::Organizations::OrganizationalUnit resource provider with full CRUDL support, including via Cloud Control.

Support for New S3 Checksum Algorithms

AWS recently added five additional S3 checksum algorithms: MD5, XXHash3, XXHash64, XXHash128, and SHA-512, bringing the total to ten. LocalStack for AWS 2026.04.0 supports all five in S3 for object uploads, downloads, and multipart uploads, with end-to-end validation against client-supplied checksum values.

Enhancements in the CloudFormation provider

LocalStack’s CloudFormation provider includes the following parity improvements:

Tags set on a stack now propagate to every taggable resource the stack creates. Resource-level tags continue to take priority on key conflicts.
Update support for AWS::ECS::Service. Updates to task definition, desired count, deployment and network configuration, load balancers, service registries, and tags are now applied to existing services. The service ARN and name do not change.
Update support for AWS::KMS::Key. KMS key resources now support in-place updates of mutable properties.

Enhancements in the Athena provider

In addition to the federated query work above, the Athena provider now includes:

UpdateDataCatalog support for updates to the Type, Description, and Parameters fields. The CloudFormation AWS::Athena::DataCatalog resource provider also handles Update lifecycle events.
GetTableMetadata and ListTableMetadata support, with Expression regex filtering on ListTableMetadata.
Aligned error responses for GetDataCatalog and DeleteDataCatalog with AWS, returning InvalidRequestException with the appropriate AthenaErrorCode instead of ResourceNotFoundException.
Newly created data catalogs report a Status of CREATE_COMPLETE to match AWS, and the default workgroup engine version has been bumped from v2 to v3 with a default EnableMinimumEncryptionConfiguration field.

Enhancements in the Lambda provider

LocalStack’s Lambda provider includes a few targeted improvements:

Lambda functions written in Java 17+ using the AWS SDK V1 are now correctly redirected to LocalStack via Transparent Endpoint Injection, picking up $AWS_ENDPOINT_URL automatically and removing the need to disable SSL verification in user code.
Customers running LocalStack behind a corporate HTTP proxy may need to set no_proxy so Lambda traffic to LocalStack does not get routed through the proxy. The Lambda provider now ensures $LOCALSTACK_HOST is always present in no_proxy for Lambda runtimes, appending to any existing user-supplied value rather than overwriting it.

Miscellaneous

The x-localstack response header now contains the running LocalStack version (e.g. 2026.04.0) instead of the static string "true". Existing clients that only check for the presence of the header (such as the AWS Toolkit for VS Code) remain compatible, while clients that need version-aware behavior can now read it directly.
Glue jobs now honor user-supplied --conf entries in DefaultArguments (matching the AWS Glue convention of packing multiple Spark configs into a single --conf argument joined by --conf), and have AWS_ENDPOINT_URL and AWS_ENDPOINT_URL_S3 exported into their environment so SDK calls from inside the job script target LocalStack.
EKS now supports Kubernetes 1.30 through 1.35. Support for Kubernetes 1.29 has been removed in line with its EKS end-of-support; users still pinned to 1.29 should upgrade to 1.30 or newer.
Implemented ListRegions in the Account service, with pagination and filtering. All regions are reported as ENABLED_BY_DEFAULT.
Route 53 weighted routing now applies weights correctly for ResourceRecords-based (CNAME) records, in addition to the existing AliasTarget flow added in 4.13. Updates to the underlying AliasTarget propagate without stale caching, unblocking weighted CNAME routing on Kubernetes.
Upgraded Netty inside the DynamoDB Local installation to address several CVEs (CVE-2025-67735, CVE-2026-33870, CVE-2026-33871, CVE-2025-59419).
Improved the error message printed when the per-organization TLS certificate fails to download, and added a new SSL_NO_VERIFY environment variable that disables TLS verification when fetching the public certificate for localhost.localstack.cloud. This is intended for environments behind non-compliant corporate proxies.
Fixed a race condition in DMS CDC replication with a PostgreSQL source, where stopping a task could incorrectly set its status to Error instead of Stopped.

Deprecations

The legacy v1 EventBridge provider, deprecated since the 4.0.0 release, has been removed in 2026.04.0. Remove any reference to PROVIDER_OVERRIDE_EVENTS from your configuration; setting it now points to invalid configuration and prevents the events provider from loading.
The legacy CloudFormation engine (engine-legacy / engine-legacy_pro), still selectable via PROVIDER_OVERRIDE_CLOUDFORMATION after the v2 engine became the default in 4.14, now logs a deprecation warning at boot. The legacy engine is planned for removal in 2026.05. Please migrate to the v2 engine ahead of that date.
The legacy CloudWatch v1 provider, still selectable via PROVIDER_OVERRIDE_CLOUDWATCH=v1, now logs a deprecation warning at boot. The v1 provider is planned for removal in 2026.05. Please remove PROVIDER_OVERRIDE_CLOUDWATCH from your configuration ahead of that date to switch to the default v2 provider.
The Event Studio extension is deprecated in favor of App Inspector. Running both at the same time can lead to inconsistent behavior, so uninstall Event Studio if you have App Inspector enabled.

Conclusion

LocalStack for AWS 2026.04.0 launches App Inspector and brings end-to-end Athena, S3 Tables, and Glue federation, an upgraded Trino engine, executable CloudFormation registry types, RDS PostgreSQL SSL, broader Organizations coverage, and support for the new S3 checksum algorithms.

Upgrade to LocalStack for AWS 2026.04.0 today to try out the new capabilities, and let us know on GitHub Discussions what you’d like to see next.