Announcing the LocalStack for AWS 2026.05.0 Release

Introduction

LocalStack for AWS 2026.05.0 is now available. This release ships AWS Batch Multi-Node Parallel (MNP) job execution, self-managed EC2 nodes joining emulated EKS clusters on the AmazonLinux2023 AMI family (with Karpenter autoscaling as an early use case), expanded AWS Replicator coverage for Organizations, S3 buckets, DynamoDB tables, and RDS clusters, and a port of the base Docker image to Debian sid. It also completes the round-trip on Athena against S3 Tables federated catalogs, adds the Ruby 4.0 Lambda runtime, and tightens IAM enforcement parity for RDS and S3 workflows.

In addition, our published Docker image set has been reorganized:

• The new dev tag includes all untagged changes on the main branch of our repository.
• The new nightly tag is pushed from scheduled nightly runs.
• The latest tag now replicates the stable tag, meaning it is pushed only from tagged releases (e.g. 2026.05.0, 2026.05.1).

If you previously pinned to latest to follow our main branch, switch to dev (or nightly for the scheduled build).

Get your free LocalStack account to access the latest features and enhancements in LocalStack for AWS 2026.05.0.

How to upgrade?

To upgrade to LocalStack for AWS 2026.05.0 using the LocalStack CLI, run:

localstack update all

Alternatively, you can use the new LocalStack CLI, which will automatically authenticate you and pull the latest image when started using:

lstk

If using Docker CLI or Docker Compose, update the Docker image:

docker pull localstack/localstack-pro:2026.05.0

Both DockerHub images (localstack/localstack and localstack/localstack-pro) are still supported and contain the same image. Refer to the 2026.03.0 release notes for more on the consolidated image and auth token requirement.

What’s new in LocalStack for AWS 2026.05.0?

• AWS Batch Multi-Node Parallel Jobs
• Self-Managed EC2 Nodes on EKS (AmazonLinux2023)
• Expanded AWS Replicator Coverage
• Debian sid Base Image
• Enhancements in the CloudFormation provider
• Enhancements in the IAM enforcement engine
• Enhancements in the ECS provider
• Enhancements in the Organizations provider
• Miscellaneous
• Deprecations
• Conclusion

AWS Batch Multi-Node Parallel Jobs

AWS Batch Multi-Node Parallel (MNP) jobs run a single job across multiple coordinated nodes, with one main node that workers connect to over the private network. They are commonly used for HPC and distributed training workloads. LocalStack for AWS 2026.05.0 supports MNP jobs in the Batch provider, including the full job lifecycle, the MainNode/numNodes overrides, per-node environment variables, per-node log streams, and termination propagation across child nodes.

To make worker-to-main networking work, ECS tasks in awsvpc network mode now report the container’s private IPv4 address in networkInterfaces[].privateIpv4Address on DescribeTasks. Bridge and host mode tasks continue to return an empty interface list, matching AWS.

Self-Managed EC2 Nodes on EKS (AmazonLinux2023)

LocalStack for AWS 2026.05.0 adds support for self-managed EC2 nodes joining an emulated EKS cluster on the AmazonLinux2023 AMI family. As an early use case, this enables basic Karpenter autoscaling against LocalStack. Karpenter provisions nodes by calling EC2 RunInstances with an application/node.eks.aws NodeConfig in the user data, and that flow is now supported end-to-end on AL2023:

• EC2 instances launched with a NodeConfig in their user data join the matching EKS cluster as worker nodes. The supported NodeConfig fields are clusterDNS, maxPods, evictionHard, registerWithTaints, and nodeLabels.
• EKS-optimised AMIs for all supported Kubernetes versions are now resolvable via DescribeImages and from the standard SSM Parameter Store paths. IaC tooling that looks up an EKS-optimised AMI ID and then launches an EC2 instance from it now works against LocalStack.
• A number of parity improvements around CreateFleet and RunInstances have been applied. CreateFleet instances launched from a launch template now carry the launch template’s security groups instead of an empty SecurityGroups list, fleet system tags are applied, $Latest/$Default launch template version aliases are resolved, and RunInstances assigns the default VPC security group when none is specified.

Karpenter coverage against this flow has not been validated across all Karpenter versions yet, and Bottlerocket AMIs are not in scope for this release. Both are on the roadmap for a near-term release.

Expanded AWS Replicator Coverage

The AWS Replicator gains coverage for several frequently-requested resource types in this release:

• For Organizations, the replicator now covers organizational units and member accounts. Identifiers are generated deterministically so that resources keep the same IDs across replication runs.
• For S3, single-bucket replication via ARN or identifier is supported, alongside batch replication of all buckets in the source account, including their per-bucket configurations.
• For DynamoDB, AWS::DynamoDB::Table replication is supported, including tables with Global Secondary Indexes and KMS-managed encryption.
• For RDS, AWS::RDS::DBCluster is now replicable. Cloud Control Read/List is also available for the wider set of RDS resource types (see the CloudFormation section below).

Debian sid Base Image

The base image for the LocalStack Docker image has been moved to Debian sid. The motivation is the number of OS-level vulnerabilities Debian trixie accumulates and classifies as wontfix. For many of them, fixes are already available in sid via newer upstream package versions, so tracking sid lets LocalStack pick those updates up directly rather than waiting for trixie backports.

The Python runtime version is unchanged.

Enhancements in the CloudFormation provider

LocalStack’s CloudFormation provider has expanded resource coverage and broader Cloud Control read coverage in this release:

• Full CRUD support for the AWS::Kinesis::ResourcePolicy resource type, including in-place updates.
• Cloud Control Read/List for the API Gateway V2 resource types AWS::ApiGatewayV2::Api, AWS::ApiGatewayV2::Route, AWS::ApiGatewayV2::Integration, and AWS::ApiGatewayV2::Deployment. These resources now show up under Stack Overview in the LocalStack Web App.
• Cloud Control Read/List for the RDS resource types AWS::RDS::DBCluster, AWS::RDS::DBInstance, AWS::RDS::GlobalCluster, and AWS::RDS::DBClusterParameterGroup.

Enhancements in the IAM enforcement engine

This release tightens parity in the IAM enforcement engine for cases where LocalStack was stricter than AWS and rejected valid requests with AccessDenied under ENFORCE_IAM=1:

• For S3 CopyObject, s3:GetObject is now checked against the source object referenced by CopySource instead of the destination. s3:ListBucket is no longer required at all (AWS does not require it for CopyObject). s3:PutObjectTagging is required only when the request sets TaggingDirective=REPLACE with an explicit Tagging parameter, and s3:PutObjectAcl is no longer required.
• For RDS cluster and instance creation, the cluster parameter group, DB parameter group, option group, subnet group, and target group resources are now correctly treated as optional.
• rds:AddTagsToResource is now required only when a Tags parameter is actually passed, and only against the specific resource being tagged (cluster, instance, snapshot, parameter group, option group, etc.).

The result is fewer false AccessDenied errors when running Terraform or CloudFormation stacks under strict IAM enforcement.

Enhancements in the ECS provider

In addition to the awsvpc private IP work described in the Batch section above, LocalStack’s ECS provider improves parity with services behind load balancers:

• Service targets are no longer registered against the target group at deployment time. Registration is deferred until each task reaches RUNNING, so traffic is not forwarded to backends that are still starting up.
• Service targets are now deregistered when the underlying task transitions to STOPPED or FAILED, instead of staying registered until the service is deleted.

Enhancements in the Organizations provider

Organizations has two parity improvements:

• ListTargetsForPolicy now correctly scopes its result set to the organization that owns the policy. When multiple organizations exist in the same LocalStack state, the call no longer returns targets from a different organization.
• Tags passed to CreateOrganizationalUnit are now stored on the OU instead of being dropped.

Miscellaneous

• Ruby 4.0 Lambda runtime (ruby4.0) is now available in LocalStack.
• CloudWatch Logs subscription filters and FilterLogEvents now correctly match the double-quoted phrase syntax in unstructured filter patterns.
• Route 53 records are now restored to the embedded DNS server when state is reloaded via persistence or a Cloud Pod.
• DynamoDB Query now returns a ValidationException when TableName is null, matching AWS, instead of returning an HTTP 500.
• Resource Groups CreateGroup and UpdateGroupQuery now reject invalid ResourceQuery.Query payloads with BadRequestException (HTTP 400), matching AWS’s response.
• DocumentDB cluster creation now accepts MasterUserPassword values containing single quotes and other special characters that AWS allows.
• Bedrock foundation model setup no longer fails on macOS Docker Desktop with a filesystem permission error, and surfaces a clearer error message when initialization fails for any other reason.
• CloudFront now respects PathPattern in CacheBehaviors even when AllowedMethods is omitted on the behavior, treating it as “all methods allowed” instead of “none”.
• App Inspector and /_localstack/info HTTP traffic now logs at DEBUG instead of INFO, so the default log stream no longer interleaves App Inspector polling with deployment/test output.
• AWS::S3::Bucket now supports Cloud Control Read, covering bucket sub-configurations such as ACLs, encryption, lifecycle, replication, versioning, and CORS.
• Athena now fully supports CREATE TABLE, INSERT, and SELECT (including CTAS) against s3tablescatalog/<bucket> federated catalogs, so the same Iceberg dataset can be written by Athena and read by an external Iceberg client like pyiceberg.
• Batch job definitions now honor containerProperties.secrets. Secrets Manager and SSM Parameter Store references are resolved and injected as environment variables when the container starts, instead of being dropped silently.
• RDS (PostgreSQL) ships with bug fixes: large response payloads are now forwarded correctly over both plain and SSL connections, and a deadlock causing sessions to hang indefinitely on bulk-write workloads over SSL has been resolved.

Deprecations

The LocalStack CLI v1 (the Python localstack package) is no longer installed inside the Docker image. Most workflows are unaffected since the CLI is typically invoked from the host. If you were calling the CLI from inside an initialization hook or from a Dockerfile extending localstack/localstack-pro, install it explicitly inside your initialization hook:

pip install --upgrade localstack

PostgreSQL 12 has also reached its upstream end-of-life and is no longer available in the LocalStack image as part of the Debian sid move described above.

Conclusion

LocalStack for AWS 2026.05.0 closes several long-running gaps in our AWS coverage. Distributed Batch workloads now run through MNP, self-managed EC2 nodes can join emulated EKS clusters on AL2023 (with Karpenter as an early use case), the Replicator covers the resources most often pulled out of customer accounts (Organizations, S3, DynamoDB, RDS), and the Athena/S3 Tables/Glue federation introduced in 2026.04.0 is usable for full CREATE/INSERT/SELECT round trips. The Debian sid base image clears most of the OS-level CVE backlog, and the IAM enforcement fixes remove a class of false AccessDenied errors on RDS and S3 workflows.

Upgrade to LocalStack for AWS 2026.05.0 today, and let us know on GitHub Discussions what you’d like to see in the next release.