Announcing the LocalStack for AWS 2026.06.0 Release

Introduction

LocalStack for AWS 2026.06.0 is now available. This release adds S3 Replication emulation, Service Control Policy enforcement in the IAM policy engine, a SQLite-backed v2 implementation of CloudWatch Logs, Bottlerocket self-managed nodes for EKS, Lambda runtime init error reporting, Kubernetes pod configuration controls for LocalStack-spawned workloads, expanded AWS Replicator coverage, and first support for the Aurora DSQL control plane.

The release also includes targeted parity improvements across Lambda, SQS, ECS, CloudFormation, S3 Tables, Amazon MQ, OpenSearch, Organizations, RDS, Step Functions, Firehose, API Gateway, ELBv2, CloudTrail, KMS, Backup, AppSync, Route 53, IoT, Glue, DynamoDB, Batch, and Secrets Manager.

Get your free LocalStack account to access the latest features and enhancements in LocalStack for AWS 2026.06.0.

How to upgrade?

To upgrade to LocalStack for AWS 2026.06.0 using the LocalStack CLI, run:

localstack update all

Alternatively, you can use the new LocalStack CLI, which will automatically authenticate you and pull the latest image when started using:

lstk

If using Docker CLI or Docker Compose, update the Docker image:

docker pull localstack/localstack-pro:2026.06.0

Both DockerHub images (localstack/localstack and localstack/localstack-pro) are still supported and contain the same image. Refer to the 2026.03.0 release notes for more on the consolidated image and auth token requirement.

What’s new in LocalStack for AWS 2026.06.0?

S3 Replication Emulation

LocalStack for AWS 2026.06.0 adds emulation for Amazon S3 Replication. Replication lets users copy object versions from one bucket to another, including cross-Region and cross-account topologies, and is commonly deployed through both direct S3 APIs and CloudFormation.

The S3 provider now supports one-way and bidirectional object replication between buckets. Replication rules support prefix and tag-based filtering, destination storage class configuration, replication status metadata, and delete-marker behavior aligned with the current S3 replication configuration format. Legacy v1 replication configurations are also accepted by PutBucketReplication.

Metadata replication is included for object metadata that can change without creating a new object version, including object tags and Object Lock settings. For bidirectional configurations, replica metadata synchronization can propagate changes back from the replica to the source when the destination bucket is configured for that behavior. ACL replication is not included in this release.

S3 replication also supports IAM enforcement when ENFORCE_IAM=1. LocalStack evaluates replication permissions such as s3:ReplicateObject, s3:ReplicateDelete, and related actions before applying replicated changes.

CloudFormation support is also included. The AWS::S3::Bucket resource provider now accepts the ReplicationConfiguration property on create and update flows.

Service Control Policies in the IAM enforcement engine

This release includes a larger set of changes to the IAM enforcement engine. LocalStack now evaluates Service Control Policies (SCPs), improves denial diagnostics, and extends the supported IAM policy grammar.

SCPs are managed by AWS Organizations and define the maximum permissions available to accounts and organizational units. They do not grant permissions by themselves; they restrict what identity-based and resource-based policies can allow. With ENFORCE_IAM=1, LocalStack now evaluates SCPs together with identity-based policies, resource-based policies, and permissions boundaries.

SCP enforcement applies both to the common single-account case and to cross-account access, where a principal in one account accesses a resource owned by another account. The IAM policy simulator path also includes SCP evaluation. LocalStack’s policy simulator evaluates SCPs through the same enforcement engine used for live requests, including cases where AWS’s own policy simulator has documented limitations around SCP conditions.

Denied requests now return more actionable messages. Instead of a generic "Access to the specified resource is denied", LocalStack reports which principal was denied, which action and resource were involved, whether the deny was explicit or implicit, and which policy type caused the decision. For example, an SCP denial can identify the service control policy ARN, while an identity-based denial can point to the managed policy or inline policy name where available.

LocalStack debug logs include the same information, including extra detail for inline policies. This is useful when debugging generated policies or IaC deployments where AWS would otherwise report the inline policy only as an anonymous identity-based policy.

The IAM policy grammar has also been expanded:

  • Numeric condition operators such as NumericEquals, NumericNotEquals, NumericLessThan, NumericLessThanEquals, NumericGreaterThan, and NumericGreaterThanEquals.
  • Negated string operators such as StringNotEquals, StringNotEqualsIgnoreCase, and StringNotLike.
  • Negated ARN operators such as ArnNotEquals and ArnNotLike.
  • The iam:PolicyArn condition key for policy attach/detach operations.
  • S3 tag-based condition keys, including bucket tag and existing object tag checks for bucket-level ABAC.
  • EC2 metadata option condition keys such as IMDSv2-related HttpTokens values.

These changes make LocalStack’s IAM enforcement engine usable for more realistic organization-level security workflows, including policies that enforce required tags, restrict security-service changes, or require EC2 instances to use IMDSv2.
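
A simplified model of the layered evaluation described above, added here as an illustration and not LocalStack's engine or code from the release: an explicit Deny in any layer wins, and otherwise both the SCP layer and the identity-based layer must allow the request. The policies, the SCP ARN, the names, and the three-operator subset are constructed for the example; resource-based policies, permissions boundaries, and cross-account rules are left out.

```python
from fnmatch import fnmatchcase

OPS = {  # operator -> (positive test, negated?); a small subset for the example
    "StringEquals": (lambda have, want: have == want, False),
    "StringNotEquals": (lambda have, want: have == want, True),
    "NumericGreaterThan": (lambda have, want: float(have) > float(want), False),
}

def as_list(value):
    return value if isinstance(value, list) else [value]

def conditions_hold(stmt, ctx):
    for op, pairs in stmt.get("Condition", {}).items():
        test, negated = OPS[op]
        for key, want in pairs.items():
            # An absent key fails positive operators and satisfies negated ones.
            matched = key in ctx and any(test(ctx[key], w) for w in as_list(want))
            if matched == negated:
                return False
    return True

def matches(stmt, action, resource, ctx):
    return (any(fnmatchcase(action.lower(), a.lower()) for a in as_list(stmt["Action"]))
            and any(fnmatchcase(resource, r) for r in as_list(stmt["Resource"]))
            and conditions_hold(stmt, ctx))

def evaluate(layers, action, resource, ctx):
    """layers: [(policy_type, [(policy_name, document), ...]), ...].
    Returns (decision, policy_type, policy_name)."""
    hits = [(ptype, name, stmt["Effect"])
            for ptype, policies in layers
            for name, doc in policies
            for stmt in as_list(doc["Statement"])
            if matches(stmt, action, resource, ctx)]
    for ptype, name, effect in hits:  # an explicit Deny in any layer wins
        if effect == "Deny":
            return ("explicit deny", ptype, name)
    for ptype, _ in layers:  # every layer must contribute an Allow
        if not any(t == ptype and e == "Allow" for t, _n, e in hits):
            return ("implicit deny", ptype, None)
    return ("allow", None, None)

# Constructed sample policies; the ARN and names are placeholders.
SCP_ARN = "arn:aws:organizations::111111111111:policy/o-example/service_control_policy/p-example"
SCP = {"Statement": [
    {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"},
    {"Effect": "Deny", "Action": "ec2:RunInstances",
     "Resource": "arn:aws:ec2:*:*:instance/*",
     "Condition": {"StringNotEquals": {"ec2:MetadataHttpTokens": "required"}}},
]}
IDENTITY = {"Statement": [
    {"Effect": "Allow", "Action": ["ec2:RunInstances", "s3:GetObject"], "Resource": "*"},
]}
LAYERS = [("service control policy", [(SCP_ARN, SCP)]),
          ("identity-based policy", [("dev-inline", IDENTITY)])]
INSTANCE = "arn:aws:ec2:us-east-1:111111111111:instance/i-0example"

if __name__ == "__main__":
    for tokens in ("optional", "required"):
        print(tokens, evaluate(LAYERS, "ec2:RunInstances", INSTANCE,
                               {"ec2:MetadataHttpTokens": tokens}))
    print(evaluate(LAYERS, "s3:GetObject", "arn:aws:s3:::bucket/key", {}))
```

The last call is denied at the SCP layer even though the identity policy allows s3:GetObject, because the sample SCP only allows ec2:* and an SCP grants nothing by itself.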

CloudWatch Logs v2 provider

CloudWatch Logs now has a SQLite-backed v2 provider. You can opt in with PROVIDER_OVERRIDE_LOGS=v2. The new implementation stores log events in a persistent SQLite database (logs.sqlite) through a pluggable storage helper instead of keeping large event sets in memory. The main motivation is long-running LocalStack environments that generate high log volume.

The v2 provider includes persistence migration support for existing log groups and streams. It is also wired into the provider lifecycle so CloudWatch Logs state is loaded before ECS state restoration; this prevents restored ECS tasks from emitting logs before their log groups exist. The current plan is to make this implementation the default CloudWatch Logs provider in an upcoming release.

EKS Bottlerocket support

LocalStack for AWS 2026.05.0 added support for self-managed EC2 nodes joining emulated EKS clusters on the AmazonLinux2023 AMI family. LocalStack for AWS 2026.06.0 extends that flow to Bottlerocket AMIs.

Bottlerocket does not use the multipart MIME user-data format used by AL2023. It passes Kubernetes bootstrap settings as TOML under [settings.kubernetes]. LocalStack now detects and parses that format, resolves Bottlerocket EKS-optimized AMIs through EC2 DescribeImages and the standard SSM Parameter Store paths, and lets Bottlerocket EC2 instances join the target k3d-backed EKS cluster as self-managed nodes.

The EKS provider also includes two stability improvements:

  • EKS now supports Kubernetes 1.36. The default version remains 1.35, and the supported version set is 1.30 through 1.36.
  • Each emulated EKS cluster receives non-overlapping CIDR ranges from a shared pool. Cluster deletion remains visible as DELETING until teardown, including route cleanup, has finished. This avoids transient routing conflicts when one cluster is being deleted while another is starting.

Kubernetes runtime pod configuration

For LocalStack running in Kubernetes, LOCALSTACK_K8S_POD_CONFIG now controls pod placement and resource configuration for LocalStack-spawned workloads. Profiles can specify tolerations, nodeSelector, affinity, topologySpreadConstraints, priorityClassName, resources, labels, and annotations, with service-specific and architecture-specific resolution. This is wired into Lambda, ECS, Glue, EC2, CodeBuild, DocumentDB, ElastiCache, Kafka/MSK, Managed Service for Apache Flink, MWAA, and RDS container or pod launches.

The new K8S_POD_SECURITY_CONTEXT configuration also applies pod-level security context settings to spawned pods, complementing the existing container security context support.

Expanded AWS Replicator coverage

The AWS Replicator gains more resource coverage and better handling of dependent resources:

  • IAM role TREE replication is supported. When a role is replicated, related policies can be brought over first.
  • IAM policy BATCH replication is supported.
  • EC2 VPC TREE replication is supported for VPCs, subnets, and security groups. Subnets and security groups can also be replicated in batch mode.
  • SNS topic replication is supported for standard and FIFO topics, including attributes, tags, data protection policies, FIFO settings, KMS configuration, and policy document account/Region transformation.
  • Replication jobs can ignore already-existing resources where the target service returns the corresponding AWS error. This prevents a replication job from failing when multiple replicated resources share the same dependency, such as several IAM roles referencing the same managed policy.
  • The Replicator resource metadata endpoint now exposes BATCH and TREE capabilities so documentation and tooling can reflect the supported replication modes.

Aurora DSQL control-plane emulation

LocalStack now includes first support for Aurora DSQL, AWS’s serverless distributed PostgreSQL-compatible database.

This release implements the DSQL control plane, including cluster create/list/get/update/delete, deletion protection, tagging, resource policies, stream create/list/get/delete, VPC endpoint service-name synthesis, and basic data-plane connectivity. Dialect support, CloudFormation, and full data-plane persistence will be added in future releases.

This is an initial implementation focused on local development and IaC compatibility for DSQL-dependent workloads.

Enhancements in the Lambda provider

The Lambda provider now reports runtime initialization failures as init errors instead of opaque timeouts or generic service failures. This covers runtime process exits, init timeouts, missing exec wrappers, and related failures in the init phase.

SQS event source mapping concurrency has also been improved. Standard SQS event source mappings now use concurrent pollers, bringing LocalStack closer to AWS behavior for high-throughput queue consumers:

  • SQS event source mappings now use concurrent pollers for standard queues. LocalStack starts five pollers by default for standard queues, while FIFO queues keep a single poller to preserve message group ordering.
  • ScalingConfig.MaximumConcurrency now caps the poller count for standard SQS queues.
  • ProvisionedPollerConfig is accepted, validated, stored, and returned for SQS event source mappings. MinimumPollers controls the number of pollers used by LocalStack, while MaximumPollers is stored for API parity. Dynamic scaling between the two bounds is not implemented in this release.
  • ProvisionedPollerConfig is validated as mutually exclusive with ScalingConfig.MaximumConcurrency, matching AWS.
  • Updating an event source mapping with an empty ScalingConfig clears the stored scaling config, matching AWS behavior and avoiding Terraform drift.
  • Malformed CreateEventSourceMapping EventSourceArn values now return a modeled ValidationException.
  • Lambda API requests that reference S3 code without S3Key now return an AWS-style 400 validation error instead of an internal error.

Enhancements in the S3 provider

In addition to replication support, the S3 provider includes the following parity improvements:

  • Bucket policy validation is now implemented, catching invalid S3 bucket policies before they are stored.
  • Conditional deletes are supported for DeleteObject and DeleteObjects via the IfMatch precondition, matching the S3 conditional deletes feature.
  • The new default bucket encryption behavior is implemented, including BlockedEncryptionTypes support to block writes that use customer-provided encryption keys.
  • S3 bucket tag and existing object tag condition keys are now evaluated by IAM enforcement for bucket-level ABAC workflows. The S3 provider also supports the PutBucketAbac and GetBucketAbac API operations that enable this behavior.

S3 Tables also supports resource tagging for table buckets and tables via TagResource, UntagResource, and ListTagsForResource, including tags passed during CreateTableBucket and CreateTable.

Enhancements in the CloudFormation provider

The legacy CloudFormation v1 provider and engine have been removed. The v2 engine/provider path is now the only implementation.

The CloudFormation provider also includes the following improvements:

  • AWS::DynamoDB::Table supports in-place updates for stream specification, billing mode, provisioned throughput, deletion protection, table class, SSE configuration, attribute definitions, tags, TTL, point-in-time recovery, and Kinesis streaming destination configuration.
  • StackSets created through the v2 provider can be described, listed, and updated through the v2 state path. DescribeStackSet now echoes PermissionModel when it was explicitly supplied, avoiding Terraform drift.
  • CreateChangeSet returns AWS-style ValidationError responses when a TemplateURL references a missing S3 bucket or object key.
  • DescribeChangeSet handles Secrets Manager dynamic references that use the minimal {{resolve:secretsmanager:name:SecretString}} form, and masks Secrets Manager references in change-set output instead of resolving them.
  • Lambda function tags can be added, removed, or updated through CloudFormation stack updates.
  • AWS::WAFv2::WebACL now generates a default name when Name is omitted, matching AWS.

Service provider improvements

  • Amazon MQ now supports RabbitMQ brokers using the official rabbitmq:<version>-management image. AMQP and management UI ports are proxied from the LocalStack runtime, and the provider validates RabbitMQ engine versions and credentials.
  • OpenSearch supports versions 3.3 and 3.5. The default OpenSearch version is now 3.5, and OpenSearch 2.9 has been updated to its latest available patch version.
  • App Inspector now includes text search for spans, so users can search traces by ARN fragments, resource names, payload snippets, and other span text.
  • ECS forwards container entryPoint to the Docker entrypoint and Kubernetes pod command, stores enableFaultInjection on task definitions, applies enableExecuteCommand on UpdateService, defaults managedDraining to ENABLED, and handles repeated capacity provider deletion like AWS.
  • ELBv2 supports regular expressions in ALB listener rule conditions for host-header, http-header, and path-pattern. ALB routing now selects listeners by the request arrival port when multiple same-scheme listeners exist, and ModifyListener applies the same port handling as CreateListener. Distinct same-scheme ALB listener ports should be published through GATEWAY_LISTEN and targeted directly.
  • Organizations enforces the AWS limit of ten attached policies of the same type per target and prevents detaching the last policy from an organization entity.
  • RDS allows global write forwarding for Aurora PostgreSQL 15.4 and newer, populates the GlobalCluster.Endpoint from the primary writer endpoint, and includes fixes for PostgreSQL SSL and encoding edge cases.
  • Step Functions supports JSONata Arguments inside a Map state’s ResultWriter, and distributed Map ResultWriter now writes result files and populates the manifest.
  • Firehose implements Decompression and CloudWatchLogProcessing processors for CloudWatch Logs subscription payloads sent to Firehose destinations, including extracted log-message output when DataMessageExtraction=true.
  • Cognito now challenges TOTP and email MFA factors during sign-in, persists email MFA configuration, and returns MFA preference state through user APIs.
  • CodePipeline emits pipeline status-change events to EventBridge.
  • CloudTrail trail metadata now includes HomeRegion, HasCustomEventSelectors, and HasInsightSelectors flags, and advanced event selectors are returned by GetEventSelectors.
  • API Gateway now preserves and returns tags for API keys and client certificates across create, update, list, and get flows.
  • KMS honors BypassPolicyLockoutSafetyCheck for PutKeyPolicy.
  • Kinesis returns compact JSON from GetResourcePolicy, matching AWS, and the embedded kinesis-mock package has been upgraded to 0.6.2.
  • CloudWatch GetDashboard now returns a 404 ResourceNotFound response for missing dashboards.
  • SQS returns the modeled 400 queue-not-found response when DeleteQueue is called without QueueUrl, and a Standard Queue race condition around visible-message heap mutation has been fixed.
  • Secrets Manager RotateSecret with RotateImmediately=False now creates the pending version without invoking the rotation Lambda immediately.
  • IAM service-specific credentials now accept bedrock.amazonaws.com, including expiration handling and Bedrock-specific credential fields.
  • Glue preserves CreateTableDefaultPermissions on CreateDatabase.
  • DynamoDB updates the stream view type in place when the backing Kinesis stream already exists.
  • Backup clears ScanSettings and AdvancedBackupSettings when omitted from UpdateBackupPlan.
  • AppSync preserves channel namespace handlerConfigs during updates.
  • Route 53 DELETE changes no longer fail if the embedded DNS server entry is already missing.
  • IoT DescribeBillingGroup includes the version field and preserves the missing-resource 404 behavior.
  • Batch accepts lowercase type values in CreateComputeEnvironment, matching AWS and Terraform behavior.
  • GATEWAY_LISTEN and LOCALSTACK_HOST accept port 0, allowing the operating system to select a free port for parallel LocalStack instances.
  • Cloud Pods loading now honors SSL_NO_VERIFY for platform requests, matching the existing save path behavior.

Deprecations and removals

The legacy CloudFormation v1 provider and engine have been removed. If you still set PROVIDER_OVERRIDE_CLOUDFORMATION to select the legacy path, remove that configuration and use the default v2 provider.

The legacy Glue job execution paths have also been removed. GLUE_JOB_EXECUTOR_PROVIDER and the in-process GLUE_JOB_EXECUTOR=local flow are no longer supported. Glue jobs now use the container-based Docker or Kubernetes execution path.

Managed Service for Apache Flink runtime 1.13 has been removed because it is no longer supported by AWS. Requests for unsupported future runtimes now return validation errors instead of deprecated-runtime messages.

The nightly Docker image tag introduced during the image publishing transition has been removed from the publishing flow. Use dev to follow the main branch and stable/latest or a pinned calendar version for release images.

Conclusion

LocalStack for AWS 2026.06.0 closes several AWS parity gaps. S3 replication can now be exercised locally through APIs, CloudFormation, and IAM enforcement; IAM can evaluate organization-level SCP guardrails with more useful denial diagnostics; CloudWatch Logs has a lower-memory v2 storage backend; EKS supports Bottlerocket self-managed nodes and Kubernetes 1.36; and the AWS Replicator covers more dependent resource trees.

The release also adds first Aurora DSQL control-plane support and continues the work of tightening Terraform and CloudFormation compatibility across the long tail of AWS services.

Upgrade to LocalStack for AWS 2026.06.0 today, and let us know on GitHub Discussions what you’d like to see in the next release.