IAM — CreateLoginProfile, GetLoginProfile, UpdateLoginProfile, DeleteLoginProfile — models whether an IAM user has a console password (the signal that a user is a human). CreateLoginProfile stores UserName, CreateDate, and PasswordResetRequired without persisting the password value (seed-side). GetLoginProfile returns NoSuchEntity (404) when no profile exists. UpdateLoginProfile updates PasswordResetRequired. DeleteLoginProfile removes the profile. All four operations match the real AWS request/response shapes exactly so identity-discovery agents can distinguish humans from service accounts using get-login-profile. Contributed by @lahmish.
IAM — CreateVirtualMFADevice, EnableMFADevice, DeactivateMFADevice, ResyncMFADevice, ListMFADevices, ListVirtualMFADevices, DeleteVirtualMFADevice — full virtual MFA device lifecycle. CreateVirtualMFADevice returns SerialNumber (ARN form arn:aws:iam::<acct>:mfa/<name>) plus Base32StringSeed and QRCodePNG blobs (base64-encoded). EnableMFADevice accepts any TOTP codes (seed-side lenience). ListVirtualMFADevices supports AssignmentStatus filter (Assigned / Unassigned / Any; default Any). DeleteVirtualMFADevice returns DeleteConflict (409) for assigned devices. Contributed by @lahmish.
IAM — GetAccountAuthorizationDetails — the one-shot identity graph. Returns UserDetailList (inline policies, attached managed policies, group memberships, tags), GroupDetailList, RoleDetailList (inline policies, attached managed policies, instance profiles, tags, assume-role document url-encoded), and Policies (customer-managed, with url-encoded version documents). Filter.member.N honored: User, Group, Role, LocalManagedPolicy. IsTruncated=false; pagination optional. Contributed by @lahmish.
IAM — CreateSAMLProvider, GetSAMLProvider, ListSAMLProviders, UpdateSAMLProvider, DeleteSAMLProvider, ListOpenIDConnectProviders — SAML IdP CRUD plus OIDC provider enumeration. Accepts any non-empty SAMLMetadataDocument (real AWS requires valid XML ≥1000 chars; that validation is seed-side). GetSAMLProvider returns SAMLMetadataDocument, CreateDate, ValidUntil, and Tags. ListOpenIDConnectProviders returns {Arn} entries (create/get/delete existed previously). Enables agents to enumerate federated IdPs cross-referenced with role trust policies. Contributed by @lahmish.
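The GetAccountAuthorizationDetails and SAML-provider entries above together describe a defender-side workflow: pull the one-shot identity graph, URL-decode the trust policies, and cross-reference them with the enumerated IdPs. The following is an added example written for this changelog (it is not the project's code); `SAMPLE_DETAILS` and `SAMPLE_PROVIDER_ARNS` are constructed to mirror the documented response shapes, including the URL-encoded `AssumeRolePolicyDocument`, and the account id and role names are placeholders.

```python
"""Cross-reference SAML providers with role trust policies taken from a
GetAccountAuthorizationDetails-shaped response.

Added example, not the project's own code. AWS returns policy documents
URL-encoded; the sample below is constructed the same way.
"""
import json
from typing import Any, Dict, Iterable, List, Set
from urllib.parse import quote, unquote


def _url_encoded(doc: dict) -> str:
    """Encode a policy document the way the API returns it (used only to build the sample)."""
    return quote(json.dumps(doc), safe="")


# Constructed: one SAML provider, as ListSAMLProviders would enumerate it.
SAMPLE_PROVIDER_ARNS = ["arn:aws:iam::123456789012:saml-provider/CorpIdP"]

# Constructed: trimmed to the RoleDetailList fields this example reads.
SAMPLE_DETAILS: Dict[str, Any] = {
    "RoleDetailList": [
        {
            "RoleName": "FederatedAdmin",
            "AssumeRolePolicyDocument": _url_encoded({
                "Version": "2012-10-17",
                "Statement": [{
                    "Effect": "Allow",
                    "Principal": {"Federated": "arn:aws:iam::123456789012:saml-provider/CorpIdP"},
                    "Action": "sts:AssumeRoleWithSAML",
                    "Condition": {"StringEquals": {"SAML:aud": "https://signin.aws.amazon.com/saml"}},
                }],
            }),
        },
        {
            "RoleName": "AppServerRole",
            "AssumeRolePolicyDocument": _url_encoded({
                "Version": "2012-10-17",
                # Statement as a single object rather than a list is also valid policy JSON.
                "Statement": {
                    "Effect": "Allow",
                    "Principal": {"Service": "ec2.amazonaws.com"},
                    "Action": "sts:AssumeRole",
                },
            }),
        },
    ],
}


def _as_list(value: Any) -> List[Any]:
    """Policy JSON allows scalar-or-list in many places; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def decode_policy(document: str) -> dict:
    """Decode a URL-encoded policy document (as returned by the API) into a dict."""
    return json.loads(unquote(document))


def trusted_federated_principals(role: dict) -> Set[str]:
    """Principal.Federated ARNs named by every Allow statement in the role's trust policy."""
    policy = decode_policy(role["AssumeRolePolicyDocument"])
    principals: Set[str] = set()
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if isinstance(principal, dict):
            principals.update(_as_list(principal.get("Federated")))
    return principals


def roles_by_saml_provider(details: dict, provider_arns: Iterable[str]) -> Dict[str, List[str]]:
    """Map each enumerated SAML provider ARN to the roles whose trust policy names it.

    A provider with an empty list is registered but unused; a role trusting an ARN
    that is not in provider_arns points at a provider outside the enumerated set.
    """
    wanted = set(provider_arns)
    mapping: Dict[str, List[str]] = {arn: [] for arn in wanted}
    for role in details.get("RoleDetailList", []):
        for arn in trusted_federated_principals(role) & wanted:
            mapping[arn].append(role["RoleName"])
    return mapping


if __name__ == "__main__":
    print(roles_by_saml_provider(SAMPLE_DETAILS, SAMPLE_PROVIDER_ARNS))
```

The trust-policy decoder accepts `Statement` and `Principal.Federated` as either a scalar or a list, which is where hand-written graph builders usually break on real accounts.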
IAM — GenerateServiceLastAccessedDetails, GetServiceLastAccessedDetails — Access Advisor generate→get job handshake. Returns a UUID JobId. GetServiceLastAccessedDetails returns JobStatus=COMPLETED and an empty ServicesLastAccessed list (no CloudTrail data). Contributed by @lahmish.
Fixed
Cognito — RespondToAuthChallenge / AdminRespondToAuthChallenge merge CUSTOM_AUTH verify result into the pending challenge round — the verify result was appended as a second, metadata-less session entry, splitting one round across two records. AWS records one ChallengeResult per round, carrying both challengeMetadata (from CreateAuthChallenge) and challengeResult (from VerifyAuthChallengeResponse) — multi-round flows that read both fields from the same element (e.g. magic-link → SMS-OTP) never advanced. The pending round is now updated in place. Contributed by @AdigaAkhil.
SQS — out-of-range numeric attributes rejected with InvalidAttributeValue — CreateQueue and SetQueueAttributes accepted any value and stored it verbatim, so VisibilityTimeout=99999 (and every other numeric attribute) was silently kept. Now VisibilityTimeout (0..43200), MaximumMessageSize (1024..262144), MessageRetentionPeriod (60..1209600), DelaySeconds (0..900), ReceiveMessageWaitTimeSeconds (0..20), and KmsDataKeyReusePeriodSeconds (60..86400) are validated against the AWS ranges and rejected with InvalidAttributeValue (400) when outside the documented bounds or non-numeric. Reported by @dcabib.
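The range check this entry describes, written out as an added example (it is not the project's own handler code). The bounds are the documented AWS ranges quoted above; the exception class and message text are assumptions standing in for the InvalidAttributeValue (400) response.

```python
"""Range-check SQS numeric queue attributes for CreateQueue / SetQueueAttributes.

Added example, not the project's own code. Bounds are the documented AWS ranges;
the error class and wording are placeholders for the InvalidAttributeValue (400) response.
"""
import re
from typing import Dict, Optional, Tuple

# Inclusive (min, max) bounds per the AWS SQS SetQueueAttributes documentation.
NUMERIC_ATTRIBUTE_RANGES: Dict[str, Tuple[int, int]] = {
    "VisibilityTimeout": (0, 43200),
    "MaximumMessageSize": (1024, 262144),
    "MessageRetentionPeriod": (60, 1209600),
    "DelaySeconds": (0, 900),
    "ReceiveMessageWaitTimeSeconds": (0, 20),
    "KmsDataKeyReusePeriodSeconds": (60, 86400),
}

# Strict decimal integer: Python's int() would also accept "1_000" or unicode digits.
_INTEGER = re.compile(r"-?[0-9]+")


class InvalidAttributeValue(ValueError):
    """Stands in for the InvalidAttributeValue error (HTTP 400) the API returns."""
    status_code = 400


def validate_queue_attributes(attributes: Dict[str, str]) -> Dict[str, str]:
    """Return a copy of attributes with numeric values normalised to canonical decimal
    strings; raise InvalidAttributeValue for non-numeric or out-of-range values.
    Attributes outside the table (Policy, RedrivePolicy, ...) pass through untouched."""
    validated: Dict[str, str] = {}
    for name, raw in attributes.items():
        bounds = NUMERIC_ATTRIBUTE_RANGES.get(name)
        if bounds is None:
            validated[name] = raw
            continue
        low, high = bounds
        text = str(raw).strip()
        if not _INTEGER.fullmatch(text):
            raise InvalidAttributeValue(
                f"Invalid value for the parameter {name}: {raw!r} is not an integer."
            )
        value = int(text)
        if not low <= value <= high:
            raise InvalidAttributeValue(
                f"Invalid value for the parameter {name}: {value} is outside {low}..{high}."
            )
        validated[name] = str(value)
    return validated


def rejection_reason(attributes: Dict[str, str]) -> Optional[str]:
    """The message a request would be rejected with, or None when it is accepted."""
    try:
        validate_queue_attributes(attributes)
    except InvalidAttributeValue as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    # Constructed request: the VisibilityTimeout=99999 case from the entry above.
    print(rejection_reason({"VisibilityTimeout": "99999"}))
```

Validation happens before anything is stored, so a rejected request leaves the queue's existing attributes unchanged, which is the behaviour a client relying on the 400 expects.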
EventBridge — anything-but honors nested prefix / suffix / wildcard content filters — {"anything-but": {"prefix": "TEST-"}} (and suffix / wildcard variants) was silently ignored at dispatch and every event matched regardless of the field value, because the handler only recognized literal and list-of-literal forms. The nested-matcher form per AWS docs is now negated correctly: an event whose field matches the nested filter is excluded. Reported by @aldirrix.
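To make the negation concrete, here is an added example (not the project's dispatch code) implementing the subset of the EventBridge pattern language this entry names: literals, prefix, suffix, wildcard, and anything-but in its literal, list-of-literals and nested-matcher forms. `SAMPLE_PATTERN` and the sample events are constructed; matchers the entry does not mention (numeric, exists, equals-ignore-case) are deliberately left unsupported and raise.

```python
"""Event-pattern matching with the nested anything-but form.

Added example, not the project's own code. Covers literal, prefix, suffix,
wildcard and anything-but (literal / list / nested) matchers only.
"""
import re
from typing import Any, Dict, List


def _as_list(value: Any) -> List[Any]:
    return value if isinstance(value, list) else [value]


def _wildcard_match(value: str, wildcard: str) -> bool:
    # EventBridge wildcards only use "*"; everything else is matched literally.
    regex = ".*".join(re.escape(part) for part in wildcard.split("*"))
    return re.fullmatch(regex, value, re.DOTALL) is not None


def _matches_leaf(value: Any, matcher: Any) -> bool:
    """One element of a pattern array against one event value."""
    if not isinstance(matcher, dict):
        return value == matcher                                   # literal form
    if "prefix" in matcher:
        return isinstance(value, str) and any(value.startswith(p) for p in _as_list(matcher["prefix"]))
    if "suffix" in matcher:
        return isinstance(value, str) and any(value.endswith(s) for s in _as_list(matcher["suffix"]))
    if "wildcard" in matcher:
        return isinstance(value, str) and any(_wildcard_match(value, w) for w in _as_list(matcher["wildcard"]))
    if "anything-but" in matcher:
        excluded = matcher["anything-but"]
        if isinstance(excluded, dict):
            # Nested form: the field matches only when the inner prefix/suffix/wildcard does NOT.
            return not _matches_leaf(value, excluded)
        return value not in _as_list(excluded)                    # literal / list-of-literals form
    raise ValueError(f"unsupported matcher: {matcher!r}")


def matches_pattern(event: Dict[str, Any], pattern: Dict[str, Any]) -> bool:
    """True when every field in pattern is present in event and matches:
    fields are ANDed, elements of a pattern array are ORed, nested objects recurse."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not (isinstance(actual, dict) and matches_pattern(actual, expected)):
                return False
        elif not any(_matches_leaf(actual, m) for m in expected):
            return False
    return True


# Constructed pattern: the case from the entry above, plus a source filter.
SAMPLE_PATTERN: Dict[str, Any] = {
    "source": ["my.app"],
    "detail": {"status": [{"anything-but": {"prefix": "TEST-"}}]},
}


if __name__ == "__main__":
    for status in ("PROD-1", "TEST-1"):
        event = {"source": "my.app", "detail": {"status": status}}  # constructed
        print(status, matches_pattern(event, SAMPLE_PATTERN))
```

The bug described above corresponds to `_matches_leaf` treating a dict under `anything-but` as a literal: a string value is never equal to a dict, so `value not in [matcher]` is always true and every event passes.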
ElastiCache — Redis container respawned after restart — with PERSIST_STATE=1, restored cluster metadata reported CacheClusterStatus=available but the persisted Docker container id no longer existed, so the endpoint was unreachable even though DescribeCacheClusters looked healthy. Restored clusters and replication groups are now marked pending respawn at restore_state time and lazily spawned (under a lock to prevent concurrent first-requests from double-spawning) on the first dispatcher call — endpoint metadata is rewritten to the freshly-spawned container before any caller can read it. Failures are logged once and cleared from the pending set (no retry storm). Reported by @ItsSmiffy.