The platform's standard library adds six Amazon Web Services to the Ax.cloud.aws namespace, callable from server-side JavaScript and Python. Each client wraps the official AWS SDK for Java v2 and exposes a JavaScript-friendly facade — methods accept and return plain objects, errors map to JavaScript exceptions, and pagination is hidden behind iterable result sets.
Credentials resolve through three mechanisms in order : the platform credential store (Ax.ext.user.getCredentialsByType) for centrally-managed rotations, an explicit access-key / secret-key pair for ad-hoc scripts, or the AWS SDK default provider chain — environment variables, instance profile, ECS task role — for deployments where IAM does the binding.
S3 — Simple Storage Service
- Bucket lifecycle. Create, list and delete buckets with DNS-compliant names ; the client enforces the bucket-naming rules at construction time so policy violations surface before the API call.
- Object operations. Upload, download, copy, move and delete objects ; list with prefix filtering for virtual-folder traversal ; signed-URL generation for time-limited public access.
- Virtual filesystem layer. Buckets and objects are mappable to relational rows, with bidirectional synchronisation between the database and the bucket so back-office data and storage stay aligned.
- Streaming I/O. Multi-part upload for large objects ; range-read for partial downloads ; both honour the platform's BLOB streaming so memory stays bounded.
EC2 — Elastic Compute Cloud
- Instance lifecycle. Start, stop, reboot, terminate ; describe state and metadata ; wait-until-running for orchestration scripts that need to block until an instance is reachable.
- Image, key-pair and security-group inventory. List AMIs, key pairs and security groups to drive automated provisioning without leaving the platform.
Lambda
- Function lifecycle. Create, update, wait-until-active and delete — the wait-until-active gate prevents the common race where an immediate invoke fails because the runtime is still initialising.
- Four invocation modes. Synchronous (block for the response), asynchronous via
IOPromise, fire-and-forget event triggering, and concurrent multi-function invocation on virtual threads. - Event-driven integration. Used as the back-end for asynchronous workflows where the platform delegates compute-bound work to serverless functions without standing up a queue.
IAM — Identity and Access Management
- User, account and role inventory. List and inspect users, accounts, roles and the policies attached to each — read-only by design so a misconfigured script cannot escalate privilege.
- Policy queries. Resolve effective permissions on a principal-resource pair for compliance reporting and access reviews.
Pinpoint SMS
- Synchronous and asynchronous delivery. Send transactional (OTP, security alerts) and promotional (marketing) messages with configurable sender identity.
- Delivery telemetry. Per-message status surfaces back to the calling script so business workflows can react to failures rather than fire-and-forget.
CloudFront
- Distribution inventory. List distributions and inspect their configuration for audit and operational review.
- Cache invalidation. Trigger targeted invalidations after a content release so users see the new assets immediately rather than waiting for TTL expiry.
The six clients share a uniform shape — same credential resolution, same error handling, same paging semantics — so a script that talks to S3 reads the same as a script that talks to Lambda. The platform's permission perimeter still applies on the calling side : a role that cannot invoke Ax.cloud.aws.Lambda.invoke cannot reach Lambda even if the underlying AWS credentials would allow it.