add switches to detect read_only APIs

Author: whummer

aws-proxy/AGENTS.md

@@ -40,10 +40,13 @@ Some services have operations that are functionally read-only (don't modify stat
 
 If you find such operations, add them to the service-specific rules in `aws_proxy/server/aws_request_forwarder.py` in the `_is_read_request` method. This ensures that read-only proxy configurations correctly forward these operations rather than blocking them.
 
+**IMPORTANT**: This step is mandatory when adding a new service. Failure to identify non-standard read-only operations will cause `read_only: true` configurations to incorrectly block legitimate read requests.
+
 Example services with non-standard read-only operations:
 - **AppSync**: `EvaluateCode`, `EvaluateMappingTemplate`
 - **IAM**: `SimulateCustomPolicy`, `SimulatePrincipalPolicy`
 - **Cognito**: `InitiateAuth`
+- **DynamoDB**: `Scan`, `BatchGetItem`, `PartiQLSelect`
 
 When adding new integration tests, consider the following:
 * Include a mix of positive and negative assertions (i.e., presence and absence of resources).

aws-proxy/aws_proxy/server/aws_request_forwarder.py

@@ -262,6 +262,18 @@ def _is_read_request(self, context: RequestContext) -> bool:
             "EvaluateMappingTemplate",
         }:
             return True
+        if context.service.service_name == "logs" and operation_name in {
+            "FilterLogEvents",
+            "StartQuery",
+            "GetQueryResults",
+            "TestMetricFilter",
+        }:
+            return True
+        if context.service.service_name == "monitoring" and operation_name in {
+            "BatchGetServiceLevelObjectiveBudgetReport",
+            "BatchGetServiceLevelIndicatorReport",
+        }:
+            return True
         # TODO: add more rules
         return False