Boto3

General Information

Field	Value
Package Name	boto3
Manufacturer / Vendor	Amazon Web Services (AWS)
Software Category	Library
Primary Documentation	Documentation, GitHub, PyPI, AWS SDK Guide
Programming Language(s)	Python
License	Apache License 2.0
Deployed Version(s)	>=1.41.0 (version-locked at 1.40.61–1.42.26 across services)
Most Recent Available Version	1.42.35
Last Review Date	2026-01-27

Overview

Boto3 is the official AWS SDK for Python, maintained and published by Amazon Web Services. It provides an object-oriented API as well as low-level access to AWS services such as Amazon S3, Amazon DynamoDB, and AWS Systems Manager Parameter Store. The SDK is built on top of botocore, which provides the low-level functionality shared between the Python SDK and the AWS CLI. With over 9,700 GitHub stars, boto3 is the de facto standard for Python applications interacting with AWS services and is in the full support phase of its availability lifecycle.

Within the medical device software, boto3 serves as the cloud infrastructure access layer enabling secure storage, configuration management, and persistent data operations across the distributed microservices architecture. It is integrated in several critical capacities:

• Model weight storage: The legithp-expert framework uses S3 to store and retrieve pre-trained AI model weights, downloading them on-demand during expert microservice initialization via the S3Storage adapter
• Configuration management: AWS Systems Manager Parameter Store provides centralized, encrypted configuration for all 60+ expert microservices, including inference parameters, storage credentials, and service endpoints via the SSMSettings provider
• User authentication persistence: The API Gateway uses DynamoDB (via aioboto3 async wrapper) to store user credentials, organization data, and account lockout records through repository pattern implementations
• Audit trail compliance: All API interactions are recorded in DynamoDB for regulatory audit compliance via the DynamoDBCallRecordRepository
• Device labeling: The Control Plane retrieves medical device labeling information (UDI, manufacturer details) from S3 for regulatory compliance

Boto3 was selected over alternatives due to:

• Official support and maintenance by AWS with regular updates and security patches
• Comprehensive coverage of AWS services required by the device (S3, DynamoDB, SSM)
• Well-documented API with extensive examples and integration guides
• Support for both synchronous and asynchronous operations (via aioboto3)
• Native credential chain supporting IAM roles for containerized deployments
• Apache 2.0 license permitting commercial use in medical device software
• Semantic versioning with backwards compatibility guarantees

Functional Requirements

The following functional capabilities of this SOUP are relied upon by the medical device software.

Requirement ID	Description	Source / Reference
FR-001	Create S3 client with configurable credentials and region	boto3.client('s3') with credential parameters
FR-002	Download objects from S3 buckets	s3.get_object() with Bucket and Key parameters
FR-003	Check S3 object existence and metadata	s3.head_object() for existence verification
FR-004	Create SSM client for parameter store access	boto3.client('ssm') with region configuration
FR-005	Retrieve configuration parameters with optional decryption	ssm.get_parameter() with WithDecryption=True
FR-006	Create DynamoDB resource for table operations	boto3.resource('dynamodb') via aioboto3 async wrapper
FR-007	Retrieve items by primary key from DynamoDB tables	table.get_item() with Key parameter
FR-008	Store items in DynamoDB tables	table.put_item() with Item parameter
FR-009	Delete items from DynamoDB tables	table.delete_item() with Key parameter
FR-010	Query DynamoDB tables with key conditions and indexes	table.query() with KeyConditionExpression and IndexName
FR-011	Configure connection timeouts and pool sizes	Config object with connect_timeout, max_pool_connections

Performance Requirements

The following performance expectations are relevant to the medical device software.

Requirement ID	Description	Acceptance Criteria
PR-001	S3 downloads shall complete within acceptable latency for model loading	Model weight downloads complete within service startup SLA
PR-002	DynamoDB operations shall not introduce significant API latency	Database operations < 100ms under normal conditions
PR-003	Connection pooling shall prevent resource exhaustion	Stable connection count under sustained load
PR-004	SSM parameter retrieval shall support fail-fast initialization	Configuration errors detected at startup, not runtime

Hardware Requirements

The following hardware dependencies or constraints are imposed by this SOUP component.

Requirement ID	Description	Notes / Limitations
HR-001	Network interface for AWS API communication	Required for all AWS service interactions
HR-002	Sufficient system memory for response buffering	Memory scales with S3 object sizes being downloaded
HR-003	x86-64 or ARM64 processor architecture	Pre-built wheels available for common platforms

Software Requirements

The following software dependencies and environmental assumptions are required by this SOUP component.

Requirement ID	Description	Dependency / Version Constraints
SR-001	Python runtime environment	Python >=3.9 (Python 3.10+ recommended)
SR-002	Botocore low-level library	Bundled dependency; provides core AWS functionality
SR-003	AWS credentials (IAM role or access keys)	Via default credential chain or explicit configuration
SR-004	Network access to AWS API endpoints	HTTPS connectivity to regional AWS endpoints
SR-005	Async wrapper for non-blocking operations	aioboto3 >=15.4.0 for DynamoDB async operations

Known Anomalies Assessment

This section evaluates publicly reported issues, defects, or security vulnerabilities associated with this SOUP component and their relevance to the medical device software.

Anomaly Reference	Status	Applicable	Rationale	Reviewed At
CVE-2025-50181 (urllib3 redirect bypass)	Open	No	Medium severity (CVSS 5.3) SSRF via redirect policy bypass in urllib3 <2.5.0. Not applicable: the device does not use PoolManager-level redirect configuration and AWS SDK handles redirects internally	2026-01-27
CVE-2025-50182 (urllib3 Pyodide redirect)	Fixed	No	Medium severity (CVSS 5.3) redirect control vulnerability in Pyodide runtime. Not applicable: the device runs in standard Python runtime environment, not Pyodide/browser contexts	2026-01-27
GitHub Issue #3499 (botocore urllib3 version constraint)	Open	No	Botocore constrains urllib3 to <1.27, preventing upgrade to 2.5.0. Not applicable: the device's usage pattern does not expose the vulnerable redirect configuration; AWS SDK uses standard credential flows	2026-01-27

Boto3 is actively maintained by Amazon Web Services with a robust security response process. The project maintains a security policy directing reporters to use AWS's vulnerability reporting page or email aws-security@amazon.com rather than public GitHub issues. According to Snyk's vulnerability database, boto3 itself has no direct known vulnerabilities; reported issues relate to transitive dependencies (urllib3).

The device's usage pattern minimizes attack surface exposure:

• AWS credential chain: The device uses IAM roles when running in AWS infrastructure or environment variables for local deployment; no hardcoded credentials exist in the codebase
• HTTPS-only communication: All AWS API calls use HTTPS with TLS certificate validation
• Internal network isolation: AWS service calls originate from containerized microservices within controlled network boundaries
• No user-supplied AWS parameters: Bucket names, table names, and parameter paths are configured by operators, not derived from user input
• Version locking: Requirements lock files pin boto3 to specific versions (1.40.61–1.42.26) ensuring reproducible deployments
• Connection timeouts: Explicit timeout configuration (5s connect, 30s read) prevents indefinite hangs

Risk Control Measures

The following risk control measures are implemented to mitigate potential security and operational risks associated with this SOUP component:

• Version locking via requirements_lock.txt ensures reproducible, auditable deployments
• IAM roles with least-privilege permissions limit potential blast radius of credential compromise
• All S3 buckets use server-side encryption (SSE-S3 or SSE-KMS) for data at rest
• DynamoDB tables use encryption at rest with AWS-managed keys
• SSM parameters use SecureString type with KMS encryption for sensitive values
• Container isolation limits network access to required AWS endpoints only
• Circuit breaker patterns prevent cascading failures from AWS service unavailability

Assessment Methodology

The following methodology was used to identify and assess known anomalies:

• Sources consulted:

  • National Vulnerability Database (NVD) search for "boto3" and "botocore"
  • GitHub Security Advisories for boto/boto3
  • GitHub Security Advisories for boto/botocore
  • Snyk vulnerability database for boto3
  • Snyk vulnerability database for botocore
  • AWS Security Bulletins and ALAS (Amazon Linux Security Advisories)
  • PyPI package security reports

• Criteria for determining applicability:

  • Vulnerability must affect deployed versions (boto3 1.40.61–1.42.26)
  • Vulnerability must be exploitable through the device's operational context (containerized microservices, IAM authentication)
  • Attack vector must be reachable through the device's interfaces (no user-supplied AWS parameters)
  • Network isolation, credential management, and encryption controls must not already mitigate the vulnerability

Signature meaning

The signatures for the approval process of this document can be found in the verified commits at the repository for the QMS. As a reference, the team members who are expected to participate in this document and their roles in the approval process, as defined in Annex I Responsibility Matrix of the GP-001, are:

• Author: Team members involved
• Reviewer: JD-003, JD-004
• Approver: JD-001