
Amazon Web Services SDK

The Python library boto3 for the AWS SDK is supported. The Python library aws-cdk (v1 and v2) is only supported for AWS Lambdas.

AWS Lambda in AWS deployment frameworks

New in 1.4.0-beta7

The AWS Lambda functions declared in deployment framework configuration files are analyzed by a different extension (com.castsoftware.cloudconfig). The Python analyzer is, however, responsible for creating the link between Lambda Function objects whose runtime property value is consistent with a Python runtime (python3.5, ...) and the corresponding handler (a Python method object) during the application-level analysis step. It is highly recommended to add the com.castsoftware.cloudconfig extension so that proper migration of AWS objects takes place when upgrading the com.castsoftware.python extension from versions < 1.4.0-beta7.

Available in 1.4.0-beta6 and below (deprecated)

Serverless framework, Serverless Application Model (SAM), and Cloudformation are supported. These frameworks use *.yml and *.yaml files (or *.json, currently not supported in this extension) to set up the AWS environment.
Whenever the runtime set in these files is pythonX.Y, the com.castsoftware.python extension is responsible for creating the corresponding Python AWS Lambda Function, Python AWS Lambda Operation (which represents AWS APIGateway events), and Python AWS Simple Queue objects.


In the .yml deployment file below (taken from the Serverless examples for AWS), a Lambda function (hello) is defined and the handler's method name is referenced:

service: aws-python # NOTE: update this with your service name

frameworkVersion: '2'

provider:
  name: aws
  runtime: python3.8
  lambdaHashingVersion: 20201221

functions:
  hello:
    handler: handler.hello

where the Python code of the handler is:

import json


def hello(event, context):
    # Echo the incoming event back in the response body
    body = {
        "message": "Go Serverless v2.0! Your function executed successfully!",
        "input": event,
    }

    return {"statusCode": 200, "body": json.dumps(body)}

The results in Enlighten:

AWS Lambda (Boto3)

Supported API methods (boto3) | Link Type | Caller | Callee
botocore.client.Lambda.invoke | callLink | Python callable artifact | Python Call to AWS Lambda Function
botocore.client.Lambda.invoke_async | callLink | Python callable artifact | Python Call to AWS Lambda Function

A simple example showing the representation of an invocation of an AWS Lambda function:

def func():

AWS SQS (Boto3)

Supported API methods (boto3) | Link Type | Caller | Callee
botocore.client.SQS.send_message | callLink | Python callable artifact | Python AWS SQS Publisher, Python AWS SQS Unknown Publisher
botocore.client.SQS.send_message_batch | callLink | Python callable artifact | Python AWS SQS Publisher, Python AWS SQS Unknown Publisher
botocore.client.SQS.receive_message | callLink | Python AWS SQS Receiver, Python AWS SQS Unknown Receiver | Python callable artifact

Code samples

In this code, a message is published to the "SQS_QUEUE_URL" queue and is received from it:

# Adapted from

import boto3

# Create SQS client
sqs = boto3.client('sqs')

queue_url = 'SQS_QUEUE_URL'

# Receive message from SQS queue
response = sqs.receive_message(QueueUrl=queue_url, ...)


# Adapted from
import boto3

# Create SQS client
sqs = boto3.client('sqs')

queue_url = 'SQS_QUEUE_URL'

# Send message to SQS queue
response = sqs.send_message(QueueUrl=queue_url, ...)

The results derived from the analysis of the above code can be seen in Enlighten:


When the name of the queue passed to the API method calls is not resolvable (either because of unavailability or because of technical limitations), the analyzer will create Unknown Publisher and Receiver objects.
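To make "resolvable" concrete, the sketch below is an added example (not CAST's implementation and not code from the original page): it walks the AST of a constructed sample and reports each SQS call with its queue name when that name is a string literal or a module-level string constant, and as Unknown otherwise. The function name classify_sqs_calls, the sample source and the resolution rule are assumptions made for illustration.

```python
import ast

# Constructed sample source: one queue URL is a module constant, one is run-time only.
SAMPLE = '''
import os
import boto3

sqs = boto3.client("sqs")
queue_url = "SQS_QUEUE_URL"

def send():
    sqs.send_message(QueueUrl=queue_url, MessageBody="hi")

def receive():
    sqs.receive_message(QueueUrl=os.environ["QUEUE"])
'''

# Role names follow the object names used on this page.
SQS_METHODS = {"send_message": "Publisher", "send_message_batch": "Publisher",
               "receive_message": "Receiver"}


def classify_sqs_calls(source):
    """Return (method, object kind, queue) per call; queue is None if unresolved."""
    tree = ast.parse(source)
    # Assumption: only module-level NAME = "literal" assignments are resolved.
    constants = {}
    for node in tree.body:
        if (isinstance(node, ast.Assign) and len(node.targets) == 1
                and isinstance(node.targets[0], ast.Name)
                and isinstance(node.value, ast.Constant)
                and isinstance(node.value.value, str)):
            constants[node.targets[0].id] = node.value.value
    results = []
    for node in ast.walk(tree):
        # Simplification: calls are matched by method name, not by client type.
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr in SQS_METHODS):
            continue
        queue = None
        for kw in node.keywords:
            if kw.arg == "QueueUrl" and isinstance(kw.value, ast.Constant):
                queue = kw.value.value
            elif kw.arg == "QueueUrl" and isinstance(kw.value, ast.Name):
                queue = constants.get(kw.value.id)
        role = SQS_METHODS[node.func.attr]
        results.append((node.func.attr, role if queue else "Unknown " + role, queue))
    return results
```

On the sample, the send_message call resolves to the "SQS_QUEUE_URL" queue, while the receive_message call, whose queue URL comes from the environment, is reported as an Unknown Receiver.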

AWS SNS (Boto3)

There are two different APIs to manage SNS services, one based on a low-level client and the higher-level one based on resources.

Supported API methods (boto3) | Link Type | Caller | Callee | Remarks




Determines the topic

Python callable artifact

Python AWS SNS Publisher,
Python AWS SNS Unknown Publisher, Python SMS

botocore.client.SNS.publish_batch | callLink | Python callable artifact | Python AWS SNS Publisher, Python AWS SNS Unknown Publisher

Python AWS SNS Receiver,
Python AWS SNS Unknown Receiver

Python Call to AWS Lambda Function, 
Python AWS SQS Publisher, Python SMS, Python Email

boto3.resources.factory.sns.create_topic | N/A | N/A | N/A | Determines the topic
boto3.resources.factory.sns.ServiceResource.Topic | N/A | N/A | N/A | Determines the topic
boto3.resources.factory.sns.Topic.publish | callLink | Python callable artifact | Python AWS SNS Publisher, Python AWS SNS Unknown Publisher, Python SMS


Python AWS SNS Receiver,
Python AWS SNS Unknown Receiver

Python Call to AWS Lambda Function, 
Python AWS SQS Publisher, Python SMS, Python Email

boto3.resources.factory.sns.PlatformEndpoint.publish | callLink | Python callable artifact | Python AWS SNS Publisher, Python AWS SNS Unknown Publisher, Python SMS

The supported protocols are the following:


Protocol | Object/s created | Name of the object
email | Python AWS Email | an Email (the email addresses are not evaluated)
http/https | Python POST service request | the url (evaluated from the endpoint)
lambda | Python Call to AWS Lambda Function | the name of the lambda function (evaluated from the endpoint)
sms | Python AWS SMS | an SMS (the SMS numbers are not evaluated)
sqs | Python AWS Simple Queue Service Publisher | the name of the queue (evaluated from the endpoint)


The code example below shows a basic usage of the boto3 library and the results as seen in Enlighten after analysis of the code.

import boto3

client = boto3.client('sns', region_name='eu-west-3')
topicArn1 = client.create_topic( Name = "TOPIC1")['TopicArn']

def publish(topic):
    client.publish(TopicArn=topic, Message='<your message>')

def subscribe(topic):
    client.subscribe(TopicArn=topic, Protocol="email", Endpoint="")
    client.subscribe(TopicArn=topic, Protocol="sms", Endpoint="123456789")
    client.subscribe(TopicArn=topic, Protocol="sqs", Endpoint="arn:partition:service:region:account-id:queueName")
    client.subscribe(TopicArn=topic, Protocol="http", Endpoint="http://foourl")
    client.subscribe(TopicArn=topic, Protocol="lambda", Endpoint="fooarn:function:lambda_name:v2")

The callLink links between the Publisher and the respective Subscribers are created by the Web Services Linker extension during application-level analysis.

For each method a maximum of one subscriber per given topic will be created as shown in the image above. In the absence of a well-resolved topic, the analyzer will create Unknown Publishers and Subscribers. There is no link created between unknown objects.

We can also have direct sms deliveries from calls to publish API methods:

import boto3
AWS_REGION = "us-east-1"

def send_sms_from_resource():
    sns = boto3.resource("sns", region_name=AWS_REGION)
    platform_endpoint = sns.PlatformEndpoint('endpointArn')

def send_sms():
    conn = boto3.client("sns", region_name=AWS_REGION)

Where the corresponding objects and links are:

AWS DynamoDB (Boto3)

See DynamoDB support for Python source code.

AWS S3 (Boto3)

Supported API methods

Link Type (CRUD-like) | Caller | Callee | Other effects
useInsertLink | Python callable artifact | Python S3 Bucket, Python Unknown S3 Bucket
useDeleteLink | Python callable artifact | Python S3 Bucket, Python Unknown S3 Bucket
useSelectLink | Python callable artifact | Python S3 Bucket, Python Unknown S3 Bucket
useUpdateLink | Python callable artifact | Python S3 Bucket, Python Unknown S3 Bucket

Supported API methods (botocore.client.S3)

Link Type (generic) | Caller | Callee | Other effects
callLink | Python callable artifact | Python S3 Bucket, Python Unknown S3 Bucket | Creation of S3 bucket

abort_multipart_upload, complete_multipart_upload,
copy, copy_object, create_multipart_upload,
delete_bucket_analytics_configuration, delete_bucket_cors,
delete_bucket_encryption, delete_bucket_intelligent_tiering_configuration,
delete_bucket_inventory_configuration, delete_bucket_lifecycle,
delete_bucket_metrics_configuration, delete_bucket_ownership_controls,
delete_bucket_policy, delete_bucket_replication, delete_bucket_tagging,
delete_bucket_website, delete_object_tagging, delete_public_access_block,
download_file, download_fileobj, generate_presigned_post,
get_bucket_acl, get_bucket_analytics_configuration, get_bucket_cors,
get_bucket_encryption, get_bucket_intelligent_tiering_configuration,
get_bucket_inventory_configuration, get_bucket_lifecycle,
get_bucket_lifecycle_configuration, get_bucket_location,
get_bucket_logging, get_bucket_metrics_configuration, get_bucket_notification,
get_bucket_notification_configuration, get_bucket_ownership_controls,
get_bucket_policy, get_bucket_policy_status, get_bucket_replication,
get_bucket_request_payment, get_bucket_tagging, get_bucket_versioning,
get_bucket_website, get_object_acl, get_object_legal_hold,
get_object_lock_configuration, get_object_retention, get_object_tagging,
get_object_torrent, get_public_access_block,
head_bucket, head_object,
list_bucket_analytics_configurations, list_bucket_intelligent_tiering_configurations,
list_bucket_inventory_configurations, list_bucket_metrics_configurations,
list_multipart_uploads, list_object_versions, list_parts,
put_bucket_accelerate_configuration, put_bucket_acl,
put_bucket_cors, put_bucket_encryption, put_bucket_intelligent_tiering_configuration,
put_bucket_inventory_configuration, put_bucket_lifecycle, put_bucket_lifecycle_configuration,
put_bucket_metrics_configuration, put_bucket_notification,
put_bucket_ownership_controls, put_bucket_policy, put_bucket_replication,
put_bucket_request_payment, put_bucket_tagging, put_bucket_versioning,
put_bucket_website, put_object_acl, put_object_legal_hold, put_object_lock_configuration,
put_object_retention, put_object_tagging, put_public_access_block, restore_object,
select_object_content, upload_file, upload_fileobj, upload_part, upload_part_copy

callLink | Python callable artifact | Python S3 Bucket, Python Unknown S3 Bucket

In the absence of a create_bucket call, references to buckets in other method calls are used to create table objects. If the name is well resolved, a regular S3 Bucket is created; otherwise an Unknown S3 Bucket is created. A maximum of one Unknown S3 Bucket per file is created; however, a maximum of one per project (as is already the case in analyzers for other languages such as TypeScript) is under consideration by CAST.

The long list of methods added to the last row in the table above corresponds to methods that act on S3 Buckets, presumably using the AWS SDK API behind the scenes (those few methods acting only on the boto3 client object are not considered).


AWS Lambda (AWS-CDK)

Supported API (aws_cdk, v1 and v2)

Link type

Creates object (caller)


Support details

aws_cdk.aws_lambda.Function | callLink | Python AWS Lambda Function | Python Method
aws_cdk.aws_lambda.CfnFunction | callLink | Python AWS Lambda Function | Python Method
aws_cdk.aws_lambda_python.PythonFunction | callLink | Python AWS Lambda Function | Python Method | default runtime = python | Only cdk v1
aws_cdk.aws_lambda_python_alpha.PythonFunction | callLink | Python AWS Lambda Function | Python Method | default runtime = python | Only cdk v2

"from_image" not supported

Determines the runtime
aws_cdk.aws_lambda.Code.from_inline | N/A | N/A | N/A | code argument supported | Determines the handler
aws_cdk.aws_lambda.Code.inline | N/A | N/A | N/A | code argument supported | Determines the handler (deprecated in cdk v1)
aws_cdk.aws_lambda.Code.from_asset | N/A | N/A | N/A | path argument supported | Determines the handler
aws_cdk.aws_lambda.Code.asset | N/A | N/A | N/A | path argument supported | Determines the handler (deprecated in cdk v1)
aws_cdk.aws_lambda.InlineCode | N/A | N/A | N/A | code argument supported | Determines the handler
aws_cdk.aws_lambda.AssetCode | N/A | N/A | N/A | path argument supported | Determines the handler
aws_cdk.aws_lambda.AssetCode.from_asset | N/A | N/A | N/A | path argument supported | Determines the handler


  • Monolithic pattern for lambda functions is not properly supported