Customer compliance and security during the post-quantum cryptographic migration
Security Blog
This article discusses customer compliance and security during the migration to post-quantum cryptography. It covers the shared responsibility between AWS and customers in enabling quantum-resistant algorithms for secure connections to AWS services.
Specifically, the article covers:
- AWS's process of introducing post-quantum (PQ) hybrid key exchanges in TLS, SSH, and VPN connections to provide quantum resistance while maintaining backwards compatibility
- The decision to prioritize quantum-resistant algorithms over classical algorithms when both client and server support PQ key exchanges, even if it introduces a slight delay
- How AWS services like KMS, ACM, and Secrets Manager will send a HelloRetryRequest to trigger the use of mutually supported PQ key exchanges
- Steps customers can take to verify PQ key exchange support on AWS endpoints and enable PQ algorithms on their clients
- The shared responsibility where AWS prioritizes quantum resistance on the server side, while customers must enable it on their client applications
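
The server-side preference and HelloRetryRequest behaviour summarized in the list above, modelled as an added example (not AWS's code and not taken from the article). The group names are IANA TLS named groups that the summary does not mention; the preference order, function names and sample clients are assumptions made for illustration.

```python
# Model of a TLS 1.3 server that prefers PQ hybrid key exchange over classical.
# Assumption: group names and ordering are illustrative, not AWS's configuration.
PQ_HYBRID = ("X25519MLKEM768", "SecP256r1MLKEM768")
CLASSICAL = ("x25519", "secp256r1")
SERVER_PREFERENCE = PQ_HYBRID + CLASSICAL


def select_key_exchange(supported_groups, key_shares, already_retried=False):
    """Decide the server's reply to one ClientHello.

    supported_groups: groups the client advertises (supported_groups extension).
    key_shares: groups the client sent a public key for (key_share extension).
    Returns (action, group).
    """
    mutual = [g for g in SERVER_PREFERENCE if g in supported_groups]
    if not mutual:
        return ("handshake_failure", None)
    best = mutual[0]  # PQ hybrid wins whenever both sides support it
    if best in key_shares:
        return ("server_hello", best)
    if already_retried:
        # Only one HelloRetryRequest is allowed per handshake (RFC 8446).
        return ("illegal_parameter", None)
    # Client supports the group but sent no key share for it: ask it to retry.
    return ("hello_retry_request", best)


def handshake(supported_groups, initial_key_shares):
    """Simulate the exchange; return (negotiated_group, round_trips, is_pq)."""
    action, group = select_key_exchange(supported_groups, initial_key_shares)
    round_trips = 1
    if action == "hello_retry_request":
        # The client resends ClientHello with a key share for the requested group.
        action, group = select_key_exchange(supported_groups, [group], True)
        round_trips = 2  # the "slight delay" of prioritizing PQ
    if action != "server_hello":
        return (None, round_trips, False)
    return (group, round_trips, group in PQ_HYBRID)


if __name__ == "__main__":
    # Constructed sample clients: (name, supported_groups, initial key shares)
    clients = [
        ("classical-only", ["x25519", "secp256r1"], ["x25519"]),
        ("pq-capable, classical share", ["x25519", "X25519MLKEM768"], ["x25519"]),
        ("pq-first", ["X25519MLKEM768", "x25519"], ["X25519MLKEM768"]),
    ]
    for name, groups, shares in clients:
        print(name, handshake(groups, shares))
```

A client that never lists a PQ hybrid group in its supported groups stays on classical key exchange regardless of the server's preference, which is the customer side of the shared responsibility.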
Related articles
- Dec 5, 2024: AWS post-quantum cryptography migration plan
- Nov 11, 2025: Accenture and AWS accelerate customer’s post-quantum cryptography journey
- May 14, 2026: Automating post-quantum cryptography readiness using AWS Config
- Nov 21, 2025: AWS Payments Cryptography announces support for post-quantum cryptography to secure data in transit