Automating post-quantum cryptography readiness using AWS Config
Security Blog
This article introduces the PQC Readiness Scanner, an automated AWS Config tool for assessing post-quantum cryptography readiness across TLS endpoints.
- Inventories ALB, NLB, and API Gateway endpoints for PQC migration readiness
- Classifies endpoints into three tiers based on TLS 1.3 and PQC key exchange support
  - Tier 1: TLS 1.3 only with PQC (optimal, no action needed)
  - Tier 2: TLS 1.2 and 1.3 with PQC (low priority, backward compatible)
  - Tier 3: No PQC support (high priority, requires immediate upgrade)
- Built using AWS Config conformance packs with Lambda-powered custom rules
- Supports single-account and multi-account (Organizations) deployment via CloudFormation StackSets
- Provides continuous monitoring and audit-ready compliance reporting
The scanner automates PQC migration planning by identifying which endpoints need quantum-resistant cryptography upgrades first, reducing manual configuration reviews.
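The tiering logic above is straightforward enough to show as code. The following Python is an added example, not the PQC Readiness Scanner's own code or any AWS sample: it classifies constructed endpoint records into the three tiers described above, emits evaluations in the shape an AWS Config custom rule Lambda hands to `put_evaluations`, and orders endpoints so that Tier 3 comes first. The `Endpoint` record, the `tls_versions`/`pqc_key_exchange` fields and the sample inventory are assumptions; in a real rule those values would be collected from the ELBv2 and API Gateway APIs.

```python
"""Tier classification for TLS endpoints, modelled on the three tiers of the
PQC Readiness Scanner. Added illustration; not the scanner's own code."""
from dataclasses import dataclass
from typing import FrozenSet, List, Dict

# Canonical protocol-version labels used in the constructed records below.
TLS12 = "TLSv1.2"
TLS13 = "TLSv1.3"


@dataclass(frozen=True)
class Endpoint:
    """Hypothetical inventory record. The field names are assumptions made for
    this example; the real scanner derives them from listener/domain-name
    configuration (ALB, NLB, API Gateway)."""
    resource_id: str
    resource_type: str            # e.g. "AWS::ElasticLoadBalancingV2::Listener"
    tls_versions: FrozenSet[str]  # protocol versions the endpoint will negotiate
    pqc_key_exchange: bool        # hybrid post-quantum key exchange enabled?


# Tier number -> (description, priority) exactly as the article lists them.
TIER_INFO = {
    1: ("TLS 1.3 only with PQC", "optimal, no action needed"),
    2: ("TLS 1.2 and 1.3 with PQC", "low priority, backward compatible"),
    3: ("No PQC support", "high priority, requires immediate upgrade"),
}


def classify(ep: Endpoint) -> int:
    """Map an endpoint to Tier 1, 2 or 3."""
    # Hybrid PQC key exchange is a TLS 1.3 feature: a record that claims PQC
    # without TLS 1.3 cannot actually negotiate it, so it is treated as Tier 3.
    if not ep.pqc_key_exchange or TLS13 not in ep.tls_versions:
        return 3
    if ep.tls_versions == frozenset({TLS13}):
        return 1
    # TLS 1.3 with PQC plus any older version (1.2 or earlier) is backward
    # compatible but still reachable without PQC: Tier 2.
    return 2


def evaluate(endpoints: List[Endpoint]) -> List[Dict[str, str]]:
    """Build AWS Config evaluation entries. Only Tier 3 is reported as
    NON_COMPLIANT; the tier text goes into the Annotation so the Config
    console and conformance-pack reports show it. A Lambda rule would add
    OrderingTimestamp and pass these to config.put_evaluations()."""
    out = []
    for ep in endpoints:
        tier = classify(ep)
        desc, priority = TIER_INFO[tier]
        out.append({
            "ComplianceResourceType": ep.resource_type,
            "ComplianceResourceId": ep.resource_id,
            "ComplianceType": "NON_COMPLIANT" if tier == 3 else "COMPLIANT",
            "Annotation": f"Tier {tier}: {desc} ({priority})",
        })
    return out


def migration_order(endpoints: List[Endpoint]) -> List[str]:
    """Resource ids ordered for migration planning: Tier 3 first, then Tier 2,
    then Tier 1. sorted() is stable, so inventory order is kept within a tier."""
    return [ep.resource_id
            for ep in sorted(endpoints, key=classify, reverse=True)]


# Constructed sample inventory (not real resources).
SAMPLE_ENDPOINTS = [
    Endpoint("alb-listener-a", "AWS::ElasticLoadBalancingV2::Listener",
             frozenset({TLS13}), True),
    Endpoint("nlb-listener-b", "AWS::ElasticLoadBalancingV2::Listener",
             frozenset({TLS12, TLS13}), True),
    Endpoint("apigw-domain-c", "AWS::ApiGateway::DomainName",
             frozenset({TLS12}), False),
    Endpoint("alb-listener-d", "AWS::ElasticLoadBalancingV2::Listener",
             frozenset({TLS12, TLS13}), False),
]

if __name__ == "__main__":
    for ev in evaluate(SAMPLE_ENDPOINTS):
        print(ev["ComplianceResourceId"], ev["ComplianceType"], ev["Annotation"])
    print("migration order:", migration_order(SAMPLE_ENDPOINTS))
```

Reporting only Tier 3 as NON_COMPLIANT keeps the conformance pack's compliance score meaningful (it tracks endpoints that still lack PQC), while the Annotation preserves the finer Tier 1/2 distinction for planning.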
Related articles
- Dec 5, 2024: AWS post-quantum cryptography migration plan
- Nov 11, 2025: Accenture and AWS accelerate customer’s post-quantum cryptography journey
- Nov 21, 2025: AWS Application and Network Load Balancers Now Support Post-Quantum Key Exchange for TLS
- Jun 13, 2025: How to create post-quantum signatures using AWS KMS and ML-DSA