Amazon S3 now supports post-quantum TLS key exchange on S3 endpoints
Amazon S3 now supports post-quantum TLS key exchange on regional S3, S3 Tables, and S3 Express One Zone endpoints, giving customers post-quantum cryptography options for encrypting their data in transit. All regional S3, S3 Tables, and S3 Express One Zone endpoints now support the Module-Lattice-Based Key-Encapsulation Mechanism (ML-KEM), one of the post-quantum cryptographic algorithms standardized by the National Institute of Standards and Technology (NIST). Through the new PQ-TLS key exchange, Amazon S3 now supports quantum-resistant cryptography for the encryption of data in transit. Combined with Amazon S3’s server-side encryption by default, which uses AES-256, this support offers customers quantum-resistant encryption both in transit and at rest.
Post-quantum TLS key exchange for Amazon S3 is available to all clients configured to use the ML-KEM key exchange algorithm. Such clients receive the benefits of the post-quantum TLS key exchange because Amazon S3 automatically negotiates the highest TLS protocol version that your client software supports.
Post-quantum TLS key exchange for Amazon S3 is supported at no additional cost on all regional S3, S3 Tables, and S3 Express One Zone endpoints in all AWS Regions. To learn more about PQ-TLS support in Amazon S3, visit our documentation.