AWS Post-Quantum Confidentiality Readiness
Explore per-service status and resources for protecting data in transit against "harvest now, decrypt later" attacks.
PQ Key Exchange Support in AWS Services
| Service Name | Status of ML-KEM support for quantum-resistant confidentiality | Shared Responsibility: Transparent or Opt-In | Observability and Governance | Additional Notes and Resources |
|---|---|---|---|---|
| AWS Certificate Manager (ACM) | Hybrid PQ key exchange launched in FIPS & non-FIPS endpoints, in commercial and US GovCloud regions. | Transparent. Customers must update clients. | CloudTrail events, through tlsDetails, provide TLS version, cipher suite, and key exchange. | This row covers TLS security for data exchanged with public service endpoints. For details on public and private certificate types supported by ACM, refer to ACM documentation. |
| Amazon CloudFront | Connections between TLS client and CloudFront POP prefer hybrid PQ key exchange. | Transparent. No action needed by customers. End users should use updated web browsers or client applications as appropriate. | Coming soon. | Read the What's New post announcing automatically enabled support for hybrid PQ key exchange. Explore service documentation. Note: For client-to-edge connections, PQC support is available on all existing security policies by default, requiring no reconfiguration by customers. For connections to origin servers, support is coming soon. |
| AWS CloudHSM | On the control plane, hybrid PQ key exchange launched in FIPS & non-FIPS endpoints, in commercial and US GovCloud regions. | Transparent. Customers must update clients used to make control plane calls. | CloudTrail includes TLS version and cipher suite. Key exchange coming soon. | This row covers TLS security for data exchanged with public service endpoints. On the data plane, HSM instances are accessed by your clients within your VPC, over a channel that is encrypted end-to-end between your client and your HSM instance (learn more). For details on algorithms and key types supported within CloudHSM for direct use by your workloads, refer to CloudHSM documentation. |
| Elastic Load Balancing: Application Load Balancer (ALB) | TLS policies that prefer hybrid PQ key exchange are available for customers to apply to listeners. | Opt-in: Customers must update listener configuration via API or console. | Connection logs include keyExchange (documentation). IAM condition keys support an allowlist of PQ-ready SSL policies and a denylist of legacy SSL policies (learn more). | Read the What's New post announcing support for hybrid PQ key exchange. |
| Elastic Load Balancing: Network Load Balancer (NLB) | TLS policies that prefer hybrid PQ key exchange are available for customers to apply to listeners. | Opt-in: Customers must update listener configuration via API or console. | Access logs include keyExchange (documentation). | Read the What's New post announcing support for hybrid PQ key exchange. |
| AWS Key Management Service (KMS) | Hybrid PQ key exchange launched in FIPS & non-FIPS endpoints, in commercial and US GovCloud regions. | Transparent. Customers must update clients. | CloudTrail events, through tlsDetails, provide TLS version, cipher suite, and key exchange. | Read the launch blog, including in-depth performance analysis of hybrid PQ key exchange. Refer to service documentation. Explore the hands-on Builder Workshop. Note: This row covers TLS security for data exchanged with public service endpoints. For details on algorithms and key types supported within KMS for direct use by your workloads, refer to KMS documentation. |
| AWS Payment Cryptography (APC) | Hybrid PQ key exchange launched in FIPS & non-FIPS endpoints, in commercial and US GovCloud regions. | Transparent. Customers must update clients. | CloudTrail events, through tlsDetails, provide TLS version, cipher suite, and key exchange. | Read the launch announcement. |
| AWS Secrets Manager (ASM) | Hybrid PQ key exchange launched in FIPS & non-FIPS endpoints, in commercial and US GovCloud regions. | Transparent. Customers must update clients. | CloudTrail includes TLS version, cipher suite, and key exchange. | Read the launch blog, including in-depth performance analysis of hybrid PQ key exchange. Note: As of April 2026, current versions of all caching clients, including the Secrets Manager Agent, enable and prefer hybrid PQ key exchange by default (learn more). |
| Amazon Simple Storage Service (S3) | Hybrid PQ key exchange launched in FIPS & non-FIPS endpoints, in commercial and US GovCloud regions. | Transparent. Customers must update clients. | Data plane logs include TLS version and cipher suite, with key exchange coming soon. IAM condition keys support enforcing use of TLS to access buckets. | Read the launch announcement. Explore service documentation. |
| AWS Transfer Family (SFTP domains) | SFTP configurations that prefer ML-KEM are available for customers to apply. | Opt-in: Customers must update SFTP endpoint configuration. | SFTP logs include cipher suite and key exchange. | Read the blog post to understand how AWS Transfer Family supports post-quantum hybrid SFTP file transfers. Refer to service documentation for in-depth guidance on upgrading your SFTP endpoint and the clients that connect to it. |
Learn More about Migrating to PQC
To explore resources on your migration to PQC, visit PQC Migration Strategies or Contact Us.