Amazon S3 now supports post-quantum TLS key exchange
Amazon S3 now supports post-quantum TLS key exchange on regional S3 endpoints, giving customers post-quantum cryptography options for encrypting their data in transit. Regional S3 endpoints now support the Module-Lattice-Based Key-Encapsulation Mechanism (ML-KEM), one of the post-quantum cryptographic algorithms standardized by the National Institute of Standards and Technology (NIST). Through the new PQ-TLS key exchange, Amazon S3 now supports quantum-resistant cryptography for the encryption of data in transit. This new support, combined with Amazon S3's server-side encryption by default utilizing AES-256 algorithms, offers customers quantum-resistant encryption both in transit and at rest.
Post-quantum TLS key exchange for Amazon S3 is available to all clients configured to use the ML-KEM key exchange algorithm. Such clients receive the benefits of the post-quantum TLS key exchange because Amazon S3 automatically negotiates the highest TLS protocol version that your client software supports.
Post-quantum TLS key exchange for Amazon S3 is supported at no additional cost on regional S3 endpoints in all Amazon Web Services Regions, including the Amazon Web Services China (Beijing) Region, operated by Sinnet, and the Amazon Web Services China (Ningxia) Region, operated by NWCD. To learn more about PQ-TLS support in Amazon S3, visit our documentation.