IAM Roles Anywhere now supports post-quantum digital certificates
Amazon Identity and Access Management (IAM) Roles Anywhere now supports the FIPS 204 Module-Lattice Digital Signature Standard (ML-DSA), a quantum-resistant digital signature algorithm standardized by the National Institute of Standards and Technology (NIST) to help protect against threat actors in possession of a large-scale quantum computer. ML-DSA is particularly valuable for IAM Roles Anywhere customers who authenticate workloads to Amazon using X.509 certificates issued by certificate authorities, where a weakened signature algorithm could allow an unintended user to issue certificates and obtain unauthorized access.
IAM Roles Anywhere enables workloads running outside of Amazon to obtain temporary Amazon credentials using X.509 certificates to access Amazon Web Services resources. You establish trust between your Amazon Web Services environment and your public key infrastructure (PKI) by creating a trust anchor, either by referencing your Amazon Private Certificate Authority or by registering your own certificate authorities (CAs) with IAM Roles Anywhere. You can now use ML-DSA-signed CA certificates as IAM Roles Anywhere trust anchors, and issue end-entity certificates bound to ML-DSA keys.
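As an added example (not from the announcement, and not AWS or IAM Roles Anywhere tooling), the Python below reads the signatureAlgorithm OID out of a DER-encoded certificate and reports whether a trust-anchor CA or end-entity certificate was signed with ML-DSA, the kind of inventory check a migration to post-quantum trust anchors needs. It assumes the NIST CSOR OIDs 2.16.840.1.101.3.4.3.17, .18 and .19 for ML-DSA-44/65/87; the sample certificates are constructed stand-ins, not real certificates.

```python
# ML-DSA signature OIDs from the NIST CSOR arc (id-ml-dsa-44/65/87); assumed, see lead-in.
ML_DSA_OIDS = {"2.16.840.1.101.3.4.3.17": "ML-DSA-44",
               "2.16.840.1.101.3.4.3.18": "ML-DSA-65",
               "2.16.840.1.101.3.4.3.19": "ML-DSA-87"}

def _tlv(buf, pos):
    """Read one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(raw):
    """Decode DER OID contents to dotted form (base-128 arcs, first byte = 40*a + b)."""
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc); acc = 0
    return ".".join(map(str, arcs))

def signature_algorithm_oid(cert_der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }."""
    tag, cert, _ = _tlv(cert_der, 0)
    assert tag == 0x30, "not a DER SEQUENCE"
    _, _tbs, pos = _tlv(cert, 0)                         # skip tbsCertificate
    _, alg, _ = _tlv(cert, pos)                          # AlgorithmIdentifier
    oid_tag, oid, _ = _tlv(alg, 0)
    assert oid_tag == 0x06, "AlgorithmIdentifier must start with an OID"
    return _decode_oid(oid)

def classify(cert_der):
    """('post-quantum', 'ML-DSA-65') for ML-DSA-signed certs, else ('classical', <oid>)."""
    oid = signature_algorithm_oid(cert_der)
    return ("post-quantum", ML_DSA_OIDS[oid]) if oid in ML_DSA_OIDS else ("classical", oid)

# Constructed stand-ins for offline use: empty tbsCertificate, a real AlgorithmIdentifier,
# and an empty signature. They are NOT valid certificates; real ones come from your PKI.
def _der(tag, payload):
    assert len(payload) < 128                            # short-form length suffices here
    return bytes([tag, len(payload)]) + payload
def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for a in arcs[2:]:
        chunk, a = [a & 0x7F], a >> 7
        while a:
            chunk.append((a & 0x7F) | 0x80); a >>= 7
        out += reversed(chunk)
    return _der(0x06, bytes(out))
def fake_cert(sig_oid):
    return _der(0x30, _der(0x30, b"") + _der(0x30, _encode_oid(sig_oid)) + _der(0x03, b"\x00"))
```

To audit a real certificate, pass the DER bytes of the PEM-decoded file; the check inspects only the signature algorithm, not the subject public key, so an ML-DSA key inside an RSA-signed certificate would still read as classical.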
IAM Roles Anywhere is available in the Amazon Web Services China (Beijing) Region, operated by Sinnet, and the Amazon Web Services China (Ningxia) Region, operated by NWCD. To learn more, see the IAM Roles Anywhere User Guide.