ML-KEM post-quantum TLS

ML-KEM post-quantum TLS is now compatible with Secrets Manager, ACM, and AWS KMS

Amazon Web Services (AWS) announces that three AWS services now use the most recent hybrid post-quantum key agreement standards for TLS.

These three AWS services previously supported CRYSTALS-Kyber, the predecessor of ML-KEM. ML-KEM will replace CRYSTALS-Kyber across all AWS service endpoints in 2026.

AWS Libcrypto (AWS-LC), an open-source FIPS 140-3 validated cryptographic library, and s2n-tls are used across AWS service HTTPS endpoints, enabling hybrid post-quantum key agreement negotiation.

Switching from a classical to a hybrid post-quantum key agreement adds roughly 1600 bytes to the TLS handshake, and the ML-KEM cryptographic operations add 80–150 microseconds of processing time.

Hybrid post-quantum TLS connections used X25519 combined with ML-KEM-768 for key agreement, whereas classical TLS connections to AWS KMS used P-256.

According to AWS, the maximum transactions per second (TPS) dropped by only 2.3% when SDK settings were modified to force a fresh TLS handshake for each request.

Customers using the general release of the AWS SDK for Java v2 can upgrade from CRYSTALS-Kyber to ML-KEM without code modifications.

Depending on the network path a request takes, intermediary hosts, proxies, or deep packet inspection (DPI) firewalls may reject a hybrid post-quantum TLS connection.

When TLS connections are reused, hybrid post-quantum TLS may not affect performance at all: invoking AWS KMS GenerateDataKey reduced the maximum transactions per second by only 0.05 percent.

AWS customers must update their TLS clients and SDKs to ensure that ML-KEM key agreement is used when connecting to AWS service HTTPS endpoints.
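Added example (not AWS, AWS-LC or s2n-tls code): a small parser for the supported_groups and key_share extensions of a TLS 1.3 ClientHello that checks whether a client actually offers the hybrid group X25519MLKEM768, and shows how much the hybrid key share enlarges the message. The ClientHello bytes are constructed here with placeholder key material; the code points 0x11EC (X25519MLKEM768) and 0x11EB (SecP256r1MLKEM768) are the IANA registrations from draft-ietf-tls-ecdhe-mlkem, and the group ids, share sizes and helper names are this example's own.

```python
import struct
# IANA TLS "Supported Groups" code points; the hybrid ones come from draft-ietf-tls-ecdhe-mlkem.
SECP256R1, X25519, X25519MLKEM768 = 0x0017, 0x001D, 0x11EC
HYBRID_PQ_GROUPS = {0x11EB, 0x11EC}              # SecP256r1MLKEM768, X25519MLKEM768

def build_client_hello(groups, key_shares):
    """Constructed minimal TLS 1.3 ClientHello handshake message (no 5-byte record header)."""
    sg = b"".join(struct.pack("!H", g) for g in groups)
    ks = b"".join(struct.pack("!HH", g, len(k)) + k for g, k in key_shares)
    exts = (struct.pack("!HHH", 0x000A, len(sg) + 2, len(sg)) + sg      # supported_groups
            + struct.pack("!HHH", 0x0033, len(ks) + 2, len(ks)) + ks)   # key_share
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"    # legacy_version, random, empty session_id
            + b"\x00\x02\x13\x01" + b"\x01\x00"      # one cipher suite, null compression only
            + struct.pack("!H", len(exts)) + exts)
    return b"\x01" + len(body).to_bytes(3, "big") + body   # handshake type 1 = client_hello

def parse_client_hello(msg):
    """Return (offered group ids in preference order, {group id: key_share length})."""
    if msg[0] != 1:
        raise ValueError("not a ClientHello")
    p = 4 + 2 + 32                                   # handshake header, legacy_version, random
    p += 1 + msg[p]                                  # session_id
    p += 2 + struct.unpack("!H", msg[p:p + 2])[0]    # cipher_suites
    p += 1 + msg[p]                                  # compression_methods
    ext_end = p + 2 + struct.unpack("!H", msg[p:p + 2])[0]
    p += 2
    groups, shares = [], {}
    while p < ext_end:
        etype, elen = struct.unpack("!HH", msg[p:p + 4])
        data = msg[p + 4:p + 4 + elen]
        if etype == 0x000A:                          # supported_groups: 2-byte length + 2-byte ids
            n = struct.unpack("!H", data[:2])[0]
            groups = [struct.unpack("!H", data[2 + i:4 + i])[0] for i in range(0, n, 2)]
        elif etype == 0x0033:                        # key_share: 2-byte length + (group, len, key)*
            q, n = 2, struct.unpack("!H", data[:2])[0]
            while q < 2 + n:
                g, klen = struct.unpack("!HH", data[q:q + 4])
                shares[g] = klen
                q += 4 + klen
        p += 4 + elen
    return groups, shares

def offers_hybrid_pq(msg):
    groups, shares = parse_client_hello(msg)       # True only if a hybrid group is listed AND a share is sent
    return any(g in HYBRID_PQ_GROUPS for g in groups) and any(g in HYBRID_PQ_GROUPS for g in shares)

# Constructed samples: an X25519MLKEM768 share is the 1184-byte ML-KEM-768 encapsulation key followed
# by a 32-byte X25519 public key (1216 bytes); placeholder bytes stand in for real key material.
HYBRID_HELLO = build_client_hello([X25519MLKEM768, X25519, SECP256R1], [(X25519MLKEM768, b"\xAA" * 1216), (X25519, b"\xBB" * 32)])
CLASSICAL_HELLO = build_client_hello([X25519, SECP256R1], [(X25519, b"\xBB" * 32)])
```

A ClientHello taken from a packet capture can be passed to parse_client_hello after stripping the 5-byte TLS record header; comparing len(HYBRID_HELLO) with len(CLASSICAL_HELLO) shows the extra bytes that a size-sensitive middlebox would see.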