← Week 4: Migration Planning

Day 24: AWS PQC Initiatives — s2n-tls, aws-lc, KMS, ACM

Phase 3 · July 31, 2026

Agenda (2–3 hours)

  • Read (60 min): AWS Security blog: "Preparing for post-quantum cryptography"; s2n-tls GitHub README (PQC section); aws-lc-rs README
  • Study (45 min): What AWS has shipped, what's on the roadmap, what it means for your stack
  • Challenge (45 min): AWS-specific dependency audit

AWS's PQC Stack

Amazon has invested heavily in PQC infrastructure:

Component         Status                               Notes
----------------  -----------------------------------  ----------------------------------
s2n-tls           X25519Kyber768 ✓, X25519MLKEM768 ✓   Amazon's TLS library (C)
aws-lc            ML-KEM, ML-DSA, SLH-DSA ✓            Crypto library (C, BoringSSL fork)
aws-lc-rs         ML-KEM, ML-DSA ✓                     Rust bindings to aws-lc
rustls-aws-lc-rs  X25519MLKEM768 ✓                     Rust TLS with PQC
AWS KMS           ML-KEM roadmap                       Key management
AWS CloudHSM      PQC roadmap                          Hardware key protection
ACM Private CA    PQC roadmap                          CA service
AWS IoT           Evaluation                           Device provisioning

s2n-tls: Amazon's TLS Library

s2n-tls is used internally across AWS (including ELB, API Gateway, CloudFront).
It has had hybrid PQC key exchange since 2022.

// s2n-tls PQC usage (C, for context)
#include <s2n.h>
struct s2n_config *config = s2n_config_new();
if (s2n_config_set_cipher_preferences(config, "PQ-TLS-1-3-2023-06-01") != S2N_SUCCESS) { /* policy name unknown to this s2n-tls build */ }
// This preference list includes X25519Kyber768 as the preferred group

Implication for your Lambda service: API Gateway and ALB in front of your Lambda
may already be negotiating hybrid TLS for inbound connections.
The Lambda → downstream service connection (using reqwest/hyper → rustls) is what you control.

aws-lc-rs: Your Rust PQC Library

aws-lc-rs is the production PQC library for Rust at AWS:

aws-lc-rs/
├── kem/        ML-KEM-512, ML-KEM-768, ML-KEM-1024
├── signature/  ML-DSA-44, ML-DSA-65, ML-DSA-87
│               SLH-DSA variants
│               ECDSA (P-256, P-384, P-521)
│               Ed25519, Ed448
├── agreement/  X25519, P-256, P-384 (classical)
└── hkdf, digest, aead, ...

Used in production by: Amazon, Rust Foundation (for crates.io TLS), Mozilla (planned).

ACM Private CA Roadmap

AWS Certificate Manager Private CA (ACM PCA) is the service your team likely uses
or coordinates with for certificate issuance.

Current state (2026): ACM PCA supports ECDSA P-256, P-384, RSA 2048/4096.
PQC roadmap: ML-DSA support announced but no GA date confirmed.

What to watch:

  • ACM PCA ML-DSA support announcement
  • CloudHSM PQC key material support
  • ACM PCA support for custom certificate templates with PQC extensions

When ACM PCA supports ML-DSA: your team can issue PQC certs without running
your own CA infrastructure. This may be the easiest migration path.

AWS IoT Core and Device Provisioning

AWS IoT Core is relevant because Amazon Leo may use it for device fleet management.

IoT device certificates have two phases:

  1. Bootstrap cert: used to authenticate the device on first connection
  2. Operational cert: provisioned during first connection, used thereafter

Both phases need PQC migration:

  • Bootstrap certs burned into hardware (long lifetime, HNDL risk)
  • Operational certs issued by your service (shorter lifetime, more manageable)

The hard problem: updating bootstrap certs on deployed satellite terminals
may require physical access or a firmware update mechanism.

Challenge Assignment

Perform an AWS service dependency audit for your provisioning service:

For each AWS service your team uses or depends on, document:

Service      Used for         PQC gap                 Migration path           ETA
-----------  ---------------  ----------------------  -----------------------  -----
ACM PCA      Cert issuance    ML-DSA not supported    Wait for ACM PCA update  2027?
CloudHSM     CA key storage   PQC keys not supported  Wait for CloudHSM PQC    2027?
Lambda       Service runtime  No gap                  aws-lc-rs in code        Now
API Gateway  TLS termination  Hybrid available?       Check ALB/APIGW config   2026
DynamoDB     State storage    No gap
...

Save to your migration roadmap as "AWS Service Dependencies."
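One way to fill in the Lambda row of this audit (the reqwest/hyper → rustls path you control, as described under s2n-tls above), added here as example code rather than anything shipped by AWS or this course: it reads a Cargo.lock with a small hand-written parser and reports which crypto provider sits under rustls. The lock file contents are constructed, and the provider-to-PQC mapping follows the component table above.

```python
# Constructed sample Cargo.lock (not from any real project): rustls built on the
# aws-lc-rs provider, the PQC-capable combination listed in the table above.
SAMPLE_LOCK = """\
[[package]]
name = "aws-lc-rs"
version = "1.12.0"
[[package]]
name = "rustls"
version = "0.23.20"
dependencies = [
 "aws-lc-rs 1.12.0",
]
"""

def parse_cargo_lock(text):
    """Return {crate: {"version", "deps"}}; a dep entry like "ring 0.17.8" keeps only its name."""
    pkgs, cur, in_deps = {}, {"version": "", "deps": set()}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "[[package]]":
            cur, in_deps = {"version": "", "deps": set()}, False
        elif in_deps:
            if line == "]":
                in_deps = False
            elif line:
                cur["deps"].add(line.strip('",').split()[0])
        elif line.startswith("name = "):
            pkgs[line[7:].strip('"')] = cur
        elif line.startswith("version = "):
            cur["version"] = line[10:].strip('"')
        elif line.startswith("dependencies = ["):
            in_deps = not line.endswith("]")  # inline `[]` means no deps
    return pkgs

def audit_tls_stack(lock_text):
    """Name the crypto provider under rustls: 'aws-lc-rs', 'ring', 'both', 'none' or 'unknown'."""
    pkgs = parse_cargo_lock(lock_text)
    rustls = pkgs.get("rustls")
    if rustls is None:  # TLS then comes from native-tls/the platform, not this tree
        return "none", "no rustls in graph: TLS is not controlled by this dependency tree"
    has_lc, has_ring = "aws-lc-rs" in rustls["deps"], "ring" in rustls["deps"]
    if has_lc and has_ring:
        return "both", "both providers linked; confirm which CryptoProvider is installed at startup"
    if has_lc:
        lc = pkgs.get("aws-lc-rs", {}).get("version", "?")
        return "aws-lc-rs", f"rustls {rustls['version']} on aws-lc-rs {lc}: PQC-capable, verify hybrid group is enabled"
    if has_ring:
        return "ring", "rustls on ring: no hybrid key exchange; switch the provider to aws-lc-rs"
    return "unknown", "rustls present but no recognised provider among its dependencies"
```

Run it against the real Cargo.lock of the provisioning service and paste the returned line into the "Migration path" column.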

Resources

  • s2n-tls GitHub: github.com/aws/s2n-tls — README PQC section
  • aws-lc-rs GitHub: github.com/aws/aws-lc-rs
  • AWS Security blog: "aws.amazon.com/blogs/security" — search "post-quantum"
  • AWS re:Invent 2023/2024 talks on PQC (YouTube)