AWS Security ChangesHomeSearch

AWS kms documentation change

Service: kms · 2025-06-16 · Documentation medium

File: kms/latest/developerguide/create-keys.md

Summary

Added ML-DSA key pairs as a supported key spec for post-quantum migration in signing operations

Security assessment

Introduces documentation for ML-DSA, a post-quantum cryptographic algorithm, which is a proactive security feature but does not address an existing vulnerability.

Diff

diff --git a/kms/latest/developerguide/create-keys.md b/kms/latest/developerguide/create-keys.md
index 8d6f9b5b7..93d120bb2 100644
--- a//kms/latest/developerguide/create-keys.md
+++ b//kms/latest/developerguide/create-keys.md
@@ -132 +132 @@ If your use case requires encryption outside of AWS by users who cannot call AWS
-To sign messages and verify signatures, you must use an [asymmetric KMS key](./symmetric-asymmetric.html). You can use a KMS key with a [key spec](./symm-asymm-choose-key-spec.html) that represents an RSA key pair, an elliptic curve (ECC) key pair, or an SM2 key pair (China Regions only). The key spec you choose is determined by the signing algorithm that you want to use. The ECDSA signing algorithms that ECC key pairs support are recommended over the RSA signing algorithms. However, you might need to use a particular key spec and signing algorithm to support users who verify signatures outside of AWS.
+To sign messages and verify signatures, you must use an [asymmetric KMS key](./symmetric-asymmetric.html). You can use a KMS key with a [key spec](./symm-asymm-choose-key-spec.html) that represents an RSA key pair, an elliptic curve (ECC) key pair, an ML-DSA key pair, or an SM2 key pair (China Regions only). The key spec you choose is determined by the signing algorithm that you want to use. The ECDSA signing algorithms that ECC key pairs support are recommended over the RSA signing algorithms. Use an ML-DSA key pair when migrating from RSA or ECC keys to post-quantum keys. However, you might need to use a particular key spec and signing algorithm to support users who verify signatures outside of AWS.