AWS Security ChangesHomeSearch

AWS kms documentation change

Service: kms · 2025-06-19 · Documentation low

File: kms/latest/developerguide/mldsa.md

Summary

1. Updated ML-DSA key spec names to underscores. 2. Removed a paragraph about message size limits and EXTERNAL_MU processing.

Security assessment

The naming convention update is non-functional. Removing the message size guidance could impact usability but lacks evidence of addressing a security flaw. No explicit security context is provided.

Diff

diff --git a/kms/latest/developerguide/mldsa.md b/kms/latest/developerguide/mldsa.md
index 98a91483e..6de6eb637 100644
--- a//kms/latest/developerguide/mldsa.md
+++ b//kms/latest/developerguide/mldsa.md
@@ -7 +7 @@
-AWS Key Management Service (AWS KMS) supports Module-Lattice Digital Signature Algorithm (ML-DSA) for post-quantum cryptographic signatures. This implementation follows the [Federal Information Processing Standards (FIPS) 204 standard](https://csrc.nist.gov/pubs/fips/204/final) to help protect against future quantum computing threats. AWS KMS creates and protects all ML-DSA keys and signature operations in FIPS 140-3 Security Level 3 validated hardware security modules. To help balance security with performance, ML-DSA in AWS KMS offers three distinct security levels through different key specifications, ML-DSA-44, ML-DSA-65, and ML-DSA-87.
+AWS Key Management Service (AWS KMS) supports Module-Lattice Digital Signature Algorithm (ML-DSA) for post-quantum cryptographic signatures. This implementation follows the [Federal Information Processing Standards (FIPS) 204 standard](https://csrc.nist.gov/pubs/fips/204/final) to help protect against future quantum computing threats. AWS KMS creates and protects all ML-DSA keys and signature operations in FIPS 140-3 Security Level 3 validated hardware security modules. To help balance security with performance, ML-DSA in AWS KMS offers three distinct security levels through different key specifications, ML_DSA_44, ML_DSA_65, and ML_DSA_87.
@@ -11,2 +10,0 @@ AWS KMS supports asymmetric key signatures for messages up to 4 KB using the `RA
-AWS KMS supports asymmetric key signatures for messages up to 4 KB using the RAW message type. For larger messages, you must compute an EXTERNAL_MU value. Use the EXTERNAL_MU message type to identify these pre-processed messages when signing.
-