AWS Security ChangesHomeSearch

AWS kms documentation change

Service: kms · 2025-11-10 · Documentation low

File: kms/latest/developerguide/create-keys.md

Summary

Updated terminology from 'NIST-recommended' to 'NIST-standard' elliptic curves in key derivation guidance

Security assessment

The change clarifies compliance with NIST standards but does not introduce new security features or address vulnerabilities. It is a documentation refinement.

Diff

diff --git a/kms/latest/developerguide/create-keys.md b/kms/latest/developerguide/create-keys.md
index 3f8ce6fab..483cc91b5 100644
--- a//kms/latest/developerguide/create-keys.md
+++ b//kms/latest/developerguide/create-keys.md
@@ -150 +150 @@ To avoid these errors, anyone using a public key outside of AWS KMS must store t
-To derive shared secrets, use a KMS key with [NIST-recommended elliptic curve](./symm-asymm-choose-key-spec.html#key-spec-ecc) or [SM2](./symm-asymm-choose-key-spec.html#key-spec-sm) (China Regions only) key material. AWS KMS uses the [Elliptic Curve Cryptography Cofactor Diffie-Hellman Primitive](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Ar3.pdf#page=60) (ECDH) to establish a key agreement between two peers by deriving a shared secret from their elliptic curve public-private key pairs. You can use the raw shared secret that the [ DeriveSharedSecret](https://docs.aws.amazon.com/kms/latest/APIReference/API_DeriveSharedSecret.html) operation returns to derive a symmetric key that can encrypt and decrypt data that is sent between two parties, or generate and verify HMACs. AWS KMS recommends that you follow [NIST recommendations for key derivation](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Cr2.pdf) when using the raw shared secret to derive a symmetric key.
+To derive shared secrets, use a KMS key with [NIST-standard elliptic curve](./symm-asymm-choose-key-spec.html#key-spec-ecc) or [SM2](./symm-asymm-choose-key-spec.html#key-spec-sm) (China Regions only) key material. AWS KMS uses the [Elliptic Curve Cryptography Cofactor Diffie-Hellman Primitive](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Ar3.pdf#page=60) (ECDH) to establish a key agreement between two peers by deriving a shared secret from their elliptic curve public-private key pairs. You can use the raw shared secret that the [ DeriveSharedSecret](https://docs.aws.amazon.com/kms/latest/APIReference/API_DeriveSharedSecret.html) operation returns to derive a symmetric key that can encrypt and decrypt data that is sent between two parties, or generate and verify HMACs. AWS KMS recommends that you follow [NIST recommendations for key derivation](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Cr2.pdf) when using the raw shared secret to derive a symmetric key.