AWS Security ChangesHomeSearch

AWS AmazonS3 medium security documentation change

Service: AmazonS3 · 2025-11-22 · Security-related medium

File: AmazonS3/latest/userguide/inter-network-traffic-privacy.md

Summary

Added guidance for TLS 1.3 with hybrid post-quantum key exchange and updated section title to reference PQ-TLS

Security assessment

Explicitly introduces post-quantum cryptography (PQ-TLS) recommendations to address future quantum computing threats. The change adds documentation about quantum-resistant security features and updates encryption best practices.

Diff

diff --git a/AmazonS3/latest/userguide/inter-network-traffic-privacy.md b/AmazonS3/latest/userguide/inter-network-traffic-privacy.md
index 54d859f7b..b89c3dc1f 100644
--- a//AmazonS3/latest/userguide/inter-network-traffic-privacy.md
+++ b//AmazonS3/latest/userguide/inter-network-traffic-privacy.md
@@ -22 +22 @@ The following connections can be combined with AWS PrivateLink to provide connec
-Access to Amazon S3 via the network is through AWS published APIs. Clients must support Transport Layer Security (TLS) 1.2. We recommend TLS 1.3. Clients must also support cipher suites with Perfect Forward Secrecy (PFS), such as Ephemeral Diffie-Hellman (DHE) or Elliptic Curve Diffie-Hellman Ephemeral (ECDHE). Most modern systems such as Java 7 and later support these modes. Additionally, you must sign requests using an access key ID and a secret access key that are associated with an IAM principal, or you can use the [AWS Security Token Service (STS)](https://docs.aws.amazon.com/STS/latest/APIReference/Welcome.html) to generate temporary security credentials to sign requests.
+Access to Amazon S3 via the network is through AWS published APIs. Clients must support Transport Layer Security (TLS) 1.2. We recommend utilizing TLS 1.3 with hybrid post-quantum key exchange. Clients must also support cipher suites with Perfect Forward Secrecy (PFS), such as Ephemeral Diffie-Hellman (DHE) or Elliptic Curve Diffie-Hellman Ephemeral (ECDHE). Most modern systems such as Java 7 and later support these modes. Additionally, you must sign requests using an access key ID and a secret access key that are associated with an IAM principal, or you can use the [AWS Security Token Service (STS)](https://docs.aws.amazon.com/STS/latest/APIReference/Welcome.html) to generate temporary security credentials to sign requests.
@@ -34 +34 @@ To use the Amazon Web Services Documentation, Javascript must be enabled. Please
-Using client-side encryption
+Configure PQ-TLS client