AWS payment-cryptography documentation change
Summary
Updated AWS CLI installation instructions to enable PQ TLS with OpenSSL 3.5+
Security assessment
The changes provide guidance for enabling post-quantum TLS (PQ-TLS), a security feature. This documents a security enhancement but does not address a specific existing vulnerability.
Diff
diff --git a/payment-cryptography/latest/userguide/pqtls-details.md b/payment-cryptography/latest/userguide/pqtls-details.md index 67f948e36..9a95671ad 100644 --- a//payment-cryptography/latest/userguide/pqtls-details.md +++ b//payment-cryptography/latest/userguide/pqtls-details.md @@ -80 +80,5 @@ You can also configure a Docker container to use OpenSSL 3.5 to enable PQ TLS on -The AWS CLI relies on system libssl/libcrypto. To use PQ TLS, use this tool on an operating system distribution that has at least OpenSSL 3.5 installed. +PQ TLS support with the [AWS CLI installer](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html) is coming soon. To enable immediately, you can use alternative installers for the AWS CLI, which varies by operating system, and can enable PQ TLS. + +For MacOS, install the AWS CLI via [Homebrew](https://brew.sh/) and ensure that your Homebrew-vended OpenSSL is upgraded to version 3.5+. You can do this with “brew install [email protected]” and validate with “brew list | grep openssl”. + +For Ubuntu or Debian Linux: ensure the Linux distribution you are using has OpenSSL 3.5+ installed as system OpenSSL. Then, install the AWS CLI using apt or [PyPI](https://pypi.org/project/awscliv2/). With these prerequisites, the AWS CLI vended by apt or PyPI will be configured to negotiate PQ-TLS. For step-by-step instructions to validate the installation, see [github repository](https://github.com/aws-samples/sample-post-quantum-tls-python/) and accompanying [blog post](https://aws.amazon.com/blogs/security/post-quantum-tls-in-python/).