AWS kms documentation change
Summary
Updated post-quantum TLS testing guidance with CloudTrail verification and legacy system compatibility notes
Security assessment
Enhances documentation for quantum-resistant cryptography without evidence of security vulnerability remediation. The change documents security features (post-quantum TLS) and adds troubleshooting guidance for security implementations.
Diff
diff --git a/kms/latest/developerguide/pqtls-how-to.md b/kms/latest/developerguide/pqtls-how-to.md index 6f7d4de15..dfef63c41 100644 --- a//kms/latest/developerguide/pqtls-how-to.md +++ b//kms/latest/developerguide/pqtls-how-to.md @@ -54 +54 @@ Consider running the following tests with hybrid cipher suites on your applicati - * Run load tests and benchmarks. The hybrid cipher suites perform differently than traditional key exchange algorithms. You might need to adjust your connection timeouts to allow for the longer handshake times. If you’re running inside an AWS Lambda function, extend the execution timeout setting. + * View the `tlsDetails` section in the CloudTrail log entry for an AWS KMS API call made by your application. The `keyExchange` field should mention a hybrid algorithm such as `X25519MLKEM768`. For an example, see [Decrypt with a standard symmetric encryption key over a post-quantum TLS connection](./ct-decrypt.html#ct-decrypt-default-pqtls). @@ -56 +56,3 @@ Consider running the following tests with hybrid cipher suites on your applicati - * Try connecting from different locations. Depending on the network path your request takes, you might discover that intermediate hosts, proxies, or firewalls with deep packet inspection (DPI) block the request. This might result from using the new cipher suites in the [ClientHello](https://tools.ietf.org/html/rfc5246#section-7.4.1.2) part of the TLS handshake, or from the larger key exchange messages. If you have trouble resolving these issues, work with your security team or IT administrators to update the relevant configuration and unblock the new TLS cipher suites. + * Run benchmarks using hybrid post-quantum TLS. Hybrid key exchange increases the size and processing time of some messages in the TLS handshake, but the overall performance impact should be imperceptible in most cases. + + * Try connecting from different locations. Depending on the network path your request takes, you might discover that legacy intermediate hosts, proxies, or firewalls with deep packet inspection (DPI) block the request. This might result from using the new key exchange groups in the [ClientHello](https://datatracker.ietf.org/doc/html/rfc8446#section-4.1.2) part of the TLS handshake, or from the larger key exchange messages. If you have trouble resolving these issues, work with your security team or IT administrators to update the relevant configuration and unblock the new TLS key exchange groups.