AWS Security ChangesHomeSearch

AWS prescriptive-guidance high security documentation change

Service: prescriptive-guidance · 2026-02-28 · Security-related high

File: prescriptive-guidance/latest/encryption-best-practices/aws-cryptography-services.md

Summary

Updated cryptographic algorithm recommendations - changed key agreement algorithm from ECDSA to ECDH(E), consolidated ECDSA signature entries, and expanded details about AWS-LC validation

Security assessment

Changes update recommended quantum-resistant algorithms and emphasize formal verification of implementations. These updates reflect security best practices for post-quantum cryptography and implementation assurance.

Diff

diff --git a/prescriptive-guidance/latest/encryption-best-practices/aws-cryptography-services.md b/prescriptive-guidance/latest/encryption-best-practices/aws-cryptography-services.md
index 904fade94..d7238d059 100644
--- a//prescriptive-guidance/latest/encryption-best-practices/aws-cryptography-services.md
+++ b//prescriptive-guidance/latest/encryption-best-practices/aws-cryptography-services.md
@@ -17 +17 @@ AWS follows the [shared responsibility model](https://aws.amazon.com/compliance/
-AWS defaults to high-assurance cryptographic implementations and prefers hardware-optimized solutions that are efficient. Our cryptographic core library, [AWS-LC](https://github.com/aws/aws-lc), is available as open source for transparency and industry-wide reuse. The recommended cryptographic algorithms in AWS-LC are formally verified for correctness, and the library is validated under NIST's FIPS-140 program.
+AWS defaults to high-assurance cryptographic implementations and prefers hardware-optimized solutions that are efficient. Our cryptographic core library, [AWS-LC](https://github.com/aws/aws-lc), is available as open source for transparency and industry-wide reuse. Many cryptographic algorithm implementations in AWS-LC are formally verified to increase assurance of the correctness and security of the implementation in several different platforms. The library is also validated under NIST's FIPS-140 program.
@@ -56 +56 @@ Key agreement | ML-KEM-768 or ML-KEM-1024 | Preferred (quantum-resistant)
-Key agreement | ECDSA with P-256, P-384, P-521, or Ed25519 | Acceptable  
+Key agreement | ECDH(E) with P-256, P-384, P-521, or X25519 | Acceptable  
@@ -60,2 +60 @@ Signatures | SLH-DSA | Acceptable (quantum-resistant)
-Signatures | ECDSA with P-384 | Acceptable  
-Signatures | ECDSA with P-256, P-521, or Ed25519 | Acceptable  
+Signatures | ECDSA with P-256, P-384, P-521, or Ed25519 | Acceptable