AWS prescriptive-guidance high security documentation change
Summary
Added content about quantum-resistant ML-DSA certificates, including comparison with X.509 certificates and guidance on when to use ML-DSA
Security assessment
Introduces quantum-resistant cryptography (ML-DSA) to address future quantum computing threats. Specifically mentions protecting against quantum attacks and provides migration guidance. References NIST FIPS 204 standard.
Diff
diff --git a/prescriptive-guidance/latest/certificate-based-access-controls/introduction.md b/prescriptive-guidance/latest/certificate-based-access-controls/introduction.md index 0fea6b5b2..1ec22fecd 100644 --- a//prescriptive-guidance/latest/certificate-based-access-controls/introduction.md +++ b//prescriptive-guidance/latest/certificate-based-access-controls/introduction.md @@ -7 +7 @@ -Intended audienceObjectives +Intended audienceObjectivesChoosing between X.509 and ML-DSA certificates @@ -13,3 +13 @@ Intended audienceObjectives - _July 2025_ ([document history](./doc-history.html)) - -As organizations expand their cloud footprints and embrace automation, it's increasingly critical to manage secure access for non-human identities, such as applications, servers, and containers. Traditional approaches use long-term credentials or hard-coded secrets, but these approaches can create security risks and operational overhead. [AWS Identity and Access Management Roles Anywhere](https://docs.aws.amazon.com/rolesanywhere/latest/userguide/introduction.html) addresses these challenges by allowing workloads outside of the AWS Cloud to access AWS resources securely through [X.509 certificates](https://en.wikipedia.org/wiki/X.509) (Wikipedia) instead of long-term credentials. +As organizations expand their cloud footprints and embrace automation, it's increasingly critical to manage secure access for non-human identities, such as applications, servers, and containers. Traditional approaches use long-term credentials or hard-coded secrets, but these approaches can create security risks and operational overhead. [AWS Identity and Access Management Roles Anywhere](https://docs.aws.amazon.com/rolesanywhere/latest/userguide/introduction.html) addresses these challenges by allowing workloads outside of the AWS Cloud to access AWS resources securely through digital certificates, including traditional [X.509 certificates](https://en.wikipedia.org/wiki/X.509) (Wikipedia) and [quantum-resistant ML-DSA (FIPS 204) certificates](https://nvlpubs.nist.gov/nistpubs/fips/nist.fips.204.pdf) (NIST), instead of long-term credentials. @@ -50 +48 @@ This guide is intended for cloud architects, security engineers, and DevOps engi - * Public key infrastructure (PKI) and X.509 certificate management + * Public key infrastructure (PKI) and digital certificate management (X.509 and ML-DSA post-quantum certificates) @@ -61 +59 @@ This guide is intended for cloud architects, security engineers, and DevOps engi -Using IAM Roles Anywhere and X.509 certificates for authentication can deliver the following key business outcomes: +Using IAM Roles Anywhere and digital certificates (X.509 or ML-DSA) for authentication can deliver the following key business outcomes: @@ -63 +61 @@ Using IAM Roles Anywhere and X.509 certificates for authentication can deliver t - * **Enhanced security** – Eliminates risks associated with use of long-term credentials + * **Enhanced security** – Eliminates risks associated with use of long-term credentials and provides quantum-resistant authentication options @@ -70,0 +69,2 @@ Using IAM Roles Anywhere and X.509 certificates for authentication can deliver t + * **Future-proof cryptography** – Helps protect against emerging quantum computing threats through ML-DSA support + @@ -75,0 +76,37 @@ Using IAM Roles Anywhere and X.509 certificates for authentication can deliver t +## Choosing between X.509 and ML-DSA certificates + +IAM Roles Anywhere supports two types of digital certificates: + + * _X.509 certificates_ are traditional PKI certificates that are suitable for most current use cases and are widely supported across systems and tools. + + * _ML-DSA certificates (FIPS 204)_ are post-quantum cryptographic certificates that help protect against potential future quantum computing threats + + + + +Consider using ML-DSA in the following situations: + + * If your organization has long-term data protection requirements, such as over 10 years + + * If your industry has stringent compliance requirements and you anticipate post-quantum standards + + * If certificate compromise by quantum computers poses significant risk to your environment + + * If your organization is proactively preparing for a post-quantum cryptography migration + + + + +X.509 remains appropriate in the following circumstances: + + * For standard enterprise workloads with typical security requirements + + * For environments that require broad compatibility with existing tools + + * For short-to-medium term credential lifecycles + + + + +Both certificate types work identically within IAM Roles Anywhere and can coexist in the same environment. This helps organizations to adopt ML-DSA gradually, based on their specific risk profile and compliance requirements. +