AWS Security ChangesHomeSearch

AWS prescriptive-guidance high security documentation change

Service: prescriptive-guidance · 2026-06-07 · Security-related high

File: prescriptive-guidance/latest/certificate-based-access-controls/introduction.md

Summary

Added content about quantum-resistant ML-DSA certificates, including comparison with X.509 certificates and guidance on when to use ML-DSA

Security assessment

Introduces quantum-resistant cryptography (ML-DSA) to address future quantum computing threats. Specifically mentions protecting against quantum attacks and provides migration guidance. References NIST FIPS 204 standard.

Diff

diff --git a/prescriptive-guidance/latest/certificate-based-access-controls/introduction.md b/prescriptive-guidance/latest/certificate-based-access-controls/introduction.md
index 0fea6b5b2..1ec22fecd 100644
--- a//prescriptive-guidance/latest/certificate-based-access-controls/introduction.md
+++ b//prescriptive-guidance/latest/certificate-based-access-controls/introduction.md
@@ -7 +7 @@
-Intended audienceObjectives
+Intended audienceObjectivesChoosing between X.509 and ML-DSA certificates
@@ -13,3 +13 @@ Intended audienceObjectives
- _July 2025_ ([document history](./doc-history.html))
-
-As organizations expand their cloud footprints and embrace automation, it's increasingly critical to manage secure access for non-human identities, such as applications, servers, and containers. Traditional approaches use long-term credentials or hard-coded secrets, but these approaches can create security risks and operational overhead. [AWS Identity and Access Management Roles Anywhere](https://docs.aws.amazon.com/rolesanywhere/latest/userguide/introduction.html) addresses these challenges by allowing workloads outside of the AWS Cloud to access AWS resources securely through [X.509 certificates](https://en.wikipedia.org/wiki/X.509) (Wikipedia) instead of long-term credentials.
+As organizations expand their cloud footprints and embrace automation, it's increasingly critical to manage secure access for non-human identities, such as applications, servers, and containers. Traditional approaches use long-term credentials or hard-coded secrets, but these approaches can create security risks and operational overhead. [AWS Identity and Access Management Roles Anywhere](https://docs.aws.amazon.com/rolesanywhere/latest/userguide/introduction.html) addresses these challenges by allowing workloads outside of the AWS Cloud to access AWS resources securely through digital certificates, including traditional [X.509 certificates](https://en.wikipedia.org/wiki/X.509) (Wikipedia) and [quantum-resistant ML-DSA (FIPS 204) certificates](https://nvlpubs.nist.gov/nistpubs/fips/nist.fips.204.pdf) (NIST), instead of long-term credentials.
@@ -50 +48 @@ This guide is intended for cloud architects, security engineers, and DevOps engi
-  * Public key infrastructure (PKI) and X.509 certificate management
+  * Public key infrastructure (PKI) and digital certificate management (X.509 and ML-DSA post-quantum certificates)
@@ -61 +59 @@ This guide is intended for cloud architects, security engineers, and DevOps engi
-Using IAM Roles Anywhere and X.509 certificates for authentication can deliver the following key business outcomes:
+Using IAM Roles Anywhere and digital certificates (X.509 or ML-DSA) for authentication can deliver the following key business outcomes:
@@ -63 +61 @@ Using IAM Roles Anywhere and X.509 certificates for authentication can deliver t
-  * **Enhanced security** – Eliminates risks associated with use of long-term credentials
+  * **Enhanced security** – Eliminates risks associated with use of long-term credentials and provides quantum-resistant authentication options
@@ -70,0 +69,2 @@ Using IAM Roles Anywhere and X.509 certificates for authentication can deliver t
+  * **Future-proof cryptography** – Helps protect against emerging quantum computing threats through ML-DSA support
+
@@ -75,0 +76,37 @@ Using IAM Roles Anywhere and X.509 certificates for authentication can deliver t
+## Choosing between X.509 and ML-DSA certificates
+
+IAM Roles Anywhere supports two types of digital certificates:
+
+  * _X.509 certificates_ are traditional PKI certificates that are suitable for most current use cases and are widely supported across systems and tools.
+
+  * _ML-DSA certificates (FIPS 204)_ are post-quantum cryptographic certificates that help protect against potential future quantum computing threats
+
+
+
+
+Consider using ML-DSA in the following situations:
+
+  * If your organization has long-term data protection requirements, such as over 10 years
+
+  * If your industry has stringent compliance requirements and you anticipate post-quantum standards
+
+  * If certificate compromise by quantum computers poses significant risk to your environment
+
+  * If your organization is proactively preparing for a post-quantum cryptography migration
+
+
+
+
+X.509 remains appropriate in the following circumstances:
+
+  * For standard enterprise workloads with typical security requirements
+
+  * For environments that require broad compatibility with existing tools
+
+  * For short-to-medium term credential lifecycles
+
+
+
+
+Both certificate types work identically within IAM Roles Anywhere and can coexist in the same environment. This helps organizations to adopt ML-DSA gradually, based on their specific risk profile and compliance requirements.
+