Full Report
Amazon Web Services (AWS) has added support for the ML-KEM post-quantum key encapsulation mechanism to AWS Key Management Service (KMS), AWS Certificate Manager (ACM), and AWS Secrets Manager, making TLS connections more secure. [...]
Analysis Summary
This summary focuses on the transition to and implementation of ML-KEM (Module-Lattice-Based Key-Encapsulation Mechanism) for Post-Quantum Cryptography (PQC) within specific AWS services, which is an enhancement for future security rather than the patching of a traditional vulnerability.
# Vulnerability: AWS Transitioning to ML-KEM for Post-Quantum TLS Security
*Note: This summary describes a proactive security enhancement (migration to a PQC standard) rather than a conventional software vulnerability (like a CVE-tracked flaw).*
## CVE Details
- CVE ID: N/A (Proactive security update, not a vulnerability disclosure)
- CVSS Score: N/A
- CWE: N/A
## Affected Systems
- **Products:** AWS Key Management Service (KMS), AWS Certificate Manager (ACM), AWS Secrets Manager.
- **Versions:** Services previously supporting CRYSTALS-Kyber; update required for SDKs to utilize ML-KEM. Specifically, **SDK for Java version 2.30.22 and later** is mentioned for enabling the feature.
- **Configurations:** Any client connecting to these AWS services that wishes to leverage Post-Quantum TLS via ML-KEM must explicitly enable the feature in their SDK configuration.
## Vulnerability Description
The context describes AWS proactively implementing ML-KEM, a candidate for standardization in Post-Quantum Cryptography (PQC), to secure TLS communications against potential future "harvest now, decrypt later" attacks enabled by quantum computers. This move replaces the previously supported algorithm, CRYSTALS-Kyber, which is scheduled for deprecation across AWS service endpoints in 2026.
## Exploitation
- **Status:** N/A (This is a defensive implementation, not an exploited flaw.)
- **Complexity:** N/A
- **Attack Vector:** N/A
## Impact
- **Confidentiality:** Significantly improved against future quantum decryption threats.
- **Integrity:** Not directly addressed by this key encapsulation mechanism change, but security posture is strengthened.
- **Availability:** Minimal performance impact expected (see below).
## Remediation
### Patches
- **Action Required:** Users must update their client SDKs to versions supporting ML-KEM (e.g., SDK for Java 2.30.22+) and explicitly enable the ML-KEM Post-Quantum TLS feature.
- **Deprecation Notice:** Support for the predecessor, CRYSTALS-Kyber, will be removed across all AWS service endpoints **in 2026**.
### Workarounds
- **Temporary Mitigation:** None needed as ML-KEM is an enhancement. However, if explicit enablement fails, clients may fall back to extant, non-PQC algorithms if configured, though this is discouraged.
## Detection
- **Indicators of Compromise:** N/A
- **Detection Methods and Tools:** Administrators should monitor connection establishments to KMS, ACM, and Secrets Manager to ensure PQC configuration is correctly applied if desired. Standard TLS monitoring tools should verify cipher suites negotiated with the client.
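One way to run the negotiation check described above, as an added example that is not AWS code or part of the original report: in TLS 1.3 the post-quantum choice appears as the named group in the ServerHello `key_share` extension (sent in cleartext) rather than in the cipher suite, so the sketch parses a captured ServerHello and classifies that group. The function names are hypothetical, the group codepoints are the IANA TLS Supported Groups values, and the sample messages are constructed with zero-byte key material.

```python
import struct

# IANA TLS Supported Groups codepoints; the classification labels are this example's own.
ML_KEM = {0x11EB: "SecP256r1MLKEM768", 0x11EC: "X25519MLKEM768", 0x11ED: "SecP384r1MLKEM1024"}
KYBER_DRAFT = {0x6399: "X25519Kyber768Draft00", 0x639A: "SecP256r1Kyber768Draft00"}
CLASSICAL = {0x0017: "secp256r1", 0x0018: "secp384r1", 0x001D: "x25519"}
KEY_SHARE = 0x0033  # extension type carrying the server's selected group

def selected_group(server_hello: bytes) -> int:
    """Return the key_share group from a TLS 1.3 ServerHello handshake message."""
    if len(server_hello) < 4 or server_hello[0] != 0x02:
        raise ValueError("not a ServerHello handshake message")
    body_len = int.from_bytes(server_hello[1:4], "big")
    body = server_hello[4:4 + body_len]
    if len(body) != body_len or body_len < 40:
        raise ValueError("truncated ServerHello")
    pos = 2 + 32                      # legacy_version + random
    pos += 1 + body[pos]              # legacy_session_id_echo
    pos += 2 + 1                      # cipher_suite + legacy_compression_method
    ext_end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
    pos += 2
    while pos + 4 <= min(ext_end, len(body)):
        ext_type, ext_len = struct.unpack_from("!HH", body, pos)
        pos += 4
        if ext_type == KEY_SHARE and ext_len >= 2:
            return int.from_bytes(body[pos:pos + 2], "big")
        pos += ext_len
    raise ValueError("no key_share extension (TLS 1.2 or malformed)")

def classify(group: int) -> str:
    if group in ML_KEM:
        return f"pq-ml-kem:{ML_KEM[group]}"
    if group in KYBER_DRAFT:          # predecessor scheduled for removal in 2026
        return f"pq-kyber-draft:{KYBER_DRAFT[group]}"
    if group in CLASSICAL:
        return f"classical:{CLASSICAL[group]}"
    return f"unknown:{group:#06x}"

def build_sample(group: int, share_len: int) -> bytes:
    """Constructed ServerHello for the demo; key material is zero bytes."""
    key_share = struct.pack("!HH", group, share_len) + bytes(share_len)
    exts = struct.pack("!HH", 0x002B, 2) + b"\x03\x04"   # supported_versions: TLS 1.3
    exts += struct.pack("!HH", KEY_SHARE, len(key_share)) + key_share
    body = b"\x03\x03" + bytes(32) + b"\x20" + bytes(32) + b"\x13\x01\x00"
    body += struct.pack("!H", len(exts)) + exts
    return b"\x02" + len(body).to_bytes(3, "big") + body

if __name__ == "__main__":
    for g, n in ((0x11EC, 1120), (0x6399, 1120), (0x001D, 32)):
        print(classify(selected_group(build_sample(g, n))))
```

A `classical` or `pq-kyber-draft` result on a connection expected to use ML-KEM indicates the client did not enable or negotiate the feature.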
## References
- AWS Announcement (Defanged): hxxps://aws.amazon.com/blogs/security/ml-kem-post-quantum-tls-now-supported-in-aws-kms-acm-and-secrets-manager/