AWS KMS · PQC readiness

Post-quantum readiness for AWS KMS

PostQ inventories your AWS KMS keys, CloudHSM-backed keys, and ACM certificates — including RSA and ECC usage and signing workflows — so you can see cloud key exposure and plan a post-quantum migration. The focus is discovery and reporting.

  • Inventory KMS keys and key specs (RSA, ECC, symmetric)
  • Include CloudHSM-backed keys and ACM certificates
  • Surface signing usage and key policies
  • Prioritize migration by exposure and criticality

What PostQ inventories in AWS

  • KMS asymmetric keys (RSA and ECC) and their key specs
  • CloudHSM-backed keys and their algorithms
  • ACM certificates, algorithms, and expiry
  • Signing usage and where keys are referenced

Discovery and reporting first

AWS KMS asymmetric keys are classical RSA and ECC. PostQ does not claim KMS supports ML-DSA or ML-KEM — it gives you an accurate inventory and readiness report so you can plan migration as AWS and CA support evolves.

Inventory your AWS KMS keys

Connect AWS in the PostQ dashboard scanner to inventory KMS and CloudHSM keys, ACM certificates, and signing usage — and get a prioritized readiness view.

Cloud scans run from your dashboard — sign in or apply for the beta to get access.

Quantum-vulnerable

Algorithms that need a migration plan

  • RSA: Integer factorisation — broken by Shor's algorithm.
  • ECDSA: Elliptic-curve discrete log — broken by Shor's algorithm.
  • DH: Finite-field Diffie-Hellman — quantum-vulnerable key exchange.
  • ECDH: Elliptic-curve Diffie-Hellman — quantum-vulnerable key exchange.
  • X25519: Modern ECDH curve, still classical and quantum-vulnerable.
  • Ed25519: Modern EdDSA signature, still classical and quantum-vulnerable.
  • RS256: JWT RSA-SHA256 signature — quantum-vulnerable public-key signature.
  • ES256: JWT ECDSA-P256 signature — quantum-vulnerable public-key signature.

PQC targets

NIST-standardised replacements

  • ML-KEM (FIPS 203): Key encapsulation / key exchange (formerly Kyber).
  • ML-DSA (FIPS 204): Digital signatures (formerly Dilithium).
  • SLH-DSA (FIPS 205): Stateless hash-based signatures (formerly SPHINCS+).

PostQ detects where quantum-vulnerable algorithms are used and reports them. We don’t claim a target algorithm is supported in your stack unless detection confirms it.
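To make the inventory and the classification in the lists above concrete, here is an added example (not PostQ's code) that sorts KMS key metadata and ACM certificate metadata into a prioritised readiness view; the priority weighting is an assumption of this example, not PostQ's own scoring. The input records mirror the KeyMetadata and Certificate dicts that boto3's describe_key and describe_certificate calls return, the KeySpec and KeyAlgorithm strings are AWS's documented values, and the sample records are constructed.

```python
from datetime import datetime, timezone

# KMS KeySpec values as documented by AWS, grouped by quantum posture.
VULNERABLE_KMS_SPECS = {"RSA_2048", "RSA_3072", "RSA_4096", "ECC_NIST_P256",
                        "ECC_NIST_P384", "ECC_NIST_P521", "ECC_SECG_P256K1"}
SYMMETRIC_KMS_SPECS = {"SYMMETRIC_DEFAULT", "HMAC_224", "HMAC_256", "HMAC_384", "HMAC_512"}

def classify_kms_key(meta):
    """Classify one dict shaped like kms.describe_key()['KeyMetadata']."""
    spec = meta.get("KeySpec", "SYMMETRIC_DEFAULT")
    if spec in VULNERABLE_KMS_SPECS:
        posture = "quantum-vulnerable"  # RSA/ECC: broken by Shor's algorithm
    elif spec in SYMMETRIC_KMS_SPECS:
        posture = "symmetric"           # no public-key exposure
    else:
        posture = "review"              # unrecognised spec: report it, assume nothing
    # Assumed weighting (not PostQ's own scoring): live, vulnerable signing keys come first.
    score = 0
    if posture == "quantum-vulnerable":
        score += 3 + (2 if meta.get("KeyUsage") == "SIGN_VERIFY" else 0)
    if meta.get("KeyState") == "Enabled":
        score += 1
    return {"id": meta.get("KeyId"), "spec": spec, "posture": posture, "priority": score}

def classify_acm_cert(cert, now=None):
    """Classify one dict shaped like acm.describe_certificate()['Certificate']."""
    now = now or datetime.now(timezone.utc)
    alg = cert.get("KeyAlgorithm", "")
    posture = "quantum-vulnerable" if alg.startswith(("RSA_", "EC_")) else "review"
    days_left = (cert["NotAfter"] - now).days
    score = 3 if posture == "quantum-vulnerable" else 0
    score += 2 if cert.get("InUseBy") else 0  # bound to a resource: externally exposed
    score += 1 if days_left > 365 else 0      # long-lived: will not rotate away on its own
    return {"id": cert.get("CertificateArn"), "spec": alg, "posture": posture,
            "days_left": days_left, "priority": score}

def build_report(kms_keys, acm_certs, now=None):
    """Prioritised readiness view: highest migration priority first."""
    rows = [classify_kms_key(k) for k in kms_keys] + [classify_acm_cert(c, now) for c in acm_certs]
    return sorted(rows, key=lambda r: -r["priority"])

# Constructed sample inventory for this example, not data from a real account.
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)
SAMPLE_KMS = [
    {"KeyId": "k-sign", "KeySpec": "RSA_2048", "KeyUsage": "SIGN_VERIFY", "KeyState": "Enabled"},
    {"KeyId": "k-sym", "KeySpec": "SYMMETRIC_DEFAULT", "KeyUsage": "ENCRYPT_DECRYPT", "KeyState": "Enabled"},
    {"KeyId": "k-ecc", "KeySpec": "ECC_NIST_P256", "KeyUsage": "SIGN_VERIFY", "KeyState": "PendingDeletion"},
]
SAMPLE_ACM = [{"CertificateArn": "c-web", "KeyAlgorithm": "RSA_2048", "InUseBy": ["alb-demo"],
               "NotAfter": datetime(2027, 1, 1, tzinfo=timezone.utc)}]
```

Against a live account the same functions take the metadata returned by kms.describe_key for each key from kms.list_keys and by acm.describe_certificate for each ARN from acm.list_certificates, which needs only the read-only kms:ListKeys, kms:DescribeKey, acm:ListCertificates and acm:DescribeCertificate permissions and never touches key material.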

Frequently asked questions

Does AWS KMS support post-quantum keys?

AWS KMS asymmetric keys are classical RSA and ECC. PostQ does not claim KMS supports ML-DSA or ML-KEM. We inventory your existing keys and report their quantum posture for migration planning.

What does PostQ inventory in AWS?

KMS asymmetric keys and key specs, CloudHSM-backed keys, ACM certificates and their algorithms and expiry, plus signing usage and key references where the APIs expose them.

Is private key material exported?

No. PostQ reads key metadata and usage through least-privilege, authenticated access. KMS and CloudHSM never export private key material.

Where should I start migrating?

Start with externally exposed, long-lived, and high-value keys. Use a readiness assessment to turn the inventory into a prioritized roadmap.

Run a free PQC readiness scan

Scan any public domain for quantum-vulnerable TLS, certificate, and key-exchange cryptography. No signup required.

No signup required for the basic TLS scan. We only inspect public metadata.