AWS IAM Roles Anywhere adds post-quantum certificate support

Amazon Web Services (AWS) has updated its IAM Roles Anywhere service to include support for post-quantum digital certificates. The change adds compatibility with the FIPS 204 Module-Lattice Digital Signature Standard (ML-DSA), a quantum-resistant digital signature algorithm standardized by the National Institute of Standards and Technology (NIST).

The update aims to proactively protect against threat actors who may possess large-scale quantum computers capable of breaking current digital signatures. ML-DSA is designed to resist such attacks, a critical measure for IAM Roles Anywhere customers who use X.509 certificates to authenticate workloads to AWS resources.

IAM Roles Anywhere allows workloads running outside of AWS to obtain temporary AWS credentials using X.509 certificates. The service establishes trust between a customer's AWS environment and their public key infrastructure (PKI). With this update, ML-DSA-signed certificates can now be used as trust anchors, enabling the issuance of certificates bound to ML-DSA keys.

The new functionality is available in all AWS Regions where IAM Roles Anywhere is offered, including AWS GovCloud (US) and China Regions. This move reflects AWS's ongoing commitment to strengthening its cloud services against evolving security threats.