The urgency to prepare for a post-quantum world is growing. The cryptographic systems that underpin today’s digital infrastructure, including RSA, ECDSA, and Diffie-Hellman, will be rendered insecure by advances in quantum computing. The challenge is not only technological, but strategic: how do organizations begin to prepare, without knowing exactly when the threat will fully materialize?
This is where the concept of crypto-agility, long-term infrastructure planning, and cloud-based flexibility come into play. And few platforms are as strategically positioned to support that journey as Amazon Web Services (AWS).
A global cloud perspective on quantum risk
AWS has taken a proactive stance on the quantum threat. In May 2024, AWS published its official Post-Quantum Cryptography (PQC) Migration Plan, becoming one of the first global cloud providers to offer a concrete, phased approach for both cloud-native and hybrid organizations.
The plan recognizes the essential truth of quantum preparedness: the migration to post-quantum cryptography must begin long before the arrival of a cryptographically relevant quantum computer (CRQC). This journey is not a patch or a version upgrade; it is a deep reassessment of how systems, applications, and data are secured.
AWS’s guidance aligns closely with the U.S. government’s NSM-10 directive and NIST’s standards roadmap, while also offering practical tools and best practices for businesses already operating in the cloud.
Five pillars of AWS’s Quantum-Resilient strategy
Here are the five major actions recommended by AWS, a foundation for any organization looking to future-proof its security posture in the cloud:
1. Create a Cryptographic Inventory
Begin by identifying where cryptographic protocols are used across your workloads — TLS, VPNs, authentication, APIs, databases, file encryption, etc.
This step is often the most underestimated. Cryptography is embedded in third-party services, libraries, legacy tools, and embedded devices. AWS suggests using CloudTrail, Config, Lambda, or custom scripts to automate part of this discovery process.
2. Determine Cryptographic Agility
Next, assess whether the cryptographic components in your stack can be easily replaced. Are algorithms hardcoded? Are protocols upgradable? Can new libraries be integrated with minimal refactoring?
Cryptographic agility is a design principle — one that must be intentionally adopted. In AWS environments, this includes auditing how services like IAM, KMS, CloudHSM, and ACM are being used.
3. Prioritize Migration
Not all systems need to be upgraded at once. AWS recommends using a data sensitivity + data lifespan + threat exposure model to prioritize which assets should migrate first.
For instance:
- Long-lived secrets and sensitive PII stored in S3 or databases
- Mission-critical APIs with regulatory or compliance exposure
- Communications involving third parties, suppliers, or mobile endpoints
4. Test Post-Quantum Algorithms in Non-Production
AWS has made available experimental integrations of post-quantum algorithms (Kyber and Dilithium, since standardized by NIST as ML-KEM and ML-DSA, among others) into services like:
- TLS using s2n-quic (with hybrid key exchanges)
- AWS KMS using XKS (External Key Store) with post-quantum options
- Amazon Linux, CloudFront, ACM with test environments
Organizations are encouraged to experiment in controlled environments to understand compatibility, performance trade-offs, and operational risks.
5. Stay Informed and Coordinate
The post-quantum landscape is still evolving. Standards will mature, hardware may change, and hybrid models will dominate for several years.
AWS emphasizes the need to track NIST’s standards (FIPS 203–205), engage with vendors, and coordinate with cross-functional teams, from security to DevOps to legal, throughout the transition.
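To make pillars 1 and 3 concrete, here is an added example (not AWS's code or part of its plan) that builds a small cryptographic inventory and ranks assets with the sensitivity + lifespan + exposure model. The records are constructed samples shaped like the KeyAlgorithm values ACM reports and the KeySpec values KMS reports; in a real discovery pass they would come from boto3 calls, which are assumed and not shown.

```python
from datetime import date

# Constructed sample records, shaped like ACM DescribeCertificate's KeyAlgorithm
# and KMS DescribeKey's KeySpec values; a real run would fill them via boto3.
SAMPLE_ASSETS = [
    {"id": "acm:cert/api-gateway", "service": "ACM", "spec": "RSA_2048",
     "not_after": date(2027, 1, 1), "sensitivity": 3, "exposure": 3},
    {"id": "kms:key/pii-archive", "service": "KMS", "spec": "RSA_4096",
     "not_after": None, "sensitivity": 3, "exposure": 1},
    {"id": "kms:key/s3-default", "service": "KMS", "spec": "SYMMETRIC_DEFAULT",
     "not_after": None, "sensitivity": 2, "exposure": 1},
    {"id": "acm:cert/internal-tool", "service": "ACM", "spec": "EC_prime256v1",
     "not_after": date(2025, 6, 1), "sensitivity": 1, "exposure": 2},
]
AS_OF = date(2025, 1, 1)  # constructed "today" so the example is reproducible


def classify(spec):
    """Map an AWS key spec to its quantum-risk class: RSA and EC specs fall to
    Shor's algorithm; symmetric and HMAC specs only lose margin to Grover's."""
    if spec.startswith(("RSA_", "EC_", "ECC_")):
        return "quantum-vulnerable"
    if spec.startswith(("SYMMETRIC_", "HMAC_")):
        return "symmetric-ok"
    return "unknown"


def lifespan_score(not_after, today):
    """1..3: how long the protected data or credential must stay secure.
    No expiry (e.g. a KMS key over archived data) is treated as long-lived."""
    if not_after is None:
        return 3
    years = (not_after - today).days / 365
    return 1 if years < 1 else 2 if years < 3 else 3


def priority(asset, today):
    """Sensitivity + lifespan + exposure (the AWS model); assets that are not
    quantum-vulnerable score 0 and drop to the bottom of the migration queue."""
    if classify(asset["spec"]) != "quantum-vulnerable":
        return 0
    return asset["sensitivity"] + lifespan_score(asset["not_after"], today) + asset["exposure"]


def build_inventory(assets, today):
    """Annotate every asset with its risk class and priority, highest first."""
    rows = [dict(a, risk=classify(a["spec"]), priority=priority(a, today)) for a in assets]
    return sorted(rows, key=lambda r: r["priority"], reverse=True)


if __name__ == "__main__":
    for r in build_inventory(SAMPLE_ASSETS, AS_OF):
        print(f'{r["priority"]:>2}  {r["risk"]:<18}  {r["service"]}  {r["spec"]:<17}  {r["id"]}')
```

The sensitivity and exposure scores are inputs a data-classification review supplies; the script only adds the algorithm class and the lifespan term and orders the queue.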
Integration with the AWS Well-Architected Framework
AWS’s post-quantum migration plan fits naturally within its Well-Architected Framework, particularly the Security Pillar. This provides a structure for:
- Evaluating current cryptographic controls
- Ensuring secure key management with future-ready configurations
- Managing identity and access with evolving trust models
- Supporting compliance audits with verifiable cryptographic governance
For organizations already working with AWS-native tooling (like CloudFormation, Systems Manager, or Control Tower), PQC readiness can be baked into infrastructure-as-code, creating scalable and auditable solutions.
The road ahead: planning, not panic
There is no immediate quantum emergency, but that is precisely why this is the right moment to act. The transition will take years, especially in complex environments. And like other structural shifts in technology (IPv6, Y2K, cloud migration), early movers will have the advantage of stability and confidence when disruption arrives.
Organizations don’t need all the answers to get started. They need a structured approach, anchored in visibility, flexibility, and informed experimentation.
Key takeaways
- Quantum computers will eventually break RSA, DH, and ECC: the foundation of public-key cryptography.
- Migration to post-quantum cryptography will take years and must start with inventory and crypto-agility.
- AWS has released a five-step plan to guide organizations in preparing for this change, aligned with NIST and NSM-10.
- Cloud-native tooling and architecture reviews (e.g., AWS Well-Architected) provide practical, secure paths to begin transitioning today.