Automating Post-Quantum Cryptography Readiness Using AWS Config
AWS Security Blog, Thursday, May 14th, 2026
AWS introduces the PQC Readiness Scanner tool to automate assessment and migration of TLS endpoints to post-quantum cryptography.
The AWS Security Blog presents the PQC Readiness Scanner, an automated tool that helps organizations inventory and monitor their TLS endpoints (ALB, NLB, and API Gateway) for post-quantum cryptography (PQC) readiness.
The scanner uses AWS Config conformance packs to classify endpoints into three tiers based on TLS 1.3 support and PQC key exchange capability, which helps prioritize migration efforts. As quantum computing advances, organizations must transition to quantum-resistant cryptography to protect data long-term. The scanner provides continuous monitoring across AWS accounts to track PQC migration progress.
The solution is built using AWS Config rules and Lambda functions and can be deployed organization-wide through AWS Organizations. It includes specific checks for legacy TLS protocols that must be eliminated for full quantum readiness.
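The tiering and legacy-protocol check described above can be sketched as follows. This is an added example, not code from the AWS post or the scanner. The tier numbering, the record fields and the endpoint names are assumptions, and the inventory is constructed sample data standing in for settings already collected per endpoint.

```python
from collections import Counter

# Hybrid post-quantum key-exchange groups defined for TLS 1.3 (IANA names).
PQC_GROUPS = {"X25519MLKEM768", "SecP256r1MLKEM768", "SecP384r1MLKEM1024"}
LEGACY_PROTOCOLS = {"SSLv3", "TLSv1.0", "TLSv1.1"}

def classify(endpoint):
    """Return (tier, findings). Tier numbering is this example's assumption:
    1 = TLS 1.3 with a PQC group, 2 = TLS 1.3 without one, 3 = no TLS 1.3."""
    protocols, groups = set(endpoint["protocols"]), set(endpoint["groups"])
    findings = []
    legacy = sorted(protocols & LEGACY_PROTOCOLS)
    if legacy:
        findings.append("legacy protocols enabled: " + ", ".join(legacy))
    if "TLSv1.3" not in protocols:
        # Hybrid groups are negotiated only in TLS 1.3, so a configured PQC
        # group gives no protection here.
        findings.append("TLS 1.3 not enabled")
        return 3, findings
    if not groups & PQC_GROUPS:
        findings.append("no PQC key exchange group offered")
        return 2, findings
    return 1, findings

def report(inventory):
    """Count endpoints per tier and list the work items, worst tier first."""
    results = [(ep["name"], *classify(ep)) for ep in inventory]
    counts = Counter(tier for _, tier, _ in results)
    worklist = sorted((r for r in results if r[2]), key=lambda r: (-r[1], r[0]))
    return counts, worklist

# Constructed inventory: names and settings are sample data.
INVENTORY = [
    {"name": "alb-public", "protocols": ["TLSv1.2", "TLSv1.3"],
     "groups": ["X25519MLKEM768", "x25519"]},
    {"name": "nlb-partner", "protocols": ["TLSv1.2", "TLSv1.3"],
     "groups": ["x25519", "secp256r1"]},
    {"name": "apigw-legacy", "protocols": ["TLSv1.0", "TLSv1.2"],
     "groups": ["secp256r1"]},
    {"name": "alb-mixed", "protocols": ["TLSv1.1", "TLSv1.2", "TLSv1.3"],
     "groups": ["X25519MLKEM768"]},
]

if __name__ == "__main__":
    counts, worklist = report(INVENTORY)
    print(dict(counts))
    for name, tier, findings in worklist:
        print(f"tier {tier} {name}: {'; '.join(findings)}")
```

An endpoint such as `alb-mixed` lands in the top tier yet still appears on the worklist, because a legacy protocol remains enabled alongside the PQC group.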