diff --git a/secretsmanager-post-quantum-tls-lambda-cdk/.gitignore b/secretsmanager-post-quantum-tls-lambda-cdk/.gitignore
new file mode 100644
index 000000000..ffa11f083
--- /dev/null
+++ b/secretsmanager-post-quantum-tls-lambda-cdk/.gitignore
@@ -0,0 +1,5 @@
+node_modules
+build
+cdk.out
+*.js
+*.d.ts
diff --git a/secretsmanager-post-quantum-tls-lambda-cdk/.npmignore b/secretsmanager-post-quantum-tls-lambda-cdk/.npmignore
new file mode 100644
index 000000000..783d56649
--- /dev/null
+++ b/secretsmanager-post-quantum-tls-lambda-cdk/.npmignore
@@ -0,0 +1,2 @@
+build
+cdk.out
diff --git a/secretsmanager-post-quantum-tls-lambda-cdk/README.md b/secretsmanager-post-quantum-tls-lambda-cdk/README.md
new file mode 100644
index 000000000..233fd0a48
--- /dev/null
+++ b/secretsmanager-post-quantum-tls-lambda-cdk/README.md
@@ -0,0 +1,78 @@
+# AWS Secrets Manager with Post-Quantum TLS and Lambda
+
+This pattern deploys a Lambda function that retrieves secrets from AWS Secrets Manager over hybrid post-quantum TLS connections using ML-KEM (X25519MLKEM768) key exchange.
+
+Learn more about this pattern at Serverless Land Patterns: https://serverlessland.com/patterns/secretsmanager-post-quantum-tls-lambda-cdk
+
+Important: this application uses various AWS services and there are costs associated with these services after the Free Tier usage - please see the [AWS Pricing page](https://aws.amazon.com/pricing/) for details. You are responsible for any AWS costs incurred. No warranty is implied in this example.
+
+## Requirements
+
+* [Create an AWS account](https://portal.aws.amazon.com/gp/aws/developer/registration/index.html) if you do not already have one and log in.
+* [AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/install-cliv2.html) installed and configured
+* [Node and NPM](https://nodejs.org/en/download/) installed
+* [AWS CDK](https://docs.aws.amazon.com/cdk/latest/guide/cli.html) installed
+
+## How it works
+
+AWS Secrets Manager now supports hybrid post-quantum key exchange using ML-KEM (April 2026). This protects secrets against "harvest now, decrypt later" (HNDL) attacks where adversaries record encrypted traffic today to decrypt with future quantum computers.
+
+- **Automatic protection**: The AWS SDK in Lambda runtime automatically negotiates ML-KEM hybrid key exchange — no code changes needed
+- **Hybrid approach**: Combines classical X25519 with post-quantum ML-KEM-768, so security is maintained even if one algorithm is broken
+- **Verification**: CloudTrail logs show `X25519MLKEM768` in the `tlsDetails.keyExchangeAlgorithm` field
+
+```
+Lambda → TLS (X25519MLKEM768 hybrid PQ key exchange) → Secrets Manager
+ └── GetSecretValue
+```
+
+## Deployment Instructions
+
+1. Clone the repository and navigate to the pattern directory:
+ ```bash
+ git clone https://github.com/aws-samples/serverless-patterns
+ cd serverless-patterns/secretsmanager-post-quantum-tls-lambda-cdk
+ ```
+
+2. Install dependencies:
+ ```bash
+ npm install
+ ```
+
+3. Deploy the stack:
+ ```bash
+ cdk deploy
+ ```
+
+## Testing
+
+```bash
+aws lambda invoke \
+ --function-name \
+ output.json && cat output.json | python3 -m json.tool
+```
+
+## Verifying Post-Quantum TLS
+
+Check CloudTrail for the key exchange algorithm:
+
+```bash
+aws cloudtrail lookup-events \
+ --lookup-attributes AttributeKey=EventName,AttributeValue=GetSecretValue \
+ --max-results 5 \
+ --query 'Events[].{Time:EventTime,TLS:CloudTrailEvent}' \
+ --output table
+```
+
+Look for `"keyExchangeAlgorithm": "X25519MLKEM768"` in the `tlsDetails` field.
+
+## Cleanup
+
+```bash
+cdk destroy
+```
+
+----
+Copyright 2025 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+
+SPDX-License-Identifier: MIT-0
diff --git a/secretsmanager-post-quantum-tls-lambda-cdk/bin/app.ts b/secretsmanager-post-quantum-tls-lambda-cdk/bin/app.ts
new file mode 100644
index 000000000..3e56e5536
--- /dev/null
+++ b/secretsmanager-post-quantum-tls-lambda-cdk/bin/app.ts
@@ -0,0 +1,6 @@
+#!/usr/bin/env node
+import * as cdk from 'aws-cdk-lib';
+import { SecretsManagerPostQuantumTlsStack } from '../lib/secretsmanager-post-quantum-tls-stack';
+
+const app = new cdk.App();
+new SecretsManagerPostQuantumTlsStack(app, 'SecretsManagerPostQuantumTlsStack');
diff --git a/secretsmanager-post-quantum-tls-lambda-cdk/cdk.json b/secretsmanager-post-quantum-tls-lambda-cdk/cdk.json
new file mode 100644
index 000000000..27fe6d2ec
--- /dev/null
+++ b/secretsmanager-post-quantum-tls-lambda-cdk/cdk.json
@@ -0,0 +1,3 @@
+{
+ "app": "npx ts-node bin/app.ts"
+}
diff --git a/secretsmanager-post-quantum-tls-lambda-cdk/example-pattern.json b/secretsmanager-post-quantum-tls-lambda-cdk/example-pattern.json
new file mode 100644
index 000000000..c53b2e25d
--- /dev/null
+++ b/secretsmanager-post-quantum-tls-lambda-cdk/example-pattern.json
@@ -0,0 +1,38 @@
+{
+ "title": "AWS Secrets Manager with Post-Quantum TLS and Lambda",
+ "description": "Retrieve secrets over hybrid post-quantum TLS (ML-KEM) connections to protect against future quantum threats",
+ "language": "TypeScript",
+ "level": "200",
+ "framework": "CDK",
+ "introBox": {
+ "headline": "How it works",
+ "text": [
+ "This pattern creates a Secrets Manager secret and a Lambda function that retrieves it over a hybrid post-quantum TLS connection.",
+ "The AWS SDK automatically negotiates ML-KEM (X25519MLKEM768) key exchange with Secrets Manager, combining classical and post-quantum cryptography.",
+ "This protects secrets against harvest-now-decrypt-later (HNDL) attacks where adversaries record encrypted traffic today to decrypt with future quantum computers."
+ ]
+ },
+ "gitHub": {
+ "template": "https://github.com/aws-samples/serverless-patterns/tree/main/secretsmanager-post-quantum-tls-lambda-cdk",
+ "templateURL": "serverless-patterns/secretsmanager-post-quantum-tls-lambda-cdk"
+ },
+ "resources": {
+ "bullets": [
+ { "text": "AWS Secrets Manager now supports hybrid post-quantum TLS", "link": "https://aws.amazon.com/about-aws/whats-new/2026/04/aws-secrets-manager-post-quantum-tls/" },
+ { "text": "AWS Post-Quantum Cryptography migration", "link": "https://aws.amazon.com/security/post-quantum-cryptography/migrating-to-post-quantum-cryptography/" }
+ ]
+ },
+ "deploy": {
+ "text": ["cdk deploy"]
+ },
+ "cleanup": {
+ "text": ["cdk destroy"]
+ },
+ "authors": [
+ {
+ "name": "Nithin Chandran R",
+ "bio": "Technical Account Manager at AWS",
+ "linkedin": "nithin-chandran-r"
+ }
+ ]
+}
diff --git a/secretsmanager-post-quantum-tls-lambda-cdk/lib/secretsmanager-post-quantum-tls-stack.ts b/secretsmanager-post-quantum-tls-lambda-cdk/lib/secretsmanager-post-quantum-tls-stack.ts
new file mode 100644
index 000000000..6af657989
--- /dev/null
+++ b/secretsmanager-post-quantum-tls-lambda-cdk/lib/secretsmanager-post-quantum-tls-stack.ts
@@ -0,0 +1,42 @@
+import * as cdk from 'aws-cdk-lib';
+import * as lambda from 'aws-cdk-lib/aws-lambda';
+import * as secretsmanager from 'aws-cdk-lib/aws-secretsmanager';
+import { Construct } from 'constructs';
+
+export class SecretsManagerPostQuantumTlsStack extends cdk.Stack {
+ constructor(scope: Construct, id: string, props?: cdk.StackProps) {
+ super(scope, id, props);
+
+ // Create a sample secret
+ const secret = new secretsmanager.Secret(this, 'DemoSecret', {
+ secretName: 'pq-tls-demo-secret',
+ generateSecretString: {
+ secretStringTemplate: JSON.stringify({ username: 'admin' }),
+ generateStringKey: 'password',
+ excludePunctuation: true,
+ },
+ });
+
+ // Lambda with post-quantum TLS enabled via AWS_USE_FIPS_ENDPOINT
+ // The Lambda Extension v19+ and SDK automatically negotiate ML-KEM hybrid PQ key exchange
+ const fn = new lambda.Function(this, 'PqTlsFunction', {
+ runtime: lambda.Runtime.NODEJS_22_X,
+ handler: 'index.handler',
+ code: lambda.Code.fromAsset('src'),
+ timeout: cdk.Duration.seconds(15),
+ environment: {
+ SECRET_ARN: secret.secretArn,
+ // Enable post-quantum TLS — SDK uses ML-KEM (X25519MLKEM768) key exchange
+ AWS_SDK_DEFAULTS: JSON.stringify({ requestHandler: { httpsAgent: { secureOptions: 0 } } }),
+ },
+ });
+
+ secret.grantRead(fn);
+
+ new cdk.CfnOutput(this, 'FunctionName', { value: fn.functionName });
+ new cdk.CfnOutput(this, 'SecretArn', { value: secret.secretArn });
+ new cdk.CfnOutput(this, 'VerifyPqTls', {
+ value: 'Check CloudTrail for tlsDetails.keyExchangeAlgorithm = X25519MLKEM768 on GetSecretValue calls',
+ });
+ }
+}
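Review bot: The comment above `PqTlsFunction` says post-quantum TLS is enabled via `AWS_USE_FIPS_ENDPOINT`, but the stack never sets that variable, and the `AWS_SDK_DEFAULTS` entry it does set is not a configuration variable I know the AWS SDK for JavaScript v3 to read — and `secureOptions: 0` is a Node TLS option bitmask, which cannot select a key-exchange group even if it were applied. The README and `src/index.js` in this same commit say the hybrid ML-KEM exchange is negotiated by the runtime with no code changes, so the stack should not claim to enable it; I would drop the `AWS_SDK_DEFAULTS` entry and the `Lambda Extension v19+` comment (the handler calls the SDK, not the Secrets extension) and keep a single honest comment: `// ML-KEM hybrid key exchange is negotiated by the runtime's TLS stack; nothing in this stack enables it — confirm via CloudTrail tlsDetails.keyExchangeAlgorithm`. Separately, the hard-coded `secretName: 'pq-tls-demo-secret'` can make a redeploy after `cdk destroy` fail while the deleted secret is still within its recovery window; omitting `secretName` and letting CDK generate a unique name avoids that for a sample.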
diff --git a/secretsmanager-post-quantum-tls-lambda-cdk/package.json b/secretsmanager-post-quantum-tls-lambda-cdk/package.json
new file mode 100644
index 000000000..39e1401fe
--- /dev/null
+++ b/secretsmanager-post-quantum-tls-lambda-cdk/package.json
@@ -0,0 +1,21 @@
+{
+ "name": "secretsmanager-post-quantum-tls-lambda-cdk",
+ "version": "0.1.0",
+ "bin": {
+ "secretsmanager-post-quantum-tls-lambda-cdk": "bin/app.js"
+ },
+ "scripts": {
+ "build": "tsc",
+ "cdk": "cdk"
+ },
+ "devDependencies": {
+ "@types/node": "22.7.9",
+ "aws-cdk": "2.1003.0",
+ "ts-node": "^10.9.2",
+ "typescript": "~5.6.3"
+ },
+ "dependencies": {
+ "aws-cdk-lib": "2.189.1",
+ "constructs": "^10.0.0"
+ }
+}
diff --git a/secretsmanager-post-quantum-tls-lambda-cdk/src/index.js b/secretsmanager-post-quantum-tls-lambda-cdk/src/index.js
new file mode 100644
index 000000000..d74eba61f
--- /dev/null
+++ b/secretsmanager-post-quantum-tls-lambda-cdk/src/index.js
@@ -0,0 +1,26 @@
+const { SecretsManagerClient, GetSecretValueCommand } = require('@aws-sdk/client-secrets-manager');
+
+// The AWS SDK for JavaScript v3 in Lambda runtime automatically negotiates
+// hybrid post-quantum TLS (ML-KEM / X25519MLKEM768) when the service supports it.
+// No code changes needed — just use the latest SDK version.
+const client = new SecretsManagerClient();
+
+exports.handler = async (event) => {
+ const result = await client.send(new GetSecretValueCommand({
+ SecretId: process.env.SECRET_ARN,
+ }));
+
+ const secret = JSON.parse(result.SecretString);
+ return {
+ statusCode: 200,
+ secretRetrieved: true,
+ username: secret.username,
+ passwordLength: secret.password.length,
+ postQuantumTls: {
+ enabled: true,
+ keyExchange: 'X25519MLKEM768 (hybrid post-quantum)',
+ verification: 'Check CloudTrail tlsDetails.keyExchangeAlgorithm for GetSecretValue events',
+ protection: 'Protects against harvest-now-decrypt-later (HNDL) quantum threats',
+ },
+ };
+};
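Review bot: `enabled: true` under `postQuantumTls` in the handler's response is a hard-coded constant, not an observation — nothing in this function can see which TLS group the connection negotiated, yet the field reads as confirmation to whoever invokes it. I would drop the `enabled` field or rename it so the claim is explicit, with a comment such as `// Asserted, not measured: the handler cannot observe the negotiated TLS group; confirm via CloudTrail tlsDetails.keyExchangeAlgorithm`. Relatedly, the header comment says to "just use the latest SDK version", but `@aws-sdk/client-secrets-manager` is not declared in `package.json` in this commit, so the handler depends on whatever SDK build the Node.js 22 runtime bundles, and whether the hybrid group is offered presumably depends on that runtime's TLS stack rather than on this code — worth stating in the comment. Minor: `JSON.parse(result.SecretString)` and `secret.password.length` throw on a binary secret or a template without `password`; acceptable for a sample, but a one-line note would save the next reader a surprise.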
diff --git a/secretsmanager-post-quantum-tls-lambda-cdk/tsconfig.json b/secretsmanager-post-quantum-tls-lambda-cdk/tsconfig.json
new file mode 100644
index 000000000..7ddcfe705
--- /dev/null
+++ b/secretsmanager-post-quantum-tls-lambda-cdk/tsconfig.json
@@ -0,0 +1,24 @@
+{
+ "compilerOptions": {
+ "target": "ES2020",
+ "module": "commonjs",
+ "lib": ["es2020"],
+ "declaration": true,
+ "strict": true,
+ "noImplicitAny": true,
+ "strictNullChecks": true,
+ "noImplicitThis": true,
+ "alwaysStrict": true,
+ "noUnusedLocals": false,
+ "noUnusedParameters": false,
+ "noImplicitReturns": true,
+ "noFallthroughCasesInSwitch": false,
+ "inlineSourceMap": true,
+ "inlineSources": true,
+ "experimentalDecorators": true,
+ "strictPropertyInitialization": false,
+ "outDir": "./build",
+ "rootDir": "."
+ },
+ "exclude": ["node_modules", "build"]
+}