Security policies for AWS Transfer Family
Server security policies in AWS Transfer Family allow you to limit the set of cryptographic algorithms (message authentication codes (MACs), key exchanges (KEXs), and cipher suites) associated with your server. For a list of supported cryptographic algorithms, see Cryptographic algorithms. For a list of supported key algorithms for use with server host keys and service-managed user keys, see Supported algorithms for user and server keys.
Note
We support TLS 1.2.
The available security policies for the server are TransferSecurityPolicy-2023-05, TransferSecurityPolicy-2022-03, TransferSecurityPolicy-2020-06, TransferSecurityPolicy-2018-11, TransferSecurityPolicy-FIPS-2023-05, TransferSecurityPolicy-FIPS-2020-06, and the post-quantum policies TransferSecurityPolicy-PQ-SSH-Experimental-2023-04 and TransferSecurityPolicy-PQ-SSH-FIPS-Experimental-2023-04. Each is listed in full below.
Note
- TransferSecurityPolicy-2020-06 is the default security policy attached to your server when you create a server using the console.
- TransferSecurityPolicy-2018-11 is the default security policy attached to your server when you create a server using the API or CLI.
- TransferSecurityPolicy-FIPS-2020-06 is the default security policy attached to your FIPS-enabled server endpoints.
Because the console and API/CLI defaults differ, and because TransferSecurityPolicy-2018-11 still offers SHA-1 based key exchange and MACs (diffie-hellman-group14-sha1, hmac-sha1), 64-bit UMAC tags (umac-64) and static-RSA TLS suites without forward secrecy, set SecurityPolicyName explicitly when you create or update a server rather than relying on the default.
Cryptographic algorithms
The following table lists the cryptographic algorithms each security policy offers (♦ = offered). Column headers abbreviate the policy names, for example 2023-05 is TransferSecurityPolicy-2023-05; the full policy listings follow the table.
Algorithm | 2023-05 | 2022-03 | 2020-06 | FIPS-2023-05 | FIPS-2020-06 | 2018-11 |
---|---|---|---|---|---|---|
SSH ciphers | | | | | | |
aes128-ctr | | | ♦ | | ♦ | ♦ |
aes128-gcm@openssh.com | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
aes192-ctr | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
aes256-ctr | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
aes256-gcm@openssh.com | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
chacha20-poly1305@openssh.com | | | ♦ | | | ♦ |
KEXs | | | | | | |
diffie-hellman-group14-sha256 | | | ♦ | | ♦ | ♦ |
diffie-hellman-group16-sha512 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
diffie-hellman-group18-sha512 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
ecdh-sha2-nistp384 | | | ♦ | | ♦ | ♦ |
ecdh-sha2-nistp521 | | | ♦ | | ♦ | ♦ |
diffie-hellman-group-exchange-sha256 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
diffie-hellman-group14-sha1 | | | | | | ♦ |
ecdh-sha2-nistp256 | | | ♦ | | ♦ | ♦ |
curve25519-sha256@libssh.org | ♦ | ♦ | | | | ♦ |
curve25519-sha256 | ♦ | ♦ | | | | ♦ |
MACs | | | | | | |
hmac-sha2-256-etm@openssh.com | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
hmac-sha2-256 | | ♦ | ♦ | | ♦ | ♦ |
hmac-sha2-512-etm@openssh.com | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
hmac-sha2-512 | | ♦ | ♦ | | ♦ | ♦ |
hmac-sha1-etm@openssh.com | | | | | | ♦ |
hmac-sha1 | | | | | | ♦ |
umac-128-etm@openssh.com | | | ♦ | | | ♦ |
umac-128@openssh.com | | | ♦ | | | ♦ |
umac-64-etm@openssh.com | | | | | | ♦ |
umac-64@openssh.com | | | | | | ♦ |
TLS ciphers | | | | | | |
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
TLS_RSA_WITH_AES_128_CBC_SHA256 | | | | | | ♦ |
TLS_RSA_WITH_AES_256_CBC_SHA256 | | | | | | ♦ |
TransferSecurityPolicy-2023-05
The following shows the TransferSecurityPolicy-2023-05 security policy.
```json
{
  "SecurityPolicy": {
    "Fips": false,
    "SecurityPolicyName": "TransferSecurityPolicy-2023-05",
    "SshCiphers": [
      "aes256-gcm@openssh.com", "aes128-gcm@openssh.com", "aes256-ctr", "aes192-ctr"
    ],
    "SshKexs": [
      "curve25519-sha256", "curve25519-sha256@libssh.org",
      "diffie-hellman-group16-sha512", "diffie-hellman-group18-sha512",
      "diffie-hellman-group-exchange-sha256"
    ],
    "SshMacs": [
      "hmac-sha2-512-etm@openssh.com", "hmac-sha2-256-etm@openssh.com"
    ],
    "TlsCiphers": [
      "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
      "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
      "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
      "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
    ]
  }
}
```
TransferSecurityPolicy-2022-03
The following shows the TransferSecurityPolicy-2022-03 security policy.
```json
{
  "SecurityPolicy": {
    "Fips": false,
    "SecurityPolicyName": "TransferSecurityPolicy-2022-03",
    "SshCiphers": [
      "aes256-gcm@openssh.com", "aes128-gcm@openssh.com", "aes256-ctr", "aes192-ctr"
    ],
    "SshKexs": [
      "curve25519-sha256", "curve25519-sha256@libssh.org",
      "diffie-hellman-group16-sha512", "diffie-hellman-group18-sha512",
      "diffie-hellman-group-exchange-sha256"
    ],
    "SshMacs": [
      "hmac-sha2-512-etm@openssh.com", "hmac-sha2-256-etm@openssh.com",
      "hmac-sha2-512", "hmac-sha2-256"
    ],
    "TlsCiphers": [
      "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
      "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
      "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
      "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
    ]
  }
}
```
TransferSecurityPolicy-2020-06
The following shows the TransferSecurityPolicy-2020-06 security policy.
```json
{
  "SecurityPolicy": {
    "Fips": false,
    "SecurityPolicyName": "TransferSecurityPolicy-2020-06",
    "SshCiphers": [
      "chacha20-poly1305@openssh.com", "aes128-ctr", "aes192-ctr", "aes256-ctr",
      "aes128-gcm@openssh.com", "aes256-gcm@openssh.com"
    ],
    "SshKexs": [
      "ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521",
      "diffie-hellman-group-exchange-sha256", "diffie-hellman-group16-sha512",
      "diffie-hellman-group18-sha512", "diffie-hellman-group14-sha256"
    ],
    "SshMacs": [
      "umac-128-etm@openssh.com", "hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com",
      "umac-128@openssh.com", "hmac-sha2-256", "hmac-sha2-512"
    ],
    "TlsCiphers": [
      "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
      "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
      "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
      "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
    ]
  }
}
```
TransferSecurityPolicy-2018-11
The following shows the TransferSecurityPolicy-2018-11 security policy.
```json
{
  "SecurityPolicy": {
    "Fips": false,
    "SecurityPolicyName": "TransferSecurityPolicy-2018-11",
    "SshCiphers": [
      "chacha20-poly1305@openssh.com", "aes128-ctr", "aes192-ctr", "aes256-ctr",
      "aes128-gcm@openssh.com", "aes256-gcm@openssh.com"
    ],
    "SshKexs": [
      "curve25519-sha256", "curve25519-sha256@libssh.org",
      "ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521",
      "diffie-hellman-group-exchange-sha256", "diffie-hellman-group16-sha512",
      "diffie-hellman-group18-sha512", "diffie-hellman-group14-sha256",
      "diffie-hellman-group14-sha1"
    ],
    "SshMacs": [
      "umac-64-etm@openssh.com", "umac-128-etm@openssh.com",
      "hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com",
      "hmac-sha1-etm@openssh.com", "umac-64@openssh.com", "umac-128@openssh.com",
      "hmac-sha2-256", "hmac-sha2-512", "hmac-sha1"
    ],
    "TlsCiphers": [
      "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
      "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
      "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
      "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
      "TLS_RSA_WITH_AES_128_CBC_SHA256", "TLS_RSA_WITH_AES_256_CBC_SHA256"
    ]
  }
}
```
TransferSecurityPolicy-FIPS-2023-05
The FIPS certification details for AWS Transfer Family can be found at https://csrc.nist.gov/projects/cryptographic-module-validation-program/validated-modules/search/all
The following shows the TransferSecurityPolicy-FIPS-2023-05 security policy.
Note
The FIPS service endpoint and the TransferSecurityPolicy-FIPS-2023-05 security policy are only available in some AWS Regions. For more information, see AWS Transfer Family endpoints and quotas in the AWS General Reference.
```json
{
  "SecurityPolicy": {
    "Fips": true,
    "SecurityPolicyName": "TransferSecurityPolicy-FIPS-2023-05",
    "SshCiphers": [
      "aes256-gcm@openssh.com", "aes128-gcm@openssh.com", "aes256-ctr", "aes192-ctr"
    ],
    "SshKexs": [
      "diffie-hellman-group16-sha512", "diffie-hellman-group18-sha512",
      "diffie-hellman-group-exchange-sha256"
    ],
    "SshMacs": [
      "hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com"
    ],
    "TlsCiphers": [
      "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
      "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
      "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
      "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
    ]
  }
}
```
TransferSecurityPolicy-FIPS-2020-06
The FIPS certification details for AWS Transfer Family can be found at https://csrc.nist.gov/projects/cryptographic-module-validation-program/validated-modules/search/all
The following shows the TransferSecurityPolicy-FIPS-2020-06 security policy.
Note
The FIPS service endpoint and TransferSecurityPolicy-FIPS-2020-06 security policy are only available in some AWS Regions. For more information, see AWS Transfer Family endpoints and quotas in the AWS General Reference.
```json
{
  "SecurityPolicy": {
    "Fips": true,
    "SecurityPolicyName": "TransferSecurityPolicy-FIPS-2020-06",
    "SshCiphers": [
      "aes128-ctr", "aes192-ctr", "aes256-ctr",
      "aes128-gcm@openssh.com", "aes256-gcm@openssh.com"
    ],
    "SshKexs": [
      "ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521",
      "diffie-hellman-group-exchange-sha256", "diffie-hellman-group16-sha512",
      "diffie-hellman-group18-sha512", "diffie-hellman-group14-sha256"
    ],
    "SshMacs": [
      "hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com",
      "hmac-sha2-256", "hmac-sha2-512"
    ],
    "TlsCiphers": [
      "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
      "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
      "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
      "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
    ]
  }
}
```
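The policy listings above are what a server will actually offer, so the practical questions are: which of the offered algorithms are weak, and what does a given client end up negotiating before and after a policy change? The following script is an added example and is not code from the AWS documentation or the Transfer Family service. It transcribes the TransferSecurityPolicy-2018-11 and TransferSecurityPolicy-2023-05 listings from this page; the weakness rules, the two client preference profiles and the negotiation model (the RFC 4253 section 7.1 rule that the first algorithm in the client's preference list which the server also offers wins) are this example's own assumptions, not AWS guidance.

```python
"""Offline audit of AWS Transfer Family security policies (added example, not AWS code).

POLICIES is transcribed from the TransferSecurityPolicy-2018-11 and -2023-05 listings
on this page. Weakness rules, client profiles and the negotiation model are assumptions.
"""


def _ecdhe_suites():
    # The eight ECDHE TLS 1.2 suites every policy on the page shares, in page order.
    return [f"TLS_ECDHE_{auth}_WITH_AES_{bits}_{mode}_{h}"
            for bits, mode, h in ((128, "GCM", "SHA256"), (128, "CBC", "SHA256"),
                                  (256, "GCM", "SHA384"), (256, "CBC", "SHA384"))
            for auth in ("ECDSA", "RSA")]


POLICIES = {
    "TransferSecurityPolicy-2018-11": {  # default when a server is created via API/CLI
        "SshCiphers": ["chacha20-poly1305@openssh.com", "aes128-ctr", "aes192-ctr",
                       "aes256-ctr", "aes128-gcm@openssh.com", "aes256-gcm@openssh.com"],
        "SshKexs": ["curve25519-sha256", "curve25519-sha256@libssh.org",
                    "ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521",
                    "diffie-hellman-group-exchange-sha256", "diffie-hellman-group16-sha512",
                    "diffie-hellman-group18-sha512", "diffie-hellman-group14-sha256",
                    "diffie-hellman-group14-sha1"],
        "SshMacs": ["umac-64-etm@openssh.com", "umac-128-etm@openssh.com",
                    "hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com",
                    "hmac-sha1-etm@openssh.com", "umac-64@openssh.com", "umac-128@openssh.com",
                    "hmac-sha2-256", "hmac-sha2-512", "hmac-sha1"],
        "TlsCiphers": _ecdhe_suites() + ["TLS_RSA_WITH_AES_128_CBC_SHA256",
                                         "TLS_RSA_WITH_AES_256_CBC_SHA256"],
    },
    "TransferSecurityPolicy-2023-05": {
        "SshCiphers": ["aes256-gcm@openssh.com", "aes128-gcm@openssh.com",
                       "aes256-ctr", "aes192-ctr"],
        "SshKexs": ["curve25519-sha256", "curve25519-sha256@libssh.org",
                    "diffie-hellman-group16-sha512", "diffie-hellman-group18-sha512",
                    "diffie-hellman-group-exchange-sha256"],
        "SshMacs": ["hmac-sha2-512-etm@openssh.com", "hmac-sha2-256-etm@openssh.com"],
        "TlsCiphers": _ecdhe_suites(),
    },
}


def weak_reasons(alg):
    """Reasons this example flags an algorithm name (its own judgement); [] if not flagged."""
    reasons = []
    if "sha1" in alg:
        reasons.append("SHA-1")
    if alg.startswith("umac-64"):
        reasons.append("64-bit MAC tag")
    if alg.startswith("hmac-sha2") and not alg.endswith("-etm@openssh.com"):
        reasons.append("encrypt-and-MAC (non-ETM)")
    if alg.startswith("TLS_RSA_"):
        reasons.append("static RSA key exchange, no forward secrecy")
    if alg.startswith("TLS_") and "_CBC_" in alg:
        reasons.append("CBC mode TLS suite")
    return reasons


def audit(policy_name):
    """Map every flagged algorithm in a policy to its reasons."""
    algs = [a for section in POLICIES[policy_name].values() for a in section]
    return {a: weak_reasons(a) for a in algs if weak_reasons(a)}


def negotiate(client_prefs, server_list):
    """RFC 4253 s7.1: first name in the client's order that the server offers, else None."""
    offered = set(server_list)
    return next((alg for alg in client_prefs if alg in offered), None)


def predict(client, policy_name):
    """Predicted SSH cipher, KEX and MAC for a client profile under a policy (None = no match)."""
    policy = POLICIES[policy_name]
    return {"cipher": negotiate(client["ciphers"], policy["SshCiphers"]),
            "kex": negotiate(client["kex"], policy["SshKexs"]),
            "mac": negotiate(client["macs"], policy["SshMacs"])}


def diff(old_name, new_name):
    """Algorithm names removed and added when a server moves from old_name to new_name."""
    old = {a for s in POLICIES[old_name].values() for a in s}
    new = {a for s in POLICIES[new_name].values() for a in s}
    return {"removed": old - new, "added": new - old}


# Constructed client profiles (hypothetical preference orders, not any vendor's defaults).
LEGACY_CLIENT = {"ciphers": ["aes128-cbc", "aes128-ctr", "aes256-ctr"],
                 "kex": ["diffie-hellman-group14-sha1", "diffie-hellman-group-exchange-sha256"],
                 "macs": ["hmac-sha1", "hmac-sha2-256"]}
MODERN_CLIENT = {"ciphers": ["chacha20-poly1305@openssh.com", "aes128-ctr", "aes192-ctr",
                             "aes256-ctr", "aes128-gcm@openssh.com", "aes256-gcm@openssh.com"],
                 "kex": ["curve25519-sha256", "ecdh-sha2-nistp256",
                         "diffie-hellman-group-exchange-sha256"],
                 "macs": ["umac-64-etm@openssh.com", "umac-128-etm@openssh.com",
                          "hmac-sha2-256-etm@openssh.com", "hmac-sha2-256"]}

if __name__ == "__main__":
    for name in POLICIES:
        print(name, "flagged:", audit(name))
        print("  legacy client:", predict(LEGACY_CLIENT, name))
        print("  modern client:", predict(MODERN_CLIENT, name))
    print(diff("TransferSecurityPolicy-2018-11", "TransferSecurityPolicy-2023-05"))
```

Two results are worth noting. Under the API/CLI default TransferSecurityPolicy-2018-11, the modern profile negotiates umac-64-etm@openssh.com simply because it is first in the client's MAC list, so a 64-bit tag is used even though both sides support hmac-sha2-256-etm@openssh.com. Moving that server to TransferSecurityPolicy-2023-05 removes algorithms only (the diff adds nothing) but leaves the legacy profile with no MAC in common, so run this kind of prediction over your real client population before changing SecurityPolicyName in production.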
Post Quantum security policies
This table lists the algorithms for the Transfer Family post-quantum security policies (♦ = offered). These policies are described in detail in Using hybrid post-quantum key exchange with AWS Transfer Family.
The policy listings follow the table.
Algorithm | TransferSecurityPolicy-PQ-SSH-Experimental-2023-04 | TransferSecurityPolicy-PQ-SSH-FIPS-Experimental-2023-04 |
---|---|---|
SSH ciphers | | |
aes128-ctr | | ♦ |
aes128-gcm@openssh.com | ♦ | ♦ |
aes192-ctr | ♦ | ♦ |
aes256-ctr | ♦ | ♦ |
aes256-gcm@openssh.com | ♦ | ♦ |
KEXs | | |
ecdh-nistp256-kyber-512r3-sha256-d00@openquantumsafe.org | ♦ | ♦ |
ecdh-nistp384-kyber-768r3-sha384-d00@openquantumsafe.org | ♦ | ♦ |
ecdh-nistp521-kyber-1024r3-sha512-d00@openquantumsafe.org | ♦ | ♦ |
x25519-kyber-512r3-sha256-d00@amazon.com | ♦ | |
diffie-hellman-group14-sha256 | | ♦ |
diffie-hellman-group16-sha512 | ♦ | ♦ |
diffie-hellman-group18-sha512 | ♦ | ♦ |
ecdh-sha2-nistp384 | | ♦ |
ecdh-sha2-nistp521 | | ♦ |
diffie-hellman-group-exchange-sha256 | ♦ | ♦ |
ecdh-sha2-nistp256 | | ♦ |
curve25519-sha256@libssh.org | ♦ | |
curve25519-sha256 | ♦ | |
MACs | | |
hmac-sha2-256-etm@openssh.com | ♦ | ♦ |
hmac-sha2-256 | ♦ | ♦ |
hmac-sha2-512-etm@openssh.com | ♦ | ♦ |
hmac-sha2-512 | ♦ | ♦ |
TLS ciphers | | |
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 | ♦ | ♦ |
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 | ♦ | ♦ |
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 | ♦ | ♦ |
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 | ♦ | ♦ |
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 | ♦ | ♦ |
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 | ♦ | ♦ |
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 | ♦ | ♦ |
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 | ♦ | ♦ |
TransferSecurityPolicy-PQ-SSH-Experimental-2023-04
The following shows the TransferSecurityPolicy-PQ-SSH-Experimental-2023-04 security policy.
```json
{
  "SecurityPolicy": {
    "Fips": false,
    "SecurityPolicyName": "TransferSecurityPolicy-PQ-SSH-Experimental-2023-04",
    "SshCiphers": [
      "aes256-gcm@openssh.com", "aes128-gcm@openssh.com", "aes256-ctr", "aes192-ctr"
    ],
    "SshKexs": [
      "ecdh-nistp384-kyber-768r3-sha384-d00@openquantumsafe.org",
      "x25519-kyber-512r3-sha256-d00@amazon.com",
      "ecdh-nistp256-kyber-512r3-sha256-d00@openquantumsafe.org",
      "ecdh-nistp521-kyber-1024r3-sha512-d00@openquantumsafe.org",
      "curve25519-sha256", "curve25519-sha256@libssh.org",
      "diffie-hellman-group16-sha512", "diffie-hellman-group18-sha512",
      "diffie-hellman-group-exchange-sha256"
    ],
    "SshMacs": [
      "hmac-sha2-512-etm@openssh.com", "hmac-sha2-256-etm@openssh.com",
      "hmac-sha2-512", "hmac-sha2-256"
    ],
    "TlsCiphers": [
      "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
      "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
      "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
      "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
    ]
  }
}
```
TransferSecurityPolicy-PQ-SSH-FIPS-Experimental-2023-04
The following shows the TransferSecurityPolicy-PQ-SSH-FIPS-Experimental-2023-04 security policy.
```json
{
  "SecurityPolicy": {
    "Fips": true,
    "SecurityPolicyName": "TransferSecurityPolicy-PQ-SSH-FIPS-Experimental-2023-04",
    "SshCiphers": [
      "aes256-gcm@openssh.com", "aes128-gcm@openssh.com", "aes256-ctr", "aes192-ctr",
      "aes128-ctr"
    ],
    "SshKexs": [
      "ecdh-nistp384-kyber-768r3-sha384-d00@openquantumsafe.org",
      "ecdh-nistp256-kyber-512r3-sha256-d00@openquantumsafe.org",
      "ecdh-nistp521-kyber-1024r3-sha512-d00@openquantumsafe.org",
      "ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521",
      "diffie-hellman-group-exchange-sha256", "diffie-hellman-group16-sha512",
      "diffie-hellman-group18-sha512", "diffie-hellman-group14-sha256"
    ],
    "SshMacs": [
      "hmac-sha2-512-etm@openssh.com", "hmac-sha2-256-etm@openssh.com",
      "hmac-sha2-512", "hmac-sha2-256"
    ],
    "TlsCiphers": [
      "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
      "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
      "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
      "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
    ]
  }
}
```
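Both post-quantum policies list classical key exchanges after the hybrid ones, so a client that does not offer one of the listed Kyber hybrids silently negotiates a classical KEX and gets no post-quantum protection at all. The script below is an added example, not AWS code or part of the Transfer Family documentation; it transcribes the SshKexs lists of the two PQ policies above and uses the same first-client-preference negotiation rule as in RFC 4253 section 7.1. The hybrid-name pattern is inferred from the names on this page, and the three client preference lists are constructed for illustration (the sntrup761x25519-sha512@openssh.com name is OpenSSH's own post-quantum KEX, which neither policy lists).

```python
"""Does a client really get post-quantum key exchange? (added example, not AWS code)

PQ_KEX is transcribed from the two TransferSecurityPolicy-PQ-SSH-*-Experimental-2023-04
listings on this page; client lists and the negotiation rule are this example's own.
"""
import re

PQ_KEX = {
    "TransferSecurityPolicy-PQ-SSH-Experimental-2023-04": [
        "ecdh-nistp384-kyber-768r3-sha384-d00@openquantumsafe.org",
        "x25519-kyber-512r3-sha256-d00@amazon.com",
        "ecdh-nistp256-kyber-512r3-sha256-d00@openquantumsafe.org",
        "ecdh-nistp521-kyber-1024r3-sha512-d00@openquantumsafe.org",
        "curve25519-sha256", "curve25519-sha256@libssh.org",
        "diffie-hellman-group16-sha512", "diffie-hellman-group18-sha512",
        "diffie-hellman-group-exchange-sha256"],
    "TransferSecurityPolicy-PQ-SSH-FIPS-Experimental-2023-04": [
        "ecdh-nistp384-kyber-768r3-sha384-d00@openquantumsafe.org",
        "ecdh-nistp256-kyber-512r3-sha256-d00@openquantumsafe.org",
        "ecdh-nistp521-kyber-1024r3-sha512-d00@openquantumsafe.org",
        "ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521",
        "diffie-hellman-group-exchange-sha256", "diffie-hellman-group16-sha512",
        "diffie-hellman-group18-sha512", "diffie-hellman-group14-sha256"],
}

# Shape of the hybrid names on this page: <classical>-kyber-<level>r3-<hash>-<draft>@<domain>
HYBRID = re.compile(r"^(?P<classical>ecdh-nistp\d+|x25519)-kyber-(?P<kem>\d+)r3-"
                    r"(?P<hash>sha\d+)-(?P<draft>d\d+)@(?P<domain>[\w.]+)$")


def parse_hybrid(kex):
    """Components of a hybrid PQ KEX name, or None if the name is purely classical."""
    m = HYBRID.match(kex)
    return m.groupdict() if m else None


def negotiate(client_prefs, server_list):
    """RFC 4253 s7.1: first name in the client's order that the server offers, else None."""
    offered = set(server_list)
    return next((k for k in client_prefs if k in offered), None)


def assess(client_kex, policy_name):
    """Negotiated KEX for a client under a PQ policy, and whether it is a PQ hybrid."""
    chosen = negotiate(client_kex, PQ_KEX[policy_name])
    return {"kex": chosen,
            "post_quantum": chosen is not None and parse_hybrid(chosen) is not None}


def hybrid_kex_offered(policy_name):
    """The hybrid names a client must offer to get PQ protection under this policy."""
    return [k for k in PQ_KEX[policy_name] if parse_hybrid(k)]


# Constructed client preference lists (hypothetical; not any vendor's defaults).
OQS_CLIENT = ["ecdh-nistp384-kyber-768r3-sha384-d00@openquantumsafe.org",
              "ecdh-nistp256-kyber-512r3-sha256-d00@openquantumsafe.org",
              "curve25519-sha256", "ecdh-sha2-nistp256"]
# Only PQ option is OpenSSH's sntrup761x25519 KEX, which neither policy lists,
# so this client falls back to a classical KEX without any error.
SNTRUP_CLIENT = ["sntrup761x25519-sha512@openssh.com", "curve25519-sha256",
                 "ecdh-sha2-nistp256", "diffie-hellman-group14-sha256"]
CLASSICAL_CLIENT = ["curve25519-sha256", "ecdh-sha2-nistp256"]

if __name__ == "__main__":
    for policy in PQ_KEX:
        print(policy, "hybrid KEX offered:", hybrid_kex_offered(policy))
        for label, client in (("oqs", OQS_CLIENT), ("sntrup", SNTRUP_CLIENT),
                              ("classical", CLASSICAL_CLIENT)):
            print(f"  {label:9}", assess(client, policy))
```

The fallback is the point: a policy name containing "PQ" does not guarantee a post-quantum session, and nothing in the handshake fails when the client lacks a matching hybrid. Confirm on the client side rather than assuming; with OpenSSH, `ssh -vv` prints the negotiated KEX in a `debug1: kex: algorithm:` line, and the name must be one of those returned by hybrid_kex_offered for the policy in use.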