AWS Transfer Family 服务器的安全策略 - AWS Transfer Family

本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。

AWS Transfer Family 服务器的安全策略

中的服务器安全策略 AWS Transfer Family 允许您限制与服务器关联的一组加密算法(消息身份验证码 (MACs)、密钥交换 (KEXs)、密码套件、内容加密密码和哈希算法)。有关支持的密钥算法的列表,请参阅 加密算法。有关支持的服务器主机秘钥和服务托管用户秘钥算法列表,请参见 在 Transfer Family 中管理 SSH 和 PGP 密钥

注意

我们强烈建议将您的服务器更新为我们的最新安全政策。

  • TransferSecurityPolicy-2024-01是使用控制台、API 或 CLI 创建服务器时附加到服务器的默认安全策略。

  • 如果您使用默认安全策略创建 Transfer Family 服务器 CloudFormation 并接受默认安全策略,则会分配该服务器TransferSecurityPolicy-2018-11

如果您担心客户端兼容性,请明确说明在创建或更新服务器时您希望使用哪种安全策略,而不是使用默认策略,默认策略可能会发生变化。要更改服务器的安全策略,请参阅编辑安全策略

有关 Transfer Family 安全性的更多信息,请参阅以下博客文章:

加密算法

对于主机密钥,我们支持以下算法:

  • rsa-sha2-256

  • rsa-sha2-512

  • ecdsa-sha2-nistp256

  • ecdsa-sha2-nistp384

  • ecdsa-sha2-nistp521

  • ssh-ed25519

此外,以下安全策略允许ssh-rsa

  • TransferSecurityPolicy-2018-11

  • TransferSecurityPolicy-2020-06

  • TransferSecurityPolicy-FIPS-2020-06

  • TransferSecurityPolicy-FIPS-2023-05

  • TransferSecurityPolicy-FIPS-2024-01

  • TransferSecurityPolicy-pq-ssh-fips-Experimental-2023-04

注意

了解 RSA 密钥类型(始终是)和 RSA 主机密钥算法(可以是任何支持的算法ssh-rsa)之间的区别非常重要。

以下是各种安全策略支持的加密算法列表。

注意

在下表和策略中,请注意算法类型的以下用法。

  • SFTP 服务器仅使用SshCiphersSshKexs、和SshMacs部分中的算法。

  • FTPS 服务器仅使用该TlsCiphers部分中的算法。

  • 由于FTP服务器不使用加密,因此不使用任何这些算法。

  • AS2 服务器仅使用ContentEncryptionCiphersHashAlgorithms部分中的算法。这些部分定义了用于加密和签名文件内容的算法。

  • FIPS-2024-05 和 FIPS-2024-01 的安全策略是相同的,只是 FIPS-2024-05 不支持该ssh-rsa算法。

  • Transfer Family推出了新的限制政策,这些政策与现有政策非常相似:

    • TransferSecurityPolicy-Restricted-2018-11 和 TransferSecurityPolicy -2018-11 安全策略完全相同,唯一的不同是受限策略不支持密码。chacha20-poly1305@openssh.com

    • TransferSecurityPolicy-Restricted-2020-06 和 TransferSecurityPolicy -2020-06 安全策略是相同的,唯一的不同是受限策略不支持密码。chacha20-poly1305@openssh.com

    * 在下表中,chacha20-poly1305@openssh.com密码仅包含在非限制策略中,

安全策略 2024-01 SshAuditCompliant-2025-02 2023-05 2022-03

2020-06

2020-06 受限制

FIPS-2024-05

FIPS-2024-01

FIPS-2023-05 FIPS-2020-06

2018-11

2018-11 受限制

TransferSecurityPolicy-AS2 限量版-2025-07

SshCiphers

aes128-ctr

 

aes128-gcm@openssh.com

aes192-ctr

aes256-ctr

aes256-gcm@openssh.com

chacha20-poly1305@openssh.com

 

*

*

SshKexs

mlkem768x25519-sha256

mlkem768nistp256-sha256

mlkem1024nistp384-sha384

curve25519-sha256

 

 

curve25519-sha256@libssh.org

 

 

diffie-hellman-group14-sha1

 

 

 

diffie-hellman-group14-sha256

diffie-hellman-group16-sha512

diffie-hellman-group18-sha512

diffie-hellman-group-exchange-sha256

ecdh-sha2-nistp256

 

ecdh-sha2-nistp384

 

ecdh-sha2-nistp521

 

SshMacs

hmac-sha1

 

 

 

hmac-sha1-etm@openssh.com

 

 

 

hmac-sha2-256

hmac-sha2-256-etm@openssh.com

hmac-sha2-512

hmac-sha2-512-etm@openssh.com

umac-128-etm@openssh.com

 

 

umac-128@openssh.com

 

 

umac-64-etm@openssh.com

 

 

 

umac-64@openssh.com

 

 

 

ContentEncryptionCiphers

aes256-cbc

aes192-cbc

aes128-cbc

3des-cbc

HashAlgorithms

sha256

sha384

sha512

sha1

TlsCiphers

TLS_ECDHE_ECDSA_WITH_AES_128_CBC_ SHA256

TLS_ECDHE_ECDSA_WITH_AES_128_GCM_ SHA256

TLS_ECDHE_ECDSA_WITH_AES_256_CBC_ SHA384

TLS_ECDHE_ECDSA_WITH_AES_256_GCM_ SHA384

TLS_ECDHE_RSA_WITH_AES_128_CBC_ SHA256

TLS_ECDHE_RSA_WITH_AES_128_GCM_ SHA256

TLS_ECDHE_RSA_WITH_AES_256_CBC_ SHA384

TLS_ECDHE_RSA_WITH_AES_256_GCM_ SHA384

TLS_RSA_WITH_AES_128_CBC_ SHA256

 

 

 

 

 

TLS_RSA_WITH_AES_256_CBC_ SHA256

 

 

 

 

 

TransferSecurityPolicy-2024-01

以下显示了 TransferSecurityPolicy -2024-01 安全策略。

{ "SecurityPolicy": { "Fips": false, "SecurityPolicyName": "TransferSecurityPolicy-2024-01", "SshCiphers": [ "aes128-gcm@openssh.com", "aes256-gcm@openssh.com", "aes128-ctr", "aes256-ctr", "aes192-ctr" ], "SshKexs": [ "ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521", "curve25519-sha256", "curve25519-sha256@libssh.org", "diffie-hellman-group18-sha512", "diffie-hellman-group16-sha512", "diffie-hellman-group-exchange-sha256" ], "SshMacs": [ "hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com" ], "ContentEncryptionCiphers": [ "aes256-cbc", "aes192-cbc", "aes128-cbc", "3des-cbc" ], "HashAlgorithms": [ "sha256", "sha384", "sha512", "sha1" ], "TlsCiphers": [ "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384" ] } }

TransferSecurityPolicy-SshAuditCompliant -2025-02

以下显示了 TransferSecurityPolicy-SshAuditCompliant -2025-02 安全策略。

注意

此安全策略是围绕该工具提供的建议设计的,并且与该ssh-audit工具100%兼容。

{ "SecurityPolicy": { "Fips": false, "Protocols": [ "SFTP", "FTPS" ], "SecurityPolicyName": "TransferSecurityPolicy-SshAuditCompliant-2025-02", "SshCiphers": [ "aes128-gcm@openssh.com", "aes256-gcm@openssh.com", "aes128-ctr", "aes256-ctr", "aes192-ctr" ], "SshKexs": [ "curve25519-sha256", "curve25519-sha256@libssh.org", "diffie-hellman-group18-sha512", "diffie-hellman-group16-sha512", "diffie-hellman-group-exchange-sha256" ], "SshMacs": [ "hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com" ], "ContentEncryptionCiphers": [ "aes256-cbc", "aes192-cbc", "aes128-cbc", "3des-cbc" ], "HashAlgorithms": [ "sha256", "sha384", "sha512", "sha1" ], "TlsCiphers": [ "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384" ], "Type": "SERVER" } }

TransferSecurityPolicy-2023-05

以下显示了 TransferSecurityPolicy -2023-05 安全策略。

{ "SecurityPolicy": { "Fips": false, "SecurityPolicyName": "TransferSecurityPolicy-2023-05", "SshCiphers": [ "aes256-gcm@openssh.com", "aes128-gcm@openssh.com", "aes256-ctr", "aes192-ctr" ], "SshKexs": [ "curve25519-sha256", "curve25519-sha256@libssh.org", "diffie-hellman-group16-sha512", "diffie-hellman-group18-sha512", "diffie-hellman-group-exchange-sha256" ], "SshMacs": [ "hmac-sha2-512-etm@openssh.com", "hmac-sha2-256-etm@openssh.com" ], "ContentEncryptionCiphers": [ "aes256-cbc", "aes192-cbc", "aes128-cbc", "3des-cbc" ], "HashAlgorithms": [ "sha256", "sha384", "sha512", "sha1" ], "TlsCiphers": [ "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384" ] } }

TransferSecurityPolicy-2022-03

以下显示了 TransferSecurityPolicy -2022-03 安全策略。

{ "SecurityPolicy": { "Fips": false, "SecurityPolicyName": "TransferSecurityPolicy-2022-03", "SshCiphers": [ "aes256-gcm@openssh.com", "aes128-gcm@openssh.com", "aes256-ctr", "aes192-ctr" ], "SshKexs": [ "curve25519-sha256", "curve25519-sha256@libssh.org", "diffie-hellman-group16-sha512", "diffie-hellman-group18-sha512", "diffie-hellman-group-exchange-sha256" ], "SshMacs": [ "hmac-sha2-512-etm@openssh.com", "hmac-sha2-256-etm@openssh.com", "hmac-sha2-512", "hmac-sha2-256" ], "ContentEncryptionCiphers": [ "aes256-cbc", "aes192-cbc", "aes128-cbc" "3des-cbc", ], "HashAlgorithms": [ "sha256", "sha384", "sha512" "sha1" ], "TlsCiphers": [ "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384" ] } }

TransferSecurityPolicy-2020-06 和-Restricted-2020-06 TransferSecurityPolicy

以下显示了 TransferSecurityPolicy -2020-06 安全策略。

注意

TransferSecurityPolicy-Restricted-2020-06 和 TransferSecurityPolicy -2020-06 安全策略是相同的,唯一的不同是受限策略不支持密码。chacha20-poly1305@openssh.com

{ "SecurityPolicy": { "Fips": false, "SecurityPolicyName": "TransferSecurityPolicy-2020-06", "SshCiphers": [ "chacha20-poly1305@openssh.com", //Not included in TransferSecurityPolicy-Restricted-2020-06 "aes128-ctr", "aes192-ctr", "aes256-ctr", "aes128-gcm@openssh.com", "aes256-gcm@openssh.com" ], "SshKexs": [ "ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521", "diffie-hellman-group-exchange-sha256", "diffie-hellman-group16-sha512", "diffie-hellman-group18-sha512", "diffie-hellman-group14-sha256" ], "SshMacs": [ "umac-128-etm@openssh.com", "hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com", "umac-128@openssh.com", "hmac-sha2-256", "hmac-sha2-512" ], "ContentEncryptionCiphers": [ "aes256-cbc", "aes192-cbc", "aes128-cbc" "3des-cbc", ], "HashAlgorithms": [ "sha256", "sha384", "sha512" "sha1" ], "TlsCiphers": [ "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384" ] } }

TransferSecurityPolicy-2018-11 和-Restricted-2018-11 TransferSecurityPolicy

以下显示了 TransferSecurityPolicy -2018-11 的安全策略。

注意

TransferSecurityPolicy-Restricted-2018-11 和 TransferSecurityPolicy -2018-11 安全策略完全相同,唯一的不同是受限策略不支持密码。chacha20-poly1305@openssh.com

{ "SecurityPolicy": { "Fips": false, "SecurityPolicyName": "TransferSecurityPolicy-2018-11", "SshCiphers": [ "chacha20-poly1305@openssh.com", //Not included in TransferSecurityPolicy-Restricted-2018-11 "aes128-ctr", "aes192-ctr", "aes256-ctr", "aes128-gcm@openssh.com", "aes256-gcm@openssh.com" ], "SshKexs": [ "curve25519-sha256", "curve25519-sha256@libssh.org", "ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521", "diffie-hellman-group-exchange-sha256", "diffie-hellman-group16-sha512", "diffie-hellman-group18-sha512", "diffie-hellman-group14-sha256", "diffie-hellman-group14-sha1" ], "SshMacs": [ "umac-64-etm@openssh.com", "umac-128-etm@openssh.com", "hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com", "hmac-sha1-etm@openssh.com", "umac-64@openssh.com", "umac-128@openssh.com", "hmac-sha2-256", "hmac-sha2-512", "hmac-sha1" ], "ContentEncryptionCiphers": [ "aes256-cbc", "aes192-cbc", "aes128-cbc" "3des-cbc", ], "HashAlgorithms": [ "sha256", "sha384", "sha512", "sha1" ], "TlsCiphers": [ "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", "TLS_RSA_WITH_AES_128_CBC_SHA256", "TLS_RSA_WITH_AES_256_CBC_SHA256" ] } }

TransferSecurityPolicy-FIPS-2024-01/-FIPS-2024-05 TransferSecurityPolicy

以下显示了-FIPS-2024-0 TransferSecurityPolicy 1 和-FIPS-2024-05 安全策略。 TransferSecurityPolicy

注意

FIPS 服务终端节点以及 TransferSecurityPolicy-FIPS-2024-01 和-FIPS-2024-05 安全策略仅在 TransferSecurityPolicy某些地区可用。 AWS 有关更多信息,请参阅 AWS 一般参考 中的 AWS Transfer Family 端点和配额

这两种安全策略之间的唯一区别是-FIPS-2024-01支持该算法,而 TransferSecurityPolicy-FIPS-2024-05不支持该ssh-rsa算法。 TransferSecurityPolicy

{ "SecurityPolicy": { "Fips": true, "SecurityPolicyName": "TransferSecurityPolicy-FIPS-2024-01", "SshCiphers": [ "aes128-gcm@openssh.com", "aes256-gcm@openssh.com", "aes128-ctr", "aes256-ctr", "aes192-ctr" ], "SshKexs": [ "ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521", "diffie-hellman-group18-sha512", "diffie-hellman-group16-sha512", "diffie-hellman-group-exchange-sha256" ], "SshMacs": [ "hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com" ], "ContentEncryptionCiphers": [ "aes256-cbc", "aes192-cbc", "aes128-cbc" "3des-cbc" ], "HashAlgorithms": [ "sha256", "sha384", "sha512" "sha1" ], "TlsCiphers": [ "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384" ] } }

TransferSecurityPolicy-FIPS-2023-05

FIPS 认证详情 AWS Transfer Family 可在以下网址找到 https://csrc.nist.gov/projects/cryptographic-module-validation-program/validated-modules/search/all

以下显示了 TransferSecurityPolicy-FIPS-2023-05 安全策略。

注意

FIPS 服务终端节点和 TransferSecurityPolicy-FIPS-2023-05 安全策略仅在某些地区可用。 AWS 有关更多信息,请参阅 AWS 一般参考 中的 AWS Transfer Family 端点和配额

{ "SecurityPolicy": { "Fips": true, "SecurityPolicyName": "TransferSecurityPolicy-FIPS-2023-05", "SshCiphers": [ "aes256-gcm@openssh.com", "aes128-gcm@openssh.com", "aes256-ctr", "aes192-ctr" ], "SshKexs": [ "diffie-hellman-group16-sha512", "diffie-hellman-group18-sha512", "diffie-hellman-group-exchange-sha256" ], "SshMacs": [ "hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com" ], "ContentEncryptionCiphers": [ "aes256-cbc", "aes192-cbc", "aes128-cbc" "3des-cbc" ], "HashAlgorithms": [ "sha256", "sha384", "sha512" "sha1" ], "TlsCiphers": [ "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384" ] } }

TransferSecurityPolicy-FIPS-2020-06

FIPS 认证详情 AWS Transfer Family 可在以下网址找到 https://csrc.nist.gov/projects/cryptographic-module-validation-program/validated-modules/search/all

以下显示了 TransferSecurityPolicy-FIPS-2020-06 安全策略。

注意

FIPS 服务终端节点和 TransferSecurityPolicy-FIPS-2020-06 安全策略仅在某些地区可用。 AWS 有关更多信息,请参阅 AWS 一般参考 中的 AWS Transfer Family 端点和配额

{ "SecurityPolicy": { "Fips": true, "SecurityPolicyName": "TransferSecurityPolicy-FIPS-2020-06", "SshCiphers": [ "aes128-ctr", "aes192-ctr", "aes256-ctr", "aes128-gcm@openssh.com", "aes256-gcm@openssh.com" ], "SshKexs": [ "ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521", "diffie-hellman-group-exchange-sha256", "diffie-hellman-group16-sha512", "diffie-hellman-group18-sha512", "diffie-hellman-group14-sha256" ], "SshMacs": [ "hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com", "hmac-sha2-256", "hmac-sha2-512" ], "ContentEncryptionCiphers": [ "aes256-cbc", "aes192-cbc", "aes128-cbc" "3des-cbc", ], "HashAlgorithms": [ "sha256", "sha384", "sha512" "sha1", ], "TlsCiphers": [ "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384" ] } }

TransferSecurityPolicy-AS2 限量版-2025-07

此安全策略专为需要通过排除传统加密算法来增强安全性的 AS2 文件传输而设计。它支持现代 AES 加密和 SHA-2 哈希算法,同时取消了对 3DES 和 SHA-1 等较弱算法的支持。

{ "SecurityPolicy": { "Fips": false, "SecurityPolicyName": "TransferSecurityPolicy-AS2Restricted-2025-07", "SshCiphers": [ "aes256-gcm@openssh.com", "aes128-gcm@openssh.com", "aes128-ctr", "aes256-ctr", "aes192-ctr" ], "SshKexs": [ "mlkem768x25519-sha256", "mlkem768nistp256-sha256", "mlkem1024nistp384-sha384", "ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521", "curve25519-sha256", "curve25519-sha256@libssh.org", "diffie-hellman-group16-sha512", "diffie-hellman-group18-sha512", "diffie-hellman-group-exchange-sha256" ], "SshMacs": [ "hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com" ], "ContentEncryptionCiphers": [ "aes256-cbc", "aes192-cbc", "aes128-cbc" ], "HashAlgorithms": [ "sha256", "sha384", "sha512" ], "TlsCiphers": [ "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384" ], "Type": "SERVER", "Protocols": [ "AS2" ] } }

后量子安全策略

下表列出了 Transfer Family 后量子安全策略算法。有关此策略的详细描述,请参见使用与 AWS Transfer Family的混合后量子密钥交换

政策列表如下表所示。

注意

较早的后量子政策(TransferSecurityPolicy-pq-ssh-experimental-2023-04 和-pq-ssh-fips-experimental-2023-04)已被弃用。TransferSecurityPolicy我们建议您改用新政策。

安全策略 TransferSecurityPolicy-2025-03 TransferSecurityPolicy-FIPS-2025-03

SSH ciphers

aes128-ctr

aes128-gcm@openssh.com

aes192-ctr

aes256-ctr

aes256-gcm@openssh.com

KEXs

mlkem768x25519-sha256

mlkem768nistp256-sha256

mlkem1024nistp384-sha384

diffie-hellman-group14-sha256

diffie-hellman-group16-sha512

diffie-hellman-group18-sha512

ecdh-sha2-nistp384

ecdh-sha2-nistp521

ecdh-sha2-nistp256

diffie-hellman-group-exchange-sha256

curve25519-sha256@libssh.org

 

curve25519-sha256

 

MACs

hmac-sha2-256-etm@openssh.com

hmac-sha2-512-etm@openssh.com

ContentEncryptionCiphers

aes256-cbc

aes192-cbc

aes128-cbc

3des-cbc

HashAlgorithms

sha256

sha384

sha512

sha1

TLS ciphers

TLS_ECDHE_ECDSA_WITH_AES_128_CBC_ SHA256

TLS_ECDHE_ECDSA_WITH_AES_128_GCM_ SHA256

TLS_ECDHE_ECDSA_WITH_AES_256_CBC_ SHA384

TLS_ECDHE_ECDSA_WITH_AES_256_GCM_ SHA384

TLS_ECDHE_RSA_WITH_AES_128_CBC_ SHA256

TLS_ECDHE_RSA_WITH_AES_128_GCM_ SHA256

TLS_ECDHE_RSA_WITH_AES_256_CBC_ SHA384

TLS_ECDHE_RSA_WITH_AES_256_GCM_ SHA384

TransferSecurityPolicy-2025-03

以下显示了 TransferSecurityPolicy -2025-03 安全策略。

{ "SecurityPolicy": { "Fips": false, "SecurityPolicyName": "TransferSecurityPolicy-2025-03", "SshCiphers": [ "aes256-gcm@openssh.com", "aes128-gcm@openssh.com", "aes128-ctr", "aes256-ctr", "aes192-ctr" ], "SshKexs": [ "mlkem768x25519-sha256", "mlkem768nistp256-sha256", "mlkem1024nistp384-sha384", "ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521", "curve25519-sha256", "curve25519-sha256@libssh.org", "diffie-hellman-group16-sha512", "diffie-hellman-group18-sha512", "diffie-hellman-group-exchange-sha256" ], "SshMacs": [ "hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com" ], "ContentEncryptionCiphers": [ "aes256-cbc", "aes192-cbc", "aes128-cbc" "3des-cbc" ], "HashAlgorithms": [ "sha256", "sha384", "sha512" "sha1" ], "TlsCiphers": [ "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384" ], "Type": "SERVER", "Protocols": [ "SFTP", "FTPS" ] } }

TransferSecurityPolicy-FIPS-2025-03

以下显示了 TransferSecurityPolicy-FIPS-2025-03 安全策略。

{ "SecurityPolicy": { "Fips": true, "SecurityPolicyName": "TransferSecurityPolicy-FIPS-2025-03", "SshCiphers": [ "aes256-gcm@openssh.com", "aes128-gcm@openssh.com", "aes256-ctr", "aes192-ctr", "aes128-ctr" ], "SshKexs": [ "mlkem768x25519-sha256", "mlkem768nistp256-sha256", "mlkem1024nistp384-sha384", "ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521", "diffie-hellman-group-exchange-sha256", "diffie-hellman-group16-sha512", "diffie-hellman-group18-sha512" ], "SshMacs": [ "hmac-sha2-512-etm@openssh.com", "hmac-sha2-256-etm@openssh.com" ], "ContentEncryptionCiphers": [ "aes256-cbc", "aes192-cbc", "aes128-cbc" "3des-cbc" ], "HashAlgorithms": [ "sha256", "sha384", "sha512" "sha1" ], "TlsCiphers": [ "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384" ], "Type": "SERVER", "Protocols": [ "SFTP", "FTPS" ] } }

TransferSecurityPolicy-AS2 限量版-2025-07

以下显示了 TransferSecurityPolicy-AS2 限制型 2025-07 安全策略。

注意

此安全策略与 TransferSecurityPolicy -2025-03 相同,不同之处在于它不支持 3DES(in ContentEncryptionCiphers),也不支持 SHA1 (in)。 HashAlgorithms它包括2025-03年的所有算法,包括后量子加密算法(mlkem*)。 KEXs

{ "SecurityPolicy": { "Fips": false, "SecurityPolicyName": "TransferSecurityPolicy-AS2Restricted-2025-07", "SshCiphers": [ "aes256-gcm@openssh.com", "aes128-gcm@openssh.com", "aes128-ctr", "aes256-ctr", "aes192-ctr" ], "SshKexs": [ "mlkem768x25519-sha256", "mlkem768nistp256-sha256", "mlkem1024nistp384-sha384", "ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521", "curve25519-sha256", "curve25519-sha256@libssh.org", "diffie-hellman-group16-sha512", "diffie-hellman-group18-sha512", "diffie-hellman-group-exchange-sha256" ], "SshMacs": [ "hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com" ], "ContentEncryptionCiphers": [ "aes256-cbc", "aes192-cbc", "aes128-cbc" ], "HashAlgorithms": [ "sha256", "sha384", "sha512" ], "TlsCiphers": [ "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384" ], "Type": "SERVER", "Protocols": [ "SFTP", "FTPS" ] } }