本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。
AWS Transfer Family 服务器的安全策略
中的服务器安全策略 AWS Transfer Family 允许您限制与服务器关联的一组加密算法(消息身份验证码 (MACs)、密钥交换 (KEXs)、密码套件、内容加密密码和哈希算法)。有关支持的密钥算法的列表,请参阅 加密算法。有关支持的服务器主机秘钥和服务托管用户秘钥算法列表,请参见 在 Transfer Family 中管理 SSH 和 PGP 密钥。
注意
我们强烈建议将您的服务器更新为我们的最新安全政策。
-
TransferSecurityPolicy-2024-01
是使用控制台、API 或 CLI 创建服务器时附加到服务器的默认安全策略。 -
如果您使用默认安全策略创建 Transfer Family 服务器 CloudFormation 并接受默认安全策略,则会分配该服务器
TransferSecurityPolicy-2018-11
。
如果您担心客户端兼容性,请明确说明在创建或更新服务器时您希望使用哪种安全策略,而不是使用默认策略,默认策略可能会发生变化。要更改服务器的安全策略,请参阅编辑安全策略。
有关 Transfer Family 安全性的更多信息,请参阅以下博客文章:
主题
加密算法
对于主机密钥,我们支持以下算法:
-
rsa-sha2-256
-
rsa-sha2-512
-
ecdsa-sha2-nistp256
-
ecdsa-sha2-nistp384
-
ecdsa-sha2-nistp521
-
ssh-ed25519
此外,以下安全策略允许ssh-rsa
:
-
TransferSecurityPolicy-2018-11
-
TransferSecurityPolicy-2020-06
-
TransferSecurityPolicy-FIPS-2020-06
-
TransferSecurityPolicy-FIPS-2023-05
-
TransferSecurityPolicy-FIPS-2024-01
-
TransferSecurityPolicy-pq-ssh-fips-Experimental-2023-04
注意
了解 RSA 密钥类型(始终是)和 RSA 主机密钥算法(可以是任何支持的算法ssh-rsa
)之间的区别非常重要。
以下是各种安全策略支持的加密算法列表。
注意
在下表和策略中,请注意算法类型的以下用法。
-
SFTP 服务器仅使用SshCiphersSshKexs、和SshMacs部分中的算法。
-
FTPS 服务器仅使用该TlsCiphers部分中的算法。
-
由于FTP服务器不使用加密,因此不使用任何这些算法。
-
AS2 服务器仅使用ContentEncryptionCiphers和HashAlgorithms部分中的算法。这些部分定义了用于加密和签名文件内容的算法。
-
FIPS-2024-05 和 FIPS-2024-01 的安全策略是相同的,只是 FIPS-2024-05 不支持该
ssh-rsa
算法。 -
Transfer Family推出了新的限制政策,这些政策与现有政策非常相似:
-
TransferSecurityPolicy-Restricted-2018-11 和 TransferSecurityPolicy -2018-11 安全策略完全相同,唯一的不同是受限策略不支持密码。
chacha20-poly1305@openssh.com
-
TransferSecurityPolicy-Restricted-2020-06 和 TransferSecurityPolicy -2020-06 安全策略是相同的,唯一的不同是受限策略不支持密码。
chacha20-poly1305@openssh.com
* 在下表中,
chacha20-poly1305@openssh.com
密码仅包含在非限制策略中, -
安全策略 | 2024-01 | SshAuditCompliant-2025-02 | 2023-05 | 2022-03 |
2020-06 2020-06 受限制 |
FIPS-2024-05 FIPS-2024-01 |
FIPS-2023-05 | FIPS-2020-06 |
2018-11 2018-11 受限制 |
TransferSecurityPolicy-AS2 限量版-2025-07 |
---|---|---|---|---|---|---|---|---|---|---|
SshCiphers |
||||||||||
aes128-ctr |
♦ |
♦ |
|
♦ |
♦ |
♦ |
♦ |
♦ |
||
aes128-gcm@openssh.com |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
aes192-ctr |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
aes256-ctr |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
aes256-gcm@openssh.com |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
chacha20-poly1305@openssh.com |
|
♦* |
♦* |
|||||||
SshKexs |
||||||||||
mlkem768x25519-sha256 |
♦ |
|||||||||
mlkem768nistp256-sha256 |
♦ |
|||||||||
mlkem1024nistp384-sha384 |
♦ |
|||||||||
curve25519-sha256 |
♦ |
♦ |
♦ |
♦ |
|
|
♦ |
♦ |
||
curve25519-sha256@libssh.org |
♦ |
♦ |
♦ |
♦ |
|
|
♦ |
♦ |
||
diffie-hellman-group14-sha1 |
|
|
|
♦ |
||||||
diffie-hellman-group14-sha256 |
|
♦ |
♦ |
♦ |
||||||
diffie-hellman-group16-sha512 | ♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
diffie-hellman-group18-sha512 | ♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
diffie-hellman-group-exchange-sha256 |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
|
ecdh-sha2-nistp256 |
♦ |
|
♦ |
♦ |
♦ |
♦ |
♦ |
|||
ecdh-sha2-nistp384 |
♦ |
|
♦ |
♦ |
♦ |
♦ |
♦ |
|||
ecdh-sha2-nistp521 |
♦ |
|
♦ |
♦ |
♦ |
♦ |
♦ |
|||
SshMacs |
||||||||||
hmac-sha1 |
|
|
|
♦ |
||||||
hmac-sha1-etm@openssh.com |
|
|
|
♦ |
||||||
hmac-sha2-256 |
♦ |
♦ |
♦ |
♦ |
||||||
hmac-sha2-256-etm@openssh.com |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
hmac-sha2-512 |
♦ |
♦ |
♦ |
♦ |
||||||
hmac-sha2-512-etm@openssh.com |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
umac-128-etm@openssh.com |
|
♦ |
|
♦ |
||||||
umac-128@openssh.com |
|
♦ |
|
♦ |
||||||
umac-64-etm@openssh.com |
|
|
|
♦ |
||||||
umac-64@openssh.com |
|
|
|
♦ |
||||||
ContentEncryptionCiphers |
||||||||||
aes256-cbc |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
aes192-cbc |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
aes128-cbc |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
3des-cbc |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
|
HashAlgorithms |
||||||||||
sha256 |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
sha384 |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
sha512 |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
sha1 |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
|
TlsCiphers |
||||||||||
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_ SHA256 |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
|
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_ SHA256 |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
|
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_ SHA384 |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
|
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_ SHA384 |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
|
TLS_ECDHE_RSA_WITH_AES_128_CBC_ SHA256 |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
|
TLS_ECDHE_RSA_WITH_AES_128_GCM_ SHA256 |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
|
TLS_ECDHE_RSA_WITH_AES_256_CBC_ SHA384 |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
|
TLS_ECDHE_RSA_WITH_AES_256_GCM_ SHA384 |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
|
TLS_RSA_WITH_AES_128_CBC_ SHA256 |
|
|
|
|
|
♦ |
||||
TLS_RSA_WITH_AES_256_CBC_ SHA256 |
|
|
|
|
|
♦ |
TransferSecurityPolicy-2024-01
以下显示了 TransferSecurityPolicy -2024-01 安全策略。
{ "SecurityPolicy": { "Fips": false, "SecurityPolicyName": "TransferSecurityPolicy-2024-01", "SshCiphers": [ "aes128-gcm@openssh.com", "aes256-gcm@openssh.com", "aes128-ctr", "aes256-ctr", "aes192-ctr" ], "SshKexs": [ "ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521", "curve25519-sha256", "curve25519-sha256@libssh.org", "diffie-hellman-group18-sha512", "diffie-hellman-group16-sha512", "diffie-hellman-group-exchange-sha256" ], "SshMacs": [ "hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com" ], "ContentEncryptionCiphers": [ "aes256-cbc", "aes192-cbc", "aes128-cbc", "3des-cbc" ], "HashAlgorithms": [ "sha256", "sha384", "sha512", "sha1" ], "TlsCiphers": [ "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384" ] } }
TransferSecurityPolicy-SshAuditCompliant -2025-02
以下显示了 TransferSecurityPolicy-SshAuditCompliant -2025-02 安全策略。
注意
此安全策略是围绕该工具提供的建议设计的,并且与该ssh-audit
工具100%兼容。
{ "SecurityPolicy": { "Fips": false, "Protocols": [ "SFTP", "FTPS" ], "SecurityPolicyName": "TransferSecurityPolicy-SshAuditCompliant-2025-02", "SshCiphers": [ "aes128-gcm@openssh.com", "aes256-gcm@openssh.com", "aes128-ctr", "aes256-ctr", "aes192-ctr" ], "SshKexs": [ "curve25519-sha256", "curve25519-sha256@libssh.org", "diffie-hellman-group18-sha512", "diffie-hellman-group16-sha512", "diffie-hellman-group-exchange-sha256" ], "SshMacs": [ "hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com" ], "ContentEncryptionCiphers": [ "aes256-cbc", "aes192-cbc", "aes128-cbc", "3des-cbc" ], "HashAlgorithms": [ "sha256", "sha384", "sha512", "sha1" ], "TlsCiphers": [ "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384" ], "Type": "SERVER" } }
TransferSecurityPolicy-2023-05
以下显示了 TransferSecurityPolicy -2023-05 安全策略。
{ "SecurityPolicy": { "Fips": false, "SecurityPolicyName": "TransferSecurityPolicy-2023-05", "SshCiphers": [ "aes256-gcm@openssh.com", "aes128-gcm@openssh.com", "aes256-ctr", "aes192-ctr" ], "SshKexs": [ "curve25519-sha256", "curve25519-sha256@libssh.org", "diffie-hellman-group16-sha512", "diffie-hellman-group18-sha512", "diffie-hellman-group-exchange-sha256" ], "SshMacs": [ "hmac-sha2-512-etm@openssh.com", "hmac-sha2-256-etm@openssh.com" ], "ContentEncryptionCiphers": [ "aes256-cbc", "aes192-cbc", "aes128-cbc", "3des-cbc" ], "HashAlgorithms": [ "sha256", "sha384", "sha512", "sha1" ], "TlsCiphers": [ "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384" ] } }
TransferSecurityPolicy-2022-03
以下显示了 TransferSecurityPolicy -2022-03 安全策略。
{ "SecurityPolicy": { "Fips": false, "SecurityPolicyName": "TransferSecurityPolicy-2022-03", "SshCiphers": [ "aes256-gcm@openssh.com", "aes128-gcm@openssh.com", "aes256-ctr", "aes192-ctr" ], "SshKexs": [ "curve25519-sha256", "curve25519-sha256@libssh.org", "diffie-hellman-group16-sha512", "diffie-hellman-group18-sha512", "diffie-hellman-group-exchange-sha256" ], "SshMacs": [ "hmac-sha2-512-etm@openssh.com", "hmac-sha2-256-etm@openssh.com", "hmac-sha2-512", "hmac-sha2-256" ], "ContentEncryptionCiphers": [ "aes256-cbc", "aes192-cbc", "aes128-cbc" "3des-cbc", ], "HashAlgorithms": [ "sha256", "sha384", "sha512" "sha1" ], "TlsCiphers": [ "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384" ] } }
TransferSecurityPolicy-2020-06 和-Restricted-2020-06 TransferSecurityPolicy
以下显示了 TransferSecurityPolicy -2020-06 安全策略。
注意
TransferSecurityPolicy-Restricted-2020-06 和 TransferSecurityPolicy -2020-06 安全策略是相同的,唯一的不同是受限策略不支持密码。chacha20-poly1305@openssh.com
{ "SecurityPolicy": { "Fips": false, "SecurityPolicyName": "TransferSecurityPolicy-2020-06", "SshCiphers": [ "chacha20-poly1305@openssh.com", //Not included in TransferSecurityPolicy-Restricted-2020-06 "aes128-ctr", "aes192-ctr", "aes256-ctr", "aes128-gcm@openssh.com", "aes256-gcm@openssh.com" ], "SshKexs": [ "ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521", "diffie-hellman-group-exchange-sha256", "diffie-hellman-group16-sha512", "diffie-hellman-group18-sha512", "diffie-hellman-group14-sha256" ], "SshMacs": [ "umac-128-etm@openssh.com", "hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com", "umac-128@openssh.com", "hmac-sha2-256", "hmac-sha2-512" ], "ContentEncryptionCiphers": [ "aes256-cbc", "aes192-cbc", "aes128-cbc" "3des-cbc", ], "HashAlgorithms": [ "sha256", "sha384", "sha512" "sha1" ], "TlsCiphers": [ "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384" ] } }
TransferSecurityPolicy-2018-11 和-Restricted-2018-11 TransferSecurityPolicy
以下显示了 TransferSecurityPolicy -2018-11 的安全策略。
注意
TransferSecurityPolicy-Restricted-2018-11 和 TransferSecurityPolicy -2018-11 安全策略完全相同,唯一的不同是受限策略不支持密码。chacha20-poly1305@openssh.com
{ "SecurityPolicy": { "Fips": false, "SecurityPolicyName": "TransferSecurityPolicy-2018-11", "SshCiphers": [ "chacha20-poly1305@openssh.com", //Not included in TransferSecurityPolicy-Restricted-2018-11 "aes128-ctr", "aes192-ctr", "aes256-ctr", "aes128-gcm@openssh.com", "aes256-gcm@openssh.com" ], "SshKexs": [ "curve25519-sha256", "curve25519-sha256@libssh.org", "ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521", "diffie-hellman-group-exchange-sha256", "diffie-hellman-group16-sha512", "diffie-hellman-group18-sha512", "diffie-hellman-group14-sha256", "diffie-hellman-group14-sha1" ], "SshMacs": [ "umac-64-etm@openssh.com", "umac-128-etm@openssh.com", "hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com", "hmac-sha1-etm@openssh.com", "umac-64@openssh.com", "umac-128@openssh.com", "hmac-sha2-256", "hmac-sha2-512", "hmac-sha1" ], "ContentEncryptionCiphers": [ "aes256-cbc", "aes192-cbc", "aes128-cbc" "3des-cbc", ], "HashAlgorithms": [ "sha256", "sha384", "sha512", "sha1" ], "TlsCiphers": [ "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", "TLS_RSA_WITH_AES_128_CBC_SHA256", "TLS_RSA_WITH_AES_256_CBC_SHA256" ] } }
TransferSecurityPolicy-FIPS-2024-01/-FIPS-2024-05 TransferSecurityPolicy
以下显示了-FIPS-2024-0 TransferSecurityPolicy 1 和-FIPS-2024-05 安全策略。 TransferSecurityPolicy
注意
FIPS 服务终端节点以及 TransferSecurityPolicy-FIPS-2024-01 和-FIPS-2024-05 安全策略仅在 TransferSecurityPolicy某些地区可用。 AWS 有关更多信息,请参阅 AWS 一般参考 中的 AWS Transfer Family 端点和配额。
这两种安全策略之间的唯一区别是-FIPS-2024-01支持该算法,而 TransferSecurityPolicy-FIPS-2024-05不支持该ssh-rsa
算法。 TransferSecurityPolicy
{ "SecurityPolicy": { "Fips": true, "SecurityPolicyName": "TransferSecurityPolicy-FIPS-2024-01", "SshCiphers": [ "aes128-gcm@openssh.com", "aes256-gcm@openssh.com", "aes128-ctr", "aes256-ctr", "aes192-ctr" ], "SshKexs": [ "ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521", "diffie-hellman-group18-sha512", "diffie-hellman-group16-sha512", "diffie-hellman-group-exchange-sha256" ], "SshMacs": [ "hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com" ], "ContentEncryptionCiphers": [ "aes256-cbc", "aes192-cbc", "aes128-cbc" "3des-cbc" ], "HashAlgorithms": [ "sha256", "sha384", "sha512" "sha1" ], "TlsCiphers": [ "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384" ] } }
TransferSecurityPolicy-FIPS-2023-05
FIPS 认证详情 AWS Transfer Family 可在以下网址找到 https://csrc.nist.gov/projects/cryptographic-module-validation-program/validated-modules/search/all
以下显示了 TransferSecurityPolicy-FIPS-2023-05 安全策略。
注意
FIPS 服务终端节点和 TransferSecurityPolicy-FIPS-2023-05 安全策略仅在某些地区可用。 AWS 有关更多信息,请参阅 AWS 一般参考 中的 AWS Transfer Family 端点和配额。
{ "SecurityPolicy": { "Fips": true, "SecurityPolicyName": "TransferSecurityPolicy-FIPS-2023-05", "SshCiphers": [ "aes256-gcm@openssh.com", "aes128-gcm@openssh.com", "aes256-ctr", "aes192-ctr" ], "SshKexs": [ "diffie-hellman-group16-sha512", "diffie-hellman-group18-sha512", "diffie-hellman-group-exchange-sha256" ], "SshMacs": [ "hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com" ], "ContentEncryptionCiphers": [ "aes256-cbc", "aes192-cbc", "aes128-cbc" "3des-cbc" ], "HashAlgorithms": [ "sha256", "sha384", "sha512" "sha1" ], "TlsCiphers": [ "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384" ] } }
TransferSecurityPolicy-FIPS-2020-06
FIPS 认证详情 AWS Transfer Family 可在以下网址找到 https://csrc.nist.gov/projects/cryptographic-module-validation-program/validated-modules/search/all
以下显示了 TransferSecurityPolicy-FIPS-2020-06 安全策略。
注意
FIPS 服务终端节点和 TransferSecurityPolicy-FIPS-2020-06 安全策略仅在某些地区可用。 AWS 有关更多信息,请参阅 AWS 一般参考 中的 AWS Transfer Family 端点和配额。
{ "SecurityPolicy": { "Fips": true, "SecurityPolicyName": "TransferSecurityPolicy-FIPS-2020-06", "SshCiphers": [ "aes128-ctr", "aes192-ctr", "aes256-ctr", "aes128-gcm@openssh.com", "aes256-gcm@openssh.com" ], "SshKexs": [ "ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521", "diffie-hellman-group-exchange-sha256", "diffie-hellman-group16-sha512", "diffie-hellman-group18-sha512", "diffie-hellman-group14-sha256" ], "SshMacs": [ "hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com", "hmac-sha2-256", "hmac-sha2-512" ], "ContentEncryptionCiphers": [ "aes256-cbc", "aes192-cbc", "aes128-cbc" "3des-cbc", ], "HashAlgorithms": [ "sha256", "sha384", "sha512" "sha1", ], "TlsCiphers": [ "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384" ] } }
TransferSecurityPolicy-AS2 限量版-2025-07
此安全策略专为需要通过排除传统加密算法来增强安全性的 AS2 文件传输而设计。它支持现代 AES 加密和 SHA-2 哈希算法,同时取消了对 3DES 和 SHA-1 等较弱算法的支持。
{ "SecurityPolicy": { "Fips": false, "SecurityPolicyName": "TransferSecurityPolicy-AS2Restricted-2025-07", "SshCiphers": [ "aes256-gcm@openssh.com", "aes128-gcm@openssh.com", "aes128-ctr", "aes256-ctr", "aes192-ctr" ], "SshKexs": [ "mlkem768x25519-sha256", "mlkem768nistp256-sha256", "mlkem1024nistp384-sha384", "ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521", "curve25519-sha256", "curve25519-sha256@libssh.org", "diffie-hellman-group16-sha512", "diffie-hellman-group18-sha512", "diffie-hellman-group-exchange-sha256" ], "SshMacs": [ "hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com" ], "ContentEncryptionCiphers": [ "aes256-cbc", "aes192-cbc", "aes128-cbc" ], "HashAlgorithms": [ "sha256", "sha384", "sha512" ], "TlsCiphers": [ "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384" ], "Type": "SERVER", "Protocols": [ "AS2" ] } }
后量子安全策略
下表列出了 Transfer Family 后量子安全策略算法。有关此策略的详细描述,请参见使用与 AWS Transfer Family的混合后量子密钥交换。
政策列表如下表所示。
注意
较早的后量子政策(TransferSecurityPolicy-pq-ssh-experimental-2023-04 和-pq-ssh-fips-experimental-2023-04)已被弃用。TransferSecurityPolicy我们建议您改用新政策。
安全策略 | TransferSecurityPolicy-2025-03 | TransferSecurityPolicy-FIPS-2025-03 |
---|---|---|
SSH ciphers |
||
aes128-ctr |
♦ |
♦ |
aes128-gcm@openssh.com |
♦ |
♦ |
aes192-ctr |
♦ |
♦ |
aes256-ctr |
♦ |
♦ |
aes256-gcm@openssh.com |
♦ |
♦ |
KEXs |
||
mlkem768x25519-sha256 |
♦ |
♦ |
mlkem768nistp256-sha256 |
♦ |
♦ |
mlkem1024nistp384-sha384 |
♦ |
♦ |
diffie-hellman-group14-sha256 |
♦ | ♦ |
diffie-hellman-group16-sha512 |
♦ |
♦ |
diffie-hellman-group18-sha512 |
♦ |
♦ |
ecdh-sha2-nistp384 |
♦ |
♦ |
ecdh-sha2-nistp521 |
♦ |
♦ |
ecdh-sha2-nistp256 |
♦ |
♦ |
diffie-hellman-group-exchange-sha256 |
♦ |
♦ |
curve25519-sha256@libssh.org |
♦ |
|
curve25519-sha256 |
♦ |
|
MACs |
||
hmac-sha2-256-etm@openssh.com |
♦ |
♦ |
hmac-sha2-512-etm@openssh.com |
♦ |
♦ |
ContentEncryptionCiphers |
||
aes256-cbc |
♦ |
♦ |
aes192-cbc |
♦ |
♦ |
aes128-cbc |
♦ |
♦ |
3des-cbc |
♦ |
♦ |
HashAlgorithms |
||
sha256 |
♦ |
♦ |
sha384 |
♦ |
♦ |
sha512 |
♦ |
♦ |
sha1 |
♦ |
♦ |
TLS ciphers |
||
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_ SHA256 |
♦ |
♦ |
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_ SHA256 |
♦ |
♦ |
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_ SHA384 |
♦ |
♦ |
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_ SHA384 |
♦ |
♦ |
TLS_ECDHE_RSA_WITH_AES_128_CBC_ SHA256 |
♦ |
♦ |
TLS_ECDHE_RSA_WITH_AES_128_GCM_ SHA256 |
♦ |
♦ |
TLS_ECDHE_RSA_WITH_AES_256_CBC_ SHA384 |
♦ |
♦ |
TLS_ECDHE_RSA_WITH_AES_256_GCM_ SHA384 |
♦ |
♦ |
TransferSecurityPolicy-2025-03
以下显示了 TransferSecurityPolicy -2025-03 安全策略。
{ "SecurityPolicy": { "Fips": false, "SecurityPolicyName": "TransferSecurityPolicy-2025-03", "SshCiphers": [ "aes256-gcm@openssh.com", "aes128-gcm@openssh.com", "aes128-ctr", "aes256-ctr", "aes192-ctr" ], "SshKexs": [ "mlkem768x25519-sha256", "mlkem768nistp256-sha256", "mlkem1024nistp384-sha384", "ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521", "curve25519-sha256", "curve25519-sha256@libssh.org", "diffie-hellman-group16-sha512", "diffie-hellman-group18-sha512", "diffie-hellman-group-exchange-sha256" ], "SshMacs": [ "hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com" ], "ContentEncryptionCiphers": [ "aes256-cbc", "aes192-cbc", "aes128-cbc" "3des-cbc" ], "HashAlgorithms": [ "sha256", "sha384", "sha512" "sha1" ], "TlsCiphers": [ "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384" ], "Type": "SERVER", "Protocols": [ "SFTP", "FTPS" ] } }
TransferSecurityPolicy-FIPS-2025-03
以下显示了 TransferSecurityPolicy-FIPS-2025-03 安全策略。
{ "SecurityPolicy": { "Fips": true, "SecurityPolicyName": "TransferSecurityPolicy-FIPS-2025-03", "SshCiphers": [ "aes256-gcm@openssh.com", "aes128-gcm@openssh.com", "aes256-ctr", "aes192-ctr", "aes128-ctr" ], "SshKexs": [ "mlkem768x25519-sha256", "mlkem768nistp256-sha256", "mlkem1024nistp384-sha384", "ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521", "diffie-hellman-group-exchange-sha256", "diffie-hellman-group16-sha512", "diffie-hellman-group18-sha512" ], "SshMacs": [ "hmac-sha2-512-etm@openssh.com", "hmac-sha2-256-etm@openssh.com" ], "ContentEncryptionCiphers": [ "aes256-cbc", "aes192-cbc", "aes128-cbc" "3des-cbc" ], "HashAlgorithms": [ "sha256", "sha384", "sha512" "sha1" ], "TlsCiphers": [ "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384" ], "Type": "SERVER", "Protocols": [ "SFTP", "FTPS" ] } }
TransferSecurityPolicy-AS2 限量版-2025-07
以下显示了 TransferSecurityPolicy-AS2 限制型 2025-07 安全策略。
注意
此安全策略与 TransferSecurityPolicy -2025-03 相同,不同之处在于它不支持 3DES(in ContentEncryptionCiphers),也不支持 SHA1 (in)。 HashAlgorithms它包括2025-03年的所有算法,包括后量子加密算法(mlkem*)。 KEXs
{ "SecurityPolicy": { "Fips": false, "SecurityPolicyName": "TransferSecurityPolicy-AS2Restricted-2025-07", "SshCiphers": [ "aes256-gcm@openssh.com", "aes128-gcm@openssh.com", "aes128-ctr", "aes256-ctr", "aes192-ctr" ], "SshKexs": [ "mlkem768x25519-sha256", "mlkem768nistp256-sha256", "mlkem1024nistp384-sha384", "ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521", "curve25519-sha256", "curve25519-sha256@libssh.org", "diffie-hellman-group16-sha512", "diffie-hellman-group18-sha512", "diffie-hellman-group-exchange-sha256" ], "SshMacs": [ "hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com" ], "ContentEncryptionCiphers": [ "aes256-cbc", "aes192-cbc", "aes128-cbc" ], "HashAlgorithms": [ "sha256", "sha384", "sha512" ], "TlsCiphers": [ "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384" ], "Type": "SERVER", "Protocols": [ "SFTP", "FTPS" ] } }