Las traducciones son generadas a través de traducción automática. En caso de conflicto entre la traducción y la version original de inglés, prevalecerá la version en inglés.

# Políticas de seguridad para servidores AWS Transfer Family
<a name="security-policies"></a>

Las políticas de seguridad del servidor AWS Transfer Family le permiten limitar el conjunto de algoritmos criptográficos (códigos de autenticación de mensajes (MAC), intercambios de claves (KEX), conjuntos de cifrado, cifrados de contenido y algoritmos hash) asociados a su servidor.

AWS Transfer Family admite políticas de seguridad poscuántica que utilizan algoritmos híbridos de intercambio de claves, combinando métodos criptográficos tradicionales con algoritmos poscuánticos para proporcionar una mayor seguridad contra las futuras amenazas de la computación cuántica. Para obtener más información, consulte [Uso del intercambio híbrido de claves poscuánticas con AWS Transfer Family](post-quantum-security-policies.md).

Para consultar una lista de los algoritmos criptográficos admitidos, consulte [Algoritmos criptográficos](#cryptographic-algorithms). Para obtener una lista de los algoritmos clave admitidos para su uso con las claves del host del servidor y las claves de usuario administradas por el servicio, consulte [Administración de claves SSH y PGP en Transfer Family](key-management.md).

**nota**  
A partir de 2025, todas las nuevas políticas de AWS Transfer Family seguridad incluyen el soporte criptográfico poscuántico mediante algoritmos híbridos de intercambio de claves. Para obtener más información sobre la seguridad poscuántica, consulte. [Uso del intercambio híbrido de claves poscuánticas con AWS Transfer Family](post-quantum-security-policies.md)

**nota**  
Recomendamos encarecidamente actualizar sus servidores a nuestra política de seguridad más reciente.  
`TransferSecurityPolicy-2024-01`es la política de seguridad predeterminada que se adjunta al servidor al crear un servidor mediante la consola, la API o la CLI.
Si crea un servidor Transfer Family utilizando CloudFormation y acepta la política de seguridad predeterminada, se asigna el servidor`TransferSecurityPolicy-2018-11`.
Si le preocupa la compatibilidad de los clientes, indique afirmativamente qué política de seguridad desea utilizar al crear o actualizar un servidor en lugar de utilizar la política predeterminada, que está sujeta a cambios. Para cambiar la política de seguridad de un servidor, consulte[Editar la política de seguridad](edit-server-config.md#edit-cryptographic-algorithm).

**nota**  
Las políticas anteriores a las cuánticas (**TransferSecurityPolicy-PQ-SSH-Experimental-2023-04**y **TransferSecurityPolicy-PQ-SSH-FIPS-Experimental-2023-04**) están en desuso. Le recomendamos que utilice las nuevas políticas en su lugar.

Para obtener más información sobre la seguridad de Transfer Family, consulta las siguientes entradas del blog:
+ [Seis consejos para mejorar la seguridad de su AWS Transfer Family servidor](https://aws.amazon.com/blogs/security/six-tips-to-improve-the-security-of-your-aws-transfer-family-server/)
+ [Cómo Transfer Family puede ayudarlo a crear una solución de transferencia de archivos gestionada segura y compatible](https://aws.amazon.com/blogs/security/how-transfer-family-can-help-you-build-a-secure-compliant-managed-file-transfer-solution/)

**Topics**
+ [Algoritmos criptográficos](#cryptographic-algorithms)
+ [Detalles de la política de seguridad](#security-policy-details)

## Algoritmos criptográficos
<a name="cryptographic-algorithms"></a>

Para las claves de host, admitimos los siguientes algoritmos:
+ `rsa-sha2-256`
+ `rsa-sha2-512`
+ `ecdsa-sha2-nistp256`
+ `ecdsa-sha2-nistp384`
+ `ecdsa-sha2-nistp521`
+ `ssh-ed25519`

Además, las siguientes políticas de seguridad permiten`ssh-rsa`:
+ TransferSecurityPolicy-2018-11
+ TransferSecurityPolicy-2020-06
+ TransferSecurityPolicy-FIPS-2020-06
+ TransferSecurityPolicy-FIPS-2023-05
+ TransferSecurityPolicy-FIPS-2024-01

**nota**  
Es importante entender la diferencia entre el tipo de clave RSA (que siempre es así) `ssh-rsa` y el algoritmo de clave de host de RSA, que puede ser cualquiera de los algoritmos compatibles.

La siguiente es una lista de los algoritmos criptográficos admitidos con cada política de seguridad.

**nota**  
En la tabla y las políticas siguientes, anote el siguiente uso de los tipos de algoritmos.  
Los servidores SFTP solo utilizan algoritmos en las **SshMacs**secciones **SshCiphers**SshKexs****, y.
Los servidores FTPS solo utilizan los algoritmos de la **TlsCiphers**sección.
Los servidores FTP, dado que no utilizan cifrado, no utilizan ninguno de estos algoritmos.
Los servidores AS2 solo utilizan algoritmos en las **HashAlgorithms**secciones **ContentEncryptionCiphers**y. Estas secciones definen los algoritmos que se utilizan para cifrar y firmar el contenido de los archivos.
Las políticas FIPS-2024-01 de seguridad FIPS-2024-05 y las de seguridad son idénticas, excepto que FIPS-2024-05 no admiten el `ssh-rsa` algoritmo.
Transfer Family ha introducido nuevas políticas restringidas que son muy paralelas a las políticas existentes:  
Las políticas TransferSecurityPolicy-2018-11 de seguridad TransferSecurityPolicy-Restricted-2018-11 y las de seguridad son idénticas, excepto que la política restringida no admite el `chacha20-poly1305@openssh.com` cifrado.
Las políticas TransferSecurityPolicy-2020-06 de seguridad TransferSecurityPolicy-Restricted-2020-06 y las políticas son idénticas, excepto que la política restringida no admite el `chacha20-poly1305@openssh.com` cifrado.
\* En la siguiente tabla, el `chacha20-poly1305@openssh.com` cifrado solo se incluye en la política no restringida, 


| Política de seguridad | [TransferSecurityPolicy-2025-03](#security-policy-transfer-2025-03) | [TransferSecurityPolicy-FIPS-2025-03](#security-policy-transfer-2025-03-fips) | [TransferSecurityPolicy-SshAuditCompliant-2025-02](#security-policy-transferSecurityPolicy-SshAuditCompliant-2025-02) | [TransferSecurityPolicy-AS2Restricted-2025-07](#security-policy-transfer-as2restricted-2025-07) | [TransferSecurityPolicy-2024-01](#security-policy-transfer-2024-01) |  **[TransferSecurityPolicy-FIPS-2024-01/TransferSecurityPolicy-FIPS-2024-05](#security-policy-transfer-fips-2024-01)**  | [TransferSecurityPolicy-2023-05](#security-policy-transfer-2023-05) | [TransferSecurityPolicy-FIPS-2023-05](#security-policy-transfer-fips-2023-05) | [TransferSecurityPolicy-2022-03](#security-policy-transfer-2022-03) |  **[TransferSecurityPolicy-2020-06 y TransferSecurityPolicy-Restricted-2020-06](#security-policy-transfer-2020-06)**  | [TransferSecurityPolicy-FIPS-2020-06](#security-policy-transfer-fips-2020-06) |  **[TransferSecurityPolicy-2018-11 y TransferSecurityPolicy-Restricted-2018-11](#security-policy-transfer-2018-11)**  | 
| --- |--- |--- |--- |--- |--- |--- |--- |--- |--- |--- |--- |--- |
|  **SshCiphers**  | 
| --- |
| aes128-ctr | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |  |  |  | ♦ | ♦ | ♦ | 
| aes128-gcm@openssh.com | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | 
| aes192-ctr | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | 
| aes256-ctr | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | 
| aes256-gcm@openssh.com | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | 
| chacha20-poly1305@openssh.com |  |  |  |  |  |  |  |  |  | ♦\* |  | ♦\* | 
|  **SshKexs**  | 
| --- |
| mlkem768x25519-sha256 | ♦ | ♦ |  | ♦ |  |  |  |  |  |  |  |  | 
| mlkem768nistp256-sha256 | ♦ | ♦ |  | ♦ |  |  |  |  |  |  |  |  | 
| mlkem1024nistp384-sha384 | ♦ | ♦ |  | ♦ |  |  |  |  |  |  |  |  | 
| curva 25519-sha256 | ♦ |  | ♦ | ♦ | ♦ |  | ♦ |  | ♦ |  |  | ♦ | 
| curve25519-sha256@libssh.org | ♦ |  | ♦ | ♦ | ♦ |  | ♦ |  | ♦ |  |  | ♦ | 
| diffie-hellman-group14-sha1 |  |  |  |  |  |  |  |  |  |  |  | ♦ | 
| diffie-hellman-group14-sha256 |  |  |  |  |  |  |  |  |  | ♦ | ♦ | ♦ | 
| diffie-hellman-group16-sha512 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | 
| diffie-hellman-grupo18-sha512 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | 
| diffie-hellman-group-exchange-sha256 | ♦ | ♦ | ♦ | ♦ | ♦ |  | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | 
| ecdh-sha2-nistp256 | ♦ | ♦ |  | ♦ | ♦ | ♦ |  |  |  | ♦ | ♦ | ♦ | 
| ecdh-sha2-nistp384 | ♦ | ♦ |  | ♦ | ♦ | ♦ |  |  |  | ♦ | ♦ | ♦ | 
| ecdh-sha2-nistp521 | ♦ | ♦ |  | ♦ | ♦ | ♦ |  |  |  | ♦ | ♦ | ♦ | 
|  **SshMacs**  | 
| --- |
| hmac-sha1 |  |  |  |  |  |  |  |  |  |  |  | ♦ | 
| hmac-sha1-etm@openssh.com |  |  |  |  |  |  |  |  |  |  |  | ♦ | 
| hmac-sha2-256 |  |  |  |  |  |  |  |  | ♦ | ♦ | ♦ | ♦ | 
| hmac-sha2-256-etm@openssh.com | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | 
| hmac-sha2-512 |  |  |  |  |  |  |  |  | ♦ | ♦ | ♦ | ♦ | 
| hmac-sha2-512-etm@openssh.com | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | 
| umac-128-etm@openssh.com |  |  |  |  |  |  |  |  |  | ♦ |  | ♦ | 
| umac-128@openssh.com |  |  |  |  |  |  |  |  |  | ♦ |  | ♦ | 
| umac-64-etm@openssh.com |  |  |  |  |  |  |  |  |  |  |  | ♦ | 
| umac-64@openssh.com |  |  |  |  |  |  |  |  |  |  |  | ♦ | 
|  **ContentEncryptionCiphers**  | 
| --- |
| aes256-cbc | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | 
| aes192-cbc | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | 
| aes128-cbc | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | 
| 3des-cbc | ♦ | ♦ | ♦ |  | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | 
|  **HashAlgorithms**  | 
| --- |
| sha256 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | 
| sha384 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | 
| sha512 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | 
| sha1 | ♦ | ♦ | ♦ |  | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | 
|  **TlsCiphers**  | 
| --- |
| TLS\_ECDHE\_ECDSA\_WITH\_AES\_128\_CBC\_SHA256 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | 
| TLS\_ECDHE\_ECDSA\_WITH\_AES\_128\_GCM\_SHA256 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | 
| TLS\_ECDHE\_ECDSA\_WITH\_AES\_256\_CBC\_SHA384 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | 
| TLS\_ECDHE\_ECDSA\_WITH\_AES\_256\_GCM\_SHA384 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | 
| TLS\_ECDHE\_RSA\_WITH\_AES\_128\_CBC\_SHA256 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | 
| TLS\_ECDHE\_RSA\_WITH\_AES\_128\_GCM\_SHA256 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | 
| TLS\_ECDHE\_RSA\_WITH\_AES\_256\_CBC\_SHA384 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | 
| TLS\_ECDHE\_RSA\_WITH\_AES\_256\_GCM\_SHA384 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | 
| TLS\_RSA\_WITH\_AES\_128\_CBC\_SHA256 |  |  |  |  |  |  |  |  |  |  |  | ♦ | 
| TLS\_RSA\_WITH\_AES\_256\_CBC\_SHA256 |  |  |  |  |  |  |  |  |  |  |  | ♦ | 

## Detalles de la política de seguridad
<a name="security-policy-details"></a>

Las siguientes secciones contienen la representación en JSON de cada política de seguridad.

### TransferSecurityPolicy-2025-03
<a name="security-policy-transfer-2025-03"></a>

A continuación se muestra la política TransferSecurityPolicy-2025-03 de seguridad.

```
{
    "SecurityPolicy": {
        "Fips": false,
        "SecurityPolicyName": "TransferSecurityPolicy-2025-03",
        "SshCiphers": [
            "aes256-gcm@openssh.com",
            "aes128-gcm@openssh.com",
            "aes128-ctr",
            "aes256-ctr",
            "aes192-ctr"
        ],
        "SshKexs": [
            "mlkem768x25519-sha256",
            "mlkem768nistp256-sha256",
            "mlkem1024nistp384-sha384",
            "ecdh-sha2-nistp256",
            "ecdh-sha2-nistp384",
            "ecdh-sha2-nistp521",
            "curve25519-sha256",
            "curve25519-sha256@libssh.org",
            "diffie-hellman-group16-sha512",
            "diffie-hellman-group18-sha512",
            "diffie-hellman-group-exchange-sha256"
        ],
        "SshMacs": [
            "hmac-sha2-256-etm@openssh.com",
            "hmac-sha2-512-etm@openssh.com"
        ],
        "ContentEncryptionCiphers": [
            "aes256-cbc",
            "aes192-cbc",
            "aes128-cbc",
            "3des-cbc"
        ],
        "HashAlgorithms": [
            "sha256",
            "sha384",
            "sha512",
            "sha1"
        ],
        "TlsCiphers": [
            "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
            "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
            "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
            "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
            "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
            "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
            "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
            "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
        ],
        "Type": "SERVER",
        "Protocols": [
           "SFTP",
           "FTPS"
        ]
    }
}
```

### TransferSecurityPolicy-FIPS-2025-03
<a name="security-policy-transfer-2025-03-fips"></a>

A continuación se muestra la política TransferSecurityPolicy-FIPS-2025-03 de seguridad.

```
{
    "SecurityPolicy": {
        "Fips": true,
        "SecurityPolicyName": "TransferSecurityPolicy-FIPS-2025-03",
        "SshCiphers": [
            "aes256-gcm@openssh.com",
            "aes128-gcm@openssh.com",
            "aes256-ctr",
            "aes192-ctr",
            "aes128-ctr"
        ],
        "SshKexs": [
            "mlkem768x25519-sha256",
            "mlkem768nistp256-sha256",
            "mlkem1024nistp384-sha384",
            "ecdh-sha2-nistp256",
            "ecdh-sha2-nistp384",
            "ecdh-sha2-nistp521",
            "diffie-hellman-group-exchange-sha256",
            "diffie-hellman-group16-sha512",
            "diffie-hellman-group18-sha512"
        ],
        "SshMacs": [
            "hmac-sha2-512-etm@openssh.com",
            "hmac-sha2-256-etm@openssh.com"
        ],
        "ContentEncryptionCiphers": [
            "aes256-cbc",
            "aes192-cbc",
            "aes128-cbc",
            "3des-cbc"
        ],
        "HashAlgorithms": [
            "sha256",
            "sha384",
            "sha512",
            "sha1"
        ],
        "TlsCiphers": [
            "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
            "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
            "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
            "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
            "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
            "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
            "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
            "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
        ],
        "Type": "SERVER",
        "Protocols": [
           "SFTP",
           "FTPS"
        ]
    }
}
```

### TransferSecurityPolicy-AS2Restricted-2025-07
<a name="security-policy-transfer-as2restricted-2025-07"></a>

Esta política de seguridad está diseñada para las transferencias de archivos AS2 que requieren una seguridad mejorada al excluir los algoritmos criptográficos heredados. Es compatible con los algoritmos de cifrado AES y SHA-2 hash modernos, al tiempo que elimina la compatibilidad con algoritmos más débiles, como 3DES y. SHA-1

**nota**  
Esta política de seguridad es idéntica a TransferSecurityPolicy-2025-03, excepto que no es compatible con 3DES (entrada ContentEncryptionCiphers) ni con SHA1 (entrada). HashAlgorithms Incluye todos los algoritmos de 2025 a 2003, incluidos los algoritmos criptográficos poscuánticos (mlkem\* KEXs).

```
{
    "SecurityPolicy": {
        "Fips": false,
        "SecurityPolicyName": "TransferSecurityPolicy-AS2Restricted-2025-07",
        "SshCiphers": [
            "aes256-gcm@openssh.com",
            "aes128-gcm@openssh.com",
            "aes128-ctr",
            "aes256-ctr",
            "aes192-ctr"
        ],
        "SshKexs": [
            "mlkem768x25519-sha256",
            "mlkem768nistp256-sha256",
            "mlkem1024nistp384-sha384",
            "ecdh-sha2-nistp256",
            "ecdh-sha2-nistp384",
            "ecdh-sha2-nistp521",
            "curve25519-sha256",
            "curve25519-sha256@libssh.org",
            "diffie-hellman-group16-sha512",
            "diffie-hellman-group18-sha512",
            "diffie-hellman-group-exchange-sha256"
        ],
        "SshMacs": [
            "hmac-sha2-256-etm@openssh.com",
            "hmac-sha2-512-etm@openssh.com"
        ],
        "ContentEncryptionCiphers": [
            "aes256-cbc",
            "aes192-cbc",
            "aes128-cbc"
        ],
        "HashAlgorithms": [
            "sha256",
            "sha384",
            "sha512"
        ],
        "TlsCiphers": [
            "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
            "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
            "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
            "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
            "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
            "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
            "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
            "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
        ],
        "Type": "SERVER",
        "Protocols": [
           "SFTP",
           "FTPS"
        ]
    }
}
```

### TransferSecurityPolicy-SshAuditCompliant-2025-02
<a name="security-policy-transferSecurityPolicy-SshAuditCompliant-2025-02"></a>

A continuación se muestra la política TransferSecurityPolicy-SshAuditCompliant-2025-02 de seguridad.

**nota**  
Esta política de seguridad está diseñada en función de las recomendaciones de la `ssh-audit` herramienta y es 100% compatible con esa herramienta.

```
{
  "SecurityPolicy": {
    "Fips": false,
    "Protocols": [
      "SFTP",
      "FTPS"
    ],
    "SecurityPolicyName": "TransferSecurityPolicy-SshAuditCompliant-2025-02",
    "SshCiphers": [
      "aes128-gcm@openssh.com",
      "aes256-gcm@openssh.com",
      "aes128-ctr",
      "aes256-ctr",
      "aes192-ctr"
    ],
    "SshKexs": [
      "curve25519-sha256",
      "curve25519-sha256@libssh.org",
      "diffie-hellman-group18-sha512",
      "diffie-hellman-group16-sha512",
      "diffie-hellman-group-exchange-sha256"
    ],
    "SshMacs": [
      "hmac-sha2-256-etm@openssh.com",
      "hmac-sha2-512-etm@openssh.com"
    ],
    "ContentEncryptionCiphers": [
      "aes256-cbc",
      "aes192-cbc",
      "aes128-cbc",
      "3des-cbc"
    ],
    "HashAlgorithms": [
      "sha256",
      "sha384",
      "sha512",
      "sha1"
    ],
    "TlsCiphers": [
      "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
      "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
      "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
      "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
      "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
      "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
      "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
      "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
    ],
    "Type": "SERVER"
  }
}
```

### TransferSecurityPolicy-2024-01
<a name="security-policy-transfer-2024-01"></a>

A continuación se muestra la política TransferSecurityPolicy-2024-01 de seguridad.

```
{
    "SecurityPolicy": {
        "Fips": false,
        "SecurityPolicyName": "TransferSecurityPolicy-2024-01",
        "SshCiphers": [
            "aes128-gcm@openssh.com",
            "aes256-gcm@openssh.com",
            "aes128-ctr",
            "aes256-ctr",
            "aes192-ctr"
        ],
        "SshKexs": [
            "ecdh-sha2-nistp256",
            "ecdh-sha2-nistp384",
            "ecdh-sha2-nistp521",
            "curve25519-sha256",
            "curve25519-sha256@libssh.org",
            "diffie-hellman-group18-sha512",
            "diffie-hellman-group16-sha512",
            "diffie-hellman-group-exchange-sha256"
        ],
        "SshMacs": [
            "hmac-sha2-256-etm@openssh.com",
            "hmac-sha2-512-etm@openssh.com"
        ],
        "ContentEncryptionCiphers": [
            "aes256-cbc",
            "aes192-cbc",
            "aes128-cbc",
            "3des-cbc"
        ],
        "HashAlgorithms": [
            "sha256",
            "sha384",
            "sha512",
            "sha1"
        ],
        "TlsCiphers": [
            "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
            "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
            "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
            "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
            "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
            "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
            "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
            "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
        ]
    }
}
```

### TransferSecurityPolicy-FIPS-2024-01/TransferSecurityPolicy-FIPS-2024-05
<a name="security-policy-transfer-fips-2024-01"></a>

A continuación se muestran las políticas TransferSecurityPolicy-FIPS-2024-05 de seguridad TransferSecurityPolicy-FIPS-2024-01 y.

**nota**  
Las políticas de TransferSecurityPolicy-FIPS-2024-05 seguridad TransferSecurityPolicy-FIPS-2024-01 y punto final del servicio FIPS solo están disponibles en algunas AWS regiones. Para obtener más información, consulte [Puntos de conexión y cuotas de AWS Transfer Family](https://docs.aws.amazon.com/general/latest/gr/transfer-service.html) en la *Referencia general de AWS*.  
La única diferencia entre estas dos políticas de seguridad es que son TransferSecurityPolicy-FIPS-2024-01 compatibles con el `ssh-rsa` algoritmo y TransferSecurityPolicy-FIPS-2024-05 no lo son.

```
{
    "SecurityPolicy": {
        "Fips": true,
        "SecurityPolicyName": "TransferSecurityPolicy-FIPS-2024-01",
        "SshCiphers": [
            "aes128-gcm@openssh.com",
            "aes256-gcm@openssh.com",
            "aes128-ctr",
            "aes256-ctr",
            "aes192-ctr"
        ],
        "SshKexs": [
            "ecdh-sha2-nistp256",
            "ecdh-sha2-nistp384",
            "ecdh-sha2-nistp521",
            "diffie-hellman-group18-sha512",
            "diffie-hellman-group16-sha512",
            "diffie-hellman-group-exchange-sha256"
        ],
        "SshMacs": [
            "hmac-sha2-256-etm@openssh.com",
            "hmac-sha2-512-etm@openssh.com"
        ],
        "ContentEncryptionCiphers": [
            "aes256-cbc",
            "aes192-cbc",
            "aes128-cbc",
            "3des-cbc"
        ],
        "HashAlgorithms": [
            "sha256",
            "sha384",
            "sha512",
            "sha1"
        ],
        "TlsCiphers": [
            "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
            "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
            "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
            "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
            "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
            "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
            "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
            "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
        ]
    }
}
```

### TransferSecurityPolicy-2023-05
<a name="security-policy-transfer-2023-05"></a>

A continuación se muestra la política TransferSecurityPolicy-2023-05 de seguridad.

```
{
    "SecurityPolicy": {
        "Fips": false,
        "SecurityPolicyName": "TransferSecurityPolicy-2023-05",
        "SshCiphers": [
            "aes256-gcm@openssh.com",
            "aes128-gcm@openssh.com",
            "aes256-ctr",
            "aes192-ctr"
        ],
        "SshKexs": [
            "curve25519-sha256",
            "curve25519-sha256@libssh.org",
            "diffie-hellman-group16-sha512",
            "diffie-hellman-group18-sha512",
            "diffie-hellman-group-exchange-sha256"
        ],
        "SshMacs": [
            "hmac-sha2-512-etm@openssh.com",
            "hmac-sha2-256-etm@openssh.com"
        ],
        "ContentEncryptionCiphers": [
            "aes256-cbc",
            "aes192-cbc",
            "aes128-cbc",
            "3des-cbc"
        ],
        "HashAlgorithms": [
            "sha256",
            "sha384",
            "sha512",
            "sha1"
        ],
        "TlsCiphers": [
            "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
            "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
            "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
            "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
            "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
            "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
            "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
            "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
        ]
    }
}
```

### TransferSecurityPolicy-FIPS-2023-05
<a name="security-policy-transfer-fips-2023-05"></a>

Los detalles de la certificación FIPS se AWS Transfer Family pueden encontrar en [https://csrc.nist.gov/projects/cryptographic-module-validation-program/validated-modules/search/all](https://csrc.nist.gov/projects/cryptographic-module-validation-program/validated-modules/search/all)

A continuación se muestra la política TransferSecurityPolicy-FIPS-2023-05 de seguridad.

**nota**  
La política de TransferSecurityPolicy-FIPS-2023-05 seguridad y punto final del servicio FIPS solo está disponible en algunas AWS regiones. Para obtener más información, consulte [Puntos de conexión y cuotas de AWS Transfer Family](https://docs.aws.amazon.com/general/latest/gr/transfer-service.html) en la *Referencia general de AWS*.

```
{
    "SecurityPolicy": {
        "Fips": true,
        "SecurityPolicyName": "TransferSecurityPolicy-FIPS-2023-05",
        "SshCiphers": [
            "aes256-gcm@openssh.com",
            "aes128-gcm@openssh.com",
            "aes256-ctr",
            "aes192-ctr"
        ],
        "SshKexs": [
            "diffie-hellman-group16-sha512",
            "diffie-hellman-group18-sha512",
            "diffie-hellman-group-exchange-sha256"
        ],
        "SshMacs": [
            "hmac-sha2-256-etm@openssh.com",
            "hmac-sha2-512-etm@openssh.com"
        ],
        "ContentEncryptionCiphers": [
            "aes256-cbc",
            "aes192-cbc",
            "aes128-cbc",
            "3des-cbc"
        ],
        "HashAlgorithms": [
            "sha256",
            "sha384",
            "sha512",
            "sha1"
        ],
        "TlsCiphers": [
            "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
            "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
            "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
            "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
            "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
            "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
            "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
            "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
        ]
    }
}
```

### TransferSecurityPolicy-2022-03
<a name="security-policy-transfer-2022-03"></a>

A continuación se muestra la política TransferSecurityPolicy-2022-03 de seguridad.

```
{
  "SecurityPolicy": {
    "Fips": false,
    "SecurityPolicyName": "TransferSecurityPolicy-2022-03",
    "SshCiphers": [
      "aes256-gcm@openssh.com",
      "aes128-gcm@openssh.com",
      "aes256-ctr",
      "aes192-ctr"
    ],
    "SshKexs": [
      "curve25519-sha256",
      "curve25519-sha256@libssh.org",
      "diffie-hellman-group16-sha512",
      "diffie-hellman-group18-sha512",
      "diffie-hellman-group-exchange-sha256"
    ],
    "SshMacs": [
      "hmac-sha2-512-etm@openssh.com",
      "hmac-sha2-256-etm@openssh.com",
      "hmac-sha2-512",
      "hmac-sha2-256"
    ],
    "ContentEncryptionCiphers": [
      "aes256-cbc",
      "aes192-cbc",
      "aes128-cbc",
      "3des-cbc"
    ],
    "HashAlgorithms": [
      "sha256",
      "sha384",
      "sha512",
      "sha1"
    ],
    "TlsCiphers": [
      "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
      "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
      "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
      "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
      "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
      "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
      "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
      "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
    ]
  }
}
```

### TransferSecurityPolicy-2020-06 y TransferSecurityPolicy-Restricted-2020-06
<a name="security-policy-transfer-2020-06"></a>

A continuación se muestra la política TransferSecurityPolicy-2020-06 de seguridad.

**nota**  
Las políticas TransferSecurityPolicy-2020-06 de seguridad TransferSecurityPolicy-Restricted-2020-06 y las políticas son idénticas, excepto que la política restringida no admite el `chacha20-poly1305@openssh.com` cifrado.

```
{
  "SecurityPolicy": {
    "Fips": false,
    "SecurityPolicyName": "TransferSecurityPolicy-2020-06",
    "SshCiphers": [
      "chacha20-poly1305@openssh.com", //Not included in TransferSecurityPolicy-Restricted-2020-06
      "aes128-ctr",
      "aes192-ctr",
      "aes256-ctr",
      "aes128-gcm@openssh.com",
      "aes256-gcm@openssh.com"
    ],
    "SshKexs": [
      "ecdh-sha2-nistp256",
      "ecdh-sha2-nistp384",
      "ecdh-sha2-nistp521",
      "diffie-hellman-group-exchange-sha256",
      "diffie-hellman-group16-sha512",
      "diffie-hellman-group18-sha512",
      "diffie-hellman-group14-sha256"
    ],
    "SshMacs": [
      "umac-128-etm@openssh.com",
      "hmac-sha2-256-etm@openssh.com",
      "hmac-sha2-512-etm@openssh.com",
      "umac-128@openssh.com",
      "hmac-sha2-256",
      "hmac-sha2-512"
    ],
    "ContentEncryptionCiphers": [
      "aes256-cbc",
      "aes192-cbc",
      "aes128-cbc",
      "3des-cbc"
    ],
    "HashAlgorithms": [
      "sha256",
      "sha384",
      "sha512",
      "sha1"
    ],
    "TlsCiphers": [
      "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
      "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
      "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
      "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
      "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
      "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
      "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
      "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
    ]
  }
}
```

### TransferSecurityPolicy-FIPS-2020-06
<a name="security-policy-transfer-fips-2020-06"></a>

Los detalles de la certificación FIPS se AWS Transfer Family pueden encontrar en [https://csrc.nist.gov/projects/cryptographic-module-validation-program/validated-modules/search/all](https://csrc.nist.gov/projects/cryptographic-module-validation-program/validated-modules/search/all)

A continuación se muestra la política TransferSecurityPolicy-FIPS-2020-06 de seguridad.

**nota**  
La política de TransferSecurityPolicy-FIPS-2020-06 seguridad y punto final del servicio FIPS solo están disponibles en algunas AWS regiones. Para obtener más información, consulte [Puntos de conexión y cuotas de AWS Transfer Family](https://docs.aws.amazon.com/general/latest/gr/transfer-service.html) en la *Referencia general de AWS*.

```
{
  "SecurityPolicy": {
    "Fips": true,
    "SecurityPolicyName": "TransferSecurityPolicy-FIPS-2020-06",
    "SshCiphers": [
      "aes128-ctr",
      "aes192-ctr",
      "aes256-ctr",
      "aes128-gcm@openssh.com",
      "aes256-gcm@openssh.com"
    ],
    "SshKexs": [
      "ecdh-sha2-nistp256",
      "ecdh-sha2-nistp384",
      "ecdh-sha2-nistp521",
      "diffie-hellman-group-exchange-sha256",
      "diffie-hellman-group16-sha512",
      "diffie-hellman-group18-sha512",
      "diffie-hellman-group14-sha256"
    ],
    "SshMacs": [
      "hmac-sha2-256-etm@openssh.com",
      "hmac-sha2-512-etm@openssh.com",
      "hmac-sha2-256",
      "hmac-sha2-512"
    ],
    "ContentEncryptionCiphers": [
      "aes256-cbc",
      "aes192-cbc",
      "aes128-cbc",
      "3des-cbc"
    ],
    "HashAlgorithms": [
      "sha256",
      "sha384",
      "sha512",
      "sha1"
    ],
    "TlsCiphers": [
      "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
      "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
      "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
      "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
      "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
      "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
      "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
      "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
    ]
  }
}
```

### TransferSecurityPolicy-2018-11 y TransferSecurityPolicy-Restricted-2018-11
<a name="security-policy-transfer-2018-11"></a>

A continuación se muestra la política TransferSecurityPolicy-2018-11 de seguridad.

**nota**  
Las políticas TransferSecurityPolicy-2018-11 de seguridad TransferSecurityPolicy-Restricted-2018-11 y las políticas son idénticas, excepto que la política restringida no admite el `chacha20-poly1305@openssh.com` cifrado.

```
{
  "SecurityPolicy": {
    "Fips": false,
    "SecurityPolicyName": "TransferSecurityPolicy-2018-11",
    "SshCiphers": [
      "chacha20-poly1305@openssh.com", //Not included in TransferSecurityPolicy-Restricted-2018-11
      "aes128-ctr",
      "aes192-ctr",
      "aes256-ctr",
      "aes128-gcm@openssh.com",
      "aes256-gcm@openssh.com"
    ],
    "SshKexs": [
      "curve25519-sha256",
      "curve25519-sha256@libssh.org",
      "ecdh-sha2-nistp256",
      "ecdh-sha2-nistp384",
      "ecdh-sha2-nistp521",
      "diffie-hellman-group-exchange-sha256",
      "diffie-hellman-group16-sha512",
      "diffie-hellman-group18-sha512",
      "diffie-hellman-group14-sha256",
      "diffie-hellman-group14-sha1"
    ],
    "SshMacs": [
      "umac-64-etm@openssh.com",
      "umac-128-etm@openssh.com",
      "hmac-sha2-256-etm@openssh.com",
      "hmac-sha2-512-etm@openssh.com",
      "hmac-sha1-etm@openssh.com",
      "umac-64@openssh.com",
      "umac-128@openssh.com",
      "hmac-sha2-256",
      "hmac-sha2-512",
      "hmac-sha1"
    ],
    "ContentEncryptionCiphers": [
      "aes256-cbc",
      "aes192-cbc",
      "aes128-cbc",
      "3des-cbc"
    ],
    "HashAlgorithms": [
      "sha256",
      "sha384",
      "sha512",
      "sha1"
    ],
    "TlsCiphers": [
      "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
      "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
      "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
      "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
      "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
      "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
      "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
      "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
      "TLS_RSA_WITH_AES_128_CBC_SHA256",
      "TLS_RSA_WITH_AES_256_CBC_SHA256"
    ]
  }
}
```