Les traductions sont fournies par des outils de traduction automatique. En cas de conflit entre le contenu d'une traduction et celui de la version originale en anglais, la version anglaise prévaudra.
Politiques de sécurité pour les AWS Transfer Family serveurs
Les politiques de sécurité du serveur vous AWS Transfer Family permettent de limiter l'ensemble des algorithmes cryptographiques (codes d'authentification des messages (MAC), échanges de clés (KEXs), suites de chiffrement, chiffrements de contenu et algorithmes de hachage) associés à votre serveur.
AWS Transfer Family prend en charge les politiques de sécurité post-quantique qui utilisent des algorithmes d'échange de clés hybrides, combinant des méthodes cryptographiques traditionnelles avec des algorithmes post-quantiques pour renforcer la sécurité contre les futures menaces informatiques quantiques. Pour de plus amples informations, veuillez consulter Utilisation de l'échange de clés post-quantique hybride avec AWS Transfer Family.
Pour obtenir la liste des algorithmes cryptographiques pris en charge, consultezAlgorithmes cryptographiques. Pour obtenir la liste des algorithmes clés pris en charge à utiliser avec les clés d'hôte du serveur et les clés utilisateur gérées par les services, consultez. Gestion des clés SSH et PGP dans Transfer Family
Note
À compter de 2025, toutes les nouvelles politiques AWS Transfer Family de sécurité incluent un support cryptographique post-quantique utilisant des algorithmes d'échange de clés hybrides. Pour plus d'informations sur la sécurité post-quantique, consultezUtilisation de l'échange de clés post-quantique hybride avec AWS Transfer Family.
Note
Nous vous recommandons vivement de mettre vos serveurs à jour conformément à notre politique de sécurité la plus récente.
-
TransferSecurityPolicy-2024-01est la politique de sécurité par défaut attachée à votre serveur lorsque vous créez un serveur à l'aide de la console, de l'API ou de la CLI. -
Si vous créez un serveur Transfer Family en utilisant CloudFormation et acceptez la politique de sécurité par défaut, le serveur est assigné
TransferSecurityPolicy-2018-11.
Si la compatibilité des clients vous préoccupe, veuillez indiquer clairement la politique de sécurité que vous souhaitez utiliser lors de la création ou de la mise à jour d'un serveur plutôt que d'utiliser la politique par défaut, qui est sujette à modification. Pour modifier la politique de sécurité d'un serveur, consultezModifier la politique de sécurité.
Note
Les politiques post-quantiques antérieures (TransferSecurityPolicy-PQ-SSH-Experimental-2023-04et TransferSecurityPolicy-PQ-SSH-FIPS-Experimental-2023-04) sont obsolètes. Nous vous recommandons plutôt d'utiliser les nouvelles politiques.
Pour plus d'informations sur la sécurité dans Transfer Family, consultez les articles de blog suivants :
Algorithmes cryptographiques
Pour les clés d'hôte, nous prenons en charge les algorithmes suivants :
-
rsa-sha2-256 -
rsa-sha2-512 -
ecdsa-sha2-nistp256 -
ecdsa-sha2-nistp384 -
ecdsa-sha2-nistp521 -
ssh-ed25519
En outre, les politiques de sécurité suivantes permettent ssh-rsa :
-
TransferSecurityPolicy-2018-11
-
TransferSecurityPolicy-2020-06
-
TransferSecurityPolicy-FIPS-2020-06
-
TransferSecurityPolicy-FIPS-2023-05
-
TransferSecurityPolicy-FIPS-2024-01
Note
Il est important de comprendre la distinction entre le type de clé RSA (qui est toujours le cas) ssh-rsa et l'algorithme de clé d'hôte RSA, qui peut être n'importe lequel des algorithmes pris en charge.
Voici une liste des algorithmes cryptographiques pris en charge pour chaque politique de sécurité.
Note
Dans le tableau et les politiques suivants, notez l'utilisation suivante des types d'algorithmes.
-
Les serveurs SFTP utilisent uniquement des algorithmes dans les SshMacssections SshCiphersSshKexs, et.
-
Les serveurs FTPS utilisent uniquement les algorithmes de TlsCipherscette section.
-
Les serveurs FTP, puisqu'ils n'utilisent pas de chiffrement, n'utilisent aucun de ces algorithmes.
-
Les serveurs AS2 utilisent uniquement des algorithmes dans les HashAlgorithmssections ContentEncryptionCipherset. Ces sections définissent les algorithmes utilisés pour chiffrer et signer le contenu des fichiers.
-
Les politiques FIPS-2024-01 de sécurité FIPS-2024-05 et sont identiques, sauf que FIPS-2024-05 cela ne prend pas en charge l'
ssh-rsaalgorithme. -
Transfer Family a introduit de nouvelles politiques restreintes qui sont étroitement parallèles aux politiques existantes :
-
Les politiques TransferSecurityPolicy-2018-11 de sécurité TransferSecurityPolicy-Restricted-2018-11 et sont identiques, sauf que la politique restreinte ne prend pas en charge le
chacha20-poly1305@openssh.comchiffrement. -
Les politiques TransferSecurityPolicy-2020-06 de sécurité TransferSecurityPolicy-Restricted-2020-06 et sont identiques, sauf que la politique restreinte ne prend pas en charge le
chacha20-poly1305@openssh.comchiffrement.
* Dans le tableau suivant, le
chacha20-poly1305@openssh.comchiffrement est inclus uniquement dans la politique non restreinte, -
| Politique de sécurité |
TransferSecurityPolicy-FIPS-2024-01/TransferSecurityPolicy-FIPS-2024-05 |
TransferSecurityPolicy-2020-06 et TransferSecurityPolicy-Restricted-2020-06 |
TransferSecurityPolicy-2018-11 et TransferSecurityPolicy-Restricted-2018-11 |
|||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
SshCiphers |
||||||||||||
aes128-CTR |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
|||
aes128-gcm@openssh.com |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
aes192-ctr |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
aes256-ctr |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
aes256-gcm@openssh.com |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
chacha20-poly1305@openssh.com |
♦* |
♦* |
||||||||||
|
SshKexs |
||||||||||||
mlkem768x25519-sha256 |
♦ |
♦ |
♦ |
|||||||||
mlkem768nistp256-sha256 |
♦ |
♦ |
♦ |
|||||||||
mlkem1024nistp384-sha384 |
♦ |
♦ |
♦ |
|||||||||
curve25519-sha256 |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
|||||
curve25519-sha256@libssh.org |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
|||||
diffie-hellman-group14-sha1 |
♦ |
|||||||||||
diffie-hellman-group14-sha256 |
♦ |
♦ |
♦ |
|||||||||
diffie-hellman-group16-sha512 |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
diffie-hellman-group18-sha512 |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
diffie-hellman-group-exchange-sha256 |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
|
ecdh-sha2-nistp255 |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
||||
ecdh-sha2-nistp384 |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
||||
ecdh-sha2-nistp521 |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
||||
|
SshMacs |
||||||||||||
hmac-sha1 |
♦ |
|||||||||||
hmac-sha1-etm@openssh.com |
♦ |
|||||||||||
hmac-sha2-256 |
♦ |
♦ |
♦ |
♦ |
||||||||
hmac-sha2-256-etm@openssh.com |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
hmac-sha2-512 |
♦ |
♦ |
♦ |
♦ |
||||||||
hmac-sha2-512-etm@openssh.com |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
umac-128-etm@openssh.com |
♦ |
♦ |
||||||||||
umac-128@openssh.com |
♦ |
♦ |
||||||||||
umac-64-etm@openssh.com |
♦ |
|||||||||||
umac-64@openssh.com |
♦ |
|||||||||||
|
ContentEncryptionCiphers |
||||||||||||
aes256-cbc |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
aes192-cbc |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
aes128-cbc |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
3des-CBC |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
|
|
HashAlgorithms |
||||||||||||
sha256 |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
sha384 |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
sha512 |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
sha1 |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
|
|
TlsCiphers |
||||||||||||
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
TLS_RSA_WITH_AES_128_CBC_SHA256 |
♦ |
|||||||||||
TLS_RSA_WITH_AES_256_CBC_SHA256 |
♦ |
|||||||||||
Détails de la politique de sécurité
Les sections suivantes contiennent la représentation JSON de chaque politique de sécurité.
TransferSecurityPolicy-2025-03
Voici la politique de TransferSecurityPolicy-2025-03 sécurité.
{ "SecurityPolicy": { "Fips": false, "SecurityPolicyName": "TransferSecurityPolicy-2025-03", "SshCiphers": [ "aes256-gcm@openssh.com", "aes128-gcm@openssh.com", "aes128-ctr", "aes256-ctr", "aes192-ctr" ], "SshKexs": [ "mlkem768x25519-sha256", "mlkem768nistp256-sha256", "mlkem1024nistp384-sha384", "ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521", "curve25519-sha256", "curve25519-sha256@libssh.org", "diffie-hellman-group16-sha512", "diffie-hellman-group18-sha512", "diffie-hellman-group-exchange-sha256" ], "SshMacs": [ "hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com" ], "ContentEncryptionCiphers": [ "aes256-cbc", "aes192-cbc", "aes128-cbc", "3des-cbc" ], "HashAlgorithms": [ "sha256", "sha384", "sha512", "sha1" ], "TlsCiphers": [ "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384" ], "Type": "SERVER", "Protocols": [ "SFTP", "FTPS" ] } }
TransferSecurityPolicy-FIPS-2025-03
Voici la politique de TransferSecurityPolicy-FIPS-2025-03 sécurité.
{ "SecurityPolicy": { "Fips": true, "SecurityPolicyName": "TransferSecurityPolicy-FIPS-2025-03", "SshCiphers": [ "aes256-gcm@openssh.com", "aes128-gcm@openssh.com", "aes256-ctr", "aes192-ctr", "aes128-ctr" ], "SshKexs": [ "mlkem768x25519-sha256", "mlkem768nistp256-sha256", "mlkem1024nistp384-sha384", "ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521", "diffie-hellman-group-exchange-sha256", "diffie-hellman-group16-sha512", "diffie-hellman-group18-sha512" ], "SshMacs": [ "hmac-sha2-512-etm@openssh.com", "hmac-sha2-256-etm@openssh.com" ], "ContentEncryptionCiphers": [ "aes256-cbc", "aes192-cbc", "aes128-cbc", "3des-cbc" ], "HashAlgorithms": [ "sha256", "sha384", "sha512", "sha1" ], "TlsCiphers": [ "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384" ], "Type": "SERVER", "Protocols": [ "SFTP", "FTPS" ] } }
TransferSecurityPolicy-AS2Restricted-2025-07
Cette politique de sécurité est conçue pour les transferts de fichiers AS2 qui nécessitent une sécurité renforcée en excluant les algorithmes cryptographiques existants. Il prend en charge le cryptage AES moderne et les algorithmes de SHA-2 hachage tout en supprimant la prise en charge des algorithmes plus faibles tels que 3DES et. SHA-1
Note
Cette politique de sécurité est identique à TransferSecurityPolicy-2025-03, sauf qu'elle ne prend pas en charge 3DES (in ContentEncryptionCiphers) ni SHA1 (in HashAlgorithms). Il inclut tous les algorithmes de 2025-03, y compris les algorithmes cryptographiques post-quantiques (mlkem* KEXs).
{ "SecurityPolicy": { "Fips": false, "SecurityPolicyName": "TransferSecurityPolicy-AS2Restricted-2025-07", "SshCiphers": [ "aes256-gcm@openssh.com", "aes128-gcm@openssh.com", "aes128-ctr", "aes256-ctr", "aes192-ctr" ], "SshKexs": [ "mlkem768x25519-sha256", "mlkem768nistp256-sha256", "mlkem1024nistp384-sha384", "ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521", "curve25519-sha256", "curve25519-sha256@libssh.org", "diffie-hellman-group16-sha512", "diffie-hellman-group18-sha512", "diffie-hellman-group-exchange-sha256" ], "SshMacs": [ "hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com" ], "ContentEncryptionCiphers": [ "aes256-cbc", "aes192-cbc", "aes128-cbc" ], "HashAlgorithms": [ "sha256", "sha384", "sha512" ], "TlsCiphers": [ "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384" ], "Type": "SERVER", "Protocols": [ "SFTP", "FTPS" ] } }
TransferSecurityPolicy-SshAuditCompliant-2025-02
Voici la politique de TransferSecurityPolicy-SshAuditCompliant-2025-02 sécurité.
Note
Cette politique de sécurité est conçue autour des recommandations fournies par l'ssh-auditoutil et est 100 % conforme à cet outil.
{ "SecurityPolicy": { "Fips": false, "Protocols": [ "SFTP", "FTPS" ], "SecurityPolicyName": "TransferSecurityPolicy-SshAuditCompliant-2025-02", "SshCiphers": [ "aes128-gcm@openssh.com", "aes256-gcm@openssh.com", "aes128-ctr", "aes256-ctr", "aes192-ctr" ], "SshKexs": [ "curve25519-sha256", "curve25519-sha256@libssh.org", "diffie-hellman-group18-sha512", "diffie-hellman-group16-sha512", "diffie-hellman-group-exchange-sha256" ], "SshMacs": [ "hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com" ], "ContentEncryptionCiphers": [ "aes256-cbc", "aes192-cbc", "aes128-cbc", "3des-cbc" ], "HashAlgorithms": [ "sha256", "sha384", "sha512", "sha1" ], "TlsCiphers": [ "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384" ], "Type": "SERVER" } }
TransferSecurityPolicy-2024-01
Voici la politique de TransferSecurityPolicy-2024-01 sécurité.
{ "SecurityPolicy": { "Fips": false, "SecurityPolicyName": "TransferSecurityPolicy-2024-01", "SshCiphers": [ "aes128-gcm@openssh.com", "aes256-gcm@openssh.com", "aes128-ctr", "aes256-ctr", "aes192-ctr" ], "SshKexs": [ "ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521", "curve25519-sha256", "curve25519-sha256@libssh.org", "diffie-hellman-group18-sha512", "diffie-hellman-group16-sha512", "diffie-hellman-group-exchange-sha256" ], "SshMacs": [ "hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com" ], "ContentEncryptionCiphers": [ "aes256-cbc", "aes192-cbc", "aes128-cbc", "3des-cbc" ], "HashAlgorithms": [ "sha256", "sha384", "sha512", "sha1" ], "TlsCiphers": [ "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384" ] } }
TransferSecurityPolicy-FIPS-2024-01/TransferSecurityPolicy-FIPS-2024-05
Vous trouverez ci-dessous les politiques TransferSecurityPolicy-FIPS-2024-05 de sécurité TransferSecurityPolicy-FIPS-2024-01 et.
Note
Le point de terminaison TransferSecurityPolicy-FIPS-2024-01 et les politiques de TransferSecurityPolicy-FIPS-2024-05 sécurité du service FIPS ne sont disponibles que dans certaines AWS régions. Pour plus d’informations, consultez Points de terminaison et quotas AWS Transfer Family dans le document Références générales AWS.
La seule différence entre ces deux politiques de sécurité est qu'elles TransferSecurityPolicy-FIPS-2024-01 supportent l'ssh-rsaalgorithme et TransferSecurityPolicy-FIPS-2024-05 ne le supportent pas.
{ "SecurityPolicy": { "Fips": true, "SecurityPolicyName": "TransferSecurityPolicy-FIPS-2024-01", "SshCiphers": [ "aes128-gcm@openssh.com", "aes256-gcm@openssh.com", "aes128-ctr", "aes256-ctr", "aes192-ctr" ], "SshKexs": [ "ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521", "diffie-hellman-group18-sha512", "diffie-hellman-group16-sha512", "diffie-hellman-group-exchange-sha256" ], "SshMacs": [ "hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com" ], "ContentEncryptionCiphers": [ "aes256-cbc", "aes192-cbc", "aes128-cbc", "3des-cbc" ], "HashAlgorithms": [ "sha256", "sha384", "sha512", "sha1" ], "TlsCiphers": [ "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384" ] } }
TransferSecurityPolicy-2023-05
Voici la politique de TransferSecurityPolicy-2023-05 sécurité.
{ "SecurityPolicy": { "Fips": false, "SecurityPolicyName": "TransferSecurityPolicy-2023-05", "SshCiphers": [ "aes256-gcm@openssh.com", "aes128-gcm@openssh.com", "aes256-ctr", "aes192-ctr" ], "SshKexs": [ "curve25519-sha256", "curve25519-sha256@libssh.org", "diffie-hellman-group16-sha512", "diffie-hellman-group18-sha512", "diffie-hellman-group-exchange-sha256" ], "SshMacs": [ "hmac-sha2-512-etm@openssh.com", "hmac-sha2-256-etm@openssh.com" ], "ContentEncryptionCiphers": [ "aes256-cbc", "aes192-cbc", "aes128-cbc", "3des-cbc" ], "HashAlgorithms": [ "sha256", "sha384", "sha512", "sha1" ], "TlsCiphers": [ "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384" ] } }
TransferSecurityPolicy-FIPS-2023-05
Les détails de la certification FIPS sont AWS Transfer Family disponibles à l'adresse https://csrc.nist.gov/projects/cryptographic-module-validation-program/validated-modules/search/all
Voici la politique de TransferSecurityPolicy-FIPS-2023-05 sécurité.
Note
La politique de TransferSecurityPolicy-FIPS-2023-05 sécurité et de point de terminaison du service FIPS n'est disponible que dans certaines AWS régions. Pour plus d’informations, consultez Points de terminaison et quotas AWS Transfer Family dans le document Références générales AWS.
{ "SecurityPolicy": { "Fips": true, "SecurityPolicyName": "TransferSecurityPolicy-FIPS-2023-05", "SshCiphers": [ "aes256-gcm@openssh.com", "aes128-gcm@openssh.com", "aes256-ctr", "aes192-ctr" ], "SshKexs": [ "diffie-hellman-group16-sha512", "diffie-hellman-group18-sha512", "diffie-hellman-group-exchange-sha256" ], "SshMacs": [ "hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com" ], "ContentEncryptionCiphers": [ "aes256-cbc", "aes192-cbc", "aes128-cbc", "3des-cbc" ], "HashAlgorithms": [ "sha256", "sha384", "sha512", "sha1" ], "TlsCiphers": [ "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384" ] } }
TransferSecurityPolicy-2022-03
Voici la politique de TransferSecurityPolicy-2022-03 sécurité.
{ "SecurityPolicy": { "Fips": false, "SecurityPolicyName": "TransferSecurityPolicy-2022-03", "SshCiphers": [ "aes256-gcm@openssh.com", "aes128-gcm@openssh.com", "aes256-ctr", "aes192-ctr" ], "SshKexs": [ "curve25519-sha256", "curve25519-sha256@libssh.org", "diffie-hellman-group16-sha512", "diffie-hellman-group18-sha512", "diffie-hellman-group-exchange-sha256" ], "SshMacs": [ "hmac-sha2-512-etm@openssh.com", "hmac-sha2-256-etm@openssh.com", "hmac-sha2-512", "hmac-sha2-256" ], "ContentEncryptionCiphers": [ "aes256-cbc", "aes192-cbc", "aes128-cbc", "3des-cbc" ], "HashAlgorithms": [ "sha256", "sha384", "sha512", "sha1" ], "TlsCiphers": [ "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384" ] } }
TransferSecurityPolicy-2020-06 et TransferSecurityPolicy-Restricted-2020-06
Voici la politique de TransferSecurityPolicy-2020-06 sécurité.
Note
Les politiques TransferSecurityPolicy-2020-06 de sécurité TransferSecurityPolicy-Restricted-2020-06 et sont identiques, sauf que la politique restreinte ne prend pas en charge le chacha20-poly1305@openssh.com chiffrement.
{ "SecurityPolicy": { "Fips": false, "SecurityPolicyName": "TransferSecurityPolicy-2020-06", "SshCiphers": [ "chacha20-poly1305@openssh.com", //Not included in TransferSecurityPolicy-Restricted-2020-06 "aes128-ctr", "aes192-ctr", "aes256-ctr", "aes128-gcm@openssh.com", "aes256-gcm@openssh.com" ], "SshKexs": [ "ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521", "diffie-hellman-group-exchange-sha256", "diffie-hellman-group16-sha512", "diffie-hellman-group18-sha512", "diffie-hellman-group14-sha256" ], "SshMacs": [ "umac-128-etm@openssh.com", "hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com", "umac-128@openssh.com", "hmac-sha2-256", "hmac-sha2-512" ], "ContentEncryptionCiphers": [ "aes256-cbc", "aes192-cbc", "aes128-cbc", "3des-cbc" ], "HashAlgorithms": [ "sha256", "sha384", "sha512", "sha1" ], "TlsCiphers": [ "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384" ] } }
TransferSecurityPolicy-FIPS-2020-06
Les détails de la certification FIPS sont AWS Transfer Family disponibles à l'adresse https://csrc.nist.gov/projects/cryptographic-module-validation-program/validated-modules/search/all
Voici la politique de TransferSecurityPolicy-FIPS-2020-06 sécurité.
Note
Le point de terminaison et la politique TransferSecurityPolicy-FIPS-2020-06 de sécurité du service FIPS ne sont disponibles que dans certaines AWS régions. Pour plus d’informations, consultez Points de terminaison et quotas AWS Transfer Family dans le document Références générales AWS.
{ "SecurityPolicy": { "Fips": true, "SecurityPolicyName": "TransferSecurityPolicy-FIPS-2020-06", "SshCiphers": [ "aes128-ctr", "aes192-ctr", "aes256-ctr", "aes128-gcm@openssh.com", "aes256-gcm@openssh.com" ], "SshKexs": [ "ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521", "diffie-hellman-group-exchange-sha256", "diffie-hellman-group16-sha512", "diffie-hellman-group18-sha512", "diffie-hellman-group14-sha256" ], "SshMacs": [ "hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com", "hmac-sha2-256", "hmac-sha2-512" ], "ContentEncryptionCiphers": [ "aes256-cbc", "aes192-cbc", "aes128-cbc", "3des-cbc" ], "HashAlgorithms": [ "sha256", "sha384", "sha512", "sha1" ], "TlsCiphers": [ "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384" ] } }
TransferSecurityPolicy-2018-11 et TransferSecurityPolicy-Restricted-2018-11
Voici la politique de TransferSecurityPolicy-2018-11 sécurité.
Note
Les politiques TransferSecurityPolicy-2018-11 de sécurité TransferSecurityPolicy-Restricted-2018-11 et sont identiques, sauf que la politique restreinte ne prend pas en charge le chacha20-poly1305@openssh.com chiffrement.
{ "SecurityPolicy": { "Fips": false, "SecurityPolicyName": "TransferSecurityPolicy-2018-11", "SshCiphers": [ "chacha20-poly1305@openssh.com", //Not included in TransferSecurityPolicy-Restricted-2018-11 "aes128-ctr", "aes192-ctr", "aes256-ctr", "aes128-gcm@openssh.com", "aes256-gcm@openssh.com" ], "SshKexs": [ "curve25519-sha256", "curve25519-sha256@libssh.org", "ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521", "diffie-hellman-group-exchange-sha256", "diffie-hellman-group16-sha512", "diffie-hellman-group18-sha512", "diffie-hellman-group14-sha256", "diffie-hellman-group14-sha1" ], "SshMacs": [ "umac-64-etm@openssh.com", "umac-128-etm@openssh.com", "hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com", "hmac-sha1-etm@openssh.com", "umac-64@openssh.com", "umac-128@openssh.com", "hmac-sha2-256", "hmac-sha2-512", "hmac-sha1" ], "ContentEncryptionCiphers": [ "aes256-cbc", "aes192-cbc", "aes128-cbc", "3des-cbc" ], "HashAlgorithms": [ "sha256", "sha384", "sha512", "sha1" ], "TlsCiphers": [ "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", "TLS_RSA_WITH_AES_128_CBC_SHA256", "TLS_RSA_WITH_AES_256_CBC_SHA256" ] } }
