Security policies for AWS Transfer Family servers
Server security policies in AWS Transfer Family allow you to limit the set of cryptographic algorithms (message authentication codes (MACs), key exchanges (KEXs), cipher suites, content encryption ciphers, and hash algorithms) associated with your server.
AWS Transfer Family supports post-quantum security policies that use hybrid key exchange algorithms, combining traditional cryptographic methods with post-quantum algorithms to provide enhanced security against future quantum computing threats. Details are provided in Using hybrid post-quantum key exchange with AWS Transfer Family.
For a list of supported cryptographic algorithms, see Cryptographic algorithms. For a list of supported key algorithms for use with server host keys and service-managed user keys, see Managing SSH and PGP keys in Transfer Family.
Note
We strongly recommend updating your servers to our latest security policy.
- TransferSecurityPolicy-2024-01 is the default security policy attached to your server when you create a server using the console, API, or CLI.
- If you create a Transfer Family server using CloudFormation and accept the default security policy, the server is assigned TransferSecurityPolicy-2018-11.
If you are concerned about client compatibility, state explicitly which security policy you want to use when creating or updating a server rather than relying on the default policy, which can change at any time. To change a server's security policy, see Edit the security policy.
For more information about security in Transfer Family, see the following blog posts:
Cryptographic algorithms
For host keys, we support the following algorithms:
- rsa-sha2-256
- rsa-sha2-512
- ecdsa-sha2-nistp256
- ecdsa-sha2-nistp384
- ecdsa-sha2-nistp521
- ssh-ed25519
In addition, the following security policies allow ssh-rsa:
- TransferSecurityPolicy-2018-11
- TransferSecurityPolicy-2020-06
- TransferSecurityPolicy-FIPS-2020-06
- TransferSecurityPolicy-FIPS-2023-05
- TransferSecurityPolicy-FIPS-2024-01
- TransferSecurityPolicy-PQ-SSH-FIPS-Experimental-2023-04
Note
It is important to understand the distinction between the RSA key type, which is always ssh-rsa, and the RSA host key algorithm, which can be any of the supported algorithms.
The following is a list of the supported cryptographic algorithms for each security policy.
Note
In the following table and policies, note the following use of algorithm types.
- SFTP servers only use algorithms in the SshCiphers, SshKexs, and SshMacs sections.
- FTPS servers only use algorithms in the TlsCiphers section.
- FTP servers, because they don't use encryption, do not use any of these algorithms.
- AS2 servers only use algorithms in the ContentEncryptionCiphers and HashAlgorithms sections. These sections define the algorithms used to encrypt and sign file content.
- The FIPS-2024-05 and FIPS-2024-01 security policies are identical, except that FIPS-2024-05 doesn't support the ssh-rsa algorithm.
- Transfer Family has introduced new restricted policies that closely parallel existing policies:
  - The TransferSecurityPolicy-Restricted-2018-11 and TransferSecurityPolicy-2018-11 security policies are identical, except that the restricted policy doesn't support the chacha20-poly1305@openssh.com cipher.
  - The TransferSecurityPolicy-Restricted-2020-06 and TransferSecurityPolicy-2020-06 security policies are identical, except that the restricted policy doesn't support the chacha20-poly1305@openssh.com cipher.
* In the following table, the chacha20-poly1305@openssh.com cipher is included in the non-restricted policy only.
| Security policy | 2024-01 | SshAuditCompliant-2025-02 | 2023-05 | 2022-03 | 2020-06 / 2020-06 restricted | FIPS-2024-05 / FIPS-2024-01 | FIPS-2023-05 | FIPS-2020-06 | 2018-11 / 2018-11 restricted | TransferSecurityPolicy-AS2Restricted-2025-07 |
|---|---|---|---|---|---|---|---|---|---|---|
| SshCiphers | | | | | | | | | | |
| aes128-ctr | ♦ | ♦ | | | ♦ | ♦ | | ♦ | ♦ | ♦ |
| aes128-gcm@openssh.com | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
| aes192-ctr | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
| aes256-ctr | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
| aes256-gcm@openssh.com | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
| chacha20-poly1305@openssh.com | | | | | ♦* | | | | ♦* | |
| SshKexs | | | | | | | | | | |
| mlkem768x25519-sha256 | | | | | | | | | | ♦ |
| mlkem768nistp256-sha256 | | | | | | | | | | ♦ |
| mlkem1024nistp384-sha384 | | | | | | | | | | ♦ |
| curve25519-sha256 | ♦ | ♦ | ♦ | ♦ | | | | | ♦ | ♦ |
| curve25519-sha256@libssh.org | ♦ | ♦ | ♦ | ♦ | | | | | ♦ | ♦ |
| diffie-hellman-group14-sha1 | | | | | | | | | ♦ | |
| diffie-hellman-group14-sha256 | | | | | ♦ | | | ♦ | ♦ | |
| diffie-hellman-group16-sha512 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
| diffie-hellman-group18-sha512 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
| diffie-hellman-group-exchange-sha256 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | |
| ecdh-sha2-nistp256 | ♦ | | | | ♦ | ♦ | | ♦ | ♦ | ♦ |
| ecdh-sha2-nistp384 | ♦ | | | | ♦ | ♦ | | ♦ | ♦ | ♦ |
| ecdh-sha2-nistp521 | ♦ | | | | ♦ | ♦ | | ♦ | ♦ | ♦ |
| SshMacs | | | | | | | | | | |
| hmac-sha1 | | | | | | | | | ♦ | |
| hmac-sha1-etm@openssh.com | | | | | | | | | ♦ | |
| hmac-sha2-256 | | | | ♦ | ♦ | | | ♦ | ♦ | |
| hmac-sha2-256-etm@openssh.com | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
| hmac-sha2-512 | | | | ♦ | ♦ | | | ♦ | ♦ | |
| hmac-sha2-512-etm@openssh.com | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
| umac-128-etm@openssh.com | | | | | ♦ | | | | ♦ | |
| umac-128@openssh.com | | | | | ♦ | | | | ♦ | |
| umac-64-etm@openssh.com | | | | | | | | | ♦ | |
| umac-64@openssh.com | | | | | | | | | ♦ | |
| ContentEncryptionCiphers | | | | | | | | | | |
| aes256-cbc | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
| aes192-cbc | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
| aes128-cbc | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
| 3des-cbc | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | |
| HashAlgorithms | | | | | | | | | | |
| sha256 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
| sha384 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
| sha512 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
| sha1 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | |
| TlsCiphers | | | | | | | | | | |
| TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | |
| TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | |
| TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | |
| TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | |
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | |
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | |
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | |
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | |
| TLS_RSA_WITH_AES_128_CBC_SHA256 | | | | | | | | | ♦ | |
| TLS_RSA_WITH_AES_256_CBC_SHA256 | | | | | | | | | ♦ | |
TransferSecurityPolicy-2024-01
The following shows the TransferSecurityPolicy-2024-01 security policy.
```json
{
  "SecurityPolicy": {
    "Fips": false,
    "SecurityPolicyName": "TransferSecurityPolicy-2024-01",
    "SshCiphers": [
      "aes128-gcm@openssh.com", "aes256-gcm@openssh.com",
      "aes128-ctr", "aes256-ctr", "aes192-ctr"
    ],
    "SshKexs": [
      "ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521",
      "curve25519-sha256", "curve25519-sha256@libssh.org",
      "diffie-hellman-group18-sha512", "diffie-hellman-group16-sha512",
      "diffie-hellman-group-exchange-sha256"
    ],
    "SshMacs": ["hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com"],
    "ContentEncryptionCiphers": ["aes256-cbc", "aes192-cbc", "aes128-cbc", "3des-cbc"],
    "HashAlgorithms": ["sha256", "sha384", "sha512", "sha1"],
    "TlsCiphers": [
      "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
      "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
      "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
      "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
      "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
      "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
      "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
      "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
    ]
  }
}
```
TransferSecurityPolicy-SshAuditCompliant-2025-02
The following shows the TransferSecurityPolicy-SshAuditCompliant-2025-02 security policy.
Note
This security policy is designed around the recommendations provided by the ssh-audit tool, and is 100% compliant with that tool.
```json
{
  "SecurityPolicy": {
    "Fips": false,
    "Protocols": ["SFTP", "FTPS"],
    "SecurityPolicyName": "TransferSecurityPolicy-SshAuditCompliant-2025-02",
    "SshCiphers": [
      "aes128-gcm@openssh.com", "aes256-gcm@openssh.com",
      "aes128-ctr", "aes256-ctr", "aes192-ctr"
    ],
    "SshKexs": [
      "curve25519-sha256", "curve25519-sha256@libssh.org",
      "diffie-hellman-group18-sha512", "diffie-hellman-group16-sha512",
      "diffie-hellman-group-exchange-sha256"
    ],
    "SshMacs": ["hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com"],
    "ContentEncryptionCiphers": ["aes256-cbc", "aes192-cbc", "aes128-cbc", "3des-cbc"],
    "HashAlgorithms": ["sha256", "sha384", "sha512", "sha1"],
    "TlsCiphers": [
      "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
      "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
      "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
      "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
      "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
      "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
      "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
      "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
    ],
    "Type": "SERVER"
  }
}
```
TransferSecurityPolicy-2023-05
The following shows the TransferSecurityPolicy-2023-05 security policy.
```json
{
  "SecurityPolicy": {
    "Fips": false,
    "SecurityPolicyName": "TransferSecurityPolicy-2023-05",
    "SshCiphers": [
      "aes256-gcm@openssh.com", "aes128-gcm@openssh.com",
      "aes256-ctr", "aes192-ctr"
    ],
    "SshKexs": [
      "curve25519-sha256", "curve25519-sha256@libssh.org",
      "diffie-hellman-group16-sha512", "diffie-hellman-group18-sha512",
      "diffie-hellman-group-exchange-sha256"
    ],
    "SshMacs": ["hmac-sha2-512-etm@openssh.com", "hmac-sha2-256-etm@openssh.com"],
    "ContentEncryptionCiphers": ["aes256-cbc", "aes192-cbc", "aes128-cbc", "3des-cbc"],
    "HashAlgorithms": ["sha256", "sha384", "sha512", "sha1"],
    "TlsCiphers": [
      "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
      "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
      "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
      "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
      "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
      "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
      "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
      "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
    ]
  }
}
```
TransferSecurityPolicy-2022-03
The following shows the TransferSecurityPolicy-2022-03 security policy.
```json
{
  "SecurityPolicy": {
    "Fips": false,
    "SecurityPolicyName": "TransferSecurityPolicy-2022-03",
    "SshCiphers": [
      "aes256-gcm@openssh.com", "aes128-gcm@openssh.com",
      "aes256-ctr", "aes192-ctr"
    ],
    "SshKexs": [
      "curve25519-sha256", "curve25519-sha256@libssh.org",
      "diffie-hellman-group16-sha512", "diffie-hellman-group18-sha512",
      "diffie-hellman-group-exchange-sha256"
    ],
    "SshMacs": [
      "hmac-sha2-512-etm@openssh.com", "hmac-sha2-256-etm@openssh.com",
      "hmac-sha2-512", "hmac-sha2-256"
    ],
    "ContentEncryptionCiphers": ["aes256-cbc", "aes192-cbc", "aes128-cbc", "3des-cbc"],
    "HashAlgorithms": ["sha256", "sha384", "sha512", "sha1"],
    "TlsCiphers": [
      "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
      "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
      "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
      "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
      "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
      "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
      "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
      "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
    ]
  }
}
```
TransferSecurityPolicy-2020-06 and TransferSecurityPolicy-Restricted-2020-06
The following shows the TransferSecurityPolicy-2020-06 security policy.
Note
The TransferSecurityPolicy-Restricted-2020-06 and TransferSecurityPolicy-2020-06 security policies are identical, except that the restricted policy doesn't support the chacha20-poly1305@openssh.com cipher.
```json
{
  "SecurityPolicy": {
    "Fips": false,
    "SecurityPolicyName": "TransferSecurityPolicy-2020-06",
    "SshCiphers": [
      "chacha20-poly1305@openssh.com", //Not included in TransferSecurityPolicy-Restricted-2020-06
      "aes128-ctr", "aes192-ctr", "aes256-ctr",
      "aes128-gcm@openssh.com", "aes256-gcm@openssh.com"
    ],
    "SshKexs": [
      "ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521",
      "diffie-hellman-group-exchange-sha256",
      "diffie-hellman-group16-sha512", "diffie-hellman-group18-sha512",
      "diffie-hellman-group14-sha256"
    ],
    "SshMacs": [
      "umac-128-etm@openssh.com", "hmac-sha2-256-etm@openssh.com",
      "hmac-sha2-512-etm@openssh.com", "umac-128@openssh.com",
      "hmac-sha2-256", "hmac-sha2-512"
    ],
    "ContentEncryptionCiphers": ["aes256-cbc", "aes192-cbc", "aes128-cbc", "3des-cbc"],
    "HashAlgorithms": ["sha256", "sha384", "sha512", "sha1"],
    "TlsCiphers": [
      "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
      "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
      "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
      "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
      "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
      "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
      "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
      "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
    ]
  }
}
```
TransferSecurityPolicy-2018-11 and TransferSecurityPolicy-Restricted-2018-11
The following shows the TransferSecurityPolicy-2018-11 security policy.
Note
The TransferSecurityPolicy-Restricted-2018-11 and TransferSecurityPolicy-2018-11 security policies are identical, except that the restricted policy doesn't support the chacha20-poly1305@openssh.com cipher.
```json
{
  "SecurityPolicy": {
    "Fips": false,
    "SecurityPolicyName": "TransferSecurityPolicy-2018-11",
    "SshCiphers": [
      "chacha20-poly1305@openssh.com", //Not included in TransferSecurityPolicy-Restricted-2018-11
      "aes128-ctr", "aes192-ctr", "aes256-ctr",
      "aes128-gcm@openssh.com", "aes256-gcm@openssh.com"
    ],
    "SshKexs": [
      "curve25519-sha256", "curve25519-sha256@libssh.org",
      "ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521",
      "diffie-hellman-group-exchange-sha256",
      "diffie-hellman-group16-sha512", "diffie-hellman-group18-sha512",
      "diffie-hellman-group14-sha256", "diffie-hellman-group14-sha1"
    ],
    "SshMacs": [
      "umac-64-etm@openssh.com", "umac-128-etm@openssh.com",
      "hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com",
      "hmac-sha1-etm@openssh.com", "umac-64@openssh.com", "umac-128@openssh.com",
      "hmac-sha2-256", "hmac-sha2-512", "hmac-sha1"
    ],
    "ContentEncryptionCiphers": ["aes256-cbc", "aes192-cbc", "aes128-cbc", "3des-cbc"],
    "HashAlgorithms": ["sha256", "sha384", "sha512", "sha1"],
    "TlsCiphers": [
      "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
      "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
      "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
      "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
      "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
      "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
      "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
      "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
      "TLS_RSA_WITH_AES_128_CBC_SHA256",
      "TLS_RSA_WITH_AES_256_CBC_SHA256"
    ]
  }
}
```
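The advice to name a policy explicitly when client compatibility is a concern can be checked before a server is moved from one policy to another. The following Python is an added example, not AWS code: it applies the RFC 4253 first-match rule (simplified, ignoring host key algorithms) to the SshCiphers, SshKexs and SshMacs lists of the 2018-11 and 2024-01 policies listed on this page. The client offers are constructed, and skipping MAC negotiation for AEAD ciphers is an assumption based on OpenSSH behaviour.

```python
"""Added example: will an SFTP client still negotiate after a policy change?"""

# SSH sections copied from the policy listings on this page.
POLICIES = {
    "TransferSecurityPolicy-2018-11": {
        "SshCiphers": [
            "chacha20-poly1305@openssh.com", "aes128-ctr", "aes192-ctr",
            "aes256-ctr", "aes128-gcm@openssh.com", "aes256-gcm@openssh.com"],
        "SshKexs": [
            "curve25519-sha256", "curve25519-sha256@libssh.org",
            "ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521",
            "diffie-hellman-group-exchange-sha256",
            "diffie-hellman-group16-sha512", "diffie-hellman-group18-sha512",
            "diffie-hellman-group14-sha256", "diffie-hellman-group14-sha1"],
        "SshMacs": [
            "umac-64-etm@openssh.com", "umac-128-etm@openssh.com",
            "hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com",
            "hmac-sha1-etm@openssh.com", "umac-64@openssh.com",
            "umac-128@openssh.com", "hmac-sha2-256", "hmac-sha2-512", "hmac-sha1"],
    },
    "TransferSecurityPolicy-2024-01": {
        "SshCiphers": [
            "aes128-gcm@openssh.com", "aes256-gcm@openssh.com",
            "aes128-ctr", "aes256-ctr", "aes192-ctr"],
        "SshKexs": [
            "ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521",
            "curve25519-sha256", "curve25519-sha256@libssh.org",
            "diffie-hellman-group18-sha512", "diffie-hellman-group16-sha512",
            "diffie-hellman-group-exchange-sha256"],
        "SshMacs": ["hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com"],
    },
}

# AEAD ciphers authenticate packets themselves; OpenSSH skips MAC negotiation
# when one is chosen. Assumption: the server side behaves the same way.
AEAD = {"aes128-gcm@openssh.com", "aes256-gcm@openssh.com",
        "chacha20-poly1305@openssh.com"}

# Constructed client offers (in preference order), not captured from real clients.
CLIENTS = {
    "legacy-appliance": {
        "kex": ["diffie-hellman-group14-sha1", "diffie-hellman-group1-sha1"],
        "ciphers": ["aes128-ctr", "aes128-cbc", "3des-cbc"],
        "macs": ["hmac-sha1", "hmac-md5"]},
    "sha2-without-etm": {
        "kex": ["ecdh-sha2-nistp256", "diffie-hellman-group14-sha256"],
        "ciphers": ["aes256-ctr", "aes128-ctr"],
        "macs": ["hmac-sha2-256", "hmac-sha2-512"]},
    "current-openssh-like": {
        "kex": ["curve25519-sha256", "ecdh-sha2-nistp256"],
        "ciphers": ["chacha20-poly1305@openssh.com", "aes128-gcm@openssh.com"],
        "macs": ["umac-64-etm@openssh.com", "hmac-sha2-256-etm@openssh.com"]},
}


def negotiate(client_prefs, server_algs):
    """RFC 4253 section 7.1: first name on the client's list the server also has."""
    return next((alg for alg in client_prefs if alg in server_algs), None)


def check_client(policy_name, offer):
    """Return the algorithm chosen per category plus the categories that fail."""
    policy = POLICIES[policy_name]
    chosen = {"kex": negotiate(offer["kex"], policy["SshKexs"]),
              "cipher": negotiate(offer["ciphers"], policy["SshCiphers"])}
    chosen["mac"] = ("implicit" if chosen["cipher"] in AEAD
                     else negotiate(offer["macs"], policy["SshMacs"]))
    chosen["failed"] = [c for c in ("kex", "cipher", "mac") if chosen[c] is None]
    return chosen


def removed_algorithms(old, new):
    """Algorithms the old policy accepted that the new policy does not."""
    return {section: sorted(set(POLICIES[old][section]) - set(POLICIES[new][section]))
            for section in ("SshCiphers", "SshKexs", "SshMacs")}


if __name__ == "__main__":
    for name, offer in CLIENTS.items():
        for policy in POLICIES:
            print(name, policy, check_client(policy, offer))
```

The "sha2-without-etm" client is the case a diff of cipher and KEX lists alone misses: it keeps a usable key exchange and cipher under TransferSecurityPolicy-2024-01 but has no common MAC, so it stops connecting.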
TransferSecurityPolicy-FIPS-2024-01 / TransferSecurityPolicy-FIPS-2024-05
The following shows the TransferSecurityPolicy-FIPS-2024-01 and TransferSecurityPolicy-FIPS-2024-05 security policies.
Note
The FIPS service endpoint and the TransferSecurityPolicy-FIPS-2024-01 and TransferSecurityPolicy-FIPS-2024-05 security policies are only available in some AWS Regions. For more information, see AWS Transfer Family endpoints and quotas in the AWS General Reference.
The only difference between these two security policies is that TransferSecurityPolicy-FIPS-2024-01 supports the ssh-rsa algorithm, and TransferSecurityPolicy-FIPS-2024-05 does not.
```json
{
  "SecurityPolicy": {
    "Fips": true,
    "SecurityPolicyName": "TransferSecurityPolicy-FIPS-2024-01",
    "SshCiphers": [
      "aes128-gcm@openssh.com", "aes256-gcm@openssh.com",
      "aes128-ctr", "aes256-ctr", "aes192-ctr"
    ],
    "SshKexs": [
      "ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521",
      "diffie-hellman-group18-sha512", "diffie-hellman-group16-sha512",
      "diffie-hellman-group-exchange-sha256"
    ],
    "SshMacs": ["hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com"],
    "ContentEncryptionCiphers": ["aes256-cbc", "aes192-cbc", "aes128-cbc", "3des-cbc"],
    "HashAlgorithms": ["sha256", "sha384", "sha512", "sha1"],
    "TlsCiphers": [
      "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
      "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
      "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
      "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
      "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
      "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
      "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
      "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
    ]
  }
}
```
TransferSecurityPolicy-FIPS-2023-05
FIPS certification details for AWS Transfer Family can be found at https://csrc.nist.gov/projects/cryptographic-module-validation-program/validated-modules/search/all
The following shows the TransferSecurityPolicy-FIPS-2023-05 security policy.
Note
The FIPS service endpoint and the TransferSecurityPolicy-FIPS-2023-05 security policy are only available in some AWS Regions. For more information, see AWS Transfer Family endpoints and quotas in the AWS General Reference.
```json
{
  "SecurityPolicy": {
    "Fips": true,
    "SecurityPolicyName": "TransferSecurityPolicy-FIPS-2023-05",
    "SshCiphers": [
      "aes256-gcm@openssh.com", "aes128-gcm@openssh.com",
      "aes256-ctr", "aes192-ctr"
    ],
    "SshKexs": [
      "diffie-hellman-group16-sha512", "diffie-hellman-group18-sha512",
      "diffie-hellman-group-exchange-sha256"
    ],
    "SshMacs": ["hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com"],
    "ContentEncryptionCiphers": ["aes256-cbc", "aes192-cbc", "aes128-cbc", "3des-cbc"],
    "HashAlgorithms": ["sha256", "sha384", "sha512", "sha1"],
    "TlsCiphers": [
      "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
      "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
      "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
      "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
      "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
      "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
      "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
      "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
    ]
  }
}
```
TransferSecurityPolicy-FIPS-2020-06
FIPS certification details for AWS Transfer Family can be found at https://csrc.nist.gov/projects/cryptographic-module-validation-program/validated-modules/search/all
The following shows the TransferSecurityPolicy-FIPS-2020-06 security policy.
Note
The FIPS service endpoint and the TransferSecurityPolicy-FIPS-2020-06 security policy are only available in some AWS Regions. For more information, see AWS Transfer Family endpoints and quotas in the AWS General Reference.
```json
{
  "SecurityPolicy": {
    "Fips": true,
    "SecurityPolicyName": "TransferSecurityPolicy-FIPS-2020-06",
    "SshCiphers": [
      "aes128-ctr", "aes192-ctr", "aes256-ctr",
      "aes128-gcm@openssh.com", "aes256-gcm@openssh.com"
    ],
    "SshKexs": [
      "ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521",
      "diffie-hellman-group-exchange-sha256",
      "diffie-hellman-group16-sha512", "diffie-hellman-group18-sha512",
      "diffie-hellman-group14-sha256"
    ],
    "SshMacs": [
      "hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com",
      "hmac-sha2-256", "hmac-sha2-512"
    ],
    "ContentEncryptionCiphers": ["aes256-cbc", "aes192-cbc", "aes128-cbc", "3des-cbc"],
    "HashAlgorithms": ["sha256", "sha384", "sha512", "sha1"],
    "TlsCiphers": [
      "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
      "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
      "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
      "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
      "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
      "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
      "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
      "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
    ]
  }
}
```
TransferSecurityPolicy-AS2Restricted-2025-07
This security policy is designed for AS2 file transfers that require enhanced security by excluding legacy cryptographic algorithms. It supports modern AES encryption and SHA-2 hash algorithms while removing support for weaker algorithms such as 3DES and SHA-1.
```json
{
  "SecurityPolicy": {
    "Fips": false,
    "SecurityPolicyName": "TransferSecurityPolicy-AS2Restricted-2025-07",
    "SshCiphers": [
      "aes256-gcm@openssh.com", "aes128-gcm@openssh.com",
      "aes128-ctr", "aes256-ctr", "aes192-ctr"
    ],
    "SshKexs": [
      "mlkem768x25519-sha256", "mlkem768nistp256-sha256", "mlkem1024nistp384-sha384",
      "ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521",
      "curve25519-sha256", "curve25519-sha256@libssh.org",
      "diffie-hellman-group16-sha512", "diffie-hellman-group18-sha512",
      "diffie-hellman-group-exchange-sha256"
    ],
    "SshMacs": ["hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com"],
    "ContentEncryptionCiphers": ["aes256-cbc", "aes192-cbc", "aes128-cbc"],
    "HashAlgorithms": ["sha256", "sha384", "sha512"],
    "TlsCiphers": [
      "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
      "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
      "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
      "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
      "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
      "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
      "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
      "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
    ],
    "Type": "SERVER",
    "Protocols": ["AS2"]
  }
}
```
Post-quantum security policies
This table lists the algorithms for the Transfer Family post-quantum security policies. These policies are described in detail in Using hybrid post-quantum key exchange with AWS Transfer Family.
The policy listings follow the table.
Note
The earlier post-quantum policies (TransferSecurityPolicy-PQ-SSH-Experimental-2023-04 and TransferSecurityPolicy-PQ-SSH-FIPS-Experimental-2023-04) are deprecated. We recommend that you use the new policies instead.
| Security policy | TransferSecurityPolicy-2025-03 | TransferSecurityPolicy-FIPS-2025-03 |
|---|---|---|
| SSH ciphers | | |
| aes128-ctr | ♦ | ♦ |
| aes128-gcm@openssh.com | ♦ | ♦ |
| aes192-ctr | ♦ | ♦ |
| aes256-ctr | ♦ | ♦ |
| aes256-gcm@openssh.com | ♦ | ♦ |
| KEXs | | |
| mlkem768x25519-sha256 | ♦ | ♦ |
| mlkem768nistp256-sha256 | ♦ | ♦ |
| mlkem1024nistp384-sha384 | ♦ | ♦ |
| diffie-hellman-group14-sha256 | ♦ | ♦ |
| diffie-hellman-group16-sha512 | ♦ | ♦ |
| diffie-hellman-group18-sha512 | ♦ | ♦ |
| ecdh-sha2-nistp384 | ♦ | ♦ |
| ecdh-sha2-nistp521 | ♦ | ♦ |
| ecdh-sha2-nistp256 | ♦ | ♦ |
| diffie-hellman-group-exchange-sha256 | ♦ | ♦ |
| curve25519-sha256@libssh.org | ♦ | |
| curve25519-sha256 | ♦ | |
| MACs | | |
| hmac-sha2-256-etm@openssh.com | ♦ | ♦ |
| hmac-sha2-512-etm@openssh.com | ♦ | ♦ |
| ContentEncryptionCiphers | | |
| aes256-cbc | ♦ | ♦ |
| aes192-cbc | ♦ | ♦ |
| aes128-cbc | ♦ | ♦ |
| 3des-cbc | ♦ | ♦ |
| HashAlgorithms | | |
| sha256 | ♦ | ♦ |
| sha384 | ♦ | ♦ |
| sha512 | ♦ | ♦ |
| sha1 | ♦ | ♦ |
| TLS ciphers | | |
| TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 | ♦ | ♦ |
| TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 | ♦ | ♦ |
| TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 | ♦ | ♦ |
| TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 | ♦ | ♦ |
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 | ♦ | ♦ |
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 | ♦ | ♦ |
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 | ♦ | ♦ |
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 | ♦ | ♦ |
TransferSecurityPolicy-2025-03
The following shows the TransferSecurityPolicy-2025-03 security policy.
```json
{
  "SecurityPolicy": {
    "Fips": false,
    "SecurityPolicyName": "TransferSecurityPolicy-2025-03",
    "SshCiphers": [
      "aes256-gcm@openssh.com", "aes128-gcm@openssh.com",
      "aes128-ctr", "aes256-ctr", "aes192-ctr"
    ],
    "SshKexs": [
      "mlkem768x25519-sha256", "mlkem768nistp256-sha256", "mlkem1024nistp384-sha384",
      "ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521",
      "curve25519-sha256", "curve25519-sha256@libssh.org",
      "diffie-hellman-group16-sha512", "diffie-hellman-group18-sha512",
      "diffie-hellman-group-exchange-sha256"
    ],
    "SshMacs": ["hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com"],
    "ContentEncryptionCiphers": ["aes256-cbc", "aes192-cbc", "aes128-cbc", "3des-cbc"],
    "HashAlgorithms": ["sha256", "sha384", "sha512", "sha1"],
    "TlsCiphers": [
      "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
      "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
      "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
      "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
      "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
      "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
      "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
      "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
    ],
    "Type": "SERVER",
    "Protocols": ["SFTP", "FTPS"]
  }
}
```
TransferSecurityPolicy-FIPS-2025-03
The following shows the TransferSecurityPolicy-FIPS-2025-03 security policy.
```json
{
  "SecurityPolicy": {
    "Fips": true,
    "SecurityPolicyName": "TransferSecurityPolicy-FIPS-2025-03",
    "SshCiphers": [
      "aes256-gcm@openssh.com", "aes128-gcm@openssh.com",
      "aes256-ctr", "aes192-ctr", "aes128-ctr"
    ],
    "SshKexs": [
      "mlkem768x25519-sha256", "mlkem768nistp256-sha256", "mlkem1024nistp384-sha384",
      "ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521",
      "diffie-hellman-group-exchange-sha256",
      "diffie-hellman-group16-sha512", "diffie-hellman-group18-sha512"
    ],
    "SshMacs": ["hmac-sha2-512-etm@openssh.com", "hmac-sha2-256-etm@openssh.com"],
    "ContentEncryptionCiphers": ["aes256-cbc", "aes192-cbc", "aes128-cbc", "3des-cbc"],
    "HashAlgorithms": ["sha256", "sha384", "sha512", "sha1"],
    "TlsCiphers": [
      "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
      "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
      "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
      "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
      "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
      "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
      "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
      "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
    ],
    "Type": "SERVER",
    "Protocols": ["SFTP", "FTPS"]
  }
}
```
TransferSecurityPolicy-AS2Restricted-2025-07
The following shows the TransferSecurityPolicy-AS2Restricted-2025-07 security policy.
Note
This security policy is identical to TransferSecurityPolicy-2025-03, except that it doesn't support 3DES (in ContentEncryptionCiphers) and doesn't support SHA1 (in HashAlgorithms). It includes all the algorithms from 2025-03, including the post-quantum cryptographic algorithms (mlkem* KEXs).
```json
{
  "SecurityPolicy": {
    "Fips": false,
    "SecurityPolicyName": "TransferSecurityPolicy-AS2Restricted-2025-07",
    "SshCiphers": [
      "aes256-gcm@openssh.com", "aes128-gcm@openssh.com",
      "aes128-ctr", "aes256-ctr", "aes192-ctr"
    ],
    "SshKexs": [
      "mlkem768x25519-sha256", "mlkem768nistp256-sha256", "mlkem1024nistp384-sha384",
      "ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521",
      "curve25519-sha256", "curve25519-sha256@libssh.org",
      "diffie-hellman-group16-sha512", "diffie-hellman-group18-sha512",
      "diffie-hellman-group-exchange-sha256"
    ],
    "SshMacs": ["hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com"],
    "ContentEncryptionCiphers": ["aes256-cbc", "aes192-cbc", "aes128-cbc"],
    "HashAlgorithms": ["sha256", "sha384", "sha512"],
    "TlsCiphers": [
      "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
      "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
      "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
      "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
      "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
      "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
      "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
      "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
    ],
    "Type": "SERVER",
    "Protocols": ["SFTP", "FTPS"]
  }
}
```