Terjemahan disediakan oleh mesin penerjemah. Jika konten terjemahan yang diberikan bertentangan dengan versi bahasa Inggris aslinya, utamakan versi bahasa Inggris.
# Kebijakan keamanan untuk AWS Transfer Family server
Kebijakan keamanan server AWS Transfer Family memungkinkan Anda untuk membatasi set algoritma kriptografi (kode otentikasi pesan (MAC), pertukaran kunci (KEX), cipher suite, cipher enkripsi konten, dan algoritma hash) yang terkait dengan server Anda.
AWS Transfer Family mendukung kebijakan keamanan pasca-kuantum yang menggunakan algoritma pertukaran kunci hibrida, menggabungkan metode kriptografi tradisional dengan algoritma pasca-kuantum untuk memberikan keamanan yang ditingkatkan terhadap ancaman komputasi kuantum masa depan. Untuk informasi selengkapnya, lihat [Menggunakan pertukaran kunci pasca-kuantum hibrida dengan AWS Transfer Family](post-quantum-security-policies.md).
Untuk daftar algoritma kriptografi yang didukung, lihat. [Algoritma kriptografi](#cryptographic-algorithms) Untuk daftar algoritme kunci yang didukung untuk digunakan dengan kunci host server dan kunci pengguna yang dikelola layanan, lihat. [Mengelola kunci SSH dan PGP di Transfer Family](key-management.md)
**catatan**
Mulai tahun 2025, semua kebijakan AWS Transfer Family keamanan baru mencakup dukungan kriptografi pasca-kuantum menggunakan algoritma pertukaran kunci hibrida. Untuk informasi lebih lanjut tentang keamanan pasca-kuantum, lihat[Menggunakan pertukaran kunci pasca-kuantum hibrida dengan AWS Transfer Family](post-quantum-security-policies.md).
**catatan**
Kami sangat menyarankan untuk memperbarui server Anda ke kebijakan keamanan terbaru kami.
`TransferSecurityPolicy-2024-01`adalah kebijakan keamanan default yang dilampirkan ke server Anda saat membuat server menggunakan konsol, API, atau CLI.
Jika Anda membuat server Transfer Family menggunakan CloudFormation dan menerima kebijakan keamanan default, server akan ditetapkan`TransferSecurityPolicy-2018-11`.
Jika Anda khawatir tentang kompatibilitas klien, harap sebutkan kebijakan keamanan mana yang ingin Anda gunakan saat membuat atau memperbarui server daripada menggunakan kebijakan default, yang dapat berubah sewaktu-waktu. Untuk mengubah kebijakan keamanan server, lihat[Edit kebijakan keamanan](edit-server-config.md#edit-cryptographic-algorithm).
**catatan**
Kebijakan kuantum pasca sebelumnya (**TransferSecurityPolicy-PQ-SSH-Experimental-2023-04**dan **TransferSecurityPolicy-PQ-SSH-FIPS-Experimental-2023-04**) tidak digunakan lagi. Kami menyarankan Anda menggunakan kebijakan baru sebagai gantinya.
Untuk informasi selengkapnya tentang keamanan di Transfer Family, lihat postingan blog berikut ini:
+ [Enam tips untuk meningkatkan keamanan AWS Transfer Family server Anda](https://aws.amazon.com/blogs/security/six-tips-to-improve-the-security-of-your-aws-transfer-family-server/)
+ [Bagaimana Transfer Family dapat membantu Anda membangun solusi transfer file terkelola yang aman dan sesuai](https://aws.amazon.com/blogs/security/how-transfer-family-can-help-you-build-a-secure-compliant-managed-file-transfer-solution/)
**Topics**
+ [Algoritma kriptografi](#cryptographic-algorithms)
+ [Detail kebijakan keamanan](#security-policy-details)
## Algoritma kriptografi
Untuk kunci host, kami mendukung algoritma berikut:
+ `rsa-sha2-256`
+ `rsa-sha2-512`
+ `ecdsa-sha2-nistp256`
+ `ecdsa-sha2-nistp384`
+ `ecdsa-sha2-nistp521`
+ `ssh-ed25519`
Selain itu, kebijakan keamanan berikut memungkinkan`ssh-rsa`:
+ TransferSecurityPolicy-2018-11
+ TransferSecurityPolicy-2020-06
+ TransferSecurityPolicy-FIPS-2020-06
+ TransferSecurityPolicy-FIPS-2023-05
+ TransferSecurityPolicy-FIPS-2024-01
**catatan**
Penting untuk memahami perbedaan antara tipe kunci RSA — yang selalu `ssh-rsa` — dan algoritma kunci host RSA, yang dapat berupa salah satu algoritma yang didukung.
Berikut ini adalah daftar algoritma kriptografi yang didukung untuk setiap kebijakan keamanan.
**catatan**
Dalam tabel dan kebijakan berikut, perhatikan penggunaan jenis algoritma berikut.
Server SFTP hanya menggunakan algoritma di **SshCiphers**, **SshKexs**, dan bagian. **SshMacs**
Server FTPS hanya menggunakan algoritme di bagian ini. **TlsCiphers**
Server FTP, karena mereka tidak menggunakan enkripsi, tidak menggunakan algoritme ini.
Server AS2 hanya menggunakan algoritma di bagian **ContentEncryptionCiphers**dan **HashAlgorithms**. Bagian ini mendefinisikan algoritma yang digunakan untuk mengenkripsi dan menandatangani konten file.
Kebijakan FIPS-2024-05 dan FIPS-2024-01 keamanan identik, kecuali yang FIPS-2024-05 tidak mendukung `ssh-rsa` algoritma.
Transfer Family telah memperkenalkan kebijakan terbatas baru yang paralel erat dengan kebijakan yang ada:
Kebijakan TransferSecurityPolicy-Restricted-2018-11 dan TransferSecurityPolicy-2018-11 keamanan identik, kecuali bahwa kebijakan terbatas tidak mendukung `chacha20-poly1305@openssh.com` cipher.
Kebijakan TransferSecurityPolicy-Restricted-2020-06 dan TransferSecurityPolicy-2020-06 keamanan identik, kecuali bahwa kebijakan terbatas tidak mendukung `chacha20-poly1305@openssh.com` cipher.
\* Dalam tabel berikut, `chacha20-poly1305@openssh.com` sandi disertakan dalam kebijakan yang tidak dibatasi saja,
| Kebijakan keamanan | [TransferSecurityPolicy-2025-03](#security-policy-transfer-2025-03) | [TransferSecurityPolicy-FIPS-2025-03](#security-policy-transfer-2025-03-fips) | [TransferSecurityPolicy-SshAuditCompliant-2025-02](#security-policy-transferSecurityPolicy-SshAuditCompliant-2025-02) | [TransferSecurityPolicy-AS2Restricted-2025-07](#security-policy-transfer-as2restricted-2025-07) | [TransferSecurityPolicy-2024-01](#security-policy-transfer-2024-01) | **[TransferSecurityPolicy-FIPS-2024-01/TransferSecurityPolicy-FIPS-2024-05](#security-policy-transfer-fips-2024-01)** | [TransferSecurityPolicy-2023-05](#security-policy-transfer-2023-05) | [TransferSecurityPolicy-FIPS-2023-05](#security-policy-transfer-fips-2023-05) | [TransferSecurityPolicy-2022-03](#security-policy-transfer-2022-03) | **[TransferSecurityPolicy-2020-06 dan TransferSecurityPolicy-Restricted-2020-06](#security-policy-transfer-2020-06)** | [TransferSecurityPolicy-FIPS-2020-06](#security-policy-transfer-fips-2020-06) | **[TransferSecurityPolicy-2018-11 dan TransferSecurityPolicy-Restricted-2018-11](#security-policy-transfer-2018-11)** |
| --- |--- |--- |--- |--- |--- |--- |--- |--- |--- |--- |--- |--- |
| **SshCiphers** |
| --- |
| aes128-ctr | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | | | | ♦ | ♦ | ♦ |
| aes128-gcm@openssh.com | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
| aes192-ctr | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
| aes256-ctr | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
| aes256-gcm@openssh.com | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
| chacha20-poly1305@openssh.com | | | | | | | | | | ♦\* | | ♦\* |
| **SshKexs** |
| --- |
| mlkem768x25519-sha256 | ♦ | ♦ | | ♦ | | | | | | | | |
| mlkem768nistp256-sha256 | ♦ | ♦ | | ♦ | | | | | | | | |
| mlkem1024nistp384-sha384 | ♦ | ♦ | | ♦ | | | | | | | | |
| kurva25519-sha256 | ♦ | | ♦ | ♦ | ♦ | | ♦ | | ♦ | | | ♦ |
| curve25519-sha256@libssh.org | ♦ | | ♦ | ♦ | ♦ | | ♦ | | ♦ | | | ♦ |
| diffie-hellman-group14-sha1 | | | | | | | | | | | | ♦ |
| diffie-hellman-group14-sha256 | | | | | | | | | | ♦ | ♦ | ♦ |
| diffie-hellman-group16-sha512 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
| diffie-hellman-group18-sha512 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
| diffie-hellman-group-exchange-sha256 | ♦ | ♦ | ♦ | ♦ | ♦ | | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
| ecdh-sha2-nistp256 | ♦ | ♦ | | ♦ | ♦ | ♦ | | | | ♦ | ♦ | ♦ |
| ecdh-sha2-nistp384 | ♦ | ♦ | | ♦ | ♦ | ♦ | | | | ♦ | ♦ | ♦ |
| ecdh-sha2-nistp521 | ♦ | ♦ | | ♦ | ♦ | ♦ | | | | ♦ | ♦ | ♦ |
| **SshMacs** |
| --- |
| hmac-sha1 | | | | | | | | | | | | ♦ |
| hmac-sha1-etm@openssh.com | | | | | | | | | | | | ♦ |
| hmac-sha2-256 | | | | | | | | | ♦ | ♦ | ♦ | ♦ |
| hmac-sha2-256-etm@openssh.com | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
| hmac-sha2-512 | | | | | | | | | ♦ | ♦ | ♦ | ♦ |
| hmac-sha2-512-etm@openssh.com | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
| umac-128-etm@openssh.com | | | | | | | | | | ♦ | | ♦ |
| umac-128@openssh.com | | | | | | | | | | ♦ | | ♦ |
| umac-64-etm@openssh.com | | | | | | | | | | | | ♦ |
| umac-64@openssh.com | | | | | | | | | | | | ♦ |
| **ContentEncryptionCiphers** |
| --- |
| aes256-cbc | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
| aes192-cbc | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
| aes128-cbc | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
| 3des-cbc | ♦ | ♦ | ♦ | | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
| **HashAlgorithms** |
| --- |
| sha256 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
| sha384 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
| sha512 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
| sha1 | ♦ | ♦ | ♦ | | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
| **TlsCiphers** |
| --- |
| TLS\_ECDHE\_ECDSA\_WITH\_AES\_128\_CBC\_SHA256 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
| TLS\_ECDHE\_ECDSA\_WITH\_AES\_128\_GCM\_SHA256 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
| TLS\_ECDHE\_ECDSA\_WITH\_AES\_256\_CBC\_SHA384 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
| TLS\_ECDHE\_ECDSA\_WITH\_AES\_256\_GCM\_SHA384 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
| TLS\_ECDHE\_RSA\_WITH\_AES\_128\_CBC\_SHA256 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
| TLS\_ECDHE\_RSA\_WITH\_AES\_128\_GCM\_SHA256 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
| TLS\_ECDHE\_RSA\_WITH\_AES\_256\_CBC\_SHA384 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
| TLS\_ECDHE\_RSA\_WITH\_AES\_256\_GCM\_SHA384 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
| TLS\_RSA\_WITH\_AES\_128\_CBC\_SHA256 | | | | | | | | | | | | ♦ |
| TLS\_RSA\_WITH\_AES\_256\_CBC\_SHA256 | | | | | | | | | | | | ♦ |
## Detail kebijakan keamanan
Bagian berikut berisi representasi JSON dari setiap kebijakan keamanan.
### TransferSecurityPolicy-2025-03
Berikut ini menunjukkan kebijakan TransferSecurityPolicy-2025-03 keamanan.
```
{
"SecurityPolicy": {
"Fips": false,
"SecurityPolicyName": "TransferSecurityPolicy-2025-03",
"SshCiphers": [
"aes256-gcm@openssh.com",
"aes128-gcm@openssh.com",
"aes128-ctr",
"aes256-ctr",
"aes192-ctr"
],
"SshKexs": [
"mlkem768x25519-sha256",
"mlkem768nistp256-sha256",
"mlkem1024nistp384-sha384",
"ecdh-sha2-nistp256",
"ecdh-sha2-nistp384",
"ecdh-sha2-nistp521",
"curve25519-sha256",
"curve25519-sha256@libssh.org",
"diffie-hellman-group16-sha512",
"diffie-hellman-group18-sha512",
"diffie-hellman-group-exchange-sha256"
],
"SshMacs": [
"hmac-sha2-256-etm@openssh.com",
"hmac-sha2-512-etm@openssh.com"
],
"ContentEncryptionCiphers": [
"aes256-cbc",
"aes192-cbc",
"aes128-cbc",
"3des-cbc"
],
"HashAlgorithms": [
"sha256",
"sha384",
"sha512",
"sha1"
],
"TlsCiphers": [
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
],
"Type": "SERVER",
"Protocols": [
"SFTP",
"FTPS"
]
}
}
```
### TransferSecurityPolicy-FIPS-2025-03
Berikut ini menunjukkan kebijakan TransferSecurityPolicy-FIPS-2025-03 keamanan.
```
{
"SecurityPolicy": {
"Fips": true,
"SecurityPolicyName": "TransferSecurityPolicy-FIPS-2025-03",
"SshCiphers": [
"aes256-gcm@openssh.com",
"aes128-gcm@openssh.com",
"aes256-ctr",
"aes192-ctr",
"aes128-ctr"
],
"SshKexs": [
"mlkem768x25519-sha256",
"mlkem768nistp256-sha256",
"mlkem1024nistp384-sha384",
"ecdh-sha2-nistp256",
"ecdh-sha2-nistp384",
"ecdh-sha2-nistp521",
"diffie-hellman-group-exchange-sha256",
"diffie-hellman-group16-sha512",
"diffie-hellman-group18-sha512"
],
"SshMacs": [
"hmac-sha2-512-etm@openssh.com",
"hmac-sha2-256-etm@openssh.com"
],
"ContentEncryptionCiphers": [
"aes256-cbc",
"aes192-cbc",
"aes128-cbc",
"3des-cbc"
],
"HashAlgorithms": [
"sha256",
"sha384",
"sha512",
"sha1"
],
"TlsCiphers": [
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
],
"Type": "SERVER",
"Protocols": [
"SFTP",
"FTPS"
]
}
}
```
### TransferSecurityPolicy-AS2Restricted-2025-07
Kebijakan keamanan ini dirancang untuk transfer file AS2 yang memerlukan peningkatan keamanan dengan mengecualikan algoritma kriptografi lama. Ini mendukung enkripsi AES modern dan algoritma SHA-2 hash sambil menghapus dukungan untuk algoritma yang lebih lemah seperti 3DES dan. SHA-1
**catatan**
Kebijakan keamanan ini identik dengan TransferSecurityPolicy-2025-03, kecuali tidak mendukung 3DES (in ContentEncryptionCiphers) dan tidak mendukung SHA1 (in HashAlgorithms). Ini mencakup semua algoritma dari 2025-03, termasuk algoritma kriptografi pasca-kuantum (mlkem\* KEXs).
```
{
"SecurityPolicy": {
"Fips": false,
"SecurityPolicyName": "TransferSecurityPolicy-AS2Restricted-2025-07",
"SshCiphers": [
"aes256-gcm@openssh.com",
"aes128-gcm@openssh.com",
"aes128-ctr",
"aes256-ctr",
"aes192-ctr"
],
"SshKexs": [
"mlkem768x25519-sha256",
"mlkem768nistp256-sha256",
"mlkem1024nistp384-sha384",
"ecdh-sha2-nistp256",
"ecdh-sha2-nistp384",
"ecdh-sha2-nistp521",
"curve25519-sha256",
"curve25519-sha256@libssh.org",
"diffie-hellman-group16-sha512",
"diffie-hellman-group18-sha512",
"diffie-hellman-group-exchange-sha256"
],
"SshMacs": [
"hmac-sha2-256-etm@openssh.com",
"hmac-sha2-512-etm@openssh.com"
],
"ContentEncryptionCiphers": [
"aes256-cbc",
"aes192-cbc",
"aes128-cbc"
],
"HashAlgorithms": [
"sha256",
"sha384",
"sha512"
],
"TlsCiphers": [
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
],
"Type": "SERVER",
"Protocols": [
"SFTP",
"FTPS"
]
}
}
```
### TransferSecurityPolicy-SshAuditCompliant-2025-02
Berikut ini menunjukkan kebijakan TransferSecurityPolicy-SshAuditCompliant-2025-02 keamanan.
**catatan**
Kebijakan keamanan ini dirancang berdasarkan rekomendasi yang diberikan oleh `ssh-audit` alat, dan 100% sesuai dengan alat itu.
```
{
"SecurityPolicy": {
"Fips": false,
"Protocols": [
"SFTP",
"FTPS"
],
"SecurityPolicyName": "TransferSecurityPolicy-SshAuditCompliant-2025-02",
"SshCiphers": [
"aes128-gcm@openssh.com",
"aes256-gcm@openssh.com",
"aes128-ctr",
"aes256-ctr",
"aes192-ctr"
],
"SshKexs": [
"curve25519-sha256",
"curve25519-sha256@libssh.org",
"diffie-hellman-group18-sha512",
"diffie-hellman-group16-sha512",
"diffie-hellman-group-exchange-sha256"
],
"SshMacs": [
"hmac-sha2-256-etm@openssh.com",
"hmac-sha2-512-etm@openssh.com"
],
"ContentEncryptionCiphers": [
"aes256-cbc",
"aes192-cbc",
"aes128-cbc",
"3des-cbc"
],
"HashAlgorithms": [
"sha256",
"sha384",
"sha512",
"sha1"
],
"TlsCiphers": [
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
],
"Type": "SERVER"
}
}
```
### TransferSecurityPolicy-2024-01
Berikut ini menunjukkan kebijakan TransferSecurityPolicy-2024-01 keamanan.
```
{
"SecurityPolicy": {
"Fips": false,
"SecurityPolicyName": "TransferSecurityPolicy-2024-01",
"SshCiphers": [
"aes128-gcm@openssh.com",
"aes256-gcm@openssh.com",
"aes128-ctr",
"aes256-ctr",
"aes192-ctr"
],
"SshKexs": [
"ecdh-sha2-nistp256",
"ecdh-sha2-nistp384",
"ecdh-sha2-nistp521",
"curve25519-sha256",
"curve25519-sha256@libssh.org",
"diffie-hellman-group18-sha512",
"diffie-hellman-group16-sha512",
"diffie-hellman-group-exchange-sha256"
],
"SshMacs": [
"hmac-sha2-256-etm@openssh.com",
"hmac-sha2-512-etm@openssh.com"
],
"ContentEncryptionCiphers": [
"aes256-cbc",
"aes192-cbc",
"aes128-cbc",
"3des-cbc"
],
"HashAlgorithms": [
"sha256",
"sha384",
"sha512",
"sha1"
],
"TlsCiphers": [
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
]
}
}
```
### TransferSecurityPolicy-FIPS-2024-01/TransferSecurityPolicy-FIPS-2024-05
Berikut ini menunjukkan TransferSecurityPolicy-FIPS-2024-01 dan kebijakan TransferSecurityPolicy-FIPS-2024-05 keamanan.
**catatan**
Titik akhir layanan FIPS TransferSecurityPolicy-FIPS-2024-01 dan kebijakan TransferSecurityPolicy-FIPS-2024-05 keamanan hanya tersedia di beberapa AWS Wilayah. Untuk informasi selengkapnya, lihat [AWS Transfer Family titik akhir dan kuota](https://docs.aws.amazon.com/general/latest/gr/transfer-service.html) di. *Referensi Umum AWS*
Satu-satunya perbedaan antara kedua kebijakan keamanan ini adalah yang TransferSecurityPolicy-FIPS-2024-01 mendukung `ssh-rsa` algoritma, dan TransferSecurityPolicy-FIPS-2024-05 tidak.
```
{
"SecurityPolicy": {
"Fips": true,
"SecurityPolicyName": "TransferSecurityPolicy-FIPS-2024-01",
"SshCiphers": [
"aes128-gcm@openssh.com",
"aes256-gcm@openssh.com",
"aes128-ctr",
"aes256-ctr",
"aes192-ctr"
],
"SshKexs": [
"ecdh-sha2-nistp256",
"ecdh-sha2-nistp384",
"ecdh-sha2-nistp521",
"diffie-hellman-group18-sha512",
"diffie-hellman-group16-sha512",
"diffie-hellman-group-exchange-sha256"
],
"SshMacs": [
"hmac-sha2-256-etm@openssh.com",
"hmac-sha2-512-etm@openssh.com"
],
"ContentEncryptionCiphers": [
"aes256-cbc",
"aes192-cbc",
"aes128-cbc",
"3des-cbc"
],
"HashAlgorithms": [
"sha256",
"sha384",
"sha512",
"sha1"
],
"TlsCiphers": [
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
]
}
}
```
### TransferSecurityPolicy-2023-05
Berikut ini menunjukkan kebijakan TransferSecurityPolicy-2023-05 keamanan.
```
{
"SecurityPolicy": {
"Fips": false,
"SecurityPolicyName": "TransferSecurityPolicy-2023-05",
"SshCiphers": [
"aes256-gcm@openssh.com",
"aes128-gcm@openssh.com",
"aes256-ctr",
"aes192-ctr"
],
"SshKexs": [
"curve25519-sha256",
"curve25519-sha256@libssh.org",
"diffie-hellman-group16-sha512",
"diffie-hellman-group18-sha512",
"diffie-hellman-group-exchange-sha256"
],
"SshMacs": [
"hmac-sha2-512-etm@openssh.com",
"hmac-sha2-256-etm@openssh.com"
],
"ContentEncryptionCiphers": [
"aes256-cbc",
"aes192-cbc",
"aes128-cbc",
"3des-cbc"
],
"HashAlgorithms": [
"sha256",
"sha384",
"sha512",
"sha1"
],
"TlsCiphers": [
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
]
}
}
```
### TransferSecurityPolicy-FIPS-2023-05
Detail sertifikasi FIPS untuk AWS Transfer Family dapat ditemukan di [https://csrc.nist.gov/projects/cryptographic-module-validation-program/validated-modules/search/all](https://csrc.nist.gov/projects/cryptographic-module-validation-program/validated-modules/search/all)
Berikut ini menunjukkan kebijakan TransferSecurityPolicy-FIPS-2023-05 keamanan.
**catatan**
Titik akhir layanan FIPS dan kebijakan TransferSecurityPolicy-FIPS-2023-05 keamanan hanya tersedia di beberapa AWS Wilayah. Untuk informasi selengkapnya, lihat [AWS Transfer Family titik akhir dan kuota](https://docs.aws.amazon.com/general/latest/gr/transfer-service.html) di. *Referensi Umum AWS*
```
{
"SecurityPolicy": {
"Fips": true,
"SecurityPolicyName": "TransferSecurityPolicy-FIPS-2023-05",
"SshCiphers": [
"aes256-gcm@openssh.com",
"aes128-gcm@openssh.com",
"aes256-ctr",
"aes192-ctr"
],
"SshKexs": [
"diffie-hellman-group16-sha512",
"diffie-hellman-group18-sha512",
"diffie-hellman-group-exchange-sha256"
],
"SshMacs": [
"hmac-sha2-256-etm@openssh.com",
"hmac-sha2-512-etm@openssh.com"
],
"ContentEncryptionCiphers": [
"aes256-cbc",
"aes192-cbc",
"aes128-cbc",
"3des-cbc"
],
"HashAlgorithms": [
"sha256",
"sha384",
"sha512",
"sha1"
],
"TlsCiphers": [
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
]
}
}
```
### TransferSecurityPolicy-2022-03
Berikut ini menunjukkan kebijakan TransferSecurityPolicy-2022-03 keamanan.
```
{
"SecurityPolicy": {
"Fips": false,
"SecurityPolicyName": "TransferSecurityPolicy-2022-03",
"SshCiphers": [
"aes256-gcm@openssh.com",
"aes128-gcm@openssh.com",
"aes256-ctr",
"aes192-ctr"
],
"SshKexs": [
"curve25519-sha256",
"curve25519-sha256@libssh.org",
"diffie-hellman-group16-sha512",
"diffie-hellman-group18-sha512",
"diffie-hellman-group-exchange-sha256"
],
"SshMacs": [
"hmac-sha2-512-etm@openssh.com",
"hmac-sha2-256-etm@openssh.com",
"hmac-sha2-512",
"hmac-sha2-256"
],
"ContentEncryptionCiphers": [
"aes256-cbc",
"aes192-cbc",
"aes128-cbc",
"3des-cbc"
],
"HashAlgorithms": [
"sha256",
"sha384",
"sha512",
"sha1"
],
"TlsCiphers": [
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
]
}
}
```
### TransferSecurityPolicy-2020-06 dan TransferSecurityPolicy-Restricted-2020-06
Berikut ini menunjukkan kebijakan TransferSecurityPolicy-2020-06 keamanan.
**catatan**
Kebijakan TransferSecurityPolicy-Restricted-2020-06 dan TransferSecurityPolicy-2020-06 keamanan identik, kecuali bahwa kebijakan terbatas tidak mendukung `chacha20-poly1305@openssh.com` cipher.
```
{
"SecurityPolicy": {
"Fips": false,
"SecurityPolicyName": "TransferSecurityPolicy-2020-06",
"SshCiphers": [
"chacha20-poly1305@openssh.com", //Not included in TransferSecurityPolicy-Restricted-2020-06
"aes128-ctr",
"aes192-ctr",
"aes256-ctr",
"aes128-gcm@openssh.com",
"aes256-gcm@openssh.com"
],
"SshKexs": [
"ecdh-sha2-nistp256",
"ecdh-sha2-nistp384",
"ecdh-sha2-nistp521",
"diffie-hellman-group-exchange-sha256",
"diffie-hellman-group16-sha512",
"diffie-hellman-group18-sha512",
"diffie-hellman-group14-sha256"
],
"SshMacs": [
"umac-128-etm@openssh.com",
"hmac-sha2-256-etm@openssh.com",
"hmac-sha2-512-etm@openssh.com",
"umac-128@openssh.com",
"hmac-sha2-256",
"hmac-sha2-512"
],
"ContentEncryptionCiphers": [
"aes256-cbc",
"aes192-cbc",
"aes128-cbc",
"3des-cbc"
],
"HashAlgorithms": [
"sha256",
"sha384",
"sha512",
"sha1"
],
"TlsCiphers": [
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
]
}
}
```
### TransferSecurityPolicy-FIPS-2020-06
Detail sertifikasi FIPS untuk AWS Transfer Family dapat ditemukan di [https://csrc.nist.gov/projects/cryptographic-module-validation-program/validated-modules/search/all](https://csrc.nist.gov/projects/cryptographic-module-validation-program/validated-modules/search/all)
Berikut ini menunjukkan kebijakan TransferSecurityPolicy-FIPS-2020-06 keamanan.
**catatan**
Titik akhir layanan FIPS dan kebijakan TransferSecurityPolicy-FIPS-2020-06 keamanan hanya tersedia di beberapa AWS Wilayah. Untuk informasi lebih lanjut, lihat [AWS Transfer Family titik akhir dan kuota](https://docs.aws.amazon.com/general/latest/gr/transfer-service.html) di. *Referensi Umum AWS*
```
{
"SecurityPolicy": {
"Fips": true,
"SecurityPolicyName": "TransferSecurityPolicy-FIPS-2020-06",
"SshCiphers": [
"aes128-ctr",
"aes192-ctr",
"aes256-ctr",
"aes128-gcm@openssh.com",
"aes256-gcm@openssh.com"
],
"SshKexs": [
"ecdh-sha2-nistp256",
"ecdh-sha2-nistp384",
"ecdh-sha2-nistp521",
"diffie-hellman-group-exchange-sha256",
"diffie-hellman-group16-sha512",
"diffie-hellman-group18-sha512",
"diffie-hellman-group14-sha256"
],
"SshMacs": [
"hmac-sha2-256-etm@openssh.com",
"hmac-sha2-512-etm@openssh.com",
"hmac-sha2-256",
"hmac-sha2-512"
],
"ContentEncryptionCiphers": [
"aes256-cbc",
"aes192-cbc",
"aes128-cbc",
"3des-cbc"
],
"HashAlgorithms": [
"sha256",
"sha384",
"sha512",
"sha1"
],
"TlsCiphers": [
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
]
}
}
```
### TransferSecurityPolicy-2018-11 dan TransferSecurityPolicy-Restricted-2018-11
Berikut ini menunjukkan kebijakan TransferSecurityPolicy-2018-11 keamanan.
**catatan**
Kebijakan TransferSecurityPolicy-Restricted-2018-11 dan TransferSecurityPolicy-2018-11 keamanan identik, kecuali bahwa kebijakan terbatas tidak mendukung `chacha20-poly1305@openssh.com` cipher.
```
{
"SecurityPolicy": {
"Fips": false,
"SecurityPolicyName": "TransferSecurityPolicy-2018-11",
"SshCiphers": [
"chacha20-poly1305@openssh.com", //Not included in TransferSecurityPolicy-Restricted-2018-11
"aes128-ctr",
"aes192-ctr",
"aes256-ctr",
"aes128-gcm@openssh.com",
"aes256-gcm@openssh.com"
],
"SshKexs": [
"curve25519-sha256",
"curve25519-sha256@libssh.org",
"ecdh-sha2-nistp256",
"ecdh-sha2-nistp384",
"ecdh-sha2-nistp521",
"diffie-hellman-group-exchange-sha256",
"diffie-hellman-group16-sha512",
"diffie-hellman-group18-sha512",
"diffie-hellman-group14-sha256",
"diffie-hellman-group14-sha1"
],
"SshMacs": [
"umac-64-etm@openssh.com",
"umac-128-etm@openssh.com",
"hmac-sha2-256-etm@openssh.com",
"hmac-sha2-512-etm@openssh.com",
"hmac-sha1-etm@openssh.com",
"umac-64@openssh.com",
"umac-128@openssh.com",
"hmac-sha2-256",
"hmac-sha2-512",
"hmac-sha1"
],
"ContentEncryptionCiphers": [
"aes256-cbc",
"aes192-cbc",
"aes128-cbc",
"3des-cbc"
],
"HashAlgorithms": [
"sha256",
"sha384",
"sha512",
"sha1"
],
"TlsCiphers": [
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
"TLS_RSA_WITH_AES_128_CBC_SHA256",
"TLS_RSA_WITH_AES_256_CBC_SHA256"
]
}
}
```