Políticas de segurança para AWS Transfer Family servidores - AWS Transfer Family
Algoritmos criptográficosTransferSecurityPolicy-2024-01TransferSecurityPolicy- SshAuditCompliant -2025-02TransferSecurityPolicy-2023-05TransferSecurityPolicy-2022-03TransferSecurityPolicy-2020-06 e -Restrito -2020-06 TransferSecurityPolicyTransferSecurityPolicy-2018-11 e -Restrito -2018-11 TransferSecurityPolicyTransferSecurityPolicy-FIPS-2024-01/ -FIPS-2024-05 TransferSecurityPolicyTransferSecurityPolicy-FIPS-2023-05TransferSecurityPolicy-FIPS-2020-06TransferSecurityPolicy- AS2 Restrito - 2025-07Políticas de segurança Post Quantum

As traduções são geradas por tradução automática. Em caso de conflito entre o conteúdo da tradução e da versão original em inglês, a versão em inglês prevalecerá.

Políticas de segurança para AWS Transfer Family servidores

As políticas de segurança do servidor AWS Transfer Family permitem que você limite o conjunto de algoritmos criptográficos (códigos de autenticação de mensagens (MACs), trocas de chaves (KEXs), conjuntos de cifras, cifras de criptografia de conteúdo e algoritmos de hash) associados ao seu servidor.

AWS Transfer Family suporta políticas de segurança pós-quântica que usam algoritmos híbridos de troca de chaves, combinando métodos criptográficos tradicionais com algoritmos pós-quânticos para fornecer segurança aprimorada contra futuras ameaças da computação quântica. Os detalhes são fornecidos emUsar a troca de chaves pós-quântica híbrida com AWS Transfer Family.

Para ver uma lista dos algoritmos de chave suportados, consulte Algoritmos criptográficos. Para obter uma lista de algoritmos de chave compatíveis para uso com chaves de host de servidor e chaves de usuário gerenciadas por serviços, consulte Gerenciando chaves SSH e PGP no Transfer Family.

nota

É altamente recomendável atualizar seus servidores de acordo com nossa política de segurança mais recente.

  • TransferSecurityPolicy-2024-01é a política de segurança padrão anexada ao seu servidor ao criar um servidor usando o console, a API ou a CLI.

  • Se você criar um servidor Transfer Family usando CloudFormation e aceitar a política de segurança padrão, o servidor será atribuídoTransferSecurityPolicy-2018-11.

Se você estiver preocupado com a compatibilidade do cliente, indique afirmativamente qual política de segurança você deseja usar ao criar ou atualizar um servidor em vez de usar a política padrão, que está sujeita a alterações. Para alterar a política de segurança de um servidor, consulteEdite a política de segurança.

Para obter mais informações sobre segurança no Transfer Family, consulte as seguintes postagens no blog:

Algoritmos criptográficos

Para chaves de host, oferecemos suporte aos seguintes algoritmos:

  • rsa-sha2-256

  • rsa-sha2-512

  • ecdsa-sha2-nistp256

  • ecdsa-sha2-nistp384

  • ecdsa-sha2-nistp521

  • ssh-ed25519

Além disso, as seguintes políticas de segurança permitemssh-rsa:

  • TransferSecurityPolicy-2018-11

  • TransferSecurityPolicy-2020-06

  • TransferSecurityPolicy-FIPS-2020-06

  • TransferSecurityPolicy-FIPS-2023-05

  • TransferSecurityPolicy-FIPS-2024-01

  • TransferSecurityPolicy-PQ-SSH-FIPS-Experimental-2023-04

nota

É importante entender a distinção entre o tipo de chave RSA, que é sempre, ssh-rsa e o algoritmo de chave de host RSA, que pode ser qualquer um dos algoritmos compatíveis.

Veja a seguir uma lista dos algoritmos criptográficos compatíveis com cada política de segurança.

nota

Na tabela e nas políticas a seguir, observe o seguinte uso dos tipos de algoritmo.

  • Os servidores SFTP usam apenas algoritmos nas SshMacsseções SshCiphersSshKexs, e.

  • Os servidores FTPS usam apenas algoritmos na TlsCiphersseção.

  • Os servidores FTP, como não usam criptografia, não usam nenhum desses algoritmos.

  • AS2 os servidores usam apenas algoritmos nas HashAlgorithmsseções ContentEncryptionCipherse. Essas seções definem algoritmos usados para criptografar e assinar o conteúdo do arquivo.

  • As políticas de segurança FIPS-2024-05 e FIPS-2024-01 são idênticas, exceto que o FIPS-2024-05 não suporta o algoritmo. ssh-rsa

  • A Transfer Family introduziu novas políticas restritas que são muito paralelas às políticas existentes:

    • As políticas de segurança TransferSecurityPolicy -Restricted-2018-11 e TransferSecurityPolicy -2018-11 são idênticas, exceto que a política restrita não suporta a cifra. chacha20-poly1305@openssh.com

    • As políticas de segurança TransferSecurityPolicy -Restricted-2020-06 e TransferSecurityPolicy -2020-06 são idênticas, exceto que a política restrita não suporta a cifra. chacha20-poly1305@openssh.com

    * Na tabela a seguir, a chacha20-poly1305@openssh.com cifra está incluída somente na política não restrita,

Política de segurança 2024-01 SshAuditCompliant-2025-02 2023-05 2022-03

2020-06

2020-06 restrito

FIPS-2024-05

FIPS-2024-01

 FIPS-2023-05 FIPS-2020-06

2018-11

2018-11 restrito

 TransferSecurityPolicy- AS2 Restrito - 2025-07

SshCiphers

aes128-ctr

 

aes128-gcm@openssh.com

aes192-ctr

aes256-ctr

aes256-gcm@openssh.com

chacha20-poly1305@openssh.com

 

*

*

SshKexs

mlkem768x25519-sha256

mlkem768nistp256-sha256

mlkem1024nistp384-sha384

curve25519-sha256

 

 

curve25519-sha256@libssh.org

 

 

diffie-hellman-group14-sha1

 

 

 

diffie-hellman-group14-sha256

diffie-hellman-group16-sha512

diffie-hellman-group18-sha512

diffie-hellman-group-exchange-sha256

ecdh-sha2-nistp256

 

ecdh-sha2-nistp384

 

ecdh-sha2-nistp521

 

SshMacs

hmac-sha1

 

 

 

hmac-sha1-etm@openssh.com

 

 

 

hmac-sha2-256

hmac-sha2-256-etm@openssh.com

hmac-sha2-512

hmac-sha2-512-etm@openssh.com

umac-128-etm@openssh.com

 

 

umac-128-etm@openssh.com

 

 

umac-64-etm@openssh.com

 

 

 

umac-64@openssh.com

 

 

 

ContentEncryptionCiphers

aes256-cbc

aes192-cbc

aes128-cbc

3des-cbc

HashAlgorithms

sha256

sha384

sha512

sha1

TlsCiphers

TLS_ECDHE_ECDSA_COM_AES_128_CBC_ SHA256

TLS_ECDHE_ECDSA_COM_AES_128_GCM_ SHA256

TLS_ECDHE_ECDSA_COM_AES_256_CBC_ SHA384

TLS_ECDHE_ECDSA_COM_AES_256_GCM_ SHA384

TLS_ECDHE_RSA_COM_AES_128_CBC_ SHA256

TLS_ECDHE_RSA_COM_AES_128_GCM_ SHA256

TLS_ECDHE_RSA_COM_AES_256_CBC_ SHA384

TLS_ECDHE_RSA_COM_AES_256_GCM_ SHA384

TLS_RSA_COM_AES_128_CBC_ SHA256

 

 

 

 

 

TLS_RSA_COM_AES_256_CBC_ SHA256

 

 

 

 

 

TransferSecurityPolicy-2024-01

O seguinte mostra a política de TransferSecurityPolicy segurança -2024-01.

{
    "SecurityPolicy": {
        "Fips": false,
        "SecurityPolicyName": "TransferSecurityPolicy-2024-01",
        "SshCiphers": [
            "aes128-gcm@openssh.com",
            "aes256-gcm@openssh.com",
            "aes128-ctr",
            "aes256-ctr",
            "aes192-ctr"
        ],
        "SshKexs": [
            "ecdh-sha2-nistp256",
            "ecdh-sha2-nistp384",
            "ecdh-sha2-nistp521",
            "curve25519-sha256",
            "curve25519-sha256@libssh.org",
            "diffie-hellman-group18-sha512",
            "diffie-hellman-group16-sha512",
            "diffie-hellman-group-exchange-sha256"
        ],
        "SshMacs": [
            "hmac-sha2-256-etm@openssh.com",
            "hmac-sha2-512-etm@openssh.com"
        ],
        "ContentEncryptionCiphers": [
            "aes256-cbc",
            "aes192-cbc",
            "aes128-cbc",
            "3des-cbc"
        ],
        "HashAlgorithms": [
            "sha256",
            "sha384",
            "sha512",
            "sha1"
        ],
        "TlsCiphers": [
            "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
            "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
            "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
            "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
            "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
            "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
            "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
            "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
        ]
    }
}

TransferSecurityPolicy- SshAuditCompliant -2025-02

O seguinte mostra a política de segurança TransferSecurityPolicy - SshAuditCompliant -2025-02.

nota

Essa política de segurança foi projetada com base nas recomendações fornecidas pela ssh-audit ferramenta e é 100% compatível com essa ferramenta.

{
  "SecurityPolicy": {
    "Fips": false,
    "Protocols": [
      "SFTP",
      "FTPS"
    ],
    "SecurityPolicyName": "TransferSecurityPolicy-SshAuditCompliant-2025-02",
    "SshCiphers": [
      "aes128-gcm@openssh.com",
      "aes256-gcm@openssh.com",
      "aes128-ctr",
      "aes256-ctr",
      "aes192-ctr"
    ],
    "SshKexs": [
      "curve25519-sha256",
      "curve25519-sha256@libssh.org",
      "diffie-hellman-group18-sha512",
      "diffie-hellman-group16-sha512",
      "diffie-hellman-group-exchange-sha256"
    ],
    "SshMacs": [
      "hmac-sha2-256-etm@openssh.com",
      "hmac-sha2-512-etm@openssh.com"
    ],
    "ContentEncryptionCiphers": [
      "aes256-cbc",
      "aes192-cbc",
      "aes128-cbc",
      "3des-cbc"
    ],
    "HashAlgorithms": [
      "sha256",
      "sha384",
      "sha512",
      "sha1"
    ],
    "TlsCiphers": [
      "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
      "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
      "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
      "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
      "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
      "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
      "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
      "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
    ],
    "Type": "SERVER"
  }
}

TransferSecurityPolicy-2023-05

O seguinte mostra a política de segurança TransferSecurityPolicy -2023-05.

{
    "SecurityPolicy": {
        "Fips": false,
        "SecurityPolicyName": "TransferSecurityPolicy-2023-05",
        "SshCiphers": [
            "aes256-gcm@openssh.com",
            "aes128-gcm@openssh.com",
            "aes256-ctr",
            "aes192-ctr"
        ],
        "SshKexs": [
            "curve25519-sha256",
            "curve25519-sha256@libssh.org",
            "diffie-hellman-group16-sha512",
            "diffie-hellman-group18-sha512",
            "diffie-hellman-group-exchange-sha256"
        ],
        "SshMacs": [
            "hmac-sha2-512-etm@openssh.com",
            "hmac-sha2-256-etm@openssh.com"
        ],
        "ContentEncryptionCiphers": [
            "aes256-cbc",
            "aes192-cbc",
            "aes128-cbc",
            "3des-cbc"
        ],
        "HashAlgorithms": [
            "sha256",
            "sha384",
            "sha512",
            "sha1"
        ],
        "TlsCiphers": [
            "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
            "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
            "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
            "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
            "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
            "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
            "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
            "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
        ]
    }
}

TransferSecurityPolicy-2022-03

A seguir, mostramos a política TransferSecurityPolicy de segurança -2022-03.

{
  "SecurityPolicy": {
    "Fips": false,
    "SecurityPolicyName": "TransferSecurityPolicy-2022-03",
    "SshCiphers": [
      "aes256-gcm@openssh.com",
      "aes128-gcm@openssh.com",
      "aes256-ctr",
      "aes192-ctr"
    ],
    "SshKexs": [
      "curve25519-sha256",
      "curve25519-sha256@libssh.org",
      "diffie-hellman-group16-sha512",
      "diffie-hellman-group18-sha512",
      "diffie-hellman-group-exchange-sha256"
    ],
    "SshMacs": [
      "hmac-sha2-512-etm@openssh.com",
      "hmac-sha2-256-etm@openssh.com",
      "hmac-sha2-512",
      "hmac-sha2-256"
    ],
    "ContentEncryptionCiphers": [
      "aes256-cbc",
      "aes192-cbc",
      "aes128-cbc"
      "3des-cbc",
    ],
    "HashAlgorithms": [
      "sha256",
      "sha384",
      "sha512"
      "sha1"
    ],
    "TlsCiphers": [
      "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", 
      "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", 
      "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
      "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", 
      "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", 
      "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", 
      "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", 
      "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
    ]
  }
}

TransferSecurityPolicy-2020-06 e -Restrito -2020-06 TransferSecurityPolicy

A seguir, mostramos a política TransferSecurityPolicy de segurança -2020-06.

nota

As políticas de segurança TransferSecurityPolicy -Restricted-2020-06 e TransferSecurityPolicy -2020-06 são idênticas, exceto que a política restrita não suporta a cifra. chacha20-poly1305@openssh.com

{
  "SecurityPolicy": {
    "Fips": false,
    "SecurityPolicyName": "TransferSecurityPolicy-2020-06",
    "SshCiphers": [
      "chacha20-poly1305@openssh.com", //Not included in TransferSecurityPolicy-Restricted-2020-06
      "aes128-ctr",
      "aes192-ctr",
      "aes256-ctr",
      "aes128-gcm@openssh.com",
      "aes256-gcm@openssh.com"
    ],
    "SshKexs": [
      "ecdh-sha2-nistp256",
      "ecdh-sha2-nistp384",
      "ecdh-sha2-nistp521",
      "diffie-hellman-group-exchange-sha256",
      "diffie-hellman-group16-sha512",
      "diffie-hellman-group18-sha512",
      "diffie-hellman-group14-sha256"
    ],
    "SshMacs": [
      "umac-128-etm@openssh.com",
      "hmac-sha2-256-etm@openssh.com",
      "hmac-sha2-512-etm@openssh.com",
      "umac-128@openssh.com",
      "hmac-sha2-256",
      "hmac-sha2-512"
    ],
    "ContentEncryptionCiphers": [
      "aes256-cbc",
      "aes192-cbc",
      "aes128-cbc"
            "3des-cbc",
    ],
    "HashAlgorithms": [
      "sha256",
      "sha384",
      "sha512"
      "sha1"
    ],
    "TlsCiphers": [
      "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
      "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
      "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
      "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
      "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
      "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
      "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
      "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
    ]
  }
}

TransferSecurityPolicy-2018-11 e -Restrito -2018-11 TransferSecurityPolicy

A seguir, mostramos a política TransferSecurityPolicy de segurança -2018-11.

nota

As políticas de segurança TransferSecurityPolicy -Restricted-2018-11 e TransferSecurityPolicy -2018-11 são idênticas, exceto que a política restrita não suporta a cifra. chacha20-poly1305@openssh.com

{
  "SecurityPolicy": {
    "Fips": false,
    "SecurityPolicyName": "TransferSecurityPolicy-2018-11",
    "SshCiphers": [
      "chacha20-poly1305@openssh.com", //Not included in TransferSecurityPolicy-Restricted-2018-11
      "aes128-ctr",
      "aes192-ctr",
      "aes256-ctr",
      "aes128-gcm@openssh.com",
      "aes256-gcm@openssh.com"
    ],
    "SshKexs": [
      "curve25519-sha256",
      "curve25519-sha256@libssh.org",
      "ecdh-sha2-nistp256",
      "ecdh-sha2-nistp384",
      "ecdh-sha2-nistp521",
      "diffie-hellman-group-exchange-sha256",
      "diffie-hellman-group16-sha512",
      "diffie-hellman-group18-sha512",
      "diffie-hellman-group14-sha256",
      "diffie-hellman-group14-sha1"
    ],
    "SshMacs": [
      "umac-64-etm@openssh.com",
      "umac-128-etm@openssh.com",
      "hmac-sha2-256-etm@openssh.com",
      "hmac-sha2-512-etm@openssh.com",
      "hmac-sha1-etm@openssh.com",
      "umac-64@openssh.com",
      "umac-128@openssh.com",
      "hmac-sha2-256",
      "hmac-sha2-512",
      "hmac-sha1"
    ],
    "ContentEncryptionCiphers": [
      "aes256-cbc",
      "aes192-cbc",
      "aes128-cbc"
            "3des-cbc",
    ],
    "HashAlgorithms": [
      "sha256",
      "sha384",
      "sha512",
      "sha1"
    ],
    "TlsCiphers": [
      "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
      "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
      "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
      "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
      "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
      "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
      "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
      "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
      "TLS_RSA_WITH_AES_128_CBC_SHA256",
      "TLS_RSA_WITH_AES_256_CBC_SHA256"
    ]
  }
}

TransferSecurityPolicy-FIPS-2024-01/ -FIPS-2024-05 TransferSecurityPolicy

Veja a seguir as políticas de segurança TransferSecurityPolicy -FIPS-2024-01 e -FIPS-2024-05. TransferSecurityPolicy

nota

O endpoint do serviço FIPS e as políticas de segurança TransferSecurityPolicy -FIPS-2024-01 e TransferSecurityPolicy -FIPS-2024-05 estão disponíveis somente em algumas regiões. AWS Para obter mais informações, consulte endpoints e cotas do AWS Transfer Family na Referência geral da AWS.

A única diferença entre essas duas políticas de segurança é que TransferSecurityPolicy -FIPS-2024-01 suporta o ssh-rsa algoritmo e -FIPS-2024-05 não. TransferSecurityPolicy

{
    "SecurityPolicy": {
        "Fips": true,
        "SecurityPolicyName": "TransferSecurityPolicy-FIPS-2024-01",
        "SshCiphers": [
            "aes128-gcm@openssh.com",
            "aes256-gcm@openssh.com",
            "aes128-ctr",
            "aes256-ctr",
            "aes192-ctr"
        ],
        "SshKexs": [
            "ecdh-sha2-nistp256",
            "ecdh-sha2-nistp384",
            "ecdh-sha2-nistp521",
            "diffie-hellman-group18-sha512",
            "diffie-hellman-group16-sha512",
            "diffie-hellman-group-exchange-sha256"
        ],
        "SshMacs": [
            "hmac-sha2-256-etm@openssh.com",
            "hmac-sha2-512-etm@openssh.com"
        ],
        "ContentEncryptionCiphers": [
            "aes256-cbc",
            "aes192-cbc",
            "aes128-cbc"
            "3des-cbc"
        ],
        "HashAlgorithms": [
            "sha256",
            "sha384",
            "sha512"
            "sha1"
        ],
        "TlsCiphers": [
            "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
            "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
            "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
            "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
            "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
            "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
            "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
            "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
        ]
    }
}

TransferSecurityPolicy-FIPS-2023-05

Os detalhes da certificação FIPS AWS Transfer Family podem ser encontrados em https://csrc.nist.gov/projects/cryptographic-module-validation-program/validated-modules/search/all

O seguinte mostra a política de segurança TransferSecurityPolicy -FIPS-2023-05.

nota

O endpoint do serviço FIPS e a política de segurança TransferSecurityPolicy -FIPS-2023-05 só estão disponíveis em algumas regiões. AWS Para obter mais informações, consulte endpoints e cotas do AWS Transfer Family na Referência geral da AWS.

{
    "SecurityPolicy": {
        "Fips": true,
        "SecurityPolicyName": "TransferSecurityPolicy-FIPS-2023-05",
        "SshCiphers": [
            "aes256-gcm@openssh.com",
            "aes128-gcm@openssh.com",
            "aes256-ctr",
            "aes192-ctr"
        ],
        "SshKexs": [
            "diffie-hellman-group16-sha512",
            "diffie-hellman-group18-sha512",
            "diffie-hellman-group-exchange-sha256"
        ],
        "SshMacs": [
            "hmac-sha2-256-etm@openssh.com",
            "hmac-sha2-512-etm@openssh.com"
        ],
        "ContentEncryptionCiphers": [
            "aes256-cbc",
            "aes192-cbc",
            "aes128-cbc"
            "3des-cbc"
        ],
        "HashAlgorithms": [
            "sha256",
            "sha384",
            "sha512"
            "sha1"
        ],
        "TlsCiphers": [
            "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
            "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
            "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
            "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
            "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
            "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
            "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
            "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
        ]
    }
}

TransferSecurityPolicy-FIPS-2020-06

Os detalhes da certificação FIPS AWS Transfer Family podem ser encontrados em https://csrc.nist.gov/projects/cryptographic-module-validation-program/validated-modules/search/all

O seguinte mostra a política de segurança TransferSecurityPolicy -FIPS-2020-06.

nota

O endpoint do serviço FIPS e a política de segurança TransferSecurityPolicy -FIPS-2020-06 estão disponíveis somente em algumas regiões. AWS Para obter mais informações, consulte endpoints e cotas do AWS Transfer Family na Referência geral da AWS.

{
  "SecurityPolicy": {
    "Fips": true,
    "SecurityPolicyName": "TransferSecurityPolicy-FIPS-2020-06",
    "SshCiphers": [
      "aes128-ctr",
      "aes192-ctr",
      "aes256-ctr",
      "aes128-gcm@openssh.com",
      "aes256-gcm@openssh.com"
    ],
    "SshKexs": [
      "ecdh-sha2-nistp256",
      "ecdh-sha2-nistp384",
      "ecdh-sha2-nistp521",
      "diffie-hellman-group-exchange-sha256",
      "diffie-hellman-group16-sha512",
      "diffie-hellman-group18-sha512",
      "diffie-hellman-group14-sha256"
    ],
    "SshMacs": [
      "hmac-sha2-256-etm@openssh.com",
      "hmac-sha2-512-etm@openssh.com",
      "hmac-sha2-256",
      "hmac-sha2-512"
    ],
    "ContentEncryptionCiphers": [
      "aes256-cbc",
      "aes192-cbc",
      "aes128-cbc"
            "3des-cbc",
    ],
    "HashAlgorithms": [
      "sha256",
      "sha384",
      "sha512"
            "sha1",
    ],
    "TlsCiphers": [
      "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
      "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
      "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
      "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
      "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
      "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
      "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
      "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
    ]
  }
}

TransferSecurityPolicy- AS2 Restrito - 2025-07

Essa política de segurança foi projetada para transferências de AS2 arquivos que exigem segurança aprimorada, excluindo algoritmos criptográficos antigos. Ele suporta criptografia AES moderna e algoritmos de hash SHA-2, ao mesmo tempo em que remove o suporte para algoritmos mais fracos, como 3DES e SHA-1.

{
    "SecurityPolicy": {
        "Fips": false,
        "SecurityPolicyName": "TransferSecurityPolicy-AS2Restricted-2025-07",
        "SshCiphers": [
            "aes256-gcm@openssh.com",
            "aes128-gcm@openssh.com",
            "aes128-ctr",
            "aes256-ctr",
            "aes192-ctr"
        ],
        "SshKexs": [
            "mlkem768x25519-sha256",
            "mlkem768nistp256-sha256",
            "mlkem1024nistp384-sha384",
            "ecdh-sha2-nistp256",
            "ecdh-sha2-nistp384",
            "ecdh-sha2-nistp521",
            "curve25519-sha256",
            "curve25519-sha256@libssh.org",
            "diffie-hellman-group16-sha512",
            "diffie-hellman-group18-sha512",
            "diffie-hellman-group-exchange-sha256"
        ],
        "SshMacs": [
            "hmac-sha2-256-etm@openssh.com",
            "hmac-sha2-512-etm@openssh.com"
        ],
        "ContentEncryptionCiphers": [
            "aes256-cbc",
            "aes192-cbc",
            "aes128-cbc"
        ],
        "HashAlgorithms": [
            "sha256",
            "sha384",
            "sha512"
        ],
        "TlsCiphers": [
            "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
            "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
            "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
            "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
            "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
            "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
            "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
            "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
        ],
        "Type": "SERVER",
        "Protocols": [
            "AS2"
        ]
    }
}

Políticas de segurança Post Quantum

Esta tabela lista os algoritmos das políticas de segurança pós-quântica do Transfer Family. Essas políticas são descritas em detalhes em Usar a troca de chaves pós-quântica híbrida com AWS Transfer Family.

As listas de políticas seguem a tabela.

nota

As políticas pós-quânticas anteriores (TransferSecurityPolicy-PQ-SSH-Experimental-2023-04 e -PQ-SSH-FIPS-Experimental-2023-04) estão obsoletas. TransferSecurityPolicy Em vez disso, recomendamos que você use as novas políticas.

Política de segurança TransferSecurityPolicy-2025-03 TransferSecurityPolicy-FIPS-2025-03

SSH ciphers

aes128-ctr

aes128-gcm@openssh.com

aes192-ctr

aes256-ctr

aes256-gcm@openssh.com

KEXs
mlkem768x25519-sha256

mlkem768nistp256-sha256

mlkem1024nistp384-sha384

diffie-hellman-group14-sha256

diffie-hellman-group16-sha512

diffie-hellman-group18-sha512

ecdh-sha2-nistp384

ecdh-sha2-nistp521

ecdh-sha2-nistp256

diffie-hellman-group-exchange-sha256

curve25519-sha256@libssh.org

 

curve25519-sha256

 

MACs

hmac-sha2-256-etm@openssh.com

hmac-sha2-512-etm@openssh.com

ContentEncryptionCiphers

aes256-cbc

aes192-cbc

aes128-cbc

3des-cbc

HashAlgorithms

sha256

sha384

sha512

sha1

TLS ciphers

TLS_ECDHE_ECDSA_COM_AES_128_CBC_ SHA256

TLS_ECDHE_ECDSA_COM_AES_128_GCM_ SHA256

TLS_ECDHE_ECDSA_COM_AES_256_CBC_ SHA384

TLS_ECDHE_ECDSA_COM_AES_256_GCM_ SHA384

TLS_ECDHE_RSA_COM_AES_128_CBC_ SHA256

TLS_ECDHE_RSA_COM_AES_128_GCM_ SHA256

TLS_ECDHE_RSA_COM_AES_256_CBC_ SHA384

TLS_ECDHE_RSA_COM_AES_256_GCM_ SHA384

TransferSecurityPolicy-2025-03

O seguinte mostra a política de segurança TransferSecurityPolicy -2025-03.

{
    "SecurityPolicy": {
        "Fips": false,
        "SecurityPolicyName": "TransferSecurityPolicy-2025-03",
        "SshCiphers": [
            "aes256-gcm@openssh.com",
            "aes128-gcm@openssh.com",
            "aes128-ctr",
            "aes256-ctr",
            "aes192-ctr"
        ],
        "SshKexs": [
            "mlkem768x25519-sha256",
            "mlkem768nistp256-sha256",
            "mlkem1024nistp384-sha384",
            "ecdh-sha2-nistp256",
            "ecdh-sha2-nistp384",
            "ecdh-sha2-nistp521",
            "curve25519-sha256",
            "curve25519-sha256@libssh.org",
            "diffie-hellman-group16-sha512",
            "diffie-hellman-group18-sha512",
            "diffie-hellman-group-exchange-sha256"
        ],
        "SshMacs": [
            "hmac-sha2-256-etm@openssh.com",
            "hmac-sha2-512-etm@openssh.com"
        ],
        "ContentEncryptionCiphers": [
            "aes256-cbc",
            "aes192-cbc",
            "aes128-cbc"
            "3des-cbc"
        ],
        "HashAlgorithms": [
            "sha256",
            "sha384",
            "sha512"
            "sha1"
        ],
        "TlsCiphers": [
            "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
            "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
            "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
            "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
            "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
            "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
            "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
            "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
        ],
        "Type": "SERVER",
        "Protocols": [
           "SFTP",
           "FTPS"
        ]
    }
}

TransferSecurityPolicy-FIPS-2025-03

O seguinte mostra a política de segurança TransferSecurityPolicy -FIPS-2025-03.

{
    "SecurityPolicy": {
        "Fips": true,
        "SecurityPolicyName": "TransferSecurityPolicy-FIPS-2025-03",
        "SshCiphers": [
            "aes256-gcm@openssh.com",
            "aes128-gcm@openssh.com",
            "aes256-ctr",
            "aes192-ctr",
            "aes128-ctr"
        ],
        "SshKexs": [
            "mlkem768x25519-sha256",
            "mlkem768nistp256-sha256",
            "mlkem1024nistp384-sha384",
            "ecdh-sha2-nistp256",
            "ecdh-sha2-nistp384",
            "ecdh-sha2-nistp521",
            "diffie-hellman-group-exchange-sha256",
            "diffie-hellman-group16-sha512",
            "diffie-hellman-group18-sha512"
        ],
        "SshMacs": [
            "hmac-sha2-512-etm@openssh.com",
            "hmac-sha2-256-etm@openssh.com"            
        ],
        "ContentEncryptionCiphers": [
            "aes256-cbc",
            "aes192-cbc",
            "aes128-cbc"
            "3des-cbc"
        ],
        "HashAlgorithms": [
            "sha256",
            "sha384",
            "sha512"
            "sha1"
        ],
        "TlsCiphers": [
            "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
            "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
            "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
            "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
            "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
            "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
            "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
            "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
        ],
        "Type": "SERVER",
        "Protocols": [
           "SFTP",
           "FTPS"
        ]
    }
}

TransferSecurityPolicy- AS2 Restrito - 2025-07

O seguinte mostra a política de segurança TransferSecurityPolicy - AS2 Restricted-2025-07.

nota

Essa política de segurança é idêntica à TransferSecurityPolicy -2025-03, exceto que ela não suporta 3DES (in ContentEncryptionCiphers) e não suporta (in). SHA1 HashAlgorithms Inclui todos os algoritmos de 2025-03, incluindo algoritmos criptográficos pós-quânticos (mlkem*). KEXs

{
    "SecurityPolicy": {
        "Fips": false,
        "SecurityPolicyName": "TransferSecurityPolicy-AS2Restricted-2025-07",
        "SshCiphers": [
            "aes256-gcm@openssh.com",
            "aes128-gcm@openssh.com",
            "aes128-ctr",
            "aes256-ctr",
            "aes192-ctr"
        ],
        "SshKexs": [
            "mlkem768x25519-sha256",
            "mlkem768nistp256-sha256",
            "mlkem1024nistp384-sha384",
            "ecdh-sha2-nistp256",
            "ecdh-sha2-nistp384",
            "ecdh-sha2-nistp521",
            "curve25519-sha256",
            "curve25519-sha256@libssh.org",
            "diffie-hellman-group16-sha512",
            "diffie-hellman-group18-sha512",
            "diffie-hellman-group-exchange-sha256"
        ],
        "SshMacs": [
            "hmac-sha2-256-etm@openssh.com",
            "hmac-sha2-512-etm@openssh.com"
        ],
        "ContentEncryptionCiphers": [
            "aes256-cbc",
            "aes192-cbc",
            "aes128-cbc"
        ],
        "HashAlgorithms": [
            "sha256",
            "sha384",
            "sha512"
        ],
        "TlsCiphers": [
            "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
            "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
            "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
            "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
            "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
            "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
            "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
            "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
        ],
        "Type": "SERVER",
        "Protocols": [
           "SFTP",
           "FTPS"
        ]
    }
}