As traduções são geradas por tradução automática. Em caso de conflito entre o conteúdo da tradução e da versão original em inglês, a versão em inglês prevalecerá.
# Políticas de segurança para AWS Transfer Family servidores
As políticas de segurança do servidor AWS Transfer Family permitem que você limite o conjunto de algoritmos criptográficos (códigos de autenticação de mensagens (MACs), trocas de chaves (KEXs), conjuntos de cifras, cifras de criptografia de conteúdo e algoritmos de hash) associados ao seu servidor.
AWS Transfer Family suporta políticas de segurança pós-quântica que usam algoritmos híbridos de troca de chaves, combinando métodos criptográficos tradicionais com algoritmos pós-quânticos para fornecer segurança aprimorada contra futuras ameaças da computação quântica. Para obter mais informações, consulte [Usando a troca híbrida de chaves pós-quânticas com AWS Transfer Family](post-quantum-security-policies.md).
Para ver uma lista dos algoritmos de chave suportados, consulte [Algoritmos criptográficos](#cryptographic-algorithms). Para obter uma lista de algoritmos de chave compatíveis para uso com chaves de host de servidor e chaves de usuário gerenciadas por serviços, consulte [Gerenciando chaves SSH e PGP no Transfer Family](key-management.md).
**nota**
A partir de 2025, todas as novas políticas AWS Transfer Family de segurança incluem suporte criptográfico pós-quântico usando algoritmos híbridos de troca de chaves. Para obter mais informações sobre segurança pós-quântica, consulte[Usando a troca híbrida de chaves pós-quânticas com AWS Transfer Family](post-quantum-security-policies.md).
**nota**
É altamente recomendável atualizar seus servidores de acordo com nossa política de segurança mais recente.
`TransferSecurityPolicy-2024-01`é a política de segurança padrão anexada ao seu servidor ao criar um servidor usando o console, a API ou a CLI.
Se você criar um servidor Transfer Family usando CloudFormation e aceitar a política de segurança padrão, o servidor será atribuído`TransferSecurityPolicy-2018-11`.
Se você estiver preocupado com a compatibilidade do cliente, indique afirmativamente qual política de segurança você deseja usar ao criar ou atualizar um servidor, em vez de usar a política padrão, que está sujeita a alterações. Para alterar a política de segurança de um servidor, consulte[Edite a política de segurança](edit-server-config.md#edit-cryptographic-algorithm).
**nota**
As políticas pós-quânticas anteriores (**TransferSecurityPolicy-PQ-SSH-Experimental-2023-04**e **TransferSecurityPolicy-PQ-SSH-FIPS-Experimental-2023-04**) estão obsoletas. Em vez disso, recomendamos que você use as novas políticas.
Para obter mais informações sobre segurança no Transfer Family, consulte as seguintes postagens no blog:
+ [Seis dicas para melhorar a segurança do seu AWS Transfer Family servidor](https://aws.amazon.com/blogs/security/six-tips-to-improve-the-security-of-your-aws-transfer-family-server/)
+ [Como a Transfer Family pode ajudar você a criar uma solução de transferência gerenciada de arquivos segura e compatível](https://aws.amazon.com/blogs/security/how-transfer-family-can-help-you-build-a-secure-compliant-managed-file-transfer-solution/)
**Topics**
+ [Algoritmos criptográficos](#cryptographic-algorithms)
+ [Detalhes da política de segurança](#security-policy-details)
## Algoritmos criptográficos
Para chaves de host, oferecemos suporte aos seguintes algoritmos:
+ `rsa-sha2-256`
+ `rsa-sha2-512`
+ `ecdsa-sha2-nistp256`
+ `ecdsa-sha2-nistp384`
+ `ecdsa-sha2-nistp521`
+ `ssh-ed25519`
Além disso, as seguintes políticas de segurança permitem`ssh-rsa`:
+ TransferSecurityPolicy-2018-11
+ TransferSecurityPolicy-2020-06
+ TransferSecurityPolicy-FIPS-2020-06
+ TransferSecurityPolicy-FIPS-2023-05
+ TransferSecurityPolicy-FIPS-2024-01
**nota**
É importante entender a distinção entre o tipo de chave RSA, que é sempre, `ssh-rsa` e o algoritmo de chave de host RSA, que pode ser qualquer um dos algoritmos compatíveis.
Veja a seguir uma lista dos algoritmos criptográficos compatíveis com cada política de segurança.
**nota**
Na tabela e nas políticas a seguir, observe o seguinte uso dos tipos de algoritmo.
Os servidores SFTP usam apenas algoritmos nas **SshMacs**seções **SshCiphers**SshKexs****, e.
Os servidores FTPS usam apenas algoritmos na **TlsCiphers**seção.
Os servidores FTP, como não usam criptografia, não usam nenhum desses algoritmos.
Os servidores AS2 usam apenas algoritmos nas **HashAlgorithms**seções **ContentEncryptionCiphers**e. Essas seções definem algoritmos usados para criptografar e assinar o conteúdo do arquivo.
As políticas FIPS-2024-01 de segurança FIPS-2024-05 e são idênticas, exceto que FIPS-2024-05 não suportam o `ssh-rsa` algoritmo.
A Transfer Family introduziu novas políticas restritas que são muito paralelas às políticas existentes:
As políticas TransferSecurityPolicy-2018-11 de segurança TransferSecurityPolicy-Restricted-2018-11 e são idênticas, exceto que a política restrita não suporta a `chacha20-poly1305@openssh.com` cifra.
As políticas TransferSecurityPolicy-2020-06 de segurança TransferSecurityPolicy-Restricted-2020-06 e são idênticas, exceto que a política restrita não suporta a `chacha20-poly1305@openssh.com` cifra.
\* Na tabela a seguir, a `chacha20-poly1305@openssh.com` cifra está incluída somente na política não restrita,
| Política de segurança | [TransferSecurityPolicy-2025-03](#security-policy-transfer-2025-03) | [TransferSecurityPolicy-FIPS-2025-03](#security-policy-transfer-2025-03-fips) | [TransferSecurityPolicy-SshAuditCompliant-2025-02](#security-policy-transferSecurityPolicy-SshAuditCompliant-2025-02) | [TransferSecurityPolicy-AS2Restricted-2025-07](#security-policy-transfer-as2restricted-2025-07) | [TransferSecurityPolicy-2024-01](#security-policy-transfer-2024-01) | **[TransferSecurityPolicy-FIPS-2024-01/TransferSecurityPolicy-FIPS-2024-05](#security-policy-transfer-fips-2024-01)** | [TransferSecurityPolicy-2023-05](#security-policy-transfer-2023-05) | [TransferSecurityPolicy-FIPS-2023-05](#security-policy-transfer-fips-2023-05) | [TransferSecurityPolicy-2022-03](#security-policy-transfer-2022-03) | **[TransferSecurityPolicy-2020-06 and TransferSecurityPolicy-Restricted-2020-06](#security-policy-transfer-2020-06)** | [TransferSecurityPolicy-FIPS-2020-06](#security-policy-transfer-fips-2020-06) | **[TransferSecurityPolicy-2018-11 and TransferSecurityPolicy-Restricted-2018-11](#security-policy-transfer-2018-11)** |
| --- |--- |--- |--- |--- |--- |--- |--- |--- |--- |--- |--- |--- |
| **SshCiphers** |
| --- |
| aes128-ctr | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | | | | ♦ | ♦ | ♦ |
| aes128-gcm@openssh.com | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
| aes192-ctr | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
| aes256-ctr | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
| aes256-gcm@openssh.com | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
| chacha20-poly1305@openssh.com | | | | | | | | | | ♦\* | | ♦\* |
| **SshKexs** |
| --- |
| mlkem768x25519-sha256 | ♦ | ♦ | | ♦ | | | | | | | | |
| mlkem768nistp256-sha256 | ♦ | ♦ | | ♦ | | | | | | | | |
| mlkem1024nistp384-sha384 | ♦ | ♦ | | ♦ | | | | | | | | |
| curve25519-sha256 | ♦ | | ♦ | ♦ | ♦ | | ♦ | | ♦ | | | ♦ |
| curve25519-sha256@libssh.org | ♦ | | ♦ | ♦ | ♦ | | ♦ | | ♦ | | | ♦ |
| diffie-hellman-group14-sha1 | | | | | | | | | | | | ♦ |
| diffie-hellman-group14-sha256 | | | | | | | | | | ♦ | ♦ | ♦ |
| diffie-hellman-group16-sha512 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
| diffie-hellman-group18-sha512 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
| diffie-hellman-group-exchange-sha256 | ♦ | ♦ | ♦ | ♦ | ♦ | | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
| ecdh-sha2-nistp256 | ♦ | ♦ | | ♦ | ♦ | ♦ | | | | ♦ | ♦ | ♦ |
| ecdh-sha2-nistp384 | ♦ | ♦ | | ♦ | ♦ | ♦ | | | | ♦ | ♦ | ♦ |
| ecdh-sha2-nistp521 | ♦ | ♦ | | ♦ | ♦ | ♦ | | | | ♦ | ♦ | ♦ |
| **SshMacs** |
| --- |
| hmac-sha1 | | | | | | | | | | | | ♦ |
| hmac-sha1-etm@openssh.com | | | | | | | | | | | | ♦ |
| hmac-sha2-256 | | | | | | | | | ♦ | ♦ | ♦ | ♦ |
| hmac-sha2-256-etm@openssh.com | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
| hmac-sha2-512 | | | | | | | | | ♦ | ♦ | ♦ | ♦ |
| hmac-sha2-512-etm@openssh.com | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
| umac-128-etm@openssh.com | | | | | | | | | | ♦ | | ♦ |
| umac-128-etm@openssh.com | | | | | | | | | | ♦ | | ♦ |
| umac-64-etm@openssh.com | | | | | | | | | | | | ♦ |
| umac-64@openssh.com | | | | | | | | | | | | ♦ |
| **ContentEncryptionCiphers** |
| --- |
| aes256-cbc | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
| aes192-cbc | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
| aes128-cbc | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
| 3des-cbc | ♦ | ♦ | ♦ | | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
| **HashAlgorithms** |
| --- |
| sha256 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
| sha384 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
| sha512 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
| sha1 | ♦ | ♦ | ♦ | | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
| **TlsCiphers** |
| --- |
| TLS\_ECDHE\_ECDSA\_WITH\_AES\_128\_CBC\_SHA256 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
| TLS\_ECDHE\_ECDSA\_WITH\_AES\_128\_GCM\_SHA256 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
| TLS\_ECDHE\_ECDSA\_WITH\_AES\_256\_CBC\_SHA384 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
| TLS\_ECDHE\_ECDSA\_WITH\_AES\_256\_GCM\_SHA384 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
| TLS\_ECDHE\_RSA\_WITH\_AES\_128\_CBC\_SHA256 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
| TLS\_ECDHE\_RSA\_WITH\_AES\_128\_GCM\_SHA256 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
| TLS\_ECDHE\_RSA\_WITH\_AES\_256\_CBC\_SHA384 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
| TLS\_ECDHE\_RSA\_WITH\_AES\_256\_GCM\_SHA384 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
| TLS\_RSA\_WITH\_AES\_128\_CBC\_SHA256 | | | | | | | | | | | | ♦ |
| TLS\_RSA\_WITH\_AES\_256\_CBC\_SHA256 | | | | | | | | | | | | ♦ |
## Detalhes da política de segurança
As seções a seguir contêm a representação JSON de cada política de segurança.
### TransferSecurityPolicy-2025-03
O seguinte mostra a política TransferSecurityPolicy-2025-03 de segurança.
```
{
"SecurityPolicy": {
"Fips": false,
"SecurityPolicyName": "TransferSecurityPolicy-2025-03",
"SshCiphers": [
"aes256-gcm@openssh.com",
"aes128-gcm@openssh.com",
"aes128-ctr",
"aes256-ctr",
"aes192-ctr"
],
"SshKexs": [
"mlkem768x25519-sha256",
"mlkem768nistp256-sha256",
"mlkem1024nistp384-sha384",
"ecdh-sha2-nistp256",
"ecdh-sha2-nistp384",
"ecdh-sha2-nistp521",
"curve25519-sha256",
"curve25519-sha256@libssh.org",
"diffie-hellman-group16-sha512",
"diffie-hellman-group18-sha512",
"diffie-hellman-group-exchange-sha256"
],
"SshMacs": [
"hmac-sha2-256-etm@openssh.com",
"hmac-sha2-512-etm@openssh.com"
],
"ContentEncryptionCiphers": [
"aes256-cbc",
"aes192-cbc",
"aes128-cbc",
"3des-cbc"
],
"HashAlgorithms": [
"sha256",
"sha384",
"sha512",
"sha1"
],
"TlsCiphers": [
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
],
"Type": "SERVER",
"Protocols": [
"SFTP",
"FTPS"
]
}
}
```
### TransferSecurityPolicy-FIPS-2025-03
O seguinte mostra a política TransferSecurityPolicy-FIPS-2025-03 de segurança.
```
{
"SecurityPolicy": {
"Fips": true,
"SecurityPolicyName": "TransferSecurityPolicy-FIPS-2025-03",
"SshCiphers": [
"aes256-gcm@openssh.com",
"aes128-gcm@openssh.com",
"aes256-ctr",
"aes192-ctr",
"aes128-ctr"
],
"SshKexs": [
"mlkem768x25519-sha256",
"mlkem768nistp256-sha256",
"mlkem1024nistp384-sha384",
"ecdh-sha2-nistp256",
"ecdh-sha2-nistp384",
"ecdh-sha2-nistp521",
"diffie-hellman-group-exchange-sha256",
"diffie-hellman-group16-sha512",
"diffie-hellman-group18-sha512"
],
"SshMacs": [
"hmac-sha2-512-etm@openssh.com",
"hmac-sha2-256-etm@openssh.com"
],
"ContentEncryptionCiphers": [
"aes256-cbc",
"aes192-cbc",
"aes128-cbc",
"3des-cbc"
],
"HashAlgorithms": [
"sha256",
"sha384",
"sha512",
"sha1"
],
"TlsCiphers": [
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
],
"Type": "SERVER",
"Protocols": [
"SFTP",
"FTPS"
]
}
}
```
### TransferSecurityPolicy-AS2Restricted-2025-07
Essa política de segurança foi projetada para transferências de arquivos AS2 que exigem segurança aprimorada, excluindo algoritmos criptográficos legados. Ele oferece suporte a algoritmos de SHA-2 hash e criptografia AES modernos, ao mesmo tempo em que remove o suporte para algoritmos mais fracos, como 3DES e. SHA-1
**nota**
Essa política de segurança é idêntica TransferSecurityPolicy-2025-03, exceto que ela não oferece suporte a 3DES (in ContentEncryptionCiphers) e não oferece suporte a SHA1 (in HashAlgorithms). Inclui todos os algoritmos de 2025-03, incluindo algoritmos criptográficos pós-quânticos (mlkem\* KEXs).
```
{
"SecurityPolicy": {
"Fips": false,
"SecurityPolicyName": "TransferSecurityPolicy-AS2Restricted-2025-07",
"SshCiphers": [
"aes256-gcm@openssh.com",
"aes128-gcm@openssh.com",
"aes128-ctr",
"aes256-ctr",
"aes192-ctr"
],
"SshKexs": [
"mlkem768x25519-sha256",
"mlkem768nistp256-sha256",
"mlkem1024nistp384-sha384",
"ecdh-sha2-nistp256",
"ecdh-sha2-nistp384",
"ecdh-sha2-nistp521",
"curve25519-sha256",
"curve25519-sha256@libssh.org",
"diffie-hellman-group16-sha512",
"diffie-hellman-group18-sha512",
"diffie-hellman-group-exchange-sha256"
],
"SshMacs": [
"hmac-sha2-256-etm@openssh.com",
"hmac-sha2-512-etm@openssh.com"
],
"ContentEncryptionCiphers": [
"aes256-cbc",
"aes192-cbc",
"aes128-cbc"
],
"HashAlgorithms": [
"sha256",
"sha384",
"sha512"
],
"TlsCiphers": [
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
],
"Type": "SERVER",
"Protocols": [
"SFTP",
"FTPS"
]
}
}
```
### TransferSecurityPolicy-SshAuditCompliant-2025-02
O seguinte mostra a política TransferSecurityPolicy-SshAuditCompliant-2025-02 de segurança.
**nota**
Essa política de segurança foi projetada com base nas recomendações fornecidas pela `ssh-audit` ferramenta e é 100% compatível com essa ferramenta.
```
{
"SecurityPolicy": {
"Fips": false,
"Protocols": [
"SFTP",
"FTPS"
],
"SecurityPolicyName": "TransferSecurityPolicy-SshAuditCompliant-2025-02",
"SshCiphers": [
"aes128-gcm@openssh.com",
"aes256-gcm@openssh.com",
"aes128-ctr",
"aes256-ctr",
"aes192-ctr"
],
"SshKexs": [
"curve25519-sha256",
"curve25519-sha256@libssh.org",
"diffie-hellman-group18-sha512",
"diffie-hellman-group16-sha512",
"diffie-hellman-group-exchange-sha256"
],
"SshMacs": [
"hmac-sha2-256-etm@openssh.com",
"hmac-sha2-512-etm@openssh.com"
],
"ContentEncryptionCiphers": [
"aes256-cbc",
"aes192-cbc",
"aes128-cbc",
"3des-cbc"
],
"HashAlgorithms": [
"sha256",
"sha384",
"sha512",
"sha1"
],
"TlsCiphers": [
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
],
"Type": "SERVER"
}
}
```
### TransferSecurityPolicy-2024-01
O seguinte mostra a política TransferSecurityPolicy-2024-01 de segurança.
```
{
"SecurityPolicy": {
"Fips": false,
"SecurityPolicyName": "TransferSecurityPolicy-2024-01",
"SshCiphers": [
"aes128-gcm@openssh.com",
"aes256-gcm@openssh.com",
"aes128-ctr",
"aes256-ctr",
"aes192-ctr"
],
"SshKexs": [
"ecdh-sha2-nistp256",
"ecdh-sha2-nistp384",
"ecdh-sha2-nistp521",
"curve25519-sha256",
"curve25519-sha256@libssh.org",
"diffie-hellman-group18-sha512",
"diffie-hellman-group16-sha512",
"diffie-hellman-group-exchange-sha256"
],
"SshMacs": [
"hmac-sha2-256-etm@openssh.com",
"hmac-sha2-512-etm@openssh.com"
],
"ContentEncryptionCiphers": [
"aes256-cbc",
"aes192-cbc",
"aes128-cbc",
"3des-cbc"
],
"HashAlgorithms": [
"sha256",
"sha384",
"sha512",
"sha1"
],
"TlsCiphers": [
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
]
}
}
```
### TransferSecurityPolicy-FIPS-2024-01/TransferSecurityPolicy-FIPS-2024-05
A seguir, mostramos as políticas TransferSecurityPolicy-FIPS-2024-05 de segurança TransferSecurityPolicy-FIPS-2024-01 e.
**nota**
O endpoint TransferSecurityPolicy-FIPS-2024-01 e as políticas de TransferSecurityPolicy-FIPS-2024-05 segurança do serviço FIPS estão disponíveis somente em algumas AWS regiões. Para obter mais informações, consulte [endpoints e cotas do AWS Transfer Family](https://docs.aws.amazon.com/general/latest/gr/transfer-service.html) na *Referência geral da AWS*.
A única diferença entre essas duas políticas de segurança é que elas oferecem TransferSecurityPolicy-FIPS-2024-01 suporte ao `ssh-rsa` algoritmo e TransferSecurityPolicy-FIPS-2024-05 não.
```
{
"SecurityPolicy": {
"Fips": true,
"SecurityPolicyName": "TransferSecurityPolicy-FIPS-2024-01",
"SshCiphers": [
"aes128-gcm@openssh.com",
"aes256-gcm@openssh.com",
"aes128-ctr",
"aes256-ctr",
"aes192-ctr"
],
"SshKexs": [
"ecdh-sha2-nistp256",
"ecdh-sha2-nistp384",
"ecdh-sha2-nistp521",
"diffie-hellman-group18-sha512",
"diffie-hellman-group16-sha512",
"diffie-hellman-group-exchange-sha256"
],
"SshMacs": [
"hmac-sha2-256-etm@openssh.com",
"hmac-sha2-512-etm@openssh.com"
],
"ContentEncryptionCiphers": [
"aes256-cbc",
"aes192-cbc",
"aes128-cbc",
"3des-cbc"
],
"HashAlgorithms": [
"sha256",
"sha384",
"sha512",
"sha1"
],
"TlsCiphers": [
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
]
}
}
```
### TransferSecurityPolicy-2023-05
O seguinte mostra a política TransferSecurityPolicy-2023-05 de segurança.
```
{
"SecurityPolicy": {
"Fips": false,
"SecurityPolicyName": "TransferSecurityPolicy-2023-05",
"SshCiphers": [
"aes256-gcm@openssh.com",
"aes128-gcm@openssh.com",
"aes256-ctr",
"aes192-ctr"
],
"SshKexs": [
"curve25519-sha256",
"curve25519-sha256@libssh.org",
"diffie-hellman-group16-sha512",
"diffie-hellman-group18-sha512",
"diffie-hellman-group-exchange-sha256"
],
"SshMacs": [
"hmac-sha2-512-etm@openssh.com",
"hmac-sha2-256-etm@openssh.com"
],
"ContentEncryptionCiphers": [
"aes256-cbc",
"aes192-cbc",
"aes128-cbc",
"3des-cbc"
],
"HashAlgorithms": [
"sha256",
"sha384",
"sha512",
"sha1"
],
"TlsCiphers": [
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
]
}
}
```
### TransferSecurityPolicy-FIPS-2023-05
Os detalhes da certificação FIPS AWS Transfer Family podem ser encontrados em [https://csrc.nist.gov/projects/cryptographic-module-validation-program/validated-modules/search/all](https://csrc.nist.gov/projects/cryptographic-module-validation-program/validated-modules/search/all)
O seguinte mostra a política TransferSecurityPolicy-FIPS-2023-05 de segurança.
**nota**
O endpoint do serviço FIPS e a política TransferSecurityPolicy-FIPS-2023-05 de segurança só estão disponíveis em algumas AWS regiões. Para obter mais informações, consulte [endpoints e cotas do AWS Transfer Family](https://docs.aws.amazon.com/general/latest/gr/transfer-service.html) na *Referência geral da AWS*.
```
{
"SecurityPolicy": {
"Fips": true,
"SecurityPolicyName": "TransferSecurityPolicy-FIPS-2023-05",
"SshCiphers": [
"aes256-gcm@openssh.com",
"aes128-gcm@openssh.com",
"aes256-ctr",
"aes192-ctr"
],
"SshKexs": [
"diffie-hellman-group16-sha512",
"diffie-hellman-group18-sha512",
"diffie-hellman-group-exchange-sha256"
],
"SshMacs": [
"hmac-sha2-256-etm@openssh.com",
"hmac-sha2-512-etm@openssh.com"
],
"ContentEncryptionCiphers": [
"aes256-cbc",
"aes192-cbc",
"aes128-cbc",
"3des-cbc"
],
"HashAlgorithms": [
"sha256",
"sha384",
"sha512",
"sha1"
],
"TlsCiphers": [
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
]
}
}
```
### TransferSecurityPolicy-2022-03
O seguinte mostra a política TransferSecurityPolicy-2022-03 de segurança.
```
{
"SecurityPolicy": {
"Fips": false,
"SecurityPolicyName": "TransferSecurityPolicy-2022-03",
"SshCiphers": [
"aes256-gcm@openssh.com",
"aes128-gcm@openssh.com",
"aes256-ctr",
"aes192-ctr"
],
"SshKexs": [
"curve25519-sha256",
"curve25519-sha256@libssh.org",
"diffie-hellman-group16-sha512",
"diffie-hellman-group18-sha512",
"diffie-hellman-group-exchange-sha256"
],
"SshMacs": [
"hmac-sha2-512-etm@openssh.com",
"hmac-sha2-256-etm@openssh.com",
"hmac-sha2-512",
"hmac-sha2-256"
],
"ContentEncryptionCiphers": [
"aes256-cbc",
"aes192-cbc",
"aes128-cbc",
"3des-cbc"
],
"HashAlgorithms": [
"sha256",
"sha384",
"sha512",
"sha1"
],
"TlsCiphers": [
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
]
}
}
```
### TransferSecurityPolicy-2020-06 and TransferSecurityPolicy-Restricted-2020-06
O seguinte mostra a política TransferSecurityPolicy-2020-06 de segurança.
**nota**
As políticas TransferSecurityPolicy-2020-06 de segurança TransferSecurityPolicy-Restricted-2020-06 e são idênticas, exceto que a política restrita não suporta a `chacha20-poly1305@openssh.com` cifra.
```
{
"SecurityPolicy": {
"Fips": false,
"SecurityPolicyName": "TransferSecurityPolicy-2020-06",
"SshCiphers": [
"chacha20-poly1305@openssh.com", //Not included in TransferSecurityPolicy-Restricted-2020-06
"aes128-ctr",
"aes192-ctr",
"aes256-ctr",
"aes128-gcm@openssh.com",
"aes256-gcm@openssh.com"
],
"SshKexs": [
"ecdh-sha2-nistp256",
"ecdh-sha2-nistp384",
"ecdh-sha2-nistp521",
"diffie-hellman-group-exchange-sha256",
"diffie-hellman-group16-sha512",
"diffie-hellman-group18-sha512",
"diffie-hellman-group14-sha256"
],
"SshMacs": [
"umac-128-etm@openssh.com",
"hmac-sha2-256-etm@openssh.com",
"hmac-sha2-512-etm@openssh.com",
"umac-128@openssh.com",
"hmac-sha2-256",
"hmac-sha2-512"
],
"ContentEncryptionCiphers": [
"aes256-cbc",
"aes192-cbc",
"aes128-cbc",
"3des-cbc"
],
"HashAlgorithms": [
"sha256",
"sha384",
"sha512",
"sha1"
],
"TlsCiphers": [
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
]
}
}
```
### TransferSecurityPolicy-FIPS-2020-06
Os detalhes da certificação FIPS AWS Transfer Family podem ser encontrados em [https://csrc.nist.gov/projects/cryptographic-module-validation-program/validated-modules/search/all](https://csrc.nist.gov/projects/cryptographic-module-validation-program/validated-modules/search/all)
O seguinte mostra a política TransferSecurityPolicy-FIPS-2020-06 de segurança.
**nota**
O endpoint do serviço FIPS e a política TransferSecurityPolicy-FIPS-2020-06 de segurança só estão disponíveis em algumas AWS regiões. Para obter mais informações, consulte [endpoints e cotas do AWS Transfer Family](https://docs.aws.amazon.com/general/latest/gr/transfer-service.html) na *Referência geral da AWS*.
```
{
"SecurityPolicy": {
"Fips": true,
"SecurityPolicyName": "TransferSecurityPolicy-FIPS-2020-06",
"SshCiphers": [
"aes128-ctr",
"aes192-ctr",
"aes256-ctr",
"aes128-gcm@openssh.com",
"aes256-gcm@openssh.com"
],
"SshKexs": [
"ecdh-sha2-nistp256",
"ecdh-sha2-nistp384",
"ecdh-sha2-nistp521",
"diffie-hellman-group-exchange-sha256",
"diffie-hellman-group16-sha512",
"diffie-hellman-group18-sha512",
"diffie-hellman-group14-sha256"
],
"SshMacs": [
"hmac-sha2-256-etm@openssh.com",
"hmac-sha2-512-etm@openssh.com",
"hmac-sha2-256",
"hmac-sha2-512"
],
"ContentEncryptionCiphers": [
"aes256-cbc",
"aes192-cbc",
"aes128-cbc",
"3des-cbc"
],
"HashAlgorithms": [
"sha256",
"sha384",
"sha512",
"sha1"
],
"TlsCiphers": [
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
]
}
}
```
### TransferSecurityPolicy-2018-11 and TransferSecurityPolicy-Restricted-2018-11
O seguinte mostra a política TransferSecurityPolicy-2018-11 de segurança.
**nota**
As políticas TransferSecurityPolicy-2018-11 de segurança TransferSecurityPolicy-Restricted-2018-11 e são idênticas, exceto que a política restrita não suporta a `chacha20-poly1305@openssh.com` cifra.
```
{
"SecurityPolicy": {
"Fips": false,
"SecurityPolicyName": "TransferSecurityPolicy-2018-11",
"SshCiphers": [
"chacha20-poly1305@openssh.com", //Not included in TransferSecurityPolicy-Restricted-2018-11
"aes128-ctr",
"aes192-ctr",
"aes256-ctr",
"aes128-gcm@openssh.com",
"aes256-gcm@openssh.com"
],
"SshKexs": [
"curve25519-sha256",
"curve25519-sha256@libssh.org",
"ecdh-sha2-nistp256",
"ecdh-sha2-nistp384",
"ecdh-sha2-nistp521",
"diffie-hellman-group-exchange-sha256",
"diffie-hellman-group16-sha512",
"diffie-hellman-group18-sha512",
"diffie-hellman-group14-sha256",
"diffie-hellman-group14-sha1"
],
"SshMacs": [
"umac-64-etm@openssh.com",
"umac-128-etm@openssh.com",
"hmac-sha2-256-etm@openssh.com",
"hmac-sha2-512-etm@openssh.com",
"hmac-sha1-etm@openssh.com",
"umac-64@openssh.com",
"umac-128@openssh.com",
"hmac-sha2-256",
"hmac-sha2-512",
"hmac-sha1"
],
"ContentEncryptionCiphers": [
"aes256-cbc",
"aes192-cbc",
"aes128-cbc",
"3des-cbc"
],
"HashAlgorithms": [
"sha256",
"sha384",
"sha512",
"sha1"
],
"TlsCiphers": [
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
"TLS_RSA_WITH_AES_128_CBC_SHA256",
"TLS_RSA_WITH_AES_256_CBC_SHA256"
]
}
}
```