本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。
# AWS Transfer Family 服务器的安全策略
中的服务器安全策略 AWS Transfer Family 允许您限制与服务器关联的一组加密算法(消息身份验证码 (MACs)、密钥交换 (KEXs)、密码套件、内容加密密码和哈希算法)。
AWS Transfer Family 支持使用混合密钥交换算法的后量子安全策略,将传统加密方法与后量子算法相结合,以提供针对未来量子计算威胁的增强安全性。详情请参见[使用混合后量子密钥交换 AWS Transfer Family](post-quantum-security-policies.md)。
有关支持的密钥算法的列表,请参阅 [加密算法](#cryptographic-algorithms)。有关支持的服务器主机秘钥和服务托管用户秘钥算法列表,请参见 [在 Transfer Family 中管理 SSH 和 PGP 密钥](key-management.md)。
**注意**
我们强烈建议将您的服务器更新为我们的最新安全政策。
`TransferSecurityPolicy-2024-01`是使用控制台、API 或 CLI 创建服务器时附加到服务器的默认安全策略。
如果您使用默认安全策略创建 Transfer Family 服务器 CloudFormation 并接受默认安全策略,则会分配该服务器`TransferSecurityPolicy-2018-11`。
如果您担心客户端兼容性,请明确说明在创建或更新服务器时您希望使用哪种安全策略,而不是使用默认策略,默认策略可能会发生变化。要更改服务器的安全策略,请参阅[编辑安全策略](edit-server-config.md#edit-cryptographic-algorithm)。
有关 Transfer Family 安全性的更多信息,请参阅以下博客文章:
+ [提高 AWS Transfer Family 服务器安全性的六个技巧](https://aws.amazon.com/blogs/security/six-tips-to-improve-the-security-of-your-aws-transfer-family-server/)
+ [Transfer Family 如何帮助您构建安全、合规的托管文件传输解决方案](https://aws.amazon.com/blogs/security/how-transfer-family-can-help-you-build-a-secure-compliant-managed-file-transfer-solution/)
**Topics**
+ [加密算法](#cryptographic-algorithms)
+ [TransferSecurityPolicy-2024-01](#security-policy-transfer-2024-01)
+ [TransferSecurityPolicy-SshAuditCompliant -2025-02](#security-policy-transferSecurityPolicy-SshAuditCompliant-2025-02)
+ [TransferSecurityPolicy-2023-05](#security-policy-transfer-2023-05)
+ [TransferSecurityPolicy-2022-03](#security-policy-transfer-2022-03)
+ [TransferSecurityPolicy-2020-06 和-Restricted-2020-06 TransferSecurityPolicy](#security-policy-transfer-2020-06)
+ [TransferSecurityPolicy-2018-11 和-Restricted-2018-11 TransferSecurityPolicy](#security-policy-transfer-2018-11)
+ [TransferSecurityPolicy-FIPS-2024-01/-FIPS-2024-05 TransferSecurityPolicy](#security-policy-transfer-fips-2024-01)
+ [TransferSecurityPolicy-FIPS-2023-05](#security-policy-transfer-fips-2023-05)
+ [TransferSecurityPolicy-FIPS-2020-06](#security-policy-transfer-fips-2020-06)
+ [TransferSecurityPolicy-AS2 限量版-2025-07](#as2-restricted-policy)
+ [后量子安全策略](#pq-policies)
## 加密算法
对于主机密钥,我们支持以下算法:
+ `rsa-sha2-256`
+ `rsa-sha2-512`
+ `ecdsa-sha2-nistp256`
+ `ecdsa-sha2-nistp384`
+ `ecdsa-sha2-nistp521`
+ `ssh-ed25519`
此外,以下安全策略允许`ssh-rsa`:
+ TransferSecurityPolicy-2018-11
+ TransferSecurityPolicy-2020-06
+ TransferSecurityPolicy-FIPS-2020-06
+ TransferSecurityPolicy-FIPS-2023-05
+ TransferSecurityPolicy-FIPS-2024-01
+ TransferSecurityPolicy-pq-ssh-fips-Experimental-2023-04
**注意**
了解 RSA 密钥类型(始终是)和 RSA 主机密钥算法(可以是任何支持的算法`ssh-rsa`)之间的区别非常重要。
以下是各种安全策略支持的加密算法列表。
**注意**
在下表和策略中,请注意算法类型的以下用法。
SFTP 服务器仅使用**SshCiphers**SshKexs****、和**SshMacs**部分中的算法。
FTPS 服务器仅使用该**TlsCiphers**部分中的算法。
由于FTP服务器不使用加密,因此不使用任何这些算法。
AS2 服务器仅使用**ContentEncryptionCiphers**和**HashAlgorithms**部分中的算法。这些部分定义了用于加密和签名文件内容的算法。
FIPS-2024-05 和 FIPS-2024-01 的安全策略是相同的,只是 FIPS-2024-05 不支持该`ssh-rsa`算法。
Transfer Family推出了新的限制性政策,这些政策与现有政策非常相似:
TransferSecurityPolicy-Restricted-2018-11 和 TransferSecurityPolicy -2018-11 安全策略完全相同,唯一的不同是受限策略不支持密码。`chacha20-poly1305@openssh.com`
TransferSecurityPolicy-Restricted-2020-06 和 TransferSecurityPolicy -2020-06 安全策略相同,唯一的不同是受限策略不支持密码。`chacha20-poly1305@openssh.com`
\$1 在下表中,`chacha20-poly1305@openssh.com`密码仅包含在非限制策略中,
| 安全策略 | 2024-01 | SshAuditCompliant-2025-02 | 2023-05 | 2022-03 | **2020-06** **2020-06 受限制** | **FIPS-2024-05** **FIPS-2024-01** | FIPS-2023-05 | FIPS-2020-06 | **2018-11** **2018-11 受限制** | TransferSecurityPolicy-AS2 限量版-2025-07 |
| --- |--- |--- |--- |--- |--- |--- |--- |--- |--- |--- |
| **SshCiphers** |
| --- |
| aes128-ctr | ♦ | ♦ | | | ♦ | ♦ | | ♦ | ♦ | ♦ |
| aes128-gcm@openssh.com | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
| aes192-ctr | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
| aes256-ctr | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
| aes256-gcm@openssh.com | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
| chacha20-poly1305@openssh.com | | | | | ♦\$1 | | | | ♦\$1 | |
| **SshKexs** |
| --- |
| mlkem768x25519-sha256 | | | | | | | | | | ♦ |
| mlkem768nistp256-sha256 | | | | | | | | | | ♦ |
| mlkem1024nistp384-sha384 | | | | | | | | | | ♦ |
| curve25519-sha256 | ♦ | ♦ | ♦ | ♦ | | | | | ♦ | ♦ |
| curve25519-sha256@libssh.org | ♦ | ♦ | ♦ | ♦ | | | | | ♦ | ♦ |
| diffie-hellman-group14-sha1 | | | | | | | | | ♦ | |
| diffie-hellman-group14-sha256 | | | | | ♦ | | | ♦ | ♦ | |
| diffie-hellman-group16-sha512 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
| diffie-hellman-group18-sha512 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
| diffie-hellman-group-exchange-sha256 | ♦ | ♦ | ♦ | ♦ | ♦ | | ♦ | ♦ | ♦ | ♦ |
| ecdh-sha2-nistp256 | ♦ | | | | ♦ | ♦ | | ♦ | ♦ | ♦ |
| ecdh-sha2-nistp384 | ♦ | | | | ♦ | ♦ | | ♦ | ♦ | ♦ |
| ecdh-sha2-nistp521 | ♦ | | | | ♦ | ♦ | | ♦ | ♦ | ♦ |
| **SshMacs** |
| --- |
| hmac-sha1 | | | | | | | | | ♦ | |
| hmac-sha1-etm@openssh.com | | | | | | | | | ♦ | |
| hmac-sha2-256 | | | | ♦ | ♦ | | | ♦ | ♦ | |
| hmac-sha2-256-etm@openssh.com | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
| hmac-sha2-512 | | | | ♦ | ♦ | | | ♦ | ♦ | |
| hmac-sha2-512-etm@openssh.com | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
| umac-128-etm@openssh.com | | | | | ♦ | | | | ♦ | |
| umac-128@openssh.com | | | | | ♦ | | | | ♦ | |
| umac-64-etm@openssh.com | | | | | | | | | ♦ | |
| umac-64@openssh.com | | | | | | | | | ♦ | |
| **ContentEncryptionCiphers** |
| --- |
| aes256-cbc | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
| aes192-cbc | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
| aes128-cbc | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
| 3des-cbc | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | |
| **HashAlgorithms** |
| --- |
| sha256 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
| sha384 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
| sha512 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
| sha1 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | |
| **TlsCiphers** |
| --- |
| TLS\$1ECDHE\$1ECDSA\$1WITH\$1AES\$1128\$1CBC\$1 SHA256 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
| TLS\$1ECDHE\$1ECDSA\$1WITH\$1AES\$1128\$1GCM\$1 SHA256 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
| TLS\$1ECDHE\$1ECDSA\$1WITH\$1AES\$1256\$1CBC\$1 SHA384 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
| TLS\$1ECDHE\$1ECDSA\$1WITH\$1AES\$1256\$1GCM\$1 SHA384 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
| TLS\$1ECDHE\$1RSA\$1WITH\$1AES\$1128\$1CBC\$1 SHA256 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
| TLS\$1ECDHE\$1RSA\$1WITH\$1AES\$1128\$1GCM\$1 SHA256 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
| TLS\$1ECDHE\$1RSA\$1WITH\$1AES\$1256\$1CBC\$1 SHA384 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
| TLS\$1ECDHE\$1RSA\$1WITH\$1AES\$1256\$1GCM\$1 SHA384 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
| TLS\$1RSA\$1WITH\$1AES\$1128\$1CBC\$1 SHA256 | | | | | | | | | ♦ | |
| TLS\$1RSA\$1WITH\$1AES\$1256\$1CBC\$1 SHA256 | | | | | | | | | ♦ | |
## TransferSecurityPolicy-2024-01
以下显示了 TransferSecurityPolicy -2024-01 安全策略。
```
{
"SecurityPolicy": {
"Fips": false,
"SecurityPolicyName": "TransferSecurityPolicy-2024-01",
"SshCiphers": [
"aes128-gcm@openssh.com",
"aes256-gcm@openssh.com",
"aes128-ctr",
"aes256-ctr",
"aes192-ctr"
],
"SshKexs": [
"ecdh-sha2-nistp256",
"ecdh-sha2-nistp384",
"ecdh-sha2-nistp521",
"curve25519-sha256",
"curve25519-sha256@libssh.org",
"diffie-hellman-group18-sha512",
"diffie-hellman-group16-sha512",
"diffie-hellman-group-exchange-sha256"
],
"SshMacs": [
"hmac-sha2-256-etm@openssh.com",
"hmac-sha2-512-etm@openssh.com"
],
"ContentEncryptionCiphers": [
"aes256-cbc",
"aes192-cbc",
"aes128-cbc",
"3des-cbc"
],
"HashAlgorithms": [
"sha256",
"sha384",
"sha512",
"sha1"
],
"TlsCiphers": [
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
]
}
}
```
## TransferSecurityPolicy-SshAuditCompliant -2025-02
以下显示了 TransferSecurityPolicy-SshAuditCompliant -2025-02 安全策略。
**注意**
此安全策略是围绕该工具提供的建议设计的,并且与该`ssh-audit`工具100%兼容。
```
{
"SecurityPolicy": {
"Fips": false,
"Protocols": [
"SFTP",
"FTPS"
],
"SecurityPolicyName": "TransferSecurityPolicy-SshAuditCompliant-2025-02",
"SshCiphers": [
"aes128-gcm@openssh.com",
"aes256-gcm@openssh.com",
"aes128-ctr",
"aes256-ctr",
"aes192-ctr"
],
"SshKexs": [
"curve25519-sha256",
"curve25519-sha256@libssh.org",
"diffie-hellman-group18-sha512",
"diffie-hellman-group16-sha512",
"diffie-hellman-group-exchange-sha256"
],
"SshMacs": [
"hmac-sha2-256-etm@openssh.com",
"hmac-sha2-512-etm@openssh.com"
],
"ContentEncryptionCiphers": [
"aes256-cbc",
"aes192-cbc",
"aes128-cbc",
"3des-cbc"
],
"HashAlgorithms": [
"sha256",
"sha384",
"sha512",
"sha1"
],
"TlsCiphers": [
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
],
"Type": "SERVER"
}
}
```
## TransferSecurityPolicy-2023-05
以下显示了 TransferSecurityPolicy -2023-05 安全策略。
```
{
"SecurityPolicy": {
"Fips": false,
"SecurityPolicyName": "TransferSecurityPolicy-2023-05",
"SshCiphers": [
"aes256-gcm@openssh.com",
"aes128-gcm@openssh.com",
"aes256-ctr",
"aes192-ctr"
],
"SshKexs": [
"curve25519-sha256",
"curve25519-sha256@libssh.org",
"diffie-hellman-group16-sha512",
"diffie-hellman-group18-sha512",
"diffie-hellman-group-exchange-sha256"
],
"SshMacs": [
"hmac-sha2-512-etm@openssh.com",
"hmac-sha2-256-etm@openssh.com"
],
"ContentEncryptionCiphers": [
"aes256-cbc",
"aes192-cbc",
"aes128-cbc",
"3des-cbc"
],
"HashAlgorithms": [
"sha256",
"sha384",
"sha512",
"sha1"
],
"TlsCiphers": [
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
]
}
}
```
## TransferSecurityPolicy-2022-03
以下显示了 TransferSecurityPolicy -2022-03 安全策略。
```
{
"SecurityPolicy": {
"Fips": false,
"SecurityPolicyName": "TransferSecurityPolicy-2022-03",
"SshCiphers": [
"aes256-gcm@openssh.com",
"aes128-gcm@openssh.com",
"aes256-ctr",
"aes192-ctr"
],
"SshKexs": [
"curve25519-sha256",
"curve25519-sha256@libssh.org",
"diffie-hellman-group16-sha512",
"diffie-hellman-group18-sha512",
"diffie-hellman-group-exchange-sha256"
],
"SshMacs": [
"hmac-sha2-512-etm@openssh.com",
"hmac-sha2-256-etm@openssh.com",
"hmac-sha2-512",
"hmac-sha2-256"
],
"ContentEncryptionCiphers": [
"aes256-cbc",
"aes192-cbc",
"aes128-cbc"
"3des-cbc",
],
"HashAlgorithms": [
"sha256",
"sha384",
"sha512"
"sha1"
],
"TlsCiphers": [
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
]
}
}
```
## TransferSecurityPolicy-2020-06 和-Restricted-2020-06 TransferSecurityPolicy
以下显示了 TransferSecurityPolicy -2020-06 安全策略。
**注意**
TransferSecurityPolicy-Restricted-2020-06 和 TransferSecurityPolicy -2020-06 安全策略相同,唯一的不同是受限策略不支持密码。`chacha20-poly1305@openssh.com`
```
{
"SecurityPolicy": {
"Fips": false,
"SecurityPolicyName": "TransferSecurityPolicy-2020-06",
"SshCiphers": [
"chacha20-poly1305@openssh.com", //Not included in TransferSecurityPolicy-Restricted-2020-06
"aes128-ctr",
"aes192-ctr",
"aes256-ctr",
"aes128-gcm@openssh.com",
"aes256-gcm@openssh.com"
],
"SshKexs": [
"ecdh-sha2-nistp256",
"ecdh-sha2-nistp384",
"ecdh-sha2-nistp521",
"diffie-hellman-group-exchange-sha256",
"diffie-hellman-group16-sha512",
"diffie-hellman-group18-sha512",
"diffie-hellman-group14-sha256"
],
"SshMacs": [
"umac-128-etm@openssh.com",
"hmac-sha2-256-etm@openssh.com",
"hmac-sha2-512-etm@openssh.com",
"umac-128@openssh.com",
"hmac-sha2-256",
"hmac-sha2-512"
],
"ContentEncryptionCiphers": [
"aes256-cbc",
"aes192-cbc",
"aes128-cbc"
"3des-cbc",
],
"HashAlgorithms": [
"sha256",
"sha384",
"sha512"
"sha1"
],
"TlsCiphers": [
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
]
}
}
```
## TransferSecurityPolicy-2018-11 和-Restricted-2018-11 TransferSecurityPolicy
以下显示了 TransferSecurityPolicy -2018-11 的安全策略。
**注意**
TransferSecurityPolicy-Restricted-2018-11 和 TransferSecurityPolicy -2018-11 安全策略完全相同,唯一的不同是受限策略不支持密码。`chacha20-poly1305@openssh.com`
```
{
"SecurityPolicy": {
"Fips": false,
"SecurityPolicyName": "TransferSecurityPolicy-2018-11",
"SshCiphers": [
"chacha20-poly1305@openssh.com", //Not included in TransferSecurityPolicy-Restricted-2018-11
"aes128-ctr",
"aes192-ctr",
"aes256-ctr",
"aes128-gcm@openssh.com",
"aes256-gcm@openssh.com"
],
"SshKexs": [
"curve25519-sha256",
"curve25519-sha256@libssh.org",
"ecdh-sha2-nistp256",
"ecdh-sha2-nistp384",
"ecdh-sha2-nistp521",
"diffie-hellman-group-exchange-sha256",
"diffie-hellman-group16-sha512",
"diffie-hellman-group18-sha512",
"diffie-hellman-group14-sha256",
"diffie-hellman-group14-sha1"
],
"SshMacs": [
"umac-64-etm@openssh.com",
"umac-128-etm@openssh.com",
"hmac-sha2-256-etm@openssh.com",
"hmac-sha2-512-etm@openssh.com",
"hmac-sha1-etm@openssh.com",
"umac-64@openssh.com",
"umac-128@openssh.com",
"hmac-sha2-256",
"hmac-sha2-512",
"hmac-sha1"
],
"ContentEncryptionCiphers": [
"aes256-cbc",
"aes192-cbc",
"aes128-cbc"
"3des-cbc",
],
"HashAlgorithms": [
"sha256",
"sha384",
"sha512",
"sha1"
],
"TlsCiphers": [
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
"TLS_RSA_WITH_AES_128_CBC_SHA256",
"TLS_RSA_WITH_AES_256_CBC_SHA256"
]
}
}
```
## TransferSecurityPolicy-FIPS-2024-01/-FIPS-2024-05 TransferSecurityPolicy
以下显示了-FIPS-2024-0 TransferSecurityPolicy 1 和-FIPS-2024-05 安全策略。 TransferSecurityPolicy
**注意**
FIPS 服务终端节点以及 TransferSecurityPolicy-FIPS-2024-01 和-FIPS-2024-05 安全策略仅在 TransferSecurityPolicy某些地区可用。 AWS 有关更多信息,请参阅 *AWS 一般参考* 中的 [AWS Transfer Family 端点和配额](https://docs.aws.amazon.com/general/latest/gr/transfer-service.html)。
这两种安全策略之间的唯一区别是-FIPS-2024-01支持该算法,而 TransferSecurityPolicy-FIPS-2024-05不支持该`ssh-rsa`算法。 TransferSecurityPolicy
```
{
"SecurityPolicy": {
"Fips": true,
"SecurityPolicyName": "TransferSecurityPolicy-FIPS-2024-01",
"SshCiphers": [
"aes128-gcm@openssh.com",
"aes256-gcm@openssh.com",
"aes128-ctr",
"aes256-ctr",
"aes192-ctr"
],
"SshKexs": [
"ecdh-sha2-nistp256",
"ecdh-sha2-nistp384",
"ecdh-sha2-nistp521",
"diffie-hellman-group18-sha512",
"diffie-hellman-group16-sha512",
"diffie-hellman-group-exchange-sha256"
],
"SshMacs": [
"hmac-sha2-256-etm@openssh.com",
"hmac-sha2-512-etm@openssh.com"
],
"ContentEncryptionCiphers": [
"aes256-cbc",
"aes192-cbc",
"aes128-cbc"
"3des-cbc"
],
"HashAlgorithms": [
"sha256",
"sha384",
"sha512"
"sha1"
],
"TlsCiphers": [
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
]
}
}
```
## TransferSecurityPolicy-FIPS-2023-05
FIPS 认证详情 AWS Transfer Family 可在以下网址找到 [https://csrc.nist.gov/projects/cryptographic-module-validation-program/validated-modules/search/all](https://csrc.nist.gov/projects/cryptographic-module-validation-program/validated-modules/search/all)
下图显示了 TransferSecurityPolicy-FIPS-2023-05 安全策略。
**注意**
FIPS 服务终端节点和 TransferSecurityPolicy-FIPS-2023-05 安全策略仅在某些地区可用。 AWS 有关更多信息,请参阅 *AWS 一般参考* 中的 [AWS Transfer Family 端点和配额](https://docs.aws.amazon.com/general/latest/gr/transfer-service.html)。
```
{
"SecurityPolicy": {
"Fips": true,
"SecurityPolicyName": "TransferSecurityPolicy-FIPS-2023-05",
"SshCiphers": [
"aes256-gcm@openssh.com",
"aes128-gcm@openssh.com",
"aes256-ctr",
"aes192-ctr"
],
"SshKexs": [
"diffie-hellman-group16-sha512",
"diffie-hellman-group18-sha512",
"diffie-hellman-group-exchange-sha256"
],
"SshMacs": [
"hmac-sha2-256-etm@openssh.com",
"hmac-sha2-512-etm@openssh.com"
],
"ContentEncryptionCiphers": [
"aes256-cbc",
"aes192-cbc",
"aes128-cbc"
"3des-cbc"
],
"HashAlgorithms": [
"sha256",
"sha384",
"sha512"
"sha1"
],
"TlsCiphers": [
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
]
}
}
```
## TransferSecurityPolicy-FIPS-2020-06
FIPS 认证详情 AWS Transfer Family 可在以下网址找到 [https://csrc.nist.gov/projects/cryptographic-module-validation-program/validated-modules/search/all](https://csrc.nist.gov/projects/cryptographic-module-validation-program/validated-modules/search/all)
以下显示了 TransferSecurityPolicy-FIPS-2020-06 安全策略。
**注意**
FIPS 服务终端节点和 TransferSecurityPolicy-FIPS-2020-06 安全策略仅在某些地区可用。 AWS 有关更多信息,请参阅 *AWS 一般参考* 中的 [AWS Transfer Family 端点和配额](https://docs.aws.amazon.com/general/latest/gr/transfer-service.html)。
```
{
"SecurityPolicy": {
"Fips": true,
"SecurityPolicyName": "TransferSecurityPolicy-FIPS-2020-06",
"SshCiphers": [
"aes128-ctr",
"aes192-ctr",
"aes256-ctr",
"aes128-gcm@openssh.com",
"aes256-gcm@openssh.com"
],
"SshKexs": [
"ecdh-sha2-nistp256",
"ecdh-sha2-nistp384",
"ecdh-sha2-nistp521",
"diffie-hellman-group-exchange-sha256",
"diffie-hellman-group16-sha512",
"diffie-hellman-group18-sha512",
"diffie-hellman-group14-sha256"
],
"SshMacs": [
"hmac-sha2-256-etm@openssh.com",
"hmac-sha2-512-etm@openssh.com",
"hmac-sha2-256",
"hmac-sha2-512"
],
"ContentEncryptionCiphers": [
"aes256-cbc",
"aes192-cbc",
"aes128-cbc"
"3des-cbc",
],
"HashAlgorithms": [
"sha256",
"sha384",
"sha512"
"sha1",
],
"TlsCiphers": [
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
]
}
}
```
## TransferSecurityPolicy-AS2 限量版-2025-07
此安全策略专为需要通过排除传统加密算法来增强安全性的 AS2 文件传输而设计。它支持现代 AES 加密和 SHA-2 哈希算法,同时取消了对 3DES 和 SHA-1 等较弱算法的支持。
```
{
"SecurityPolicy": {
"Fips": false,
"SecurityPolicyName": "TransferSecurityPolicy-AS2Restricted-2025-07",
"SshCiphers": [
"aes256-gcm@openssh.com",
"aes128-gcm@openssh.com",
"aes128-ctr",
"aes256-ctr",
"aes192-ctr"
],
"SshKexs": [
"mlkem768x25519-sha256",
"mlkem768nistp256-sha256",
"mlkem1024nistp384-sha384",
"ecdh-sha2-nistp256",
"ecdh-sha2-nistp384",
"ecdh-sha2-nistp521",
"curve25519-sha256",
"curve25519-sha256@libssh.org",
"diffie-hellman-group16-sha512",
"diffie-hellman-group18-sha512",
"diffie-hellman-group-exchange-sha256"
],
"SshMacs": [
"hmac-sha2-256-etm@openssh.com",
"hmac-sha2-512-etm@openssh.com"
],
"ContentEncryptionCiphers": [
"aes256-cbc",
"aes192-cbc",
"aes128-cbc"
],
"HashAlgorithms": [
"sha256",
"sha384",
"sha512"
],
"TlsCiphers": [
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
],
"Type": "SERVER",
"Protocols": [
"AS2"
]
}
}
```
## 后量子安全策略
下表列出了 Transfer Family 后量子安全策略算法。有关此策略的详细描述,请参见[使用混合后量子密钥交换 AWS Transfer Family](post-quantum-security-policies.md)。
政策列表如下表所示。
**注意**
**较早的后量子政策(**TransferSecurityPolicy-pq-ssh-experimental-2023-04 和-pq-ssh-fips-experimental-2023-04)已被弃**用。TransferSecurityPolicy**我们建议您改用新政策。
| 安全策略 | TransferSecurityPolicy-2025-03 | TransferSecurityPolicy-FIPS-2025-03 |
| --- |--- |--- |
| **SSH ciphers** |
| --- |
| aes128-ctr | ♦ | ♦ |
| aes128-gcm@openssh.com | ♦ | ♦ |
| aes192-ctr | ♦ | ♦ |
| aes256-ctr | ♦ | ♦ |
| aes256-gcm@openssh.com | ♦ | ♦ |
| **KEXs** |
| --- |
| mlkem768x25519-sha256 | ♦ | ♦ |
| mlkem768nistp256-sha256 | ♦ | ♦ |
| mlkem1024nistp384-sha384 | ♦ | ♦ |
| diffie-hellman-group14-sha256 | ♦ | ♦ |
| diffie-hellman-group16-sha512 | ♦ | ♦ |
| diffie-hellman-group18-sha512 | ♦ | ♦ |
| ecdh-sha2-nistp384 | ♦ | ♦ |
| ecdh-sha2-nistp521 | ♦ | ♦ |
| ecdh-sha2-nistp256 | ♦ | ♦ |
| diffie-hellman-group-exchange-sha256 | ♦ | ♦ |
| curve25519-sha256@libssh.org | ♦ | |
| curve25519-sha256 | ♦ | |
| **MACs** |
| --- |
| hmac-sha2-256-etm@openssh.com | ♦ | ♦ |
| hmac-sha2-512-etm@openssh.com | ♦ | ♦ |
| **ContentEncryptionCiphers** |
| --- |
| aes256-cbc | ♦ | ♦ |
| aes192-cbc | ♦ | ♦ |
| aes128-cbc | ♦ | ♦ |
| 3des-cbc | ♦ | ♦ |
| **HashAlgorithms** |
| --- |
| sha256 | ♦ | ♦ |
| sha384 | ♦ | ♦ |
| sha512 | ♦ | ♦ |
| sha1 | ♦ | ♦ |
| **TLS ciphers** |
| --- |
| TLS\$1ECDHE\$1ECDSA\$1WITH\$1AES\$1128\$1CBC\$1 SHA256 | ♦ | ♦ |
| TLS\$1ECDHE\$1ECDSA\$1WITH\$1AES\$1128\$1GCM\$1 SHA256 | ♦ | ♦ |
| TLS\$1ECDHE\$1ECDSA\$1WITH\$1AES\$1256\$1CBC\$1 SHA384 | ♦ | ♦ |
| TLS\$1ECDHE\$1ECDSA\$1WITH\$1AES\$1256\$1GCM\$1 SHA384 | ♦ | ♦ |
| TLS\$1ECDHE\$1RSA\$1WITH\$1AES\$1128\$1CBC\$1 SHA256 | ♦ | ♦ |
| TLS\$1ECDHE\$1RSA\$1WITH\$1AES\$1128\$1GCM\$1 SHA256 | ♦ | ♦ |
| TLS\$1ECDHE\$1RSA\$1WITH\$1AES\$1256\$1CBC\$1 SHA384 | ♦ | ♦ |
| TLS\$1ECDHE\$1RSA\$1WITH\$1AES\$1256\$1GCM\$1 SHA384 | ♦ | ♦ |
### TransferSecurityPolicy-2025-03
以下显示了 TransferSecurityPolicy -2025-03 安全策略。
```
{
"SecurityPolicy": {
"Fips": false,
"SecurityPolicyName": "TransferSecurityPolicy-2025-03",
"SshCiphers": [
"aes256-gcm@openssh.com",
"aes128-gcm@openssh.com",
"aes128-ctr",
"aes256-ctr",
"aes192-ctr"
],
"SshKexs": [
"mlkem768x25519-sha256",
"mlkem768nistp256-sha256",
"mlkem1024nistp384-sha384",
"ecdh-sha2-nistp256",
"ecdh-sha2-nistp384",
"ecdh-sha2-nistp521",
"curve25519-sha256",
"curve25519-sha256@libssh.org",
"diffie-hellman-group16-sha512",
"diffie-hellman-group18-sha512",
"diffie-hellman-group-exchange-sha256"
],
"SshMacs": [
"hmac-sha2-256-etm@openssh.com",
"hmac-sha2-512-etm@openssh.com"
],
"ContentEncryptionCiphers": [
"aes256-cbc",
"aes192-cbc",
"aes128-cbc"
"3des-cbc"
],
"HashAlgorithms": [
"sha256",
"sha384",
"sha512"
"sha1"
],
"TlsCiphers": [
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
],
"Type": "SERVER",
"Protocols": [
"SFTP",
"FTPS"
]
}
}
```
### TransferSecurityPolicy-FIPS-2025-03
以下显示了 TransferSecurityPolicy-FIPS-2025-03 安全策略。
```
{
"SecurityPolicy": {
"Fips": true,
"SecurityPolicyName": "TransferSecurityPolicy-FIPS-2025-03",
"SshCiphers": [
"aes256-gcm@openssh.com",
"aes128-gcm@openssh.com",
"aes256-ctr",
"aes192-ctr",
"aes128-ctr"
],
"SshKexs": [
"mlkem768x25519-sha256",
"mlkem768nistp256-sha256",
"mlkem1024nistp384-sha384",
"ecdh-sha2-nistp256",
"ecdh-sha2-nistp384",
"ecdh-sha2-nistp521",
"diffie-hellman-group-exchange-sha256",
"diffie-hellman-group16-sha512",
"diffie-hellman-group18-sha512"
],
"SshMacs": [
"hmac-sha2-512-etm@openssh.com",
"hmac-sha2-256-etm@openssh.com"
],
"ContentEncryptionCiphers": [
"aes256-cbc",
"aes192-cbc",
"aes128-cbc"
"3des-cbc"
],
"HashAlgorithms": [
"sha256",
"sha384",
"sha512"
"sha1"
],
"TlsCiphers": [
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
],
"Type": "SERVER",
"Protocols": [
"SFTP",
"FTPS"
]
}
}
```
### TransferSecurityPolicy-AS2 限量版-2025-07
以下显示了 TransferSecurityPolicy-AS2 限制型 2025-07 安全策略。
**注意**
此安全策略与 TransferSecurityPolicy -2025-03 相同,不同之处在于它不支持 3DES(in ContentEncryptionCiphers),也不支持 SHA1 (in)。 HashAlgorithms它包括2025-03年的所有算法,包括后量子加密算法(mlkem\$1)。 KEXs
```
{
"SecurityPolicy": {
"Fips": false,
"SecurityPolicyName": "TransferSecurityPolicy-AS2Restricted-2025-07",
"SshCiphers": [
"aes256-gcm@openssh.com",
"aes128-gcm@openssh.com",
"aes128-ctr",
"aes256-ctr",
"aes192-ctr"
],
"SshKexs": [
"mlkem768x25519-sha256",
"mlkem768nistp256-sha256",
"mlkem1024nistp384-sha384",
"ecdh-sha2-nistp256",
"ecdh-sha2-nistp384",
"ecdh-sha2-nistp521",
"curve25519-sha256",
"curve25519-sha256@libssh.org",
"diffie-hellman-group16-sha512",
"diffie-hellman-group18-sha512",
"diffie-hellman-group-exchange-sha256"
],
"SshMacs": [
"hmac-sha2-256-etm@openssh.com",
"hmac-sha2-512-etm@openssh.com"
],
"ContentEncryptionCiphers": [
"aes256-cbc",
"aes192-cbc",
"aes128-cbc"
],
"HashAlgorithms": [
"sha256",
"sha384",
"sha512"
],
"TlsCiphers": [
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
],
"Type": "SERVER",
"Protocols": [
"SFTP",
"FTPS"
]
}
}
```