Security policies for AWS Transfer Family servers
Server security policies in AWS Transfer Family allow you to limit the set of cryptographic algorithms (message authentication codes (MACs), key exchanges (KEXs), and cipher suites) associated with your server. For a list of supported cryptographic algorithms, see Cryptographic algorithms. For a list of supported key algorithms for use with server host keys and service-managed user keys, see Supported algorithms for user and server keys.
Note
We strongly recommend updating your servers to our latest security policy. Our latest security policy is the default. Any customer who creates a Transfer Family server using CloudFormation and accepts the default security policy will be automatically assigned the latest policy. If you are concerned about client compatibility, please affirmatively state which security policy you wish to use when creating or updating a server rather than using the default policy, which is subject to change.
To change the security policy for a server, see Edit the security policy.
For more information on security in Transfer Family, see the blog post How Transfer Family can help you build a secure, compliant managed file transfer solution.
Topics
- Cryptographic algorithms
- TransferSecurityPolicy-2024-01
- TransferSecurityPolicy-2023-05
- TransferSecurityPolicy-2022-03
- TransferSecurityPolicy-2020-06 and TransferSecurityPolicy-Restricted-2020-06
- TransferSecurityPolicy-2018-11 and TransferSecurityPolicy-Restricted-2018-11
- TransferSecurityPolicy-FIPS-2024-01/TransferSecurityPolicy-FIPS-2024-05
- TransferSecurityPolicy-FIPS-2023-05
- TransferSecurityPolicy-FIPS-2020-06
- Post Quantum security policies
Note
TransferSecurityPolicy-2024-01 is the default security policy attached to your server when creating a server using the console, API, or CLI.
Cryptographic algorithms
For host keys, we support the following algorithms:
- rsa-sha2-256
- rsa-sha2-512
- ecdsa-sha2-nistp256
- ecdsa-sha2-nistp384
- ecdsa-sha2-nistp521
- ssh-ed25519
Additionally, the following security policies allow ssh-rsa:
- TransferSecurityPolicy-2018-11
- TransferSecurityPolicy-2020-06
- TransferSecurityPolicy-FIPS-2020-06
- TransferSecurityPolicy-FIPS-2023-05
- TransferSecurityPolicy-FIPS-2024-01
- TransferSecurityPolicy-PQ-SSH-FIPS-Experimental-2023-04
Note
It is important to understand the distinction between the RSA key type, which is always ssh-rsa, and the RSA host key algorithm, which can be any of the supported algorithms.
The following is a list of supported cryptographic algorithms for each security policy.
Note
In the following table and policies, note the following use of algorithm types.
- SFTP servers only use algorithms in the SshCiphers, SshKexs, and SshMacs sections.
- FTPS servers only use algorithms in the TlsCiphers section.
- FTP servers, since they don't use encryption, do not use any of these algorithms.
- The FIPS-2024-05 and FIPS-2024-01 security policies are identical, except that FIPS-2024-05 doesn't support the ssh-rsa algorithm.
- Transfer Family has introduced new restricted policies that closely parallel existing policies:
  - The TransferSecurityPolicy-Restricted-2018-11 and TransferSecurityPolicy-2018-11 security policies are identical, except that the restricted policy doesn't support the chacha20-poly1305@openssh cipher.
  - The TransferSecurityPolicy-Restricted-2020-06 and TransferSecurityPolicy-2020-06 security policies are identical, except that the restricted policy doesn't support the chacha20-poly1305@openssh cipher.

  *In the following table, the chacha20-poly1305@openssh cipher is included in the non-restricted policy only.
Security policy | 2024-01 | 2023-05 | 2022-03 | 2020-06 / 2020-06 restricted | FIPS-2024-05 / FIPS-2024-01 | FIPS-2023-05 | FIPS-2020-06 | 2018-11 / 2018-11 restricted |
---|---|---|---|---|---|---|---|---|
SshCiphers | | | | | | | | |
aes128-ctr | ♦ | | | ♦ | ♦ | | ♦ | ♦ |
aes128-gcm@openssh | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
aes192-ctr | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
aes256-ctr | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
aes256-gcm@openssh | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
chacha20-poly1305@openssh | | | | ♦* | | | | ♦* |
SshKexs | | | | | | | | |
curve25519-sha256 | ♦ | ♦ | ♦ | | | | | ♦ |
[email protected] | ♦ | ♦ | ♦ | | | | | ♦ |
diffie-hellman-group14-sha1 | | | | | | | | ♦ |
diffie-hellman-group14-sha256 | | | | ♦ | | | ♦ | ♦ |
diffie-hellman-group16-sha512 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
diffie-hellman-group18-sha512 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
diffie-hellman-group-exchange-sha256 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
[email protected] | ♦ | | | | ♦ | | | |
[email protected] | ♦ | | | | ♦ | | | |
[email protected] | ♦ | | | | ♦ | | | |
ecdh-sha2-nistp256 | ♦ | | | ♦ | ♦ | | ♦ | ♦ |
ecdh-sha2-nistp384 | ♦ | | | ♦ | ♦ | | ♦ | ♦ |
ecdh-sha2-nistp521 | ♦ | | | ♦ | ♦ | | ♦ | ♦ |
x25519-kyber-512r3-sha256-d00@amazon | ♦ | | | | | | | |
SshMacs | | | | | | | | |
hmac-sha1 | | | | | | | | ♦ |
hmac-sha1-etm@openssh | | | | | | | | ♦ |
hmac-sha2-256 | | | ♦ | ♦ | | | ♦ | ♦ |
hmac-sha2-256-etm@openssh | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
hmac-sha2-512 | | | ♦ | ♦ | | | ♦ | ♦ |
hmac-sha2-512-etm@openssh | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
umac-128-etm@openssh | | | | ♦ | | | | ♦ |
umac-128@openssh | | | | ♦ | | | | ♦ |
umac-64-etm@openssh | | | | | | | | ♦ |
umac-64@openssh | | | | | | | | ♦ |
TlsCiphers | | | | | | | | |
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
TLS_RSA_WITH_AES_128_CBC_SHA256 | | | | | | | | ♦ |
TLS_RSA_WITH_AES_256_CBC_SHA256 | | | | | | | | ♦ |
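One way to audit a policy document of the shape shown on this page, and to see exactly which algorithms clients lose or gain when a server is moved to a newer policy. This is an added example, not code from the Transfer Family documentation: the two sample documents are trimmed copies of policies listed on this page, the section-to-protocol mapping follows the note above, and the notion of a "legacy" algorithm is this example's own judgement rather than a service rule.

```python
"""Audit a Transfer Family security policy document (added example, not AWS code).
Works on the JSON shape shown on this page, which is also what the
DescribeSecurityPolicy API returns; the legacy criteria are this example's own."""
import json

# Constructed samples: trimmed copies of two policies listed on this page.
POLICY_2018_11 = json.loads("""{"SecurityPolicy": {
  "Fips": false, "SecurityPolicyName": "TransferSecurityPolicy-2018-11",
  "SshCiphers": ["chacha20-poly1305@openssh", "aes128-ctr", "aes256-gcm@openssh"],
  "SshKexs": ["curve25519-sha256", "ecdh-sha2-nistp256", "diffie-hellman-group14-sha1"],
  "SshMacs": ["hmac-sha2-256-etm@openssh", "hmac-sha1-etm@openssh", "hmac-sha2-256", "hmac-sha1"],
  "TlsCiphers": ["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_RSA_WITH_AES_256_CBC_SHA256"]}}""")
POLICY_2024_01 = json.loads("""{"SecurityPolicy": {
  "Fips": false, "SecurityPolicyName": "TransferSecurityPolicy-2024-01",
  "SshCiphers": ["aes128-gcm@openssh", "aes256-gcm@openssh", "aes128-ctr", "aes256-ctr", "aes192-ctr"],
  "SshKexs": ["x25519-kyber-512r3-sha256-d00@amazon", "ecdh-sha2-nistp256", "curve25519-sha256",
              "diffie-hellman-group16-sha512", "diffie-hellman-group-exchange-sha256"],
  "SshMacs": ["hmac-sha2-256-etm@openssh", "hmac-sha2-512-etm@openssh"],
  "TlsCiphers": ["TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"]}}""")

SECTIONS = ("SshCiphers", "SshKexs", "SshMacs", "TlsCiphers")
# Per the note on this page: SFTP negotiates the Ssh* sections, FTPS only TlsCiphers, FTP none.
PROTOCOL_SECTIONS = {"SFTP": ("SshCiphers", "SshKexs", "SshMacs"), "FTPS": ("TlsCiphers",), "FTP": ()}


def relevant_sections(protocols):
    """Policy sections a server with the given protocols actually negotiates, in policy order."""
    wanted = {s for p in protocols for s in PROTOCOL_SECTIONS[p]}
    return [s for s in SECTIONS if s in wanted]


def legacy_findings(policy, protocols=("SFTP", "FTPS")):
    """Return (section, algorithm, reason) for each algorithm this example treats as legacy."""
    doc, findings = policy["SecurityPolicy"], []
    for section in relevant_sections(protocols):
        for alg in doc[section]:
            if section == "SshKexs" and alg.endswith("-sha1"):
                findings.append((section, alg, "SHA-1 key exchange"))
            elif section == "SshMacs" and "sha1" in alg:
                findings.append((section, alg, "SHA-1 MAC"))
            elif section == "SshMacs" and "-etm@openssh" not in alg:
                findings.append((section, alg, "encrypt-and-MAC rather than encrypt-then-MAC"))
            elif section == "TlsCiphers" and not alg.startswith("TLS_ECDHE_"):
                findings.append((section, alg, "static RSA key exchange, no forward secrecy"))
    return findings


def diff_policies(current, target):
    """Per section: algorithms clients lose ("removed") and gain ("added") moving current -> target."""
    cur, tgt = current["SecurityPolicy"], target["SecurityPolicy"]
    return {s: {"removed": sorted(set(cur[s]) - set(tgt[s])),
                "added": sorted(set(tgt[s]) - set(cur[s]))} for s in SECTIONS}


if __name__ == "__main__":
    for section, alg, reason in legacy_findings(POLICY_2018_11):
        print(f"{section}: {alg} ({reason})")
    print(json.dumps(diff_policies(POLICY_2018_11, POLICY_2024_01), indent=2))
```

The "removed" lists are the ones to check against your client inventory before changing a server's policy, since any client that only offers a removed algorithm will fail to connect afterwards.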
TransferSecurityPolicy-2024-01
The following shows the TransferSecurityPolicy-2024-01 security policy.
```json
{
  "SecurityPolicy": {
    "Fips": false,
    "SecurityPolicyName": "TransferSecurityPolicy-2024-01",
    "SshCiphers": [
      "aes128-gcm@openssh", "aes256-gcm@openssh", "aes128-ctr", "aes256-ctr", "aes192-ctr"
    ],
    "SshKexs": [
      "[email protected]", "x25519-kyber-512r3-sha256-d00@amazon", "[email protected]", "[email protected]",
      "ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521", "curve25519-sha256", "[email protected]",
      "diffie-hellman-group18-sha512", "diffie-hellman-group16-sha512", "diffie-hellman-group-exchange-sha256"
    ],
    "SshMacs": [
      "hmac-sha2-256-etm@openssh", "hmac-sha2-512-etm@openssh"
    ],
    "TlsCiphers": [
      "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
      "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
      "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
      "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
    ]
  }
}
```
TransferSecurityPolicy-2023-05
The following shows the TransferSecurityPolicy-2023-05 security policy.
```json
{
  "SecurityPolicy": {
    "Fips": false,
    "SecurityPolicyName": "TransferSecurityPolicy-2023-05",
    "SshCiphers": [
      "aes256-gcm@openssh", "aes128-gcm@openssh", "aes256-ctr", "aes192-ctr"
    ],
    "SshKexs": [
      "curve25519-sha256", "[email protected]", "diffie-hellman-group16-sha512",
      "diffie-hellman-group18-sha512", "diffie-hellman-group-exchange-sha256"
    ],
    "SshMacs": [
      "hmac-sha2-512-etm@openssh", "hmac-sha2-256-etm@openssh"
    ],
    "TlsCiphers": [
      "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
      "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
      "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
      "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
    ]
  }
}
```
TransferSecurityPolicy-2022-03
The following shows the TransferSecurityPolicy-2022-03 security policy.
```json
{
  "SecurityPolicy": {
    "Fips": false,
    "SecurityPolicyName": "TransferSecurityPolicy-2022-03",
    "SshCiphers": [
      "aes256-gcm@openssh", "aes128-gcm@openssh", "aes256-ctr", "aes192-ctr"
    ],
    "SshKexs": [
      "curve25519-sha256", "[email protected]", "diffie-hellman-group16-sha512",
      "diffie-hellman-group18-sha512", "diffie-hellman-group-exchange-sha256"
    ],
    "SshMacs": [
      "hmac-sha2-512-etm@openssh", "hmac-sha2-256-etm@openssh", "hmac-sha2-512", "hmac-sha2-256"
    ],
    "TlsCiphers": [
      "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
      "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
      "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
      "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
    ]
  }
}
```
TransferSecurityPolicy-2020-06 and TransferSecurityPolicy-Restricted-2020-06
The following shows the TransferSecurityPolicy-2020-06 security policy.
Note
The TransferSecurityPolicy-Restricted-2020-06 and TransferSecurityPolicy-2020-06 security policies are identical, except that the restricted policy doesn't support the chacha20-poly1305@openssh cipher.
```json
{
  "SecurityPolicy": {
    "Fips": false,
    "SecurityPolicyName": "TransferSecurityPolicy-2020-06",
    "SshCiphers": [
      "chacha20-poly1305@openssh", // Not included in TransferSecurityPolicy-Restricted-2020-06
      "aes128-ctr", "aes192-ctr", "aes256-ctr", "aes128-gcm@openssh", "aes256-gcm@openssh"
    ],
    "SshKexs": [
      "ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521",
      "diffie-hellman-group-exchange-sha256", "diffie-hellman-group16-sha512",
      "diffie-hellman-group18-sha512", "diffie-hellman-group14-sha256"
    ],
    "SshMacs": [
      "umac-128-etm@openssh", "hmac-sha2-256-etm@openssh", "hmac-sha2-512-etm@openssh",
      "umac-128@openssh", "hmac-sha2-256", "hmac-sha2-512"
    ],
    "TlsCiphers": [
      "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
      "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
      "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
      "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
    ]
  }
}
```
TransferSecurityPolicy-2018-11 and TransferSecurityPolicy-Restricted-2018-11
The following shows the TransferSecurityPolicy-2018-11 security policy.
Note
The TransferSecurityPolicy-Restricted-2018-11 and TransferSecurityPolicy-2018-11 security policies are identical, except that the restricted policy doesn't support the chacha20-poly1305@openssh cipher.
```json
{
  "SecurityPolicy": {
    "Fips": false,
    "SecurityPolicyName": "TransferSecurityPolicy-2018-11",
    "SshCiphers": [
      "chacha20-poly1305@openssh", // Not included in TransferSecurityPolicy-Restricted-2018-11
      "aes128-ctr", "aes192-ctr", "aes256-ctr", "aes128-gcm@openssh", "aes256-gcm@openssh"
    ],
    "SshKexs": [
      "curve25519-sha256", "[email protected]", "ecdh-sha2-nistp256", "ecdh-sha2-nistp384",
      "ecdh-sha2-nistp521", "diffie-hellman-group-exchange-sha256", "diffie-hellman-group16-sha512",
      "diffie-hellman-group18-sha512", "diffie-hellman-group14-sha256", "diffie-hellman-group14-sha1"
    ],
    "SshMacs": [
      "umac-64-etm@openssh", "umac-128-etm@openssh", "hmac-sha2-256-etm@openssh",
      "hmac-sha2-512-etm@openssh", "hmac-sha1-etm@openssh", "umac-64@openssh", "umac-128@openssh",
      "hmac-sha2-256", "hmac-sha2-512", "hmac-sha1"
    ],
    "TlsCiphers": [
      "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
      "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
      "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
      "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
      "TLS_RSA_WITH_AES_128_CBC_SHA256", "TLS_RSA_WITH_AES_256_CBC_SHA256"
    ]
  }
}
```
TransferSecurityPolicy-FIPS-2024-01/TransferSecurityPolicy-FIPS-2024-05
The following shows the TransferSecurityPolicy-FIPS-2024-01 and TransferSecurityPolicy-FIPS-2024-05 security policies.
Note
The FIPS service endpoint and the TransferSecurityPolicy-FIPS-2024-01 and TransferSecurityPolicy-FIPS-2024-05 security policies are only available in some AWS Regions. For more information, see AWS Transfer Family endpoints and quotas in the AWS General Reference.
The only difference between these two security policies is that TransferSecurityPolicy-FIPS-2024-01 supports the ssh-rsa algorithm, and TransferSecurityPolicy-FIPS-2024-05 doesn't.
```json
{
  "SecurityPolicy": {
    "Fips": true,
    "SecurityPolicyName": "TransferSecurityPolicy-FIPS-2024-01",
    "SshCiphers": [
      "aes128-gcm@openssh", "aes256-gcm@openssh", "aes128-ctr", "aes256-ctr", "aes192-ctr"
    ],
    "SshKexs": [
      "[email protected]", "[email protected]", "[email protected]",
      "ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521",
      "diffie-hellman-group18-sha512", "diffie-hellman-group16-sha512", "diffie-hellman-group-exchange-sha256"
    ],
    "SshMacs": [
      "hmac-sha2-256-etm@openssh", "hmac-sha2-512-etm@openssh"
    ],
    "TlsCiphers": [
      "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
      "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
      "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
      "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
    ]
  }
}
```
TransferSecurityPolicy-FIPS-2023-05
The FIPS certification details for AWS Transfer Family can be found at https://csrc.nist.gov/projects/cryptographic-module-validation-program/validated-modules/search/all
The following shows the TransferSecurityPolicy-FIPS-2023-05 security policy.
Note
The FIPS service endpoint and the TransferSecurityPolicy-FIPS-2023-05 security policy are only available in some AWS Regions. For more information, see AWS Transfer Family endpoints and quotas in the AWS General Reference.
```json
{
  "SecurityPolicy": {
    "Fips": true,
    "SecurityPolicyName": "TransferSecurityPolicy-FIPS-2023-05",
    "SshCiphers": [
      "aes256-gcm@openssh", "aes128-gcm@openssh", "aes256-ctr", "aes192-ctr"
    ],
    "SshKexs": [
      "diffie-hellman-group16-sha512", "diffie-hellman-group18-sha512", "diffie-hellman-group-exchange-sha256"
    ],
    "SshMacs": [
      "hmac-sha2-256-etm@openssh", "hmac-sha2-512-etm@openssh"
    ],
    "TlsCiphers": [
      "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
      "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
      "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
      "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
    ]
  }
}
```
TransferSecurityPolicy-FIPS-2020-06
The FIPS certification details for AWS Transfer Family can be found at https://csrc.nist.gov/projects/cryptographic-module-validation-program/validated-modules/search/all
The following shows the TransferSecurityPolicy-FIPS-2020-06 security policy.
Note
The FIPS service endpoint and the TransferSecurityPolicy-FIPS-2020-06 security policy are only available in some AWS Regions. For more information, see AWS Transfer Family endpoints and quotas in the AWS General Reference.
```json
{
  "SecurityPolicy": {
    "Fips": true,
    "SecurityPolicyName": "TransferSecurityPolicy-FIPS-2020-06",
    "SshCiphers": [
      "aes128-ctr", "aes192-ctr", "aes256-ctr", "aes128-gcm@openssh", "aes256-gcm@openssh"
    ],
    "SshKexs": [
      "ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521",
      "diffie-hellman-group-exchange-sha256", "diffie-hellman-group16-sha512",
      "diffie-hellman-group18-sha512", "diffie-hellman-group14-sha256"
    ],
    "SshMacs": [
      "hmac-sha2-256-etm@openssh", "hmac-sha2-512-etm@openssh", "hmac-sha2-256", "hmac-sha2-512"
    ],
    "TlsCiphers": [
      "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
      "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
      "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
      "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
    ]
  }
}
```
Post Quantum security policies
This table lists the algorithms for the Transfer Family post-quantum security policies. These policies are described in detail in Using hybrid post-quantum key exchange with AWS Transfer Family.
The policy listings follow the table.
Security policy | TransferSecurityPolicy-PQ-SSH-Experimental-2023-04 | TransferSecurityPolicy-PQ-SSH-FIPS-Experimental-2023-04 |
---|---|---|
SSH ciphers | | |
aes128-ctr | | ♦ |
aes128-gcm@openssh | ♦ | ♦ |
aes192-ctr | ♦ | ♦ |
aes256-ctr | ♦ | ♦ |
aes256-gcm@openssh | ♦ | ♦ |
KEXs | | |
[email protected] | ♦ | ♦ |
[email protected] | ♦ | ♦ |
[email protected] | ♦ | ♦ |
x25519-kyber-512r3-sha256-d00@amazon | ♦ | |
diffie-hellman-group14-sha256 | | ♦ |
diffie-hellman-group16-sha512 | ♦ | ♦ |
diffie-hellman-group18-sha512 | ♦ | ♦ |
ecdh-sha2-nistp384 | | ♦ |
ecdh-sha2-nistp521 | | ♦ |
diffie-hellman-group-exchange-sha256 | ♦ | ♦ |
ecdh-sha2-nistp256 | | ♦ |
[email protected] | ♦ | |
curve25519-sha256 | ♦ | |
MACs | | |
hmac-sha2-256-etm@openssh | ♦ | ♦ |
hmac-sha2-256 | ♦ | ♦ |
hmac-sha2-512-etm@openssh | ♦ | ♦ |
hmac-sha2-512 | ♦ | ♦ |
TLS ciphers | | |
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 | ♦ | ♦ |
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 | ♦ | ♦ |
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 | ♦ | ♦ |
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 | ♦ | ♦ |
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 | ♦ | ♦ |
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 | ♦ | ♦ |
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 | ♦ | ♦ |
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 | ♦ | ♦ |
TransferSecurityPolicy-PQ-SSH-Experimental-2023-04
The following shows the TransferSecurityPolicy-PQ-SSH-Experimental-2023-04 security policy.
```json
{
  "SecurityPolicy": {
    "Fips": false,
    "SecurityPolicyName": "TransferSecurityPolicy-PQ-SSH-Experimental-2023-04",
    "SshCiphers": [
      "aes256-gcm@openssh", "aes128-gcm@openssh", "aes256-ctr", "aes192-ctr"
    ],
    "SshKexs": [
      "[email protected]", "x25519-kyber-512r3-sha256-d00@amazon", "[email protected]", "[email protected]",
      "curve25519-sha256", "[email protected]", "diffie-hellman-group16-sha512",
      "diffie-hellman-group18-sha512", "diffie-hellman-group-exchange-sha256"
    ],
    "SshMacs": [
      "hmac-sha2-512-etm@openssh", "hmac-sha2-256-etm@openssh", "hmac-sha2-512", "hmac-sha2-256"
    ],
    "TlsCiphers": [
      "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
      "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
      "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
      "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
    ]
  }
}
```
TransferSecurityPolicy-PQ-SSH-FIPS-Experimental-2023-04
The following shows the TransferSecurityPolicy-PQ-SSH-FIPS-Experimental-2023-04 security policy.
```json
{
  "SecurityPolicy": {
    "Fips": true,
    "SecurityPolicyName": "TransferSecurityPolicy-PQ-SSH-FIPS-Experimental-2023-04",
    "SshCiphers": [
      "aes256-gcm@openssh", "aes128-gcm@openssh", "aes256-ctr", "aes192-ctr", "aes128-ctr"
    ],
    "SshKexs": [
      "[email protected]", "[email protected]", "[email protected]",
      "ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521",
      "diffie-hellman-group-exchange-sha256", "diffie-hellman-group16-sha512",
      "diffie-hellman-group18-sha512", "diffie-hellman-group14-sha256"
    ],
    "SshMacs": [
      "hmac-sha2-512-etm@openssh", "hmac-sha2-256-etm@openssh", "hmac-sha2-512", "hmac-sha2-256"
    ],
    "TlsCiphers": [
      "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
      "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
      "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
      "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
    ]
  }
}
```