Le traduzioni sono generate tramite traduzione automatica. In caso di conflitto tra il contenuto di una traduzione e la versione originale in Inglese, quest'ultima prevarrà.
# Politiche di sicurezza per i server AWS Transfer Family
Le politiche di sicurezza del server AWS Transfer Family consentono di limitare l'insieme di algoritmi crittografici (codici di autenticazione dei messaggi (), scambi di chiavi (MACs), suite di crittografia, cifrari di crittografia dei contenuti e algoritmi hashKEXs) associati al server.
AWS Transfer Family supporta politiche di sicurezza post-quantistiche che utilizzano algoritmi di scambio di chiavi ibridi, combinando metodi crittografici tradizionali con algoritmi post-quantistici per fornire una maggiore sicurezza contro le future minacce informatiche quantistiche. Per ulteriori informazioni, consulta [Utilizzo dello scambio di chiavi post-quantistiche ibrido con AWS Transfer Family](post-quantum-security-policies.md).
Per un elenco degli algoritmi crittografici supportati, vedere. [Algoritmi crittografici](#cryptographic-algorithms) Per un elenco degli algoritmi a chiave supportati da utilizzare con le chiavi dell'host del server e le chiavi utente gestite dal servizio, vedere. [Gestione delle chiavi SSH e PGP in Transfer Family](key-management.md)
**Nota**
A partire dal 2025, tutte le nuove politiche di AWS Transfer Family sicurezza includono il supporto crittografico post-quantistico che utilizza algoritmi di scambio di chiavi ibridi. Per ulteriori informazioni sulla sicurezza post-quantistica, vedere. [Utilizzo dello scambio di chiavi post-quantistiche ibrido con AWS Transfer Family](post-quantum-security-policies.md)
**Nota**
Consigliamo vivamente di aggiornare i server alla nostra politica di sicurezza più recente.
`TransferSecurityPolicy-2024-01`è la politica di sicurezza predefinita allegata al server quando si crea un server utilizzando la console, l'API o la CLI.
Se si crea un server Transfer Family utilizzando CloudFormation e si accetta la politica di sicurezza predefinita, il server viene assegnato`TransferSecurityPolicy-2018-11`.
Se sei preoccupato per la compatibilità dei client, indica affermativamente quale politica di sicurezza desideri utilizzare durante la creazione o l'aggiornamento di un server anziché utilizzare la politica predefinita, che è soggetta a modifiche. Per modificare la politica di sicurezza di un server, consulta. [Modifica la politica di sicurezza](edit-server-config.md#edit-cryptographic-algorithm)
**Nota**
**Le precedenti politiche post-quantistiche (**TransferSecurityPolicy-PQ-SSH-Experimental-2023-04 e -PQ-SSH-FIPS-Experimental-2023-04**) sono obsolete. TransferSecurityPolicy** Ti consigliamo invece di utilizzare le nuove politiche.
Per ulteriori informazioni sulla sicurezza in Transfer Family, consulta i seguenti post del blog:
+ [Sei suggerimenti per migliorare la sicurezza del tuo AWS Transfer Family server](https://aws.amazon.com/blogs/security/six-tips-to-improve-the-security-of-your-aws-transfer-family-server/)
+ [In che modo Transfer Family può aiutarti a creare una soluzione di trasferimento di file gestita sicura e conforme](https://aws.amazon.com/blogs/security/how-transfer-family-can-help-you-build-a-secure-compliant-managed-file-transfer-solution/)
**Topics**
+ [Algoritmi crittografici](#cryptographic-algorithms)
+ [Dettagli della politica di sicurezza](#security-policy-details)
## Algoritmi crittografici
Per le chiavi host, supportiamo i seguenti algoritmi:
+ `rsa-sha2-256`
+ `rsa-sha2-512`
+ `ecdsa-sha2-nistp256`
+ `ecdsa-sha2-nistp384`
+ `ecdsa-sha2-nistp521`
+ `ssh-ed25519`
Inoltre, le seguenti politiche di sicurezza consentono`ssh-rsa`:
+ TransferSecurityPolicy-2018-11
+ TransferSecurityPolicy-2020-06
+ TransferSecurityPolicy-FIPS-2020-06
+ TransferSecurityPolicy-FIPS-2023-05
+ TransferSecurityPolicy-FIPS-2024-01
**Nota**
È importante comprendere la distinzione tra il tipo di chiave RSA, che è sempre, `ssh-rsa` e l'algoritmo della chiave host RSA, che può essere uno qualsiasi degli algoritmi supportati.
Di seguito è riportato un elenco di algoritmi crittografici supportati per ogni policy di sicurezza.
**Nota**
Nella tabella e nelle politiche seguenti, si noti il seguente utilizzo dei tipi di algoritmo.
I server SFTP utilizzano solo algoritmi nelle sezioni **SshCiphers**SshKexs****, e **SshMacs**.
I server FTPS utilizzano solo gli algoritmi presenti nella sezione. **TlsCiphers**
I server FTP, poiché non utilizzano la crittografia, non utilizzano nessuno di questi algoritmi.
AS2 i server utilizzano solo algoritmi nelle sezioni and. **ContentEncryptionCiphers**HashAlgorithms**** Queste sezioni definiscono gli algoritmi utilizzati per crittografare e firmare il contenuto dei file.
Le politiche di sicurezza FIPS-2024-05 e FIPS-2024-01 sono identiche, tranne per il fatto che FIPS-2024-05 non supporta l'algoritmo. `ssh-rsa`
Transfer Family ha introdotto nuove politiche limitate che sono strettamente parallele alle politiche esistenti:
Le politiche di sicurezza TransferSecurityPolicy -Restricted-2018-11 e TransferSecurityPolicy -2018-11 sono identiche, tranne per il fatto che la politica con restrizioni non supporta il codice. `chacha20-poly1305@openssh.com`
Le politiche di sicurezza TransferSecurityPolicy -Restricted-2020-06 e -2020-06 sono identiche, tranne per il fatto che la politica con restrizioni non supporta la TransferSecurityPolicy crittografia. `chacha20-poly1305@openssh.com`
\$1 Nella tabella seguente, il codice è incluso solo nella politica senza restrizioni, `chacha20-poly1305@openssh.com`
| Policy di sicurezza | [TransferSecurityPolicy-2025-03](#security-policy-transfer-2025-03) | [TransferSecurityPolicy-FIPS-2025-03](#security-policy-transfer-2025-03-fips) | [TransferSecurityPolicySshAuditCompliant- -2025-02](#security-policy-transferSecurityPolicy-SshAuditCompliant-2025-02) | [TransferSecurityPolicy- AS2 Limitato-2025-07](#security-policy-transfer-as2restricted-2025-07) | [TransferSecurityPolicy-2024-01](#security-policy-transfer-2024-01) | **[TransferSecurityPolicyTransferSecurityPolicy-FIPS-2024-01/ -FIPS-2024-05](#security-policy-transfer-fips-2024-01)** | [TransferSecurityPolicy-2023-05](#security-policy-transfer-2023-05) | [TransferSecurityPolicy-FIPS-2023-05](#security-policy-transfer-fips-2023-05) | [TransferSecurityPolicy-2022-03](#security-policy-transfer-2022-03) | **[TransferSecurityPolicy TransferSecurityPolicy-2020-06 e -Restricted-2020-06](#security-policy-transfer-2020-06)** | [TransferSecurityPolicy-FIPS-2020-06](#security-policy-transfer-fips-2020-06) | **[TransferSecurityPolicy TransferSecurityPolicy-2018-11 e -Restricted-2018-11](#security-policy-transfer-2018-11)** |
| --- |--- |--- |--- |--- |--- |--- |--- |--- |--- |--- |--- |--- |
| **SshCiphers** |
| --- |
| aes128-ctr | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | | | | ♦ | ♦ | ♦ |
| aes128-gcm@openssh.com | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
| aes192-ctr | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
| aes256-ctr | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
| aes256-gcm@openssh.com | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
| chacha20-poly1305@openssh.com | | | | | | | | | | ♦\$1 | | ♦\$1 |
| **SshKexs** |
| --- |
| mlkem768x25519-sha256 | ♦ | ♦ | | ♦ | | | | | | | | |
| mlkem768nistp256-sha256 | ♦ | ♦ | | ♦ | | | | | | | | |
| mlkem1024nistp384-sha384 | ♦ | ♦ | | ♦ | | | | | | | | |
| curva 25519-sha256 | ♦ | | ♦ | ♦ | ♦ | | ♦ | | ♦ | | | ♦ |
| curve25519-sha256@libssh.org | ♦ | | ♦ | ♦ | ♦ | | ♦ | | ♦ | | | ♦ |
| diffie-hellman-group14 - sha1 | | | | | | | | | | | | ♦ |
| diffie-hellman-group14-sha256 | | | | | | | | | | ♦ | ♦ | ♦ |
| diffie-hellman-group16-sha512 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
| diffie-hellman-group18-sha512 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
| diffie-hellman-group-exchange-sha256 | ♦ | ♦ | ♦ | ♦ | ♦ | | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
| ecdh-sha2-nistp256 | ♦ | ♦ | | ♦ | ♦ | ♦ | | | | ♦ | ♦ | ♦ |
| ecdh-sha2-nistp384 | ♦ | ♦ | | ♦ | ♦ | ♦ | | | | ♦ | ♦ | ♦ |
| ecdh-sha2-nistp521 | ♦ | ♦ | | ♦ | ♦ | ♦ | | | | ♦ | ♦ | ♦ |
| **SshMacs** |
| --- |
| hmac-sha1 | | | | | | | | | | | | ♦ |
| hmac-sha1-etm@openssh.com | | | | | | | | | | | | ♦ |
| hmac-sha2-256 | | | | | | | | | ♦ | ♦ | ♦ | ♦ |
| hmac-sha2-256-etm@openssh.com | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
| hmac-sha2-512 | | | | | | | | | ♦ | ♦ | ♦ | ♦ |
| hmac-sha2-512-etm@openssh.com | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
| umac-128-etm@openssh.com | | | | | | | | | | ♦ | | ♦ |
| umac-128@openssh.com | | | | | | | | | | ♦ | | ♦ |
| umac-64-etm@openssh.com | | | | | | | | | | | | ♦ |
| umac-64@openssh.com | | | | | | | | | | | | ♦ |
| **ContentEncryptionCiphers** |
| --- |
| aes256-cbc | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
| aes192-cbc | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
| aes128-cbc | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
| 3des-cbc | ♦ | ♦ | ♦ | | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
| **HashAlgorithms** |
| --- |
| sha256 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
| sha384 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
| sha512 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
| sha1 | ♦ | ♦ | ♦ | | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
| **TlsCiphers** |
| --- |
| TLS\$1ECDHE\$1ECDSA\$1CON\$1AES\$1128\$1CBC\$1 SHA256 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
| TLS\$1ECDHE\$1ECDSA\$1CON\$1AES\$1128\$1GCM\$1 SHA256 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
| TLS\$1ECDHE\$1ECDSA\$1CON\$1AES\$1256\$1CBC\$1 SHA384 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
| TLS\$1ECDHE\$1ECDSA\$1CON\$1AES\$1256\$1GCM\$1 SHA384 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
| TLS\$1ECDHE\$1RSA\$1CON\$1AES\$1128\$1CBC\$1 SHA256 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
| TLS\$1ECDHE\$1RSA\$1CON\$1AES\$1128\$1GCM\$1 SHA256 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
| TLS\$1ECDHE\$1RSA\$1CON\$1AES\$1256\$1CBC\$1 SHA384 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
| TLS\$1ECDHE\$1RSA\$1CON\$1AES\$1256\$1GCM\$1 SHA384 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
| TLS\$1RSA\$1CON\$1AES\$1128\$1CBC\$1 SHA256 | | | | | | | | | | | | ♦ |
| TLS\$1RSA\$1CON\$1AES\$1256\$1CBC\$1 SHA256 | | | | | | | | | | | | ♦ |
## Dettagli della politica di sicurezza
Le seguenti sezioni contengono la rappresentazione JSON di ogni policy di sicurezza.
### TransferSecurityPolicy-2025-03
Di seguito viene illustrata la politica di sicurezza -2025-03 TransferSecurityPolicy.
```
{
"SecurityPolicy": {
"Fips": false,
"SecurityPolicyName": "TransferSecurityPolicy-2025-03",
"SshCiphers": [
"aes256-gcm@openssh.com",
"aes128-gcm@openssh.com",
"aes128-ctr",
"aes256-ctr",
"aes192-ctr"
],
"SshKexs": [
"mlkem768x25519-sha256",
"mlkem768nistp256-sha256",
"mlkem1024nistp384-sha384",
"ecdh-sha2-nistp256",
"ecdh-sha2-nistp384",
"ecdh-sha2-nistp521",
"curve25519-sha256",
"curve25519-sha256@libssh.org",
"diffie-hellman-group16-sha512",
"diffie-hellman-group18-sha512",
"diffie-hellman-group-exchange-sha256"
],
"SshMacs": [
"hmac-sha2-256-etm@openssh.com",
"hmac-sha2-512-etm@openssh.com"
],
"ContentEncryptionCiphers": [
"aes256-cbc",
"aes192-cbc",
"aes128-cbc",
"3des-cbc"
],
"HashAlgorithms": [
"sha256",
"sha384",
"sha512",
"sha1"
],
"TlsCiphers": [
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
],
"Type": "SERVER",
"Protocols": [
"SFTP",
"FTPS"
]
}
}
```
### TransferSecurityPolicy-FIPS-2025-03
Di seguito viene illustrata la politica di sicurezza -FIPS-2025-03. TransferSecurityPolicy
```
{
"SecurityPolicy": {
"Fips": true,
"SecurityPolicyName": "TransferSecurityPolicy-FIPS-2025-03",
"SshCiphers": [
"aes256-gcm@openssh.com",
"aes128-gcm@openssh.com",
"aes256-ctr",
"aes192-ctr",
"aes128-ctr"
],
"SshKexs": [
"mlkem768x25519-sha256",
"mlkem768nistp256-sha256",
"mlkem1024nistp384-sha384",
"ecdh-sha2-nistp256",
"ecdh-sha2-nistp384",
"ecdh-sha2-nistp521",
"diffie-hellman-group-exchange-sha256",
"diffie-hellman-group16-sha512",
"diffie-hellman-group18-sha512"
],
"SshMacs": [
"hmac-sha2-512-etm@openssh.com",
"hmac-sha2-256-etm@openssh.com"
],
"ContentEncryptionCiphers": [
"aes256-cbc",
"aes192-cbc",
"aes128-cbc",
"3des-cbc"
],
"HashAlgorithms": [
"sha256",
"sha384",
"sha512",
"sha1"
],
"TlsCiphers": [
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
],
"Type": "SERVER",
"Protocols": [
"SFTP",
"FTPS"
]
}
}
```
### TransferSecurityPolicy- AS2 Limitato-2025-07
Questa politica di sicurezza è progettata per i trasferimenti di AS2 file che richiedono una maggiore sicurezza escludendo gli algoritmi crittografici legacy. Supporta la moderna crittografia AES e gli algoritmi di hash SHA-2, rimuovendo al contempo il supporto per algoritmi più deboli come 3DES e SHA-1.
**Nota**
Questa politica di sicurezza è identica a TransferSecurityPolicy -2025-03, tranne per il fatto che non supporta 3DES (in) e non supporta (in). ContentEncryptionCiphers SHA1 HashAlgorithms Include tutti gli algoritmi del 2025-03, inclusi gli algoritmi crittografici post-quantistici (mlkem\$1). KEXs
```
{
"SecurityPolicy": {
"Fips": false,
"SecurityPolicyName": "TransferSecurityPolicy-AS2Restricted-2025-07",
"SshCiphers": [
"aes256-gcm@openssh.com",
"aes128-gcm@openssh.com",
"aes128-ctr",
"aes256-ctr",
"aes192-ctr"
],
"SshKexs": [
"mlkem768x25519-sha256",
"mlkem768nistp256-sha256",
"mlkem1024nistp384-sha384",
"ecdh-sha2-nistp256",
"ecdh-sha2-nistp384",
"ecdh-sha2-nistp521",
"curve25519-sha256",
"curve25519-sha256@libssh.org",
"diffie-hellman-group16-sha512",
"diffie-hellman-group18-sha512",
"diffie-hellman-group-exchange-sha256"
],
"SshMacs": [
"hmac-sha2-256-etm@openssh.com",
"hmac-sha2-512-etm@openssh.com"
],
"ContentEncryptionCiphers": [
"aes256-cbc",
"aes192-cbc",
"aes128-cbc"
],
"HashAlgorithms": [
"sha256",
"sha384",
"sha512"
],
"TlsCiphers": [
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
],
"Type": "SERVER",
"Protocols": [
"SFTP",
"FTPS"
]
}
}
```
### TransferSecurityPolicySshAuditCompliant- -2025-02
Di seguito viene illustrata la politica di sicurezza TransferSecurityPolicy - -2025-02SshAuditCompliant.
**Nota**
Questa politica di sicurezza è progettata sulla base delle raccomandazioni fornite dallo `ssh-audit` strumento ed è conforme al 100% a tale strumento.
```
{
"SecurityPolicy": {
"Fips": false,
"Protocols": [
"SFTP",
"FTPS"
],
"SecurityPolicyName": "TransferSecurityPolicy-SshAuditCompliant-2025-02",
"SshCiphers": [
"aes128-gcm@openssh.com",
"aes256-gcm@openssh.com",
"aes128-ctr",
"aes256-ctr",
"aes192-ctr"
],
"SshKexs": [
"curve25519-sha256",
"curve25519-sha256@libssh.org",
"diffie-hellman-group18-sha512",
"diffie-hellman-group16-sha512",
"diffie-hellman-group-exchange-sha256"
],
"SshMacs": [
"hmac-sha2-256-etm@openssh.com",
"hmac-sha2-512-etm@openssh.com"
],
"ContentEncryptionCiphers": [
"aes256-cbc",
"aes192-cbc",
"aes128-cbc",
"3des-cbc"
],
"HashAlgorithms": [
"sha256",
"sha384",
"sha512",
"sha1"
],
"TlsCiphers": [
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
],
"Type": "SERVER"
}
}
```
### TransferSecurityPolicy-2024-01
Di seguito viene illustrata la politica di sicurezza -2024-01 TransferSecurityPolicy.
```
{
"SecurityPolicy": {
"Fips": false,
"SecurityPolicyName": "TransferSecurityPolicy-2024-01",
"SshCiphers": [
"aes128-gcm@openssh.com",
"aes256-gcm@openssh.com",
"aes128-ctr",
"aes256-ctr",
"aes192-ctr"
],
"SshKexs": [
"ecdh-sha2-nistp256",
"ecdh-sha2-nistp384",
"ecdh-sha2-nistp521",
"curve25519-sha256",
"curve25519-sha256@libssh.org",
"diffie-hellman-group18-sha512",
"diffie-hellman-group16-sha512",
"diffie-hellman-group-exchange-sha256"
],
"SshMacs": [
"hmac-sha2-256-etm@openssh.com",
"hmac-sha2-512-etm@openssh.com"
],
"ContentEncryptionCiphers": [
"aes256-cbc",
"aes192-cbc",
"aes128-cbc",
"3des-cbc"
],
"HashAlgorithms": [
"sha256",
"sha384",
"sha512",
"sha1"
],
"TlsCiphers": [
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
]
}
}
```
### TransferSecurityPolicyTransferSecurityPolicy-FIPS-2024-01/ -FIPS-2024-05
Di seguito vengono illustrate le politiche di sicurezza -FIPS-2024-01 e -FIPS-2024-05. TransferSecurityPolicy TransferSecurityPolicy
**Nota**
L'endpoint del servizio FIPS e le politiche di sicurezza -FIPS-2024-01 e -FIPS-2024-05 sono disponibili solo in alcune regioni. TransferSecurityPolicy TransferSecurityPolicy AWS Per ulteriori informazioni, consulta [Endpoint e quote AWS Transfer Family](https://docs.aws.amazon.com/general/latest/gr/transfer-service.html) nella *Riferimenti generali di AWS*.
L'unica differenza tra queste due politiche di sicurezza è che -FIPS-2024-01 supporta l'algoritmo e -FIPS-2024-05 no. TransferSecurityPolicy `ssh-rsa` TransferSecurityPolicy
```
{
"SecurityPolicy": {
"Fips": true,
"SecurityPolicyName": "TransferSecurityPolicy-FIPS-2024-01",
"SshCiphers": [
"aes128-gcm@openssh.com",
"aes256-gcm@openssh.com",
"aes128-ctr",
"aes256-ctr",
"aes192-ctr"
],
"SshKexs": [
"ecdh-sha2-nistp256",
"ecdh-sha2-nistp384",
"ecdh-sha2-nistp521",
"diffie-hellman-group18-sha512",
"diffie-hellman-group16-sha512",
"diffie-hellman-group-exchange-sha256"
],
"SshMacs": [
"hmac-sha2-256-etm@openssh.com",
"hmac-sha2-512-etm@openssh.com"
],
"ContentEncryptionCiphers": [
"aes256-cbc",
"aes192-cbc",
"aes128-cbc",
"3des-cbc"
],
"HashAlgorithms": [
"sha256",
"sha384",
"sha512",
"sha1"
],
"TlsCiphers": [
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
]
}
}
```
### TransferSecurityPolicy-2023-05
Di seguito viene illustrata la politica di sicurezza TransferSecurityPolicy -2023-05.
```
{
"SecurityPolicy": {
"Fips": false,
"SecurityPolicyName": "TransferSecurityPolicy-2023-05",
"SshCiphers": [
"aes256-gcm@openssh.com",
"aes128-gcm@openssh.com",
"aes256-ctr",
"aes192-ctr"
],
"SshKexs": [
"curve25519-sha256",
"curve25519-sha256@libssh.org",
"diffie-hellman-group16-sha512",
"diffie-hellman-group18-sha512",
"diffie-hellman-group-exchange-sha256"
],
"SshMacs": [
"hmac-sha2-512-etm@openssh.com",
"hmac-sha2-256-etm@openssh.com"
],
"ContentEncryptionCiphers": [
"aes256-cbc",
"aes192-cbc",
"aes128-cbc",
"3des-cbc"
],
"HashAlgorithms": [
"sha256",
"sha384",
"sha512",
"sha1"
],
"TlsCiphers": [
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
]
}
}
```
### TransferSecurityPolicy-FIPS-2023-05
I dettagli della certificazione FIPS per sono disponibili all'indirizzo AWS Transfer Family [https://csrc.nist.gov/projects/cryptographic-module-validation-program/validated-modules/search/all](https://csrc.nist.gov/projects/cryptographic-module-validation-program/validated-modules/search/all)
Di seguito viene illustrata la politica di sicurezza TransferSecurityPolicy -FIPS-2023-05.
**Nota**
L'endpoint del servizio FIPS e la politica di sicurezza TransferSecurityPolicy -FIPS-2023-05 sono disponibili solo in alcune regioni. AWS Per ulteriori informazioni, consulta [Endpoint e quote AWS Transfer Family](https://docs.aws.amazon.com/general/latest/gr/transfer-service.html) nella *Riferimenti generali di AWS*.
```
{
"SecurityPolicy": {
"Fips": true,
"SecurityPolicyName": "TransferSecurityPolicy-FIPS-2023-05",
"SshCiphers": [
"aes256-gcm@openssh.com",
"aes128-gcm@openssh.com",
"aes256-ctr",
"aes192-ctr"
],
"SshKexs": [
"diffie-hellman-group16-sha512",
"diffie-hellman-group18-sha512",
"diffie-hellman-group-exchange-sha256"
],
"SshMacs": [
"hmac-sha2-256-etm@openssh.com",
"hmac-sha2-512-etm@openssh.com"
],
"ContentEncryptionCiphers": [
"aes256-cbc",
"aes192-cbc",
"aes128-cbc",
"3des-cbc"
],
"HashAlgorithms": [
"sha256",
"sha384",
"sha512",
"sha1"
],
"TlsCiphers": [
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
]
}
}
```
### TransferSecurityPolicy-2022-03
Di seguito viene illustrata la politica di sicurezza -2022-03 TransferSecurityPolicy.
```
{
"SecurityPolicy": {
"Fips": false,
"SecurityPolicyName": "TransferSecurityPolicy-2022-03",
"SshCiphers": [
"aes256-gcm@openssh.com",
"aes128-gcm@openssh.com",
"aes256-ctr",
"aes192-ctr"
],
"SshKexs": [
"curve25519-sha256",
"curve25519-sha256@libssh.org",
"diffie-hellman-group16-sha512",
"diffie-hellman-group18-sha512",
"diffie-hellman-group-exchange-sha256"
],
"SshMacs": [
"hmac-sha2-512-etm@openssh.com",
"hmac-sha2-256-etm@openssh.com",
"hmac-sha2-512",
"hmac-sha2-256"
],
"ContentEncryptionCiphers": [
"aes256-cbc",
"aes192-cbc",
"aes128-cbc",
"3des-cbc"
],
"HashAlgorithms": [
"sha256",
"sha384",
"sha512",
"sha1"
],
"TlsCiphers": [
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
]
}
}
```
### TransferSecurityPolicy TransferSecurityPolicy-2020-06 e -Restricted-2020-06
Di seguito viene illustrata la politica di sicurezza -2020-06 TransferSecurityPolicy.
**Nota**
Le politiche di sicurezza TransferSecurityPolicy -Restricted-2020-06 e TransferSecurityPolicy -2020-06 sono identiche, tranne per il fatto che la politica con restrizioni non supporta la crittografia. `chacha20-poly1305@openssh.com`
```
{
"SecurityPolicy": {
"Fips": false,
"SecurityPolicyName": "TransferSecurityPolicy-2020-06",
"SshCiphers": [
"chacha20-poly1305@openssh.com", //Not included in TransferSecurityPolicy-Restricted-2020-06
"aes128-ctr",
"aes192-ctr",
"aes256-ctr",
"aes128-gcm@openssh.com",
"aes256-gcm@openssh.com"
],
"SshKexs": [
"ecdh-sha2-nistp256",
"ecdh-sha2-nistp384",
"ecdh-sha2-nistp521",
"diffie-hellman-group-exchange-sha256",
"diffie-hellman-group16-sha512",
"diffie-hellman-group18-sha512",
"diffie-hellman-group14-sha256"
],
"SshMacs": [
"umac-128-etm@openssh.com",
"hmac-sha2-256-etm@openssh.com",
"hmac-sha2-512-etm@openssh.com",
"umac-128@openssh.com",
"hmac-sha2-256",
"hmac-sha2-512"
],
"ContentEncryptionCiphers": [
"aes256-cbc",
"aes192-cbc",
"aes128-cbc",
"3des-cbc"
],
"HashAlgorithms": [
"sha256",
"sha384",
"sha512",
"sha1"
],
"TlsCiphers": [
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
]
}
}
```
### TransferSecurityPolicy-FIPS-2020-06
I dettagli della certificazione FIPS per sono disponibili all'indirizzo AWS Transfer Family [https://csrc.nist.gov/projects/cryptographic-module-validation-program/validated-modules/search/all](https://csrc.nist.gov/projects/cryptographic-module-validation-program/validated-modules/search/all)
Di seguito viene mostrata la politica di sicurezza TransferSecurityPolicy -FIPS-2020-06.
**Nota**
L'endpoint del servizio FIPS e la politica di sicurezza TransferSecurityPolicy -FIPS-2020-06 sono disponibili solo in alcune regioni. AWS Per ulteriori informazioni, consulta [Endpoint e quote AWS Transfer Family](https://docs.aws.amazon.com/general/latest/gr/transfer-service.html) nella *Riferimenti generali di AWS*.
```
{
"SecurityPolicy": {
"Fips": true,
"SecurityPolicyName": "TransferSecurityPolicy-FIPS-2020-06",
"SshCiphers": [
"aes128-ctr",
"aes192-ctr",
"aes256-ctr",
"aes128-gcm@openssh.com",
"aes256-gcm@openssh.com"
],
"SshKexs": [
"ecdh-sha2-nistp256",
"ecdh-sha2-nistp384",
"ecdh-sha2-nistp521",
"diffie-hellman-group-exchange-sha256",
"diffie-hellman-group16-sha512",
"diffie-hellman-group18-sha512",
"diffie-hellman-group14-sha256"
],
"SshMacs": [
"hmac-sha2-256-etm@openssh.com",
"hmac-sha2-512-etm@openssh.com",
"hmac-sha2-256",
"hmac-sha2-512"
],
"ContentEncryptionCiphers": [
"aes256-cbc",
"aes192-cbc",
"aes128-cbc",
"3des-cbc"
],
"HashAlgorithms": [
"sha256",
"sha384",
"sha512",
"sha1"
],
"TlsCiphers": [
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
]
}
}
```
### TransferSecurityPolicy TransferSecurityPolicy-2018-11 e -Restricted-2018-11
Di seguito viene illustrata la politica di sicurezza TransferSecurityPolicy -2018-11.
**Nota**
Le politiche di sicurezza TransferSecurityPolicy -Restricted-2018-11 e TransferSecurityPolicy -2018-11 sono identiche, tranne per il fatto che la politica con restrizioni non supporta il codice. `chacha20-poly1305@openssh.com`
```
{
"SecurityPolicy": {
"Fips": false,
"SecurityPolicyName": "TransferSecurityPolicy-2018-11",
"SshCiphers": [
"chacha20-poly1305@openssh.com", //Not included in TransferSecurityPolicy-Restricted-2018-11
"aes128-ctr",
"aes192-ctr",
"aes256-ctr",
"aes128-gcm@openssh.com",
"aes256-gcm@openssh.com"
],
"SshKexs": [
"curve25519-sha256",
"curve25519-sha256@libssh.org",
"ecdh-sha2-nistp256",
"ecdh-sha2-nistp384",
"ecdh-sha2-nistp521",
"diffie-hellman-group-exchange-sha256",
"diffie-hellman-group16-sha512",
"diffie-hellman-group18-sha512",
"diffie-hellman-group14-sha256",
"diffie-hellman-group14-sha1"
],
"SshMacs": [
"umac-64-etm@openssh.com",
"umac-128-etm@openssh.com",
"hmac-sha2-256-etm@openssh.com",
"hmac-sha2-512-etm@openssh.com",
"hmac-sha1-etm@openssh.com",
"umac-64@openssh.com",
"umac-128@openssh.com",
"hmac-sha2-256",
"hmac-sha2-512",
"hmac-sha1"
],
"ContentEncryptionCiphers": [
"aes256-cbc",
"aes192-cbc",
"aes128-cbc",
"3des-cbc"
],
"HashAlgorithms": [
"sha256",
"sha384",
"sha512",
"sha1"
],
"TlsCiphers": [
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
"TLS_RSA_WITH_AES_128_CBC_SHA256",
"TLS_RSA_WITH_AES_256_CBC_SHA256"
]
}
}
```