本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。
使用安全策略
中的服务器安全策略Amazon Transfer Family允许您限制与服务器关联的一组加密算法(消息身份验证码 (MAC)、密钥交换 (KEX) 和密码套件)。有关受支持的加密算法的列表,请参阅加密算法。有关支持用于服务器主机密钥和服务管理的用户密钥的密钥算法列表,请参阅支持的用户和服务器密钥算法。
我们支持 TLS 1.2。
服务器的可用安全策略有:
主题
-
TransferSecurityPolicy-2020-06
是使用控制台创建服务器时附加到服务器的默认安全策略。 -
TransferSecurityPolicy-2018-11
是使用 API 或 CLI 创建服务器时附加到服务器的默认安全策略。
加密算法
以下是每种安全策略支持的加密算法列表。
安全策略 | 2022-03 | 2020-06 | FIPS-2020-06 | 2018-11 |
---|---|---|---|---|
SSH ciphers |
||||
aes128-ctr |
|
♦ |
♦ |
♦ |
aes128-gcm@openssh.com |
♦ |
♦ |
♦ |
♦ |
aes192-ctr |
♦ |
♦ |
♦ |
♦ |
aes256-ctr |
♦ |
♦ |
♦ |
♦ |
aes256-gcm@openssh.com |
♦ |
♦ |
♦ |
♦ |
chacha20-poly1305@openssh.com |
|
♦ |
|
♦ |
KEXs |
||||
diffie-hellman-group14-sha256 |
|
♦ |
♦ |
♦ |
diffie-hellman-group16-sha512 |
♦ |
♦ |
♦ |
♦ |
diffie-hellman-group18-sha512 |
♦ |
♦ |
♦ |
♦ |
ecdh-sha2-nistp384 |
|
♦ |
♦ |
♦ |
ecdh-sha2-nistp521 |
|
♦ |
♦ |
♦ |
diffie-hellman-group-exchange-sha256 |
♦ |
♦ |
♦ |
♦ |
diffie-hellman-group14-sha1 |
|
|
|
♦ |
ecdh-sha2-nistp256 |
|
♦ |
♦ |
♦ |
curve25519-sha256@libssh.org |
♦ |
|
|
♦ |
curve25519-sha256 |
♦ |
|
|
♦ |
MACs |
||||
hmac-sha2-256-etm@openssh.com |
♦ |
♦ |
♦ |
♦ |
hmac-sha2-256 |
♦ |
♦ |
♦ |
♦ |
hmac-sha2-512-etm@openssh.com |
♦ |
♦ |
♦ |
♦ |
hmac-sha2-512 |
♦ |
♦ |
♦ |
♦ |
hmac-sha1-etm@openssh.com |
|
|
|
♦ |
hmac-sha1 |
|
|
|
♦ |
umac-128-etm@openssh.com |
|
♦ |
|
♦ |
umac-128@openssh.com |
|
♦ |
|
♦ |
umac-64-etm@openssh.com |
|
|
|
♦ |
umac-64@openssh.com |
|
|
|
♦ |
TLS ciphers |
||||
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 |
♦ |
♦ |
♦ |
♦ |
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 |
♦ |
♦ |
♦ |
♦ |
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 |
♦ |
♦ |
♦ |
♦ |
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 |
♦ |
♦ |
♦ |
♦ |
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 |
♦ |
♦ |
♦ |
♦ |
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 |
♦ |
♦ |
♦ |
♦ |
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 |
♦ |
♦ |
♦ |
♦ |
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 |
♦ |
♦ |
♦ |
♦ |
TLS_RSA_WITH_AES_128_CBC_SHA256 |
|
|
|
♦ |
TLS_RSA_WITH_AES_256_CBC_SHA256 |
|
|
|
♦ |
TransferSecurityPolicy-2022-03
以下显示了 TransferSecurityPolicy -2022-03 安全策略。
{ "SecurityPolicy": { "Fips": false, "SecurityPolicyName": "TransferSecurityPolicy-2022-03", "SshCiphers": [ "aes256-gcm@openssh.com", "aes128-gcm@openssh.com", "aes256-ctr", "aes192-ctr" ], "SshKexs": [ "curve25519-sha256", "curve25519-sha256@libssh.org", "diffie-hellman-group16-sha512", "diffie-hellman-group18-sha512", "diffie-hellman-group-exchange-sha256" ], "SshMacs": [ "hmac-sha2-512-etm@openssh.com", "hmac-sha2-256-etm@openssh.com", "hmac-sha2-512", "hmac-sha2-256" ], "TlsCiphers": [ "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384" ] } }
TransferSecurityPolicy-2020-06
以下显示了 TransferSecurityPolicy -2020-06 安全策略。这是未启用 FIPS 的服务器端点的默认安全策略。
{ "SecurityPolicy": { "Fips": false, "SecurityPolicyName": "TransferSecurityPolicy-2020-06", "SshCiphers": [ "chacha20-poly1305@openssh.com", "aes128-ctr", "aes192-ctr", "aes256-ctr", "aes128-gcm@openssh.com", "aes256-gcm@openssh.com" ], "SshKexs": [ "ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521", "diffie-hellman-group-exchange-sha256", "diffie-hellman-group16-sha512", "diffie-hellman-group18-sha512", "diffie-hellman-group14-sha256" ], "SshMacs": [ "umac-128-etm@openssh.com", "hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com", "umac-128@openssh.com", "hmac-sha2-256", "hmac-sha2-512" ], "TlsCiphers": [ "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384" ] } }
TransferSecurityPolicy-2018-11
以下显示了 TransferSecurityPolicy -2018-11 安全策略。此安全策略是所有支持的加密算法的当前集合。
{ "SecurityPolicy": { "Fips": false, "SecurityPolicyName": "TransferSecurityPolicy-2018-11", "SshCiphers": [ "chacha20-poly1305@openssh.com", "aes128-ctr", "aes192-ctr", "aes256-ctr", "aes128-gcm@openssh.com", "aes256-gcm@openssh.com" ], "SshKexs": [ "curve25519-sha256", "curve25519-sha256@libssh.org", "ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521", "diffie-hellman-group-exchange-sha256", "diffie-hellman-group16-sha512", "diffie-hellman-group18-sha512", "diffie-hellman-group14-sha256", "diffie-hellman-group14-sha1" ], "SshMacs": [ "umac-64-etm@openssh.com", "umac-128-etm@openssh.com", "hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com", "hmac-sha1-etm@openssh.com", "umac-64@openssh.com", "umac-128@openssh.com", "hmac-sha2-256", "hmac-sha2-512", "hmac-sha1" ], "TlsCiphers": [ "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", "TLS_RSA_WITH_AES_128_CBC_SHA256", "TLS_RSA_WITH_AES_256_CBC_SHA256" ] } }
TransferSecurityPolicy-FIPS-2020-06
的 FIPS 认证详细信息Amazon Transfer Family可在以下网址找到https://csrc.nist.gov/projects/cryptographic-module-validation-program/validated-modules/search/all
以下显示了 TransferSecurityPolicy-FIPS-2020-06 安全策略。此安全策略包含所有支持的 FIPS 兼容加密算法。这是启用 FIPS 的服务器端点的默认安全策略。
FIPS 服务端点和 TransferSecurityPolicy-FIPS-2020-06 安全策略仅在某些Amazon地区可用。有关更多信息,请参阅《Amazon 一般参考》中的 Amazon Transfer Family 端点和配额。
{ "SecurityPolicy": { "Fips": true, "SecurityPolicyName": "TransferSecurityPolicy-FIPS-2020-06", "SshCiphers": [ "aes128-ctr", "aes192-ctr", "aes256-ctr", "aes128-gcm@openssh.com", "aes256-gcm@openssh.com" ], "SshKexs": [ "ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521", "diffie-hellman-group-exchange-sha256", "diffie-hellman-group16-sha512", "diffie-hellman-group18-sha512", "diffie-hellman-group14-sha256" ], "SshMacs": [ "hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com", "hmac-sha2-256", "hmac-sha2-512" ], "TlsCiphers": [ "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384" ] } }