AWS transfer high security documentation change
Summary
Added new TransferSecurityPolicy-AS2Restricted-2025-07 policy, expanded cryptographic algorithm documentation, and added ContentEncryptionCiphers/HashAlgorithms sections
Security assessment
The changes introduce a new security policy (AS2Restricted-2025-07) that removes legacy algorithms like 3DES and SHA-1 while adding post-quantum mlkem* key exchanges. This demonstrates active mitigation of cryptographic vulnerabilities and alignment with modern security standards. The explicit removal of weak algorithms addresses known security weaknesses in cryptographic implementations.
Diff
diff --git a/transfer/latest/userguide/security-policies.md b/transfer/latest/userguide/security-policies.md index a3d6721c7..cd16ab049 100644 --- a//transfer/latest/userguide/security-policies.md +++ b//transfer/latest/userguide/security-policies.md @@ -5 +5 @@ -Cryptographic algorithmsTransferSecurityPolicy-2024-01TransferSecurityPolicy-SshAuditCompliant-2025-02TransferSecurityPolicy-2023-05TransferSecurityPolicy-2022-03TransferSecurityPolicy-2020-06 and TransferSecurityPolicy-Restricted-2020-06TransferSecurityPolicy-2018-11 and TransferSecurityPolicy-Restricted-2018-11TransferSecurityPolicy-FIPS-2024-01/TransferSecurityPolicy-FIPS-2024-05TransferSecurityPolicy-FIPS-2023-05TransferSecurityPolicy-FIPS-2020-06Post Quantum security policies +Cryptographic algorithmsTransferSecurityPolicy-2024-01TransferSecurityPolicy-SshAuditCompliant-2025-02TransferSecurityPolicy-2023-05TransferSecurityPolicy-2022-03TransferSecurityPolicy-2020-06 and TransferSecurityPolicy-Restricted-2020-06TransferSecurityPolicy-2018-11 and TransferSecurityPolicy-Restricted-2018-11TransferSecurityPolicy-FIPS-2024-01/TransferSecurityPolicy-FIPS-2024-05TransferSecurityPolicy-FIPS-2023-05TransferSecurityPolicy-FIPS-2020-06TransferSecurityPolicy-AS2Restricted-2025-07Post Quantum security policies @@ -9 +9 @@ Cryptographic algorithmsTransferSecurityPolicy-2024-01TransferSecurityPolicy-Ssh -Server security policies in AWS Transfer Family allow you to limit the set of cryptographic algorithms (message authentication codes (MACs), key exchanges (KEXs), and cipher suites) associated with your server. For a list of supported cryptographic algorithms, see Cryptographic algorithms. For a list of supported key algorithms for use with server host keys and service-managed user keys, see [Managing SSH and PGP keys in Transfer Family](./key-management.html). +Server security policies in AWS Transfer Family allow you to limit the set of cryptographic algorithms (message authentication codes (MACs), key exchanges (KEXs), cipher suites, content encryption ciphers, and hash algorithms) associated with your server. For a list of supported cryptographic algorithms, see Cryptographic algorithms. For a list of supported key algorithms for use with server host keys and service-managed user keys, see [Managing SSH and PGP keys in Transfer Family](./key-management.html). @@ -54,0 +55,2 @@ For more information on security in Transfer Family, see the following blog post + * TransferSecurityPolicy-AS2Restricted-2025-07 + @@ -111,0 +114,2 @@ In the following table and policies, note the following use of algorithm types. + * AS2 servers only use algorithms in the **ContentEncryptionCiphers** and **HashAlgorithms** sections. These sections define algorithms used for encrypting and signing file content. + @@ -125,2 +129,2 @@ In the following table and policies, note the following use of algorithm types. -Security policy | 2024-01 | SshAuditCompliant-2025-02 | 2023-05 | 2022-03 | **2020-06** **2020-06 restricted** | **FIPS-2024-05** **FIPS-2024-01** | FIPS-2023-05 | FIPS-2020-06 | **2018-11** **2018-11 restricted** ----|---|---|---|---|---|---|---|---|--- +Security policy | 2024-01 | SshAuditCompliant-2025-02 | 2023-05 | 2022-03 | **2020-06** **2020-06 restricted** | **FIPS-2024-05** **FIPS-2024-01** | FIPS-2023-05 | FIPS-2020-06 | **2018-11** **2018-11 restricted** | TransferSecurityPolicy-AS2Restricted-2025-07 +---|---|---|---|---|---|---|---|---|---|--- @@ -128,6 +132,6 @@ Security policy | 2024-01 | SshAuditCompliant-2025-02 | 2023-05 | 2022-03 | **2 -aes128-ctr | ♦ | ♦ | | | ♦ | ♦ | | ♦ | ♦ [email protected] | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ -aes192-ctr | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ -aes256-ctr | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ [email protected] | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ [email protected] | | | | | ♦* | | | | ♦* +aes128-ctr | ♦ | ♦ | | | ♦ | ♦ | | ♦ | ♦ | ♦ [email protected] | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ +aes192-ctr | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ +aes256-ctr | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ [email protected] | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ [email protected] | | | | | ♦* | | | | ♦* | @@ -135,10 +139,13 @@ [email protected] | | | | | ♦* | | | | ♦* -curve25519-sha256 | ♦ | ♦ | ♦ | ♦ | | | | | ♦ [email protected] | ♦ | ♦ | ♦ | ♦ | | | | | ♦ -diffie-hellman-group14-sha1 | | | | | | | | | ♦ -diffie-hellman-group14-sha256 | | | | | ♦ | | | ♦ | ♦ -diffie-hellman-group16-sha512 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ -diffie-hellman-group18-sha512 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ -diffie-hellman-group-exchange-sha256 | ♦ | ♦ | ♦ | ♦ | ♦ | | ♦ | ♦ | ♦ -ecdh-sha2-nistp256 | ♦ | | | | ♦ | ♦ | | ♦ | ♦ -ecdh-sha2-nistp384 | ♦ | | | | ♦ | ♦ | | ♦ | ♦ -ecdh-sha2-nistp521 | ♦ | | | | ♦ | ♦ | | ♦ | ♦ +mlkem768x25519-sha256 | | | | | | | | | | ♦ +mlkem768nistp256-sha256 | | | | | | | | | | ♦ +mlkem1024nistp384-sha384 | | | | | | | | | | ♦ +curve25519-sha256 | ♦ | ♦ | ♦ | ♦ | | | | | ♦ | ♦ [email protected] | ♦ | ♦ | ♦ | ♦ | | | | | ♦ | ♦ +diffie-hellman-group14-sha1 | | | | | | | | | ♦ | +diffie-hellman-group14-sha256 | | | | | ♦ | | | ♦ | ♦ | +diffie-hellman-group16-sha512 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ +diffie-hellman-group18-sha512 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ +diffie-hellman-group-exchange-sha256 | ♦ | ♦ | ♦ | ♦ | ♦ | | ♦ | ♦ | ♦ | ♦ +ecdh-sha2-nistp256 | ♦ | | | | ♦ | ♦ | | ♦ | ♦ | ♦ +ecdh-sha2-nistp384 | ♦ | | | | ♦ | ♦ | | ♦ | ♦ | ♦ +ecdh-sha2-nistp521 | ♦ | | | | ♦ | ♦ | | ♦ | ♦ | ♦ @@ -146,10 +153,20 @@ ecdh-sha2-nistp521 | ♦ | | | | ♦ | ♦ | | ♦ | ♦ -hmac-sha1 | | | | | | | | | ♦ [email protected] | | | | | | | | | ♦ -hmac-sha2-256 | | | | ♦ | ♦ | | | ♦ | ♦ [email protected] | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ -hmac-sha2-512 | | | | ♦ | ♦ | | | ♦ | ♦ [email protected] | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ [email protected] | | | | | ♦ | | | | ♦ [email protected] | | | | | ♦ | | | | ♦ [email protected] | | | | | | | | | ♦ [email protected] | | | | | | | | | ♦ +hmac-sha1 | | | | | | | | | ♦ | [email protected] | | | | | | | | | ♦ | +hmac-sha2-256 | | | | ♦ | ♦ | | | ♦ | ♦ | [email protected] | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ +hmac-sha2-512 | | | | ♦ | ♦ | | | ♦ | ♦ | [email protected] | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ [email protected] | | | | | ♦ | | | | ♦ | [email protected] | | | | | ♦ | | | | ♦ | [email protected] | | | | | | | | | ♦ | [email protected] | | | | | | | | | ♦ | +**ContentEncryptionCiphers** +aes256-cbc | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ +aes192-cbc | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ +aes128-cbc | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ +3des-cbc | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | +**HashAlgorithms** +sha256 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ +sha384 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ +sha512 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ +sha1 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | @@ -157,10 +174,10 @@ [email protected] | | | | | | | | | ♦ -TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ -TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ -TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ -TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ -TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ -TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ -TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ -TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ -TLS_RSA_WITH_AES_128_CBC_SHA256 | | | | | | | | | ♦ -TLS_RSA_WITH_AES_256_CBC_SHA256 | | | | | | | | | ♦ +TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | +TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | +TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | +TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | +TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | +TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | +TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | +TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | +TLS_RSA_WITH_AES_128_CBC_SHA256 | | | | | | | | | ♦ | +TLS_RSA_WITH_AES_256_CBC_SHA256 | | | | | | | | | ♦ | @@ -197,0 +215,12 @@ The following shows the TransferSecurityPolicy-2024-01 security policy. + "ContentEncryptionCiphers": [ + "aes256-cbc", + "aes192-cbc", + "aes128-cbc", + "3des-cbc" + ], + "HashAlgorithms": [ + "sha256", + "sha384", + "sha512", + "sha1" + ], @@ -245,0 +275,12 @@ This security policy is designed around the recommendations provided by the `ssh + "ContentEncryptionCiphers": [ + "aes256-cbc", + "aes192-cbc", + "aes128-cbc", + "3des-cbc" + ], + "HashAlgorithms": [ + "sha256", + "sha384", + "sha512", + "sha1" + ], @@ -285,0 +327,12 @@ The following shows the TransferSecurityPolicy-2023-05 security policy. + "ContentEncryptionCiphers": [ + "aes256-cbc", + "aes192-cbc", + "aes128-cbc", + "3des-cbc" + ], + "HashAlgorithms": [ + "sha256", + "sha384", + "sha512", + "sha1" + ], @@ -326,0 +380,12 @@ The following shows the TransferSecurityPolicy-2022-03 security policy. + "ContentEncryptionCiphers": [ + "aes256-cbc", + "aes192-cbc", + "aes128-cbc" + "3des-cbc", + ], + "HashAlgorithms": [ + "sha256", + "sha384", + "sha512" + "sha1" + ], @@ -377,0 +443,12 @@ The TransferSecurityPolicy-Restricted-2020-06 and TransferSecurityPolicy-2020-06 + "ContentEncryptionCiphers": [ + "aes256-cbc", + "aes192-cbc", + "aes128-cbc" + "3des-cbc", + ], + "HashAlgorithms": [ + "sha256", + "sha384", + "sha512" + "sha1" + ], @@ -435,0 +513,12 @@ The TransferSecurityPolicy-Restricted-2018-11 and TransferSecurityPolicy-2018-11 + "ContentEncryptionCiphers": [ + "aes256-cbc", + "aes192-cbc", + "aes128-cbc" + "3des-cbc", + ], + "HashAlgorithms": [ + "sha256", + "sha384", + "sha512", + "sha1" + ], @@ -484,0 +574,12 @@ The only difference between these two security policies is that TransferSecurity + "ContentEncryptionCiphers": [ + "aes256-cbc", + "aes192-cbc", + "aes128-cbc" + "3des-cbc" + ], + "HashAlgorithms": [ + "sha256", + "sha384", + "sha512" + "sha1"