AWS transfer documentation change
Summary
Updated AWS Transfer Family security policy documentation to add new 2025-03 policies (including FIPS and AS2Restricted variants), deprecate old experimental post-quantum policies, reorganize policy tables, and add notes about post-quantum cryptographic support being included in all new policies starting in 2025.
Security assessment
The changes primarily document new security policy versions (2025-03) and their cryptographic algorithms, including post-quantum hybrid key exchange. It deprecates older experimental policies (TransferSecurityPolicy-PQ-SSH-Experimental-2023-04) but does not indicate a specific security vulnerability or incident. The updates are routine documentation of new features and best practices, not a response to a disclosed security issue.
Diff
diff --git a/transfer/latest/userguide/security-policies.md b/transfer/latest/userguide/security-policies.md index a1ca69df0..b686b5899 100644 --- a//transfer/latest/userguide/security-policies.md +++ b//transfer/latest/userguide/security-policies.md @@ -5 +5 @@ -Cryptographic algorithmsTransferSecurityPolicy-2024-01TransferSecurityPolicy-SshAuditCompliant-2025-02TransferSecurityPolicy-2023-05TransferSecurityPolicy-2022-03TransferSecurityPolicy-2020-06 and TransferSecurityPolicy-Restricted-2020-06TransferSecurityPolicy-2018-11 and TransferSecurityPolicy-Restricted-2018-11TransferSecurityPolicy-FIPS-2024-01/TransferSecurityPolicy-FIPS-2024-05TransferSecurityPolicy-FIPS-2023-05TransferSecurityPolicy-FIPS-2020-06TransferSecurityPolicy-AS2Restricted-2025-07Post Quantum security policies +Cryptographic algorithmsSecurity policy details @@ -11 +11 @@ Server security policies in AWS Transfer Family allow you to limit the set of cr -AWS Transfer Family supports post-quantum security policies that use hybrid key exchange algorithms, combining traditional cryptographic methods with post-quantum algorithms to provide enhanced security against future quantum computing threats. Details are provided in [Using hybrid post-quantum key exchange with AWS Transfer Family](./post-quantum-security-policies.html). +AWS Transfer Family supports post-quantum security policies that use hybrid key exchange algorithms, combining traditional cryptographic methods with post-quantum algorithms to provide enhanced security against future quantum computing threats. For more information, see [Using hybrid post-quantum key exchange with AWS Transfer Family](./post-quantum-security-policies.html). @@ -16,0 +17,4 @@ For a list of supported cryptographic algorithms, see Cryptographic algorithms. +Starting in 2025, all new AWS Transfer Family security policies include post-quantum cryptographic support using hybrid key exchange algorithms. For more information about post-quantum security, see [Using hybrid post-quantum key exchange with AWS Transfer Family](./post-quantum-security-policies.html). + +###### Note + @@ -27,0 +32,4 @@ If you are concerned about client compatibility, please affirmatively state whic +###### Note + +The earlier post quantum policies (**TransferSecurityPolicy-PQ-SSH-Experimental-2023-04** and **TransferSecurityPolicy-PQ-SSH-FIPS-Experimental-2023-04**) are deprecated. We recommend that you use the new policies instead. + @@ -41,21 +49 @@ For more information on security in Transfer Family, see the following blog post - * TransferSecurityPolicy-2024-01 - - * TransferSecurityPolicy-SshAuditCompliant-2025-02 - - * TransferSecurityPolicy-2023-05 - - * TransferSecurityPolicy-2022-03 - - * TransferSecurityPolicy-2020-06 and TransferSecurityPolicy-Restricted-2020-06 - - * TransferSecurityPolicy-2018-11 and TransferSecurityPolicy-Restricted-2018-11 - - * TransferSecurityPolicy-FIPS-2024-01/TransferSecurityPolicy-FIPS-2024-05 - - * TransferSecurityPolicy-FIPS-2023-05 - - * TransferSecurityPolicy-FIPS-2020-06 - - * TransferSecurityPolicy-AS2Restricted-2025-07 - - * Post Quantum security policies + * Security policy details @@ -97,2 +84,0 @@ Additionally, the following security policies allow `ssh-rsa`: - * TransferSecurityPolicy-PQ-SSH-FIPS-Experimental-2023-04 - @@ -133,2 +119,2 @@ In the following table and policies, note the following use of algorithm types. -Security policy | 2024-01 | SshAuditCompliant-2025-02 | 2023-05 | 2022-03 | **2020-06** **2020-06 restricted** | **FIPS-2024-05** **FIPS-2024-01** | FIPS-2023-05 | FIPS-2020-06 | **2018-11** **2018-11 restricted** | TransferSecurityPolicy-AS2Restricted-2025-07 ----|---|---|---|---|---|---|---|---|---|--- +Security policy | TransferSecurityPolicy-2025-03 | TransferSecurityPolicy-FIPS-2025-03 | TransferSecurityPolicy-SshAuditCompliant-2025-02 | TransferSecurityPolicy-AS2Restricted-2025-07 | TransferSecurityPolicy-2024-01 | **TransferSecurityPolicy-FIPS-2024-01/TransferSecurityPolicy-FIPS-2024-05** | TransferSecurityPolicy-2023-05 | TransferSecurityPolicy-FIPS-2023-05 | TransferSecurityPolicy-2022-03 | **TransferSecurityPolicy-2020-06 and TransferSecurityPolicy-Restricted-2020-06** | TransferSecurityPolicy-FIPS-2020-06 | **TransferSecurityPolicy-2018-11 and TransferSecurityPolicy-Restricted-2018-11** +---|---|---|---|---|---|---|---|---|---|---|---|--- @@ -136,6 +122,6 @@ Security policy | 2024-01 | SshAuditCompliant-2025-02 | 2023-05 | 2022-03 | **2 -aes128-ctr | ♦ | ♦ | | | ♦ | ♦ | | ♦ | ♦ | ♦ [email protected] | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ -aes192-ctr | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ -aes256-ctr | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ [email protected] | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ [email protected] | | | | | ♦* | | | | ♦* | +aes128-ctr | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | | | | ♦ | ♦ | ♦ [email protected] | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ +aes192-ctr | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ +aes256-ctr | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ [email protected] | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ [email protected] | | | | | | | | | | ♦* | | ♦* @@ -143,13 +129,13 @@ [email protected] | | | | | ♦* | | | | ♦* | -mlkem768x25519-sha256 | | | | | | | | | | ♦ -mlkem768nistp256-sha256 | | | | | | | | | | ♦ -mlkem1024nistp384-sha384 | | | | | | | | | | ♦ -curve25519-sha256 | ♦ | ♦ | ♦ | ♦ | | | | | ♦ | ♦ [email protected] | ♦ | ♦ | ♦ | ♦ | | | | | ♦ | ♦ -diffie-hellman-group14-sha1 | | | | | | | | | ♦ | -diffie-hellman-group14-sha256 | | | | | ♦ | | | ♦ | ♦ | -diffie-hellman-group16-sha512 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ -diffie-hellman-group18-sha512 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ -diffie-hellman-group-exchange-sha256 | ♦ | ♦ | ♦ | ♦ | ♦ | | ♦ | ♦ | ♦ | ♦ -ecdh-sha2-nistp256 | ♦ | | | | ♦ | ♦ | | ♦ | ♦ | ♦ -ecdh-sha2-nistp384 | ♦ | | | | ♦ | ♦ | | ♦ | ♦ | ♦ -ecdh-sha2-nistp521 | ♦ | | | | ♦ | ♦ | | ♦ | ♦ | ♦ +mlkem768x25519-sha256 | ♦ | ♦ | | ♦ | | | | | | | | +mlkem768nistp256-sha256 | ♦ | ♦ | | ♦ | | | | | | | | +mlkem1024nistp384-sha384 | ♦ | ♦ | | ♦ | | | | | | | | +curve25519-sha256 | ♦ | | ♦ | ♦ | ♦ | | ♦ | | ♦ | | | ♦ [email protected] | ♦ | | ♦ | ♦ | ♦ | | ♦ | | ♦ | | | ♦ +diffie-hellman-group14-sha1 | | | | | | | | | | | | ♦ +diffie-hellman-group14-sha256 | | | | | | | | | | ♦ | ♦ | ♦ +diffie-hellman-group16-sha512 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ +diffie-hellman-group18-sha512 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ +diffie-hellman-group-exchange-sha256 | ♦ | ♦ | ♦ | ♦ | ♦ | | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ +ecdh-sha2-nistp256 | ♦ | ♦ | | ♦ | ♦ | ♦ | | | | ♦ | ♦ | ♦ +ecdh-sha2-nistp384 | ♦ | ♦ | | ♦ | ♦ | ♦ | | | | ♦ | ♦ | ♦ +ecdh-sha2-nistp521 | ♦ | ♦ | | ♦ | ♦ | ♦ | | | | ♦ | ♦ | ♦ @@ -157,10 +143,10 @@ ecdh-sha2-nistp521 | ♦ | | | | ♦ | ♦ | | ♦ | ♦ | ♦ -hmac-sha1 | | | | | | | | | ♦ | [email protected] | | | | | | | | | ♦ | -hmac-sha2-256 | | | | ♦ | ♦ | | | ♦ | ♦ | [email protected] | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ -hmac-sha2-512 | | | | ♦ | ♦ | | | ♦ | ♦ | [email protected] | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ [email protected] | | | | | ♦ | | | | ♦ | [email protected] | | | | | ♦ | | | | ♦ | [email protected] | | | | | | | | | ♦ | [email protected] | | | | | | | | | ♦ | +hmac-sha1 | | | | | | | | | | | | ♦ [email protected] | | | | | | | | | | | | ♦ +hmac-sha2-256 | | | | | | | | | ♦ | ♦ | ♦ | ♦ [email protected] | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ +hmac-sha2-512 | | | | | | | | | ♦ | ♦ | ♦ | ♦ [email protected] | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ [email protected] | | | | | | | | | | ♦ | | ♦ [email protected] | | | | | | | | | | ♦ | | ♦ [email protected] | | | | | | | | | | | | ♦ [email protected] | | | | | | | | | | | | ♦ @@ -168,4 +154,4 @@ [email protected] | | | | | | | | | ♦ | -aes256-cbc | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ -aes192-cbc | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ -aes128-cbc | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ -3des-cbc | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | +aes256-cbc | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ +aes192-cbc | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ +aes128-cbc | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ +3des-cbc | ♦ | ♦ | ♦ | | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ @@ -173,4 +159,4 @@ aes128-cbc | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ -sha256 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ -sha384 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ -sha512 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ -sha1 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | +sha256 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ +sha384 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ +sha512 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ +sha1 | ♦ | ♦ | ♦ | | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ @@ -178,12 +164,10 @@ sha1 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | -TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ -TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ -TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ -TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ -TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ -TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ -TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ -TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ -TLS_RSA_WITH_AES_128_CBC_SHA256 | | | | | | | | | ♦ | -TLS_RSA_WITH_AES_256_CBC_SHA256 | | | | | | | | | ♦ | - -## TransferSecurityPolicy-2024-01 +TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ +TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ +TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ +TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ +TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ +TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ +TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ +TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ +TLS_RSA_WITH_AES_128_CBC_SHA256 | | | | | | | | | | | | ♦ +TLS_RSA_WITH_AES_256_CBC_SHA256 | | | | | | | | | | | | ♦ @@ -191 +175,7 @@ TLS_RSA_WITH_AES_256_CBC_SHA256 | | | | | | | | | ♦ | -The following shows the TransferSecurityPolicy-2024-01 security policy. +## Security policy details + +The following sections contain the JSON representation of each security policy. + +### TransferSecurityPolicy-2025-03 + +The following shows the TransferSecurityPolicy-2025-03 security policy. @@ -197 +187 @@ The following shows the TransferSecurityPolicy-2024-01 security policy. - "SecurityPolicyName": "TransferSecurityPolicy-2024-01", + "SecurityPolicyName": "TransferSecurityPolicy-2025-03", @@ -199 +188,0 @@ The following shows the TransferSecurityPolicy-2024-01 security policy. - "[email protected]", @@ -200,0 +190 @@ The following shows the TransferSecurityPolicy-2024-01 security policy. + "[email protected]", @@ -205,0 +196,3 @@ The following shows the TransferSecurityPolicy-2024-01 security policy. + "mlkem768x25519-sha256", + "mlkem768nistp256-sha256", + "mlkem1024nistp384-sha384", @@ -211 +203,0 @@ The following shows the TransferSecurityPolicy-2024-01 security policy. - "diffie-hellman-group18-sha512", @@ -212,0 +205 @@ The following shows the TransferSecurityPolicy-2024-01 security policy. + "diffie-hellman-group18-sha512", @@ -240,16 +233,2 @@ The following shows the TransferSecurityPolicy-2024-01 security policy. - ] - } - } - -## TransferSecurityPolicy-SshAuditCompliant-2025-02 - -The following shows the TransferSecurityPolicy-SshAuditCompliant-2025-02 security policy. - -###### Note - -This security policy is designed around the recommendations provided by the `ssh-audit` tool, and is 100% compliant with that tool. - - - { - "SecurityPolicy": { - "Fips": false, + ], + "Type": "SERVER", @@ -259,43 +238 @@ This security policy is designed around the recommendations provided by the `ssh - ], - "SecurityPolicyName": "TransferSecurityPolicy-SshAuditCompliant-2025-02", - "SshCiphers": [