AWS Security ChangesHomeSearch

AWS transfer documentation change

Service: transfer · 2026-03-28 · Documentation low

File: transfer/latest/userguide/security-policies.md

Summary

Updated AWS Transfer Family security policy documentation to add new 2025-03 policies (including FIPS and AS2Restricted variants), deprecate old experimental post-quantum policies, reorganize policy tables, and add notes about post-quantum cryptographic support being included in all new policies starting in 2025.

Security assessment

The changes primarily document new security policy versions (2025-03) and their cryptographic algorithms, including post-quantum hybrid key exchange. It deprecates older experimental policies (TransferSecurityPolicy-PQ-SSH-Experimental-2023-04) but does not indicate a specific security vulnerability or incident. The updates are routine documentation of new features and best practices, not a response to a disclosed security issue.

Diff

diff --git a/transfer/latest/userguide/security-policies.md b/transfer/latest/userguide/security-policies.md
index a1ca69df0..b686b5899 100644
--- a//transfer/latest/userguide/security-policies.md
+++ b//transfer/latest/userguide/security-policies.md
@@ -5 +5 @@
-Cryptographic algorithmsTransferSecurityPolicy-2024-01TransferSecurityPolicy-SshAuditCompliant-2025-02TransferSecurityPolicy-2023-05TransferSecurityPolicy-2022-03TransferSecurityPolicy-2020-06 and TransferSecurityPolicy-Restricted-2020-06TransferSecurityPolicy-2018-11 and TransferSecurityPolicy-Restricted-2018-11TransferSecurityPolicy-FIPS-2024-01/TransferSecurityPolicy-FIPS-2024-05TransferSecurityPolicy-FIPS-2023-05TransferSecurityPolicy-FIPS-2020-06TransferSecurityPolicy-AS2Restricted-2025-07Post Quantum security policies
+Cryptographic algorithmsSecurity policy details
@@ -11 +11 @@ Server security policies in AWS Transfer Family allow you to limit the set of cr
-AWS Transfer Family supports post-quantum security policies that use hybrid key exchange algorithms, combining traditional cryptographic methods with post-quantum algorithms to provide enhanced security against future quantum computing threats. Details are provided in [Using hybrid post-quantum key exchange with AWS Transfer Family](./post-quantum-security-policies.html).
+AWS Transfer Family supports post-quantum security policies that use hybrid key exchange algorithms, combining traditional cryptographic methods with post-quantum algorithms to provide enhanced security against future quantum computing threats. For more information, see [Using hybrid post-quantum key exchange with AWS Transfer Family](./post-quantum-security-policies.html).
@@ -16,0 +17,4 @@ For a list of supported cryptographic algorithms, see Cryptographic algorithms.
+Starting in 2025, all new AWS Transfer Family security policies include post-quantum cryptographic support using hybrid key exchange algorithms. For more information about post-quantum security, see [Using hybrid post-quantum key exchange with AWS Transfer Family](./post-quantum-security-policies.html).
+
+###### Note
+
@@ -27,0 +32,4 @@ If you are concerned about client compatibility, please affirmatively state whic
+###### Note
+
+The earlier post quantum policies (**TransferSecurityPolicy-PQ-SSH-Experimental-2023-04** and **TransferSecurityPolicy-PQ-SSH-FIPS-Experimental-2023-04**) are deprecated. We recommend that you use the new policies instead.
+
@@ -41,21 +49 @@ For more information on security in Transfer Family, see the following blog post
-  * TransferSecurityPolicy-2024-01
-
-  * TransferSecurityPolicy-SshAuditCompliant-2025-02
-
-  * TransferSecurityPolicy-2023-05
-
-  * TransferSecurityPolicy-2022-03
-
-  * TransferSecurityPolicy-2020-06 and TransferSecurityPolicy-Restricted-2020-06
-
-  * TransferSecurityPolicy-2018-11 and TransferSecurityPolicy-Restricted-2018-11
-
-  * TransferSecurityPolicy-FIPS-2024-01/TransferSecurityPolicy-FIPS-2024-05
-
-  * TransferSecurityPolicy-FIPS-2023-05
-
-  * TransferSecurityPolicy-FIPS-2020-06
-
-  * TransferSecurityPolicy-AS2Restricted-2025-07
-
-  * Post Quantum security policies
+  * Security policy details
@@ -97,2 +84,0 @@ Additionally, the following security policies allow `ssh-rsa`:
-  * TransferSecurityPolicy-PQ-SSH-FIPS-Experimental-2023-04
-
@@ -133,2 +119,2 @@ In the following table and policies, note the following use of algorithm types.
-Security policy | 2024-01 | SshAuditCompliant-2025-02 | 2023-05 | 2022-03 |  **2020-06** **2020-06 restricted** |  **FIPS-2024-05** **FIPS-2024-01** | FIPS-2023-05 | FIPS-2020-06 |  **2018-11** **2018-11 restricted** | TransferSecurityPolicy-AS2Restricted-2025-07  
----|---|---|---|---|---|---|---|---|---|---  
+Security policy | TransferSecurityPolicy-2025-03 | TransferSecurityPolicy-FIPS-2025-03 | TransferSecurityPolicy-SshAuditCompliant-2025-02 | TransferSecurityPolicy-AS2Restricted-2025-07 | TransferSecurityPolicy-2024-01 |  **TransferSecurityPolicy-FIPS-2024-01/TransferSecurityPolicy-FIPS-2024-05** | TransferSecurityPolicy-2023-05 | TransferSecurityPolicy-FIPS-2023-05 | TransferSecurityPolicy-2022-03 |  **TransferSecurityPolicy-2020-06 and TransferSecurityPolicy-Restricted-2020-06** | TransferSecurityPolicy-FIPS-2020-06 |  **TransferSecurityPolicy-2018-11 and TransferSecurityPolicy-Restricted-2018-11**  
+---|---|---|---|---|---|---|---|---|---|---|---|---  
@@ -136,6 +122,6 @@ Security policy | 2024-01 | SshAuditCompliant-2025-02 | 2023-05 | 2022-03 |  **2
-aes128-ctr | ♦ |  ♦ |  |  |  ♦ | ♦ |  |  ♦ |  ♦ |  ♦  
[email protected] | ♦ |  ♦ |  ♦ |  ♦ |  ♦ | ♦ |  ♦  |  ♦ |  ♦ |  ♦  
-aes192-ctr | ♦ |  ♦ |  ♦ |  ♦ |  ♦ | ♦ |  ♦  |  ♦ |  ♦ |  ♦  
-aes256-ctr | ♦ |  ♦ |  ♦ |  ♦ |  ♦ | ♦ |  ♦  |  ♦ |  ♦ |  ♦  
[email protected] | ♦ |  ♦ |  ♦ |  ♦ |  ♦ | ♦ |  ♦  |  ♦ |  ♦ |  ♦  
[email protected] |  |  |  |  |  ♦* |  |  |  |  ♦* |   
+aes128-ctr | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |  |  |  | ♦ | ♦ | ♦  
[email protected] | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦  
+aes192-ctr | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦  
+aes256-ctr | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦  
[email protected] | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦  
[email protected] |  |  |  |  |  |  |  |  |  | ♦* |  | ♦*  
@@ -143,13 +129,13 @@ [email protected] |  |  |  |  |  ♦* |  |  |  |  ♦* |
-mlkem768x25519-sha256 |  |  |  |  |  |  |  |  |  |  ♦  
-mlkem768nistp256-sha256 |  |  |  |  |  |  |  |  |  |  ♦  
-mlkem1024nistp384-sha384 |  |  |  |  |  |  |  |  |  |  ♦  
-curve25519-sha256 | ♦ |  ♦ |  ♦ |  ♦ |  |  |  |  |  ♦ |  ♦  
[email protected] | ♦ |  ♦ |  ♦ |  ♦ |  |  |  |  |  ♦ |  ♦  
-diffie-hellman-group14-sha1 |  |  |  |  |  |  |  |  |  ♦ |   
-diffie-hellman-group14-sha256 |  |  |  |  |  ♦ |  |  |  ♦ |  ♦ |   
-diffie-hellman-group16-sha512  | ♦ |  ♦ |  ♦ |  ♦ |  ♦ | ♦ |  ♦ |  ♦ |  ♦ |  ♦  
-diffie-hellman-group18-sha512  | ♦ |  ♦ |  ♦ |  ♦ |  ♦ | ♦ |  ♦ |  ♦ |  ♦ |  ♦  
-diffie-hellman-group-exchange-sha256 | ♦ |  ♦ |  ♦ |  ♦ |  ♦ |  |  ♦ |  ♦ |  ♦ |  ♦  
-ecdh-sha2-nistp256 | ♦ |  |  |  |  ♦ | ♦ |  |  ♦ |  ♦ |  ♦  
-ecdh-sha2-nistp384 | ♦ |  |  |  |  ♦ | ♦ |  |  ♦ |  ♦ |  ♦  
-ecdh-sha2-nistp521 | ♦ |  |  |  |  ♦ | ♦ |  |  ♦ |  ♦ |  ♦  
+mlkem768x25519-sha256 | ♦ | ♦ |  | ♦ |  |  |  |  |  |  |  |   
+mlkem768nistp256-sha256 | ♦ | ♦ |  | ♦ |  |  |  |  |  |  |  |   
+mlkem1024nistp384-sha384 | ♦ | ♦ |  | ♦ |  |  |  |  |  |  |  |   
+curve25519-sha256 | ♦ |  | ♦ | ♦ | ♦ |  | ♦ |  | ♦ |  |  | ♦  
[email protected] | ♦ |  | ♦ | ♦ | ♦ |  | ♦ |  | ♦ |  |  | ♦  
+diffie-hellman-group14-sha1 |  |  |  |  |  |  |  |  |  |  |  | ♦  
+diffie-hellman-group14-sha256 |  |  |  |  |  |  |  |  |  | ♦ | ♦ | ♦  
+diffie-hellman-group16-sha512 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦  
+diffie-hellman-group18-sha512 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦  
+diffie-hellman-group-exchange-sha256 | ♦ | ♦ | ♦ | ♦ | ♦ |  | ♦ | ♦ | ♦ | ♦ | ♦ | ♦  
+ecdh-sha2-nistp256 | ♦ | ♦ |  | ♦ | ♦ | ♦ |  |  |  | ♦ | ♦ | ♦  
+ecdh-sha2-nistp384 | ♦ | ♦ |  | ♦ | ♦ | ♦ |  |  |  | ♦ | ♦ | ♦  
+ecdh-sha2-nistp521 | ♦ | ♦ |  | ♦ | ♦ | ♦ |  |  |  | ♦ | ♦ | ♦  
@@ -157,10 +143,10 @@ ecdh-sha2-nistp521 | ♦ |  |  |  |  ♦ | ♦ |  |  ♦ |  ♦ |  ♦
-hmac-sha1 |  |  |  |  |  |  |  |  |  ♦ |   
[email protected] |  |  |  |  |  |  |  |  |  ♦ |   
-hmac-sha2-256 |  |  |  |  ♦ |  ♦ |  |  |  ♦ |  ♦ |   
[email protected] | ♦ |  ♦ |  ♦ |  ♦ |  ♦ | ♦ |  ♦ |  ♦ |  ♦ |  ♦  
-hmac-sha2-512 |  |  |  |  ♦ |  ♦ |  |  |  ♦ |  ♦ |   
[email protected] | ♦ |  ♦ |  ♦ |  ♦ |  ♦ | ♦ |  ♦ |  ♦ |  ♦ |  ♦  
[email protected] |  |  |  |  |  ♦ |  |  |  |  ♦ |   
[email protected] |  |  |  |  |  ♦ |  |  |  |  ♦ |   
[email protected] |  |  |  |  |  |  |  |  |  ♦ |   
[email protected] |  |  |  |  |  |  |  |  |  ♦ |   
+hmac-sha1 |  |  |  |  |  |  |  |  |  |  |  | ♦  
[email protected] |  |  |  |  |  |  |  |  |  |  |  | ♦  
+hmac-sha2-256 |  |  |  |  |  |  |  |  | ♦ | ♦ | ♦ | ♦  
[email protected] | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦  
+hmac-sha2-512 |  |  |  |  |  |  |  |  | ♦ | ♦ | ♦ | ♦  
[email protected] | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦  
[email protected] |  |  |  |  |  |  |  |  |  | ♦ |  | ♦  
[email protected] |  |  |  |  |  |  |  |  |  | ♦ |  | ♦  
[email protected] |  |  |  |  |  |  |  |  |  |  |  | ♦  
[email protected] |  |  |  |  |  |  |  |  |  |  |  | ♦  
@@ -168,4 +154,4 @@ [email protected] |  |  |  |  |  |  |  |  |  ♦ |
-aes256-cbc | ♦ |  ♦ |  ♦ |  ♦ |  ♦ | ♦ |  ♦ |  ♦ |  ♦ |  ♦   
-aes192-cbc | ♦ |  ♦ |  ♦ |  ♦ |  ♦ | ♦ |  ♦ |  ♦ |  ♦ |  ♦   
-aes128-cbc | ♦ |  ♦ |  ♦ |  ♦ |  ♦ | ♦ |  ♦ |  ♦ |  ♦ | ♦  
-3des-cbc | ♦ |  ♦ |  ♦ |  ♦ |  ♦ | ♦ |  ♦ |  ♦ |  ♦ |   
+aes256-cbc | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦  
+aes192-cbc | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦  
+aes128-cbc | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦  
+3des-cbc | ♦ | ♦ | ♦ |  | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦  
@@ -173,4 +159,4 @@ aes128-cbc | ♦ |  ♦ |  ♦ |  ♦ |  ♦ | ♦ |  ♦ |  ♦ |  ♦ | ♦
-sha256 | ♦ |  ♦ |  ♦ |  ♦ |  ♦ | ♦ |  ♦ |  ♦ |  ♦ |  ♦   
-sha384 | ♦ |  ♦ |  ♦ |  ♦ |  ♦ | ♦ |  ♦ |  ♦ |  ♦ |  ♦   
-sha512 | ♦ |  ♦ |  ♦ |  ♦ |  ♦ | ♦ |  ♦ |  ♦ |  ♦ |  ♦   
-sha1 | ♦ |  ♦ |  ♦ |  ♦ |  ♦ | ♦ |  ♦ |  ♦ |  ♦ |   
+sha256 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦  
+sha384 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦  
+sha512 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦  
+sha1 | ♦ | ♦ | ♦ |  | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦  
@@ -178,12 +164,10 @@ sha1 | ♦ |  ♦ |  ♦ |  ♦ |  ♦ | ♦ |  ♦ |  ♦ |  ♦ |
-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 |  ♦ |  ♦ |  ♦ |  ♦ |  ♦ |  ♦ |  ♦ |  ♦ |  ♦ |  ♦  
-TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 |  ♦ |  ♦ |  ♦ |  ♦ |  ♦ |  ♦ |  ♦ |  ♦ |  ♦ |  ♦  
-TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 |  ♦ |  ♦ |  ♦ |  ♦ |  ♦ |  ♦ |  ♦ |  ♦ |  ♦ |  ♦  
-TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 | ♦  |  ♦ |  ♦ |  ♦ |  ♦ | ♦  |  ♦ |  ♦ |  ♦ |  ♦  
-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 | ♦  |  ♦ |  ♦ |  ♦ |  ♦ | ♦  |  ♦ |  ♦ |  ♦ |  ♦  
-TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 | ♦  |  ♦ |  ♦ |  ♦ |  ♦ | ♦  |  ♦ |  ♦ |  ♦ |  ♦  
-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 | ♦  |  ♦ |  ♦ |  ♦ |  ♦ | ♦  |  ♦ |  ♦ |  ♦ |  ♦  
-TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 | ♦  |  ♦ |  ♦ |  ♦ |  ♦ | ♦  |  ♦ |  ♦ |  ♦ |  ♦  
-TLS_RSA_WITH_AES_128_CBC_SHA256 |  |  |  |  |  |  |  |  |  ♦ |   
-TLS_RSA_WITH_AES_256_CBC_SHA256 |  |  |  |  |  |  |  |  |  ♦ |   
-  
-## TransferSecurityPolicy-2024-01
+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦  
+TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦  
+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦  
+TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦  
+TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦  
+TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦  
+TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦  
+TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦  
+TLS_RSA_WITH_AES_128_CBC_SHA256 |  |  |  |  |  |  |  |  |  |  |  | ♦  
+TLS_RSA_WITH_AES_256_CBC_SHA256 |  |  |  |  |  |  |  |  |  |  |  | ♦  
@@ -191 +175,7 @@ TLS_RSA_WITH_AES_256_CBC_SHA256 |  |  |  |  |  |  |  |  |  ♦ |
-The following shows the TransferSecurityPolicy-2024-01 security policy.
+## Security policy details
+
+The following sections contain the JSON representation of each security policy.
+
+### TransferSecurityPolicy-2025-03
+
+The following shows the TransferSecurityPolicy-2025-03 security policy.
@@ -197 +187 @@ The following shows the TransferSecurityPolicy-2024-01 security policy.
-            "SecurityPolicyName": "TransferSecurityPolicy-2024-01",
+            "SecurityPolicyName": "TransferSecurityPolicy-2025-03",
@@ -199 +188,0 @@ The following shows the TransferSecurityPolicy-2024-01 security policy.
-                "[email protected]",
@@ -200,0 +190 @@ The following shows the TransferSecurityPolicy-2024-01 security policy.
+                "[email protected]",
@@ -205,0 +196,3 @@ The following shows the TransferSecurityPolicy-2024-01 security policy.
+                "mlkem768x25519-sha256",
+                "mlkem768nistp256-sha256",
+                "mlkem1024nistp384-sha384",
@@ -211 +203,0 @@ The following shows the TransferSecurityPolicy-2024-01 security policy.
-                "diffie-hellman-group18-sha512",
@@ -212,0 +205 @@ The following shows the TransferSecurityPolicy-2024-01 security policy.
+                "diffie-hellman-group18-sha512",
@@ -240,16 +233,2 @@ The following shows the TransferSecurityPolicy-2024-01 security policy.
-            ]
-        }
-    }
-
-## TransferSecurityPolicy-SshAuditCompliant-2025-02
-
-The following shows the TransferSecurityPolicy-SshAuditCompliant-2025-02 security policy.
-
-###### Note
-
-This security policy is designed around the recommendations provided by the `ssh-audit` tool, and is 100% compliant with that tool.
-    
-    
-    {
-      "SecurityPolicy": {
-        "Fips": false,
+            ],
+            "Type": "SERVER",
@@ -259,43 +238 @@ This security policy is designed around the recommendations provided by the `ssh
-        ],
-        "SecurityPolicyName": "TransferSecurityPolicy-SshAuditCompliant-2025-02",
-        "SshCiphers": [