How to "sam package" using AES256 encryption?

Question

From here I see the syntax:

sam package \
    --template-file /path_to_template/template.yaml \
    --s3-bucket bucket-name \
    --s3-prefix appname/branchname/version
    --output-template-file packaged-template.yaml

or

   aws cloudformation package \
    --template-file /path_to_template/template.yaml \
    --s3-bucket bucket-name \
    --s3-prefix appname/branchname/version
    --output-template-file packaged-template.yaml

but the s3 policy forces the client to mention server side encryption algo AES256.

 aws s3 cp file s3://some-bucket --sse AES256

What is the syntax to sam package encrypted artifact?

score 1 · Accepted Answer · answered Jul 18 '19 at 19:20

1

There is no need to specify --sse AES256 in your call. SAM (CloudFormation) package command automatically sends x-amz-server-side-encryption: AES256 header so if your bucket requires default S3 encryption for s3:putObject (denies put requests based on following condition)

"Condition": {
  "StringNotEquals": {
    "s3:x-amz-server-side-encryption": "AES256"
  }
}

then this requirement is implicitly satisfied. If your bucket policy requires usage of a specific KMS key instead then you can pass KMS key id via optional flag: --kms-key-id <value>

answered Jul 18 '19 at 19:20

Matus Dubrava

13,637
2
38
54

Supple... How to make sure that artifact copied to s3 has custom name? – overexchange Jul 18 '19 at 20:23
I don't think it is possible to give custom name to the artifact. – Matus Dubrava Jul 18 '19 at 20:36
`--s3-prefix` only allows you to specify "folder" structure or prefix path but not the actual name of file – Matus Dubrava Jul 19 '19 at 16:19
Related question - https://stackoverflow.com/questions/57121977/why-sam-package-publishes-the-artifacts-to-bucket – overexchange Jul 20 '19 at 05:09

How to "sam package" using AES256 encryption?

1 Answers1