Tags: amazon-web-services, aws-cli, aws-sam-cli, aws-sam

How to "sam package" using AES256 encryption?


From here I see the syntax:

sam package \
    --template-file /path_to_template/template.yaml \
    --s3-bucket bucket-name \
    --s3-prefix appname/branchname/version \
    --output-template-file packaged-template.yaml

or

aws cloudformation package \
    --template-file /path_to_template/template.yaml \
    --s3-bucket bucket-name \
    --s3-prefix appname/branchname/version \
    --output-template-file packaged-template.yaml

but the S3 bucket policy forces the client to specify the server-side encryption algorithm AES256:

 aws s3 cp file s3://some-bucket --sse AES256

What is the syntax to sam package an encrypted artifact?


Solution

  • There is no need to specify --sse AES256 in your call. The SAM (CloudFormation) package command automatically sends the x-amz-server-side-encryption: AES256 header, so if your bucket requires default S3 encryption for s3:PutObject (that is, it denies put requests based on the following condition)

    "Condition": {
      "StringNotEquals": {
        "s3:x-amz-server-side-encryption": "AES256"
      }
    }
    

    then this requirement is implicitly satisfied. If your bucket policy requires use of a specific KMS key instead, you can pass the KMS key ID via the optional flag --kms-key-id <value>.
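As an added example (not part of the question or answer above, and not AWS's or SAM's own code), the following Python script simulates how a "require server-side encryption" bucket policy built around that StringNotEquals condition treats the PutObject requests made by sam package with and without --kms-key-id, and by a plain aws s3 cp with and without --sse. It goes a little beyond the answer: it adds the Null-operator statement AWS documents for denying uploads that send no encryption header at all, and it shows the reverse caveat, that a bucket requiring AES256 will reject a package run that passes --kms-key-id (which switches the upload to aws:kms). The per-command header tables, the bucket ARN and the key alias are assumptions, as is the modelling choice that a negated operator is satisfied when its key is absent.

```python
"""Simulate a 'require SSE' S3 bucket policy against the PutObject requests that
sam package / aws cloudformation package and aws s3 cp would make.

Added example, not AWS code. Only s3:PutObject on a single bucket is modelled.
"""
from __future__ import annotations

SSE_KEY = "s3:x-amz-server-side-encryption"
KMS_KEY_ID_KEY = "s3:x-amz-server-side-encryption-aws-kms-key-id"
BUCKET_ARN = "arn:aws:s3:::some-bucket"  # assumed bucket name


def package_upload_context(kms_key_id: str | None = None) -> dict[str, str]:
    """Condition context a `sam package` upload presents to the bucket policy.

    Assumption mirroring the answer: without --kms-key-id the uploader asks for
    SSE-S3 (AES256); with --kms-key-id it asks for aws:kms and names the key.
    """
    if kms_key_id:
        return {SSE_KEY: "aws:kms", KMS_KEY_ID_KEY: kms_key_id}
    return {SSE_KEY: "AES256"}


def s3_cp_context(sse: str | None = None) -> dict[str, str]:
    """Context for `aws s3 cp`: the header is sent only when --sse is given."""
    return {SSE_KEY: sse} if sse else {}


def require_sse_policy(algorithm: str = "AES256") -> dict:
    """Bucket policy denying PutObject unless the request asks for `algorithm`.

    The first statement is the condition quoted in the answer; the second uses
    the Null operator so a request with no encryption header is denied explicitly.
    """
    base = {"Effect": "Deny", "Principal": "*", "Action": "s3:PutObject",
            "Resource": f"{BUCKET_ARN}/*"}
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "DenyIncorrectEncryptionHeader", **base,
             "Condition": {"StringNotEquals": {SSE_KEY: algorithm}}},
            {"Sid": "DenyUnencryptedObjectUploads", **base,
             "Condition": {"Null": {SSE_KEY: "true"}}},
        ],
    }


def _condition_matches(operator: str, key: str, expected: str,
                       context: dict[str, str]) -> bool:
    """Evaluate one condition key/value under one operator."""
    present = key in context
    if operator == "Null":
        # Null:"true" matches when the key is absent, Null:"false" when present.
        return present != (expected == "true")
    if operator == "StringEquals":
        return present and context[key] == expected
    if operator == "StringNotEquals":
        # Modelling choice (assumption): a negated operator is satisfied when
        # the key is absent. The Null statement above makes the final verdict
        # independent of this rule for the missing-header case.
        return (not present) or context[key] != expected
    raise ValueError(f"unsupported operator: {operator}")


def put_object_allowed(policy: dict, context: dict[str, str]) -> bool:
    """True unless every condition of some Deny statement matches the request."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny" or stmt["Action"] != "s3:PutObject":
            continue
        conditions = stmt.get("Condition", {})
        if all(_condition_matches(op, k, v, context)
               for op, pairs in conditions.items() for k, v in pairs.items()):
            return False
    return True


if __name__ == "__main__":
    aes_policy = require_sse_policy("AES256")
    kms_policy = require_sse_policy("aws:kms")
    cases = [
        ("bucket requires AES256, sam package", aes_policy, package_upload_context()),
        ("bucket requires AES256, sam package --kms-key-id", aes_policy,
         package_upload_context("alias/deploy-key")),
        ("bucket requires aws:kms, sam package", kms_policy, package_upload_context()),
        ("bucket requires aws:kms, sam package --kms-key-id", kms_policy,
         package_upload_context("alias/deploy-key")),
        ("bucket requires AES256, aws s3 cp (no --sse)", aes_policy, s3_cp_context()),
        ("bucket requires AES256, aws s3 cp --sse AES256", aes_policy,
         s3_cp_context("AES256")),
    ]
    for label, policy, ctx in cases:
        print(f"{label:52s} -> {'allowed' if put_object_allowed(policy, ctx) else 'DENIED'}")
```

The two failing rows are the ones worth remembering: a bucket whose policy names aws:kms rejects the default sam package upload until --kms-key-id is supplied, and a bucket whose policy names AES256 rejects the upload once --kms-key-id is supplied, because the header then reads aws:kms rather than AES256.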