Summary
The AWS API `CreateGateway` accepts a `kmsKeyArn` parameter for encrypting gateway configuration at rest, but the CLI's `add gateway` command does not expose it.
Evidence
- AWS: `CreateGateway.kmsKeyArn` — "The ARN of the AWS KMS key used to encrypt data associated with the gateway."
- CLI: `AgentCoreGatewaySchema` (`src/schema/schemas/mcp.ts:1065`) has no KMS field; no flag in `GatewayPrimitive.ts`.
Proposal
Add an optional `--kms-key-arn <arn>` flag (no default) to `add gateway`, wire it to the schema and CDK gateway construct. Matches the existing pattern on `add dataset`, `add evaluator`, `add policy-engine`.
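One way the proposed optional flag could be validated before it reaches the schema, added here as an example and not code from the CLI repository. The names `GatewayOptions`, `validateKmsKeyArn` and `buildGatewayInput` are hypothetical, the sample ARN in the comment is constructed, and accepting only key ARNs (not alias ARNs) is an assumption the page does not settle.

```typescript
// Added example with hypothetical names; not the project's own code.
interface GatewayOptions {
  name: string;
  kmsKeyArn?: string; // value of --kms-key-arn, undefined when the flag is absent
}

// arn:<partition>:kms:<region>:<12-digit account>:key/<uuid | mrk-id>
// Constructed sample: arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
const KMS_KEY_ARN = new RegExp(
  "^arn:aws[a-z-]*:kms:[a-z]{2}(?:-[a-z]+)+-\\d+:\\d{12}:key/" +
    "(?:[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}|mrk-[0-9a-f]{32})$"
);

// Reject anything that is not a well-formed KMS key ARN. Failing here keeps a
// typo from being discovered only at deploy time.
function validateKmsKeyArn(value: string): string {
  const arn = value.trim();
  if (!KMS_KEY_ARN.test(arn)) {
    throw new Error(`--kms-key-arn: not a KMS key ARN: ${JSON.stringify(value)}`);
  }
  return arn;
}

// Build the gateway input. "No default" means the field is omitted entirely
// when the flag is absent; a flag that is present but empty or malformed is an
// error, never a silent fallback to an unset key.
function buildGatewayInput(opts: GatewayOptions): Record<string, string> {
  const input: Record<string, string> = { name: opts.name };
  if (opts.kmsKeyArn !== undefined) {
    input["kmsKeyArn"] = validateKmsKeyArn(opts.kmsKeyArn);
  }
  return input;
}
```
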