feat(s3tables): server-side encryption by customer managed KMS key (#34229)

### Issue # (if applicable)

None

### Reason for this change

AWS S3 Tables supports for server side encryption by customer managed KMS keys.

https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-tables-kms-encryption.html

And cloudformation have supported for this feature.

https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3tables-tablebucket-encryptionconfiguration.html

### Description of changes

- Add `kmsKey` prop to `TableBucketProps`
- Add kms key resource policy which enables S3 Tables to execute automatic table maintenance
  - https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-tables-kms-permissions.html

### Describe any new or updated permissions being added

Add resource policy to the kms key.

```ts
// add resource policy to the encryption key
    // see https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-tables-kms-permissions.html#tables-kms-maintenance-permissions
    props?.kmsKey?.addToResourcePolicy(
      new iam.PolicyStatement({
        actions: ['kms:Decrypt', 'kms:GenerateDataKey'],
        resources: ['*'],
        effect: iam.Effect.ALLOW,
        principals: [new iam.ServicePrincipal('maintenance.s3tables.amazonaws.com')],
        conditions: {
          StringLike: {
            'kms:EncryptionContext:aws:s3:arn': `${Stack.of(this).formatArn({
              service: 's3tables',
              resource: 'bucket',
              resourceName: props.tableBucketName,
            })}/*`,
          },
        },
      }),
    );
```

### Description of how you validated changes

Add both unit and integ tests.

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Author: badmintoncryer

packages/@aws-cdk/aws-s3tables-alpha/README.md

@@ -41,6 +41,22 @@ const sampleTableBucket = new TableBucket(scope, 'ExampleTableBucket', {
 
 Learn more about table buckets maintenance operations and default behavior from the [S3 Tables User Guide](https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-table-buckets-maintenance.html)
 
+### Server-side Encryption
+
+By default, S3 Tables buckets are encrypted using Amazon S3-managed keys (SSE-S3). You can also use AWS Key Management Service (AWS KMS) keys to encrypt your data.
+To do this, you can specify the `kmsKey` property when creating the bucket:
+
+```ts
+declare const kmsKey: kms.IKey;
+
+new TableBucket(this, 'TableBucket', {
+  tableBucketName: 'kms-key-s3tables-bucket',
+  kmsKey,
+});
+```
+
+**Note**: AWS CDK automatically add a resource policy to the KMS key to allow the S3 Tables service to use it for automatic table maintenance. Detail information can be found in the [security for S3 tables](https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-tables-kms-permissions.html) documentation.
+
 ### Controlling Table Bucket Permissions
 
 ```ts

packages/@aws-cdk/aws-s3tables-alpha/lib/table-bucket.ts

@@ -5,7 +5,8 @@ import { TableBucketPolicy } from './table-bucket-policy';
 import * as perms from './permissions';
 import { validateTableBucketAttributes } from './util';
 import * as iam from 'aws-cdk-lib/aws-iam';
-import { Resource, IResource, UnscopedValidationError, RemovalPolicy, Token } from 'aws-cdk-lib/core';
+import * as kms from 'aws-cdk-lib/aws-kms';
+import { Resource, IResource, UnscopedValidationError, RemovalPolicy, Token, Stack } from 'aws-cdk-lib/core';
 import { addConstructMetadata } from 'aws-cdk-lib/core/lib/metadata-resource';
 
 /**
@@ -258,6 +259,13 @@ export interface TableBucketProps {
    * @default RETAIN
    */
   readonly removalPolicy?: RemovalPolicy;
+
+  /**
+   * The KMS key to use for server-side encryption.
+   *
+   * @default - Server-side encryption with Amazon S3-managed keys (SSE-S3)
+   */
+  readonly kmsKey?: kms.IKey;
 }
 
 /**
@@ -498,8 +506,34 @@ export class TableBucket extends TableBucketBase {
         noncurrentDays: props.unreferencedFileRemoval?.noncurrentDays,
         unreferencedDays: props.unreferencedFileRemoval?.unreferencedDays,
       },
+      encryptionConfiguration: props?.kmsKey
+        ? {
+          sseAlgorithm: 'aws:kms',
+          kmsKeyArn: props.kmsKey.keyArn,
+        }
+        : undefined,
     });
 
+    // add resource policy to the encryption key
+    // see https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-tables-kms-permissions.html#tables-kms-maintenance-permissions
+    props?.kmsKey?.addToResourcePolicy(
+      new iam.PolicyStatement({
+        actions: ['kms:Decrypt', 'kms:GenerateDataKey'],
+        resources: ['*'],
+        effect: iam.Effect.ALLOW,
+        principals: [new iam.ServicePrincipal('maintenance.s3tables.amazonaws.com')],
+        conditions: {
+          StringLike: {
+            'kms:EncryptionContext:aws:s3:arn': `${Stack.of(this).formatArn({
+              service: 's3tables',
+              resource: 'bucket',
+              resourceName: props.tableBucketName,
+            })}/*`,
+          },
+        },
+      }),
+    );
+
     this.tableBucketName = this.getResourceNameAttribute(this._resource.ref);
     this.tableBucketArn = this._resource.attrTableBucketArn;
     this._resource.applyRemovalPolicy(props.removalPolicy);

packages/@aws-cdk/aws-s3tables-alpha/rosetta/default.ts-fixture

@@ -2,6 +2,7 @@ import { Construct } from 'constructs';
 import { Stack } from 'aws-cdk-lib';
 import { TableBucket, UnreferencedFileRemovalStatus } from '@aws-cdk/aws-s3tables-alpha';
 import * as iam from 'aws-cdk-lib/aws-iam';
+import * as kms from 'aws-cdk-lib/aws-kms';
 
 class Fixture extends Stack {
   constructor(scope: Construct, id: string) {

packages/@aws-cdk/aws-s3tables-alpha/test/integration/integ.table-bucket-kms-key.js.snapshot/cdk.out

@@ -0,0 +1,126 @@
+{
+ "Resources": {
+  "KmsKey46693ADD": {
+   "Type": "AWS::KMS::Key",
+   "Properties": {
+    "KeyPolicy": {
+     "Statement": [
+      {
+       "Action": "kms:*",
+       "Effect": "Allow",
+       "Principal": {
+        "AWS": {
+         "Fn::Join": [
+          "",
+          [
+           "arn:",
+           {
+            "Ref": "AWS::Partition"
+           },
+           ":iam::",
+           {
+            "Ref": "AWS::AccountId"
+           },
+           ":root"
+          ]
+         ]
+        }
+       },
+       "Resource": "*"
+      },
+      {
+       "Action": [
+        "kms:Decrypt",
+        "kms:GenerateDataKey"
+       ],
+       "Condition": {
+        "StringLike": {
+         "kms:EncryptionContext:aws:s3:arn": {
+          "Fn::Join": [
+           "",
+           [
+            "arn:",
+            {
+             "Ref": "AWS::Partition"
+            },
+            ":s3tables:",
+            {
+             "Ref": "AWS::Region"
+            },
+            ":",
+            {
+             "Ref": "AWS::AccountId"
+            },
+            ":bucket/kms-key-s3tables-bucket/*"
+           ]
+          ]
+         }
+        }
+       },
+       "Effect": "Allow",
+       "Principal": {
+        "Service": "maintenance.s3tables.amazonaws.com"
+       },
+       "Resource": "*"
+      }
+     ],
+     "Version": "2012-10-17"
+    }
+   },
+   "UpdateReplacePolicy": "Delete",
+   "DeletionPolicy": "Delete"
+  },
+  "TableBucket0BF18B0D": {
+   "Type": "AWS::S3Tables::TableBucket",
+   "Properties": {
+    "EncryptionConfiguration": {
+     "KMSKeyArn": {
+      "Fn::GetAtt": [
+       "KmsKey46693ADD",
+       "Arn"
+      ]
+     },
+     "SSEAlgorithm": "aws:kms"
+    },
+    "TableBucketName": "kms-key-s3tables-bucket",
+    "UnreferencedFileRemoval": {}
+   },
+   "UpdateReplacePolicy": "Delete",
+   "DeletionPolicy": "Delete"
+  }
+ },
+ "Parameters": {
+  "BootstrapVersion": {
+   "Type": "AWS::SSM::Parameter::Value<String>",
+   "Default": "/cdk-bootstrap/hnb659fds/version",
+   "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]"
+  }
+ },
+ "Rules": {
+  "CheckBootstrapVersion": {
+   "Assertions": [
+    {
+     "Assert": {
+      "Fn::Not": [
+       {
+        "Fn::Contains": [
+         [
+          "1",
+          "2",
+          "3",
+          "4",
+          "5"
+         ],
+         {
+          "Ref": "BootstrapVersion"
+         }
+        ]
+       }
+      ]
+     },
+     "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI."
+    }
+   ]
+  }
+ }
+}