revert: "feat(s3tables): server-side encryption by customer managed KMS key" (#34460)

Reverts #34229

Author: godwingrs22

packages/@aws-cdk/aws-s3tables-alpha/README.md

@@ -41,22 +41,6 @@ const sampleTableBucket = new TableBucket(scope, 'ExampleTableBucket', {
 
 Learn more about table buckets maintenance operations and default behavior from the [S3 Tables User Guide](https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-table-buckets-maintenance.html)
 
-### Server-side Encryption
-
-By default, S3 Tables buckets are encrypted using Amazon S3-managed keys (SSE-S3). You can also use AWS Key Management Service (AWS KMS) keys to encrypt your data.
-To do this, you can specify the `kmsKey` property when creating the bucket:
-
-```ts
-declare const kmsKey: kms.IKey;
-
-new TableBucket(this, 'TableBucket', {
-  tableBucketName: 'kms-key-s3tables-bucket',
-  kmsKey,
-});
-```
-
-**Note**: AWS CDK automatically add a resource policy to the KMS key to allow the S3 Tables service to use it for automatic table maintenance. Detail information can be found in the [security for S3 tables](https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-tables-kms-permissions.html) documentation.
-
 ### Controlling Table Bucket Permissions
 
 ```ts

packages/@aws-cdk/aws-s3tables-alpha/lib/table-bucket.ts

@@ -5,8 +5,7 @@ import { TableBucketPolicy } from './table-bucket-policy';
 import * as perms from './permissions';
 import { validateTableBucketAttributes } from './util';
 import * as iam from 'aws-cdk-lib/aws-iam';
-import * as kms from 'aws-cdk-lib/aws-kms';
-import { Resource, IResource, UnscopedValidationError, RemovalPolicy, Token, Stack } from 'aws-cdk-lib/core';
+import { Resource, IResource, UnscopedValidationError, RemovalPolicy, Token } from 'aws-cdk-lib/core';
 import { addConstructMetadata } from 'aws-cdk-lib/core/lib/metadata-resource';
 
 /**
@@ -259,13 +258,6 @@ export interface TableBucketProps {
    * @default RETAIN
    */
   readonly removalPolicy?: RemovalPolicy;
-
-  /**
-   * The KMS key to use for server-side encryption.
-   *
-   * @default - Server-side encryption with Amazon S3-managed keys (SSE-S3)
-   */
-  readonly kmsKey?: kms.IKey;
 }
 
 /**
@@ -506,34 +498,8 @@ export class TableBucket extends TableBucketBase {
         noncurrentDays: props.unreferencedFileRemoval?.noncurrentDays,
         unreferencedDays: props.unreferencedFileRemoval?.unreferencedDays,
       },
-      encryptionConfiguration: props?.kmsKey
-        ? {
-          sseAlgorithm: 'aws:kms',
-          kmsKeyArn: props.kmsKey.keyArn,
-        }
-        : undefined,
     });
 
-    // add resource policy to the encryption key
-    // see https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-tables-kms-permissions.html#tables-kms-maintenance-permissions
-    props?.kmsKey?.addToResourcePolicy(
-      new iam.PolicyStatement({
-        actions: ['kms:Decrypt', 'kms:GenerateDataKey'],
-        resources: ['*'],
-        effect: iam.Effect.ALLOW,
-        principals: [new iam.ServicePrincipal('maintenance.s3tables.amazonaws.com')],
-        conditions: {
-          StringLike: {
-            'kms:EncryptionContext:aws:s3:arn': `${Stack.of(this).formatArn({
-              service: 's3tables',
-              resource: 'bucket',
-              resourceName: props.tableBucketName,
-            })}/*`,
-          },
-        },
-      }),
-    );
-
     this.tableBucketName = this.getResourceNameAttribute(this._resource.ref);
     this.tableBucketArn = this._resource.attrTableBucketArn;
     this._resource.applyRemovalPolicy(props.removalPolicy);

packages/@aws-cdk/aws-s3tables-alpha/rosetta/default.ts-fixture

@@ -2,7 +2,6 @@ import { Construct } from 'constructs';
 import { Stack } from 'aws-cdk-lib';
 import { TableBucket, UnreferencedFileRemovalStatus } from '@aws-cdk/aws-s3tables-alpha';
 import * as iam from 'aws-cdk-lib/aws-iam';
-import * as kms from 'aws-cdk-lib/aws-kms';
 
 class Fixture extends Stack {
   constructor(scope: Construct, id: string) {