feat(s3-tables): add KMS support for TableBucket L2 construct (#34281)
### Reason for this change
This adds support for encryption settings for TableBucket, including providing KMS keys for server-side encryption.
### Description of changes
L1 reference: [CfnTableBucket#encryptionConfiguration](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3tables.CfnTableBucket.html#encryptionconfiguration)
Backwards compatible changes were made to the TableBucket construct in the following places:
- TableBucketProps now include optional fields `encryption` and `encryptionKey`
- grant methods now provide permissions to the bucket encryptionKey, if applicable
- A new KMS key is created if the user provides KMS encryptionType but no key
- Updated README with rosetta support
#### Usage
```ts
import { Construct } from 'constructs';
import * as iam from 'aws-cdk-lib/aws-iam';
import * as kms from 'aws-cdk-lib/aws-kms';
import { TableBucket, TableBucketEncryption } from '@aws-cdk/aws-s3tables-alpha';

// `scope` is the enclosing construct (typically a Stack)
declare const scope: Construct;

// Provide a user-defined KMS key:
const key = new kms.Key(scope, 'UserKey', {});
const encryptedBucket = new TableBucket(scope, 'EncryptedTableBucket', {
  tableBucketName: 'table-bucket-1',
  encryption: TableBucketEncryption.KMS,
  encryptionKey: key,
});
// This account principal will also receive kms:Decrypt access to the KMS key
encryptedBucket.grantRead(new iam.AccountPrincipal('123456789012'), '*');

// If no key is provided, one will be created automatically
const encryptedBucketAuto = new TableBucket(scope, 'EncryptedTableBucketAuto', {
  tableBucketName: 'table-bucket-2',
  encryption: TableBucketEncryption.KMS,
});

// Use S3-managed server-side encryption (the default)
const encryptedBucketDefault = new TableBucket(scope, 'EncryptedTableBucketDefault', {
  tableBucketName: 'table-bucket-3',
  encryption: TableBucketEncryption.S3_MANAGED,
});
```
### Describe any new or updated permissions being added
These permissions were added for KMS support:
```ts
export const KEY_READ_ACCESS = [
  'kms:Decrypt',
];
export const KEY_WRITE_ACCESS = [
  'kms:Decrypt',
  'kms:GenerateDataKey*',
];
```
When grant methods are used, these policies are applied to the principal for the TableBucket's encryption key. For example, giving read access to an encrypted bucket without giving decrypt permissions to the bucket key will not be sufficient permissions for the principal to read the bucket data.
### Description of how you validated changes
- Added unit test coverage for all possible scenarios of bucket encryption config, as well as all grant methods for each valid encryption config.
- Added integration tests with snapshot and assertions. The assertions are currently disabled due to the aws-sdk version not supporting `GetTableBucketEncryptionCommand` but will be included once resolved.
### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)
----
*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
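The permissions section above says a read grant on a KMS-encrypted TableBucket must also reach the key, and that it should add only `kms:Decrypt`. The check below is an added example, not code from this PR or from the CDK project: it scans a CloudFormation template for `AWS::KMS::Key` policies, collects the actions a given principal is allowed, and classifies the grant as read, write, excess or none against the `KEY_READ_ACCESS` / `KEY_WRITE_ACCESS` lists from the PR. The template, the account ids and the function names are constructed for the example.

```typescript
// Constructed stand-in for a synthesized template: one AWS::KMS::Key whose policy
// carries the owning account's admin statement plus the statement a read grant
// for an external account principal would add (kms:Decrypt only).
const TEMPLATE = {
  Resources: {
    TableBucketKey: {
      Type: 'AWS::KMS::Key',
      Properties: {
        KeyPolicy: {
          Statement: [
            { Effect: 'Allow', Principal: { AWS: 'arn:aws:iam::123456789012:root' }, Action: 'kms:*', Resource: '*' },
            { Effect: 'Allow', Principal: { AWS: 'arn:aws:iam::210987654321:root' }, Action: ['kms:Decrypt'], Resource: '*' },
          ],
        },
      },
    },
  },
};

// Key actions the PR attaches for read and write grants.
const KEY_READ_ACCESS = ['kms:Decrypt'];
const KEY_WRITE_ACCESS = ['kms:Decrypt', 'kms:GenerateDataKey*'];

type Statement = { Effect: string; Principal?: { AWS?: string | string[] }; Action: string | string[] };

function asList(v: string | string[] | undefined): string[] {
  return v === undefined ? [] : Array.isArray(v) ? v : [v];
}

// Collect the KMS actions every AWS::KMS::Key in the template allows to `principalArn`.
function kmsActionsGrantedTo(template: any, principalArn: string): string[] {
  const actions: string[] = [];
  const resources = template.Resources || {};
  for (const name of Object.keys(resources)) {
    const res = resources[name];
    if (res.Type !== 'AWS::KMS::Key') continue;
    const statements: Statement[] = (res.Properties && res.Properties.KeyPolicy && res.Properties.KeyPolicy.Statement) || [];
    for (const st of statements) {
      if (st.Effect !== 'Allow') continue;
      if (asList(st.Principal && st.Principal.AWS).indexOf(principalArn) < 0) continue;
      for (const a of asList(st.Action)) if (actions.indexOf(a) < 0) actions.push(a);
    }
  }
  return actions.sort();
}

// Under-granting (no kms:Decrypt) makes reads fail despite bucket permissions;
// over-granting (GenerateDataKey* or kms:*) lets a "reader" produce ciphertext under the key.
function classifyKeyGrant(actions: string[]): 'none' | 'read' | 'write' | 'excess' {
  const has = (a: string) => actions.indexOf(a) >= 0;
  if (has('kms:*')) return 'excess';
  if (KEY_WRITE_ACCESS.every(has)) return actions.length === KEY_WRITE_ACCESS.length ? 'write' : 'excess';
  if (KEY_READ_ACCESS.every(has)) return actions.length === KEY_READ_ACCESS.length ? 'read' : 'excess';
  return 'none';
}
```

Run it against the output of `cdk synth` to confirm that a principal given `grantRead` ends up with exactly the read-side key actions.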
encryption: TableBucketEncryption.S3_MANAGED, // Uses AES-256 encryption by default
96
+
});
97
+
```
98
+
99
+
When using KMS encryption (`TableBucketEncryption.KMS`), if no encryption key is provided, CDK will automatically create a new KMS key for the table bucket with necessary permissions.
100
+
101
+
```ts
102
+
// If no key is provided, one will be created automatically
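Review bot: the README sentence in this hunk, "CDK will automatically create a new KMS key for the table bucket with necessary permissions", does not say which permissions or who receives them; since the PR description lists them, spell them out here (kms:Decrypt for read grants, kms:Decrypt and kms:GenerateDataKey* for write grants, applied to the key for the granted principal) and state the removal policy the auto-created key gets, because an implicitly created key is the one users most often neither retain deliberately nor notice at stack deletion.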