[keyring] add example that replicates the behavior of a KMS master key provider

[mattsb42-aws]

The KMS master key provider behaves rather differently than any KMS keyring configuration: it accepts key IDs on configuration and will encrypt with only those key IDs but will attempt to decrypt any KMS-encrypted data keys. This is equivalent to a multi-keyring composed of a KMS keyring with key IDs and a KMS discovery keyring.

We should add an example that demonstrates how to replicate the KMS master key provider behavior for customers who want that behavior.