
Commit 06678a3

fix(scheduler-alpha): too many KMS permissions granted (#31923)
### Issue # (if applicable)

Tracking #31785.

### Reason for this change

When a customer uses a KMS Customer Managed Key (CMK) with the `Schedule` construct, the following permissions are added to the scheduler execution role:

```
'kms:Decrypt',
'kms:Encrypt',
'kms:ReEncrypt*',
'kms:GenerateDataKey*'
```

However, upon testing, having only the `kms:Decrypt` permission is enough for the Schedule to invoke the target (a Lambda Function was used as the target in the test).

### Description of changes

This PR removes the unneeded KMS permissions and updates the integ test to verify that the schedule is still able to invoke the target.

### Description of how you validated changes

Unit test and integ test.

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

----

BREAKING CHANGE: Extra KMS permissions are removed from the Schedule execution role when a KMS key is passed to Schedule.
1 parent a9d3b02 commit 06678a3

File tree

10 files changed

+31923
-565
lines changed

packages/@aws-cdk/aws-scheduler-alpha/lib/schedule.ts

Lines changed: 1 addition & 1 deletion
@@ -279,7 +279,7 @@ export class Schedule extends Resource implements ISchedule {
279279

280280
this.key = props.key;
281281
if (this.key) {
282-
this.key.grantEncryptDecrypt(targetConfig.role);
282+
this.key.grantDecrypt(targetConfig.role);
283283
}
284284

285285
this.retryPolicy = targetConfig.retryPolicy;
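Review bot: The narrowing from `this.key.grantEncryptDecrypt(targetConfig.role)` to `this.key.grantDecrypt(targetConfig.role)` was validated, per the commit message, only with a Lambda function as the target; before shipping this as a breaking change, confirm the Decrypt-only grant against the other targets the construct supports, or state in the `key` prop documentation that the execution role receives only `kms:Decrypt` so users whose targets need more can grant it themselves. The unit test that accompanies this change should also assert that the role policy no longer contains `kms:Encrypt`, `kms:ReEncrypt*` or `kms:GenerateDataKey*`, not just that `kms:Decrypt` is present, so a future regression back to the wider grant is caught.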

0 commit comments
