Commit 1e87861

fix(s3-notifications): add a key policy to trust S3 for notifications to an SNS topic encrypted with a KMS key (under feature flag) (#33858)
### Issue # (if applicable)

Closes #16271.

### Reason for this change

To create S3 subscriptions for a CMK-encrypted SNS topic, we have to configure the key policy to trust S3:
https://docs.aws.amazon.com/AmazonS3/latest/userguide/grant-destinations-permissions-to-s3.html#key-policy-sns-sqs

AWS CDK doesn't automatically configure the CMK resource policy to receive S3 messages for CMK-encrypted SNS subscriptions. Therefore, we have to configure it ourselves.

### Description of changes

- Add feature flag `S3_TRUST_KEY_POLICY_FOR_SNS_SUBSCRIPTIONS`
- Add key policy for encrypted subscription

```ts
import * as iam from 'aws-cdk-lib/aws-iam';

// Allow the S3 service principal to use the topic's CMK so that S3 can
// publish event notifications to the encrypted topic.
const statement = new iam.PolicyStatement({
  principals: [new iam.ServicePrincipal('s3.amazonaws.com')],
  actions: ['kms:GenerateDataKey', 'kms:Decrypt'],
  resources: ['*'],
});
// allowNoOp = true: if the key is imported and has no policy we can edit,
// this becomes a no-op instead of throwing.
const addResult = this.topic.masterKey.addToResourcePolicy(statement, true);
```

### Describe any new or updated permissions being added

- Add S3 trust policy to KMS key policy

### Description of how you validated changes

Add both unit and integ tests

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
1 parent 2594f3c commit 1e87861
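The commit message above explains why a KMS-encrypted SNS topic silently drops S3 notifications unless the key policy trusts `s3.amazonaws.com` for `kms:GenerateDataKey` and `kms:Decrypt`. The following is an added example, not code from the aws-cdk repository: a small checker over a rendered key policy document (the JSON form CDK synthesizes) that reports which of those grants are missing, and a helper that appends the same statement the commit adds. The account id in the constructed sample policy is a placeholder; wildcard matching of IAM actions and the treatment of conditioned statements as non-qualifying are the example's own assumptions.

```typescript
// Added example (not part of the aws-cdk commit): does a KMS key policy already
// let the S3 service principal use the key that encrypts an SNS topic?

type Principal = string | { Service?: string | string[]; AWS?: string | string[] };

interface Statement {
  Sid?: string;
  Effect: 'Allow' | 'Deny';
  Principal?: Principal;
  Action: string | string[];
  Resource?: string | string[];
  Condition?: Record<string, unknown>;
}

interface PolicyDocument {
  Version: string;
  Statement: Statement[];
}

// Actions S3 needs on the topic's CMK, per the AWS doc linked in the commit message.
const REQUIRED_S3_ACTIONS = ['kms:GenerateDataKey', 'kms:Decrypt'];
const S3_SERVICE_PRINCIPAL = 's3.amazonaws.com';

const toArray = <T>(v: T | T[] | undefined): T[] =>
  v === undefined ? [] : Array.isArray(v) ? v : [v];

function escapeRegExp(s: string): string {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// IAM action names are case-insensitive and may carry `*` wildcards (e.g. `kms:*`).
function actionMatches(pattern: string, action: string): boolean {
  const re = new RegExp('^' + pattern.split('*').map(escapeRegExp).join('.*') + '$', 'i');
  return re.test(action);
}

// Service principals named by a statement. A bare "*" principal is reported as "*"
// (it does grant access, but is far broader than the statement the commit adds).
function servicePrincipals(p: Principal | undefined): string[] {
  if (p === undefined) return [];
  if (typeof p === 'string') return p === '*' ? ['*'] : [];
  return toArray(p.Service);
}

// Returns the subset of REQUIRED_S3_ACTIONS that no unconditioned Allow statement
// grants to the S3 service principal. Conditioned statements are skipped
// (assumption: conservative, since their keys are not evaluated here).
function missingS3Grants(doc: PolicyDocument): string[] {
  const granted = new Set<string>();
  for (const st of doc.Statement) {
    if (st.Effect !== 'Allow' || st.Condition !== undefined) continue;
    const svcs = servicePrincipals(st.Principal);
    if (!svcs.includes(S3_SERVICE_PRINCIPAL) && !svcs.includes('*')) continue;
    for (const action of REQUIRED_S3_ACTIONS) {
      if (toArray(st.Action).some(a => actionMatches(a, action))) granted.add(action);
    }
  }
  return REQUIRED_S3_ACTIONS.filter(a => !granted.has(a));
}

// The statement the commit adds, in the JSON form CDK renders into the key policy.
const S3_TRUST_STATEMENT: Statement = {
  Effect: 'Allow',
  Principal: { Service: S3_SERVICE_PRINCIPAL },
  Action: ['kms:GenerateDataKey', 'kms:Decrypt'],
  Resource: '*',
};

// Returns the same document when the grants are present, otherwise a copy with
// the S3 trust statement appended.
function withS3Trust(doc: PolicyDocument): PolicyDocument {
  if (missingS3Grants(doc).length === 0) return doc;
  return { ...doc, Statement: [...doc.Statement, S3_TRUST_STATEMENT] };
}

// Constructed sample: a default-style key policy that only trusts the account root.
const SAMPLE_DEFAULT_KEY_POLICY: PolicyDocument = {
  Version: '2012-10-17',
  Statement: [{
    Sid: 'Enable IAM User Permissions',
    Effect: 'Allow',
    Principal: { AWS: 'arn:aws:iam::111111111111:root' }, // placeholder account id
    Action: 'kms:*',
    Resource: '*',
  }],
};

console.log('missing:', missingS3Grants(SAMPLE_DEFAULT_KEY_POLICY));
console.log('after fix:', missingS3Grants(withS3Trust(SAMPLE_DEFAULT_KEY_POLICY)));
```

Run it against `aws kms get-key-policy --policy-name default` output for the topic's key to confirm the synthesized template actually carries the grant; the check is deliberately narrow and says nothing about whether other principals in the policy are broader than they should be.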

17 files changed

+32640
-7
lines changed
packages/@aws-cdk-testing/framework-integ/test/aws-s3-notifications/test/sns/integ.encrypted-sns-bucket-notifications.js.snapshot/SnsBucketNotificationsSseIntegDefaultTestDeployAssertDBC1BF57.assets.json

Lines changed: 33 additions & 0 deletions

0 commit comments
