fix(s3): bucket deletion fails if object creation races against cleanup (#26875)

Adds a DENY policy for S3:PutObject on buckets to be auto-deleted to prevent a race condition on emptying with external bucket writers.

As a new contributor, the requirements for integration testing were unclear to me. I have tested the policy on my own buckets and included unit tests, but am willing to work toward code compliance with assistance.

Closes #26874.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Author: miles-po

packages/@aws-cdk-testing/framework-integ/test/aws-cloudtrail/test/integ.cloudtrail-insight.js.snapshot/asset.2ec8ad9e91dcd6e7ad6a5c84ffc6c9c05c408aca3b26ceb2816d81043e6c4dc3/index.js

@@ -25,7 +25,8 @@
        "Action": [
         "s3:DeleteObject*",
         "s3:GetBucket*",
-        "s3:List*"
+        "s3:List*",
+        "s3:PutBucketPolicy"
        ],
        "Effect": "Allow",
        "Principal": {
@@ -155,7 +156,7 @@
      "S3Bucket": {
       "Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}"
      },
-     "S3Key": "3e6ea85c994cf2198f02e67a9e98e8f23456efa8bd72dd55b3a86454c4db9d5f.zip"
+     "S3Key": "2ec8ad9e91dcd6e7ad6a5c84ffc6c9c05c408aca3b26ceb2816d81043e6c4dc3.zip"
     },
     "Timeout": 900,
     "MemorySize": 128,
@@ -187,10 +188,6 @@
   "Trail022F0CF2": {
    "Type": "AWS::CloudTrail::Trail",
    "Properties": {
-    "IsLogging": true,
-    "S3BucketName": {
-     "Ref": "S3486F821D"
-    },
     "EnableLogFileValidation": true,
     "EventSelectors": [],
     "IncludeGlobalServiceEvents": true,
@@ -202,7 +199,11 @@
       "InsightType": "ApiErrorRateInsight"
      }
     ],
-    "IsMultiRegionTrail": true
+    "IsLogging": true,
+    "IsMultiRegionTrail": true,
+    "S3BucketName": {
+     "Ref": "S3486F821D"
+    }
    },
    "DependsOn": [
     "S3Policy2E4AA1D6"