fix(s3): key rotation is not enabled while creating KMS encrypted S3 …

…buckets (#32064)

### Issue # (if applicable)

Closes #31982 

### Reason for this change

KMS keys should be rotated by default, for security reasons

### Description of changes

KMS keys created by s3.Bucket are now rotated

### Description of how you validated changes

Updated existing unit tests and integ tests

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-encryption.js.snapshot/aws-cdk-s3-bucket-encryption.template.json

@@ -13,8 +13,8 @@
      ]
     }
    },
-   "UpdateReplacePolicy": "Retain",
-   "DeletionPolicy": "Retain"
+   "UpdateReplacePolicy": "Delete",
+   "DeletionPolicy": "Delete"
   },
   "MySSES3Bucket6973690D": {
    "Type": "AWS::S3::Bucket",
@@ -30,8 +30,67 @@
      ]
     }
    },
-   "UpdateReplacePolicy": "Retain",
-   "DeletionPolicy": "Retain"
+   "UpdateReplacePolicy": "Delete",
+   "DeletionPolicy": "Delete"
+  },
+  "MyKMSBucketKey9CACDA9E": {
+   "Type": "AWS::KMS::Key",
+   "Properties": {
+    "Description": "Created by aws-cdk-s3-bucket-encryption/MyKMSBucket",
+    "EnableKeyRotation": true,
+    "KeyPolicy": {
+     "Statement": [
+      {
+       "Action": "kms:*",
+       "Effect": "Allow",
+       "Principal": {
+        "AWS": {
+         "Fn::Join": [
+          "",
+          [
+           "arn:",
+           {
+            "Ref": "AWS::Partition"
+           },
+           ":iam::",
+           {
+            "Ref": "AWS::AccountId"
+           },
+           ":root"
+          ]
+         ]
+        }
+       },
+       "Resource": "*"
+      }
+     ],
+     "Version": "2012-10-17"
+    }
+   },
+   "UpdateReplacePolicy": "Delete",
+   "DeletionPolicy": "Delete"
+  },
+  "MyKMSBucketDF8715AC": {
+   "Type": "AWS::S3::Bucket",
+   "Properties": {
+    "BucketEncryption": {
+     "ServerSideEncryptionConfiguration": [
+      {
+       "ServerSideEncryptionByDefault": {
+        "KMSMasterKeyID": {
+         "Fn::GetAtt": [
+          "MyKMSBucketKey9CACDA9E",
+          "Arn"
+         ]
+        },
+        "SSEAlgorithm": "aws:kms"
+       }
+      }
+     ]
+    }
+   },
+   "UpdateReplacePolicy": "Delete",
+   "DeletionPolicy": "Delete"
   }
  },
  "Parameters": {

packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-encryption.ts

@@ -8,13 +8,22 @@ const stack = new cdk.Stack(app, 'aws-cdk-s3-bucket-encryption');
 
 new s3.Bucket(stack, 'MyDSSEBucket', {
   encryption: s3.BucketEncryption.DSSE_MANAGED,
+  removalPolicy: cdk.RemovalPolicy.DESTROY,
 });
 
 new s3.Bucket(stack, 'MySSES3Bucket', {
   encryption: s3.BucketEncryption.S3_MANAGED,
   bucketKeyEnabled: true,
+  removalPolicy: cdk.RemovalPolicy.DESTROY,
 });
 
+const kmsBucket = new s3.Bucket(stack, 'MyKMSBucket', {
+  encryption: s3.BucketEncryption.KMS,
+  removalPolicy: cdk.RemovalPolicy.DESTROY,
+});
+
+kmsBucket.encryptionKey?.applyRemovalPolicy(cdk.RemovalPolicy.DESTROY);
+
 new integ.IntegTest(app, 'IntegTestDSSEBucket', {
   testCases: [stack],
 });

packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-server-access-logs-sse-kms.js.snapshot/aws-cdk-s3-server-access-logs-sse-kms.template.json

@@ -4,6 +4,7 @@
    "Type": "AWS::KMS::Key",
    "Properties": {
     "Description": "Created by aws-cdk-s3-server-access-logs-sse-kms/ServerAccessLogsBucket",
+    "EnableKeyRotation": true,
     "KeyPolicy": {
      "Statement": [
       {
@@ -46,8 +47,8 @@
      "Version": "2012-10-17"
     }
    },
-   "UpdateReplacePolicy": "Retain",
-   "DeletionPolicy": "Retain"
+   "UpdateReplacePolicy": "Delete",
+   "DeletionPolicy": "Delete"
   },
   "ServerAccessLogsBucket05F29982": {
    "Type": "AWS::S3::Bucket",