fix(sns): for SSE topics, add KMS permissions in grantPublish (aws#32794

)

### Issue # (if applicable)

Fixes aws#18387, aws#31012, aws#24848

Pre-requisite for aws#16271, aws#29511

### Reason for this change

For SNS topics with SSE enabled, the grants added by `grantPublish` are insufficient, since they don't include any KMS actions.

The SNS docs discuss what's required to publish to an encrypted topic [here](https://docs.aws.amazon.com/sns/latest/dg/sns-key-management.html#sns-what-permissions-for-sse) (`sns:Publish`, `kms:Decrypt`, `kms:GenerateKeyData*`).

### Description of changes

I used the SQS queue implementation as a reference, since it's configured similarly, etc.

* Have `Topic#grantPublish` grant `kms:Decrypt` + `kms:GenerateKeyData*`
  * This is least-privilege, but slightly inconsistent with SQS queues, which [need these same actions](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-key-management.html) and use `grantEncryptDecrypt` (but I have no preference -- just let me know what's best)
* Exposes `masterKey` as a property of `ITopic` so callers can access it after creation
  * Enables [this](aws#16271 (comment)), for example, and in general makes it consistent with SQS queues

### Describe any new or updated permissions being added

(Discussed above)

### Description of how you validated changes

* Unit/integration tests
  * `yarn integ test/aws-sns/test/integ.sns.js --update-on-failed`

### Checklist
- [X] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

packages/@aws-cdk-testing/framework-integ/test/aws-sns/test/fixtures/publish-encrypted-topic/index.py

@@ -0,0 +1,8 @@
+import os
+import boto3
+
+client = boto3.client('sns')
+
+def lambda_handler(event, context):
+    client.publish(TopicArn=os.environ['TOPIC_ARN'], Message='hello world')
+    return 'published successfully'

packages/@aws-cdk-testing/framework-integ/test/aws-sns/test/integ.sns.js.snapshot/SNSInteg.template.json

@@ -132,12 +132,6 @@
    "Type": "AWS::SNS::Topic",
    "Properties": {
     "DisplayName": "fooDisplayName2",
-    "KmsMasterKeyId": {
-     "Fn::GetAtt": [
-      "CustomKey1E6D0D07",
-      "Arn"
-     ]
-    },
     "TopicName": "fooTopic2"
    }
   },
@@ -166,8 +160,26 @@
       {
        "Action": "sns:Publish",
        "Effect": "Allow",
+       "Resource": [
+        {
+         "Ref": "MyTopic288CE2107"
+        },
+        {
+         "Ref": "MyTopic3134CFDFB"
+        }
+       ]
+      },
+      {
+       "Action": [
+        "kms:Decrypt",
+        "kms:GenerateDataKey*"
+       ],
+       "Effect": "Allow",
        "Resource": {
-        "Ref": "MyTopic288CE2107"
+        "Fn::GetAtt": [
+         "CustomKey1E6D0D07",
+         "Arn"
+        ]
        }
       }
      ],
@@ -180,6 +192,127 @@
      }
     ]
    }
+  },
+  "MyTopic3134CFDFB": {
+   "Type": "AWS::SNS::Topic",
+   "Properties": {
+    "DisplayName": "fooDisplayName3",
+    "KmsMasterKeyId": {
+     "Fn::GetAtt": [
+      "CustomKey1E6D0D07",
+      "Arn"
+     ]
+    },
+    "TopicName": "fooTopic3"
+   }
+  },
+  "PublishEncryptedTopicServiceRole267CEDDE": {
+   "Type": "AWS::IAM::Role",
+   "Properties": {
+    "AssumeRolePolicyDocument": {
+     "Statement": [
+      {
+       "Action": "sts:AssumeRole",
+       "Effect": "Allow",
+       "Principal": {
+        "Service": "lambda.amazonaws.com"
+       }
+      }
+     ],
+     "Version": "2012-10-17"
+    },
+    "ManagedPolicyArns": [
+     {
+      "Fn::Join": [
+       "",
+       [
+        "arn:",
+        {
+         "Ref": "AWS::Partition"
+        },
+        ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
+       ]
+      ]
+     }
+    ]
+   }
+  },
+  "PublishEncryptedTopicServiceRoleDefaultPolicy85E257A5": {
+   "Type": "AWS::IAM::Policy",
+   "Properties": {
+    "PolicyDocument": {
+     "Statement": [
+      {
+       "Action": "sns:Publish",
+       "Effect": "Allow",
+       "Resource": {
+        "Ref": "MyTopic3134CFDFB"
+       }
+      },
+      {
+       "Action": [
+        "kms:Decrypt",
+        "kms:GenerateDataKey*"
+       ],
+       "Effect": "Allow",
+       "Resource": {
+        "Fn::GetAtt": [
+         "CustomKey1E6D0D07",
+         "Arn"
+        ]
+       }
+      }
+     ],
+     "Version": "2012-10-17"
+    },
+    "PolicyName": "PublishEncryptedTopicServiceRoleDefaultPolicy85E257A5",
+    "Roles": [
+     {
+      "Ref": "PublishEncryptedTopicServiceRole267CEDDE"
+     }
+    ]
+   }
+  },
+  "PublishEncryptedTopic5F9F9437": {
+   "Type": "AWS::Lambda::Function",
+   "Properties": {
+    "Code": {
+     "S3Bucket": {
+      "Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}"
+     },
+     "S3Key": "801b9d403e9ac842f362e817998346ed7c0bfe96c7b4d405a20de49a2abeef90.zip"
+    },
+    "Environment": {
+     "Variables": {
+      "TOPIC_ARN": {
+       "Ref": "MyTopic3134CFDFB"
+      }
+     }
+    },
+    "FunctionName": "publish-encrypted-topic",
+    "Handler": "index.lambda_handler",
+    "Role": {
+     "Fn::GetAtt": [
+      "PublishEncryptedTopicServiceRole267CEDDE",
+      "Arn"
+     ]
+    },
+    "Runtime": "python3.12"
+   },
+   "DependsOn": [
+    "PublishEncryptedTopicServiceRoleDefaultPolicy85E257A5",
+    "PublishEncryptedTopicServiceRole267CEDDE"
+   ]
+  }
+ },
+ "Outputs": {
+  "ExportsOutputRefPublishEncryptedTopic5F9F9437B383DB14": {
+   "Value": {
+    "Ref": "PublishEncryptedTopic5F9F9437"
+   },
+   "Export": {
+    "Name": "SNSInteg:ExportsOutputRefPublishEncryptedTopic5F9F9437B383DB14"
+   }
   }
  },
  "Parameters": {