Description
Describe the bug
If an encryption key is not provided when creating an S3 bucket with KMS encryption, the S3 Bucket construct creates a KMS key by default, but it does not enable key rotation on that key. This is a security risk for downstream consumers of the bucket.
S3 bucket creation, where the key is created without key rotation enabled:
https://github.com/aws/aws-cdk/blob/main/packages/aws-cdk-lib/aws-s3/lib/bucket.ts#L2160
Similar example in DynamoDB, where key rotation is enabled by default:
https://github.com/aws/aws-cdk/blob/main/packages/aws-cdk-lib/aws-dynamodb/lib/table.ts#L1696
The change should be straightforward, since enableKeyRotation does not require a replacement on update.
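As an added example in Java (the language of this report; this is not code from the aws-cdk project or from the reporter), the workaround until the default changes: create the KMS key explicitly with rotation enabled, pass it as encryptionKey, and assert on the synthesized template so the build fails if a key without EnableKeyRotation ever appears. The stack class name and construct IDs are assumptions.

```java
import software.amazon.awscdk.App;
import software.amazon.awscdk.Stack;
import software.amazon.awscdk.assertions.Template;
import software.amazon.awscdk.services.kms.Key;
import software.amazon.awscdk.services.s3.Bucket;
import software.amazon.awscdk.services.s3.BucketEncryption;
import software.constructs.Construct;

import java.util.Map;

// Hypothetical stack, named here only to illustrate the workaround.
public class RotatedKeyBucketStack extends Stack {
    public RotatedKeyBucketStack(final Construct scope, final String id) {
        super(scope, id);

        // Create the key ourselves so we control the rotation setting,
        // instead of letting the Bucket construct create one without it.
        Key key = Key.Builder.create(this, "BucketKey")
                .enableKeyRotation(true)
                .build();

        // BucketEncryption.KMS uses the customer-managed key passed in;
        // omitting encryptionKey here is what triggers the reported behaviour.
        Bucket.Builder.create(this, "EncryptedBucket")
                .encryption(BucketEncryption.KMS)
                .encryptionKey(key)
                .build();
    }

    // Synth-time guard: fail the build if the stack's KMS key lacks rotation
    // or if an extra, construct-generated key sneaks in.
    public static void main(String[] args) {
        App app = new App();
        RotatedKeyBucketStack stack = new RotatedKeyBucketStack(app, "RotatedKeyBucketStack");

        Template template = Template.fromStack(stack);
        template.resourceCountIs("AWS::KMS::Key", 1);
        template.hasResourceProperties("AWS::KMS::Key", Map.of("EnableKeyRotation", true));
    }
}
```

The same two assertions belong in a unit test, where they act as a regression check for the default described above.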
Regression Issue
- Select this option if this issue appears to be a regression.
Last Known Working CDK Version
No response
Expected Behavior
S3-created KMS keys should have key rotation enabled.
Current Behavior
S3-created KMS keys do not have key rotation enabled.
Reproduction Steps
https://github.com/aws/aws-cdk/blob/main/packages/aws-cdk-lib/aws-s3/lib/bucket.ts#L2160
Possible Solution
Additional Information/Context
No response
CDK CLI Version
Latest
Framework Version
No response
Node.js Version
18
OS
AL2
Language
Java
Language Version
No response
Other information
No response