feat(kms): implement .grant methods for Alias.fromAliasName (under feature flag) (#34237)

This uses the kms:ResourceAliases condition to add statements allowing the methods to the principal of the grant. 

### Issue #

Closes #22697

### Reason for this change

When using KMS keys cross stacks, it's sometimes difficult to pass KMS key IDs as they are only generated after deployment, however KMS key aliases could be passed instead and most services accept them. Some constructs that accept a KMS Alias, use .grant methods to add permissions to the role that interacts with the KMS key. Before this PR, the .grant methods of  Alias.fromAliasName were not implemented. 

### Description of changes

This PR implements .grant methods for aliases imported via kms.Alias.fromAliasName so when passed to another a L2 construct that uses .grant methods, the required permissions are added to the role. The added statements will contain a kms:ResourceAliases condition that only allows access to the particular KMS key alias name.



Couple of examples where this is useful:

- Codepipeline construct accepts a S3 bucket for storing artifacts. If this S3 bucket was imported with the KMS key alias being imported as well via kms.Alias.fromAliasName, then this change results in the necessary permission being automatically added to the Codepipeline roles.
- When .grant methods of imported SNS topics or SQS queues with imported KMS key alias for publishers are used, the necessary permission are added to the publisher roles.

### Describe any new or updated permissions being added

.grant methods of Alias.fromAliasName now results in new statements with kms:ResourceAliases condition for that alias.

### Description of how you validated changes




Added unit tests and integration tests: 
- `packages/@aws-cdk-testing/framework-integ/test/aws-kms/test/integ.alias-from-alias-name.ts`
- `packages/aws-cdk-lib/aws-kms/test/alias.test.ts`

Deployed my personal project which used Pipelines constructs with imported bucket and kms key from alias and now my pipeline role has correct permissions. 


### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Author: faridnsh

packages/@aws-cdk-testing/framework-integ/test/aws-kms/test/integ.alias-from-alias-name.js.snapshot/aws-cdk-kms.assets.json

@@ -0,0 +1,109 @@
+{
+ "Resources": {
+  "Role1ABCC5F0": {
+   "Type": "AWS::IAM::Role",
+   "Properties": {
+    "AssumeRolePolicyDocument": {
+     "Statement": [
+      {
+       "Action": "sts:AssumeRole",
+       "Effect": "Allow",
+       "Principal": {
+        "Service": "lambda.amazonaws.com"
+       }
+      }
+     ],
+     "Version": "2012-10-17"
+    }
+   }
+  },
+  "RoleDefaultPolicy5FFB7DAB": {
+   "Type": "AWS::IAM::Policy",
+   "Properties": {
+    "PolicyDocument": {
+     "Statement": [
+      {
+       "Action": [
+        "kms:Decrypt",
+        "kms:Encrypt",
+        "kms:GenerateDataKey*",
+        "kms:GenerateMac",
+        "kms:ReEncrypt*",
+        "kms:Sign",
+        "kms:Verify",
+        "kms:VerifyMac"
+       ],
+       "Condition": {
+        "ForAnyValue:StringEquals": {
+         "kms:ResourceAliases": "alias/MyKey"
+        }
+       },
+       "Effect": "Allow",
+       "Resource": {
+        "Fn::Join": [
+         "",
+         [
+          "arn:",
+          {
+           "Ref": "AWS::Partition"
+          },
+          ":kms:",
+          {
+           "Ref": "AWS::Region"
+          },
+          ":",
+          {
+           "Ref": "AWS::AccountId"
+          },
+          ":key/*"
+         ]
+        ]
+       }
+      }
+     ],
+     "Version": "2012-10-17"
+    },
+    "PolicyName": "RoleDefaultPolicy5FFB7DAB",
+    "Roles": [
+     {
+      "Ref": "Role1ABCC5F0"
+     }
+    ]
+   }
+  }
+ },
+ "Parameters": {
+  "BootstrapVersion": {
+   "Type": "AWS::SSM::Parameter::Value<String>",
+   "Default": "/cdk-bootstrap/hnb659fds/version",
+   "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]"
+  }
+ },
+ "Rules": {
+  "CheckBootstrapVersion": {
+   "Assertions": [
+    {
+     "Assert": {
+      "Fn::Not": [
+       {
+        "Fn::Contains": [
+         [
+          "1",
+          "2",
+          "3",
+          "4",
+          "5"
+         ],
+         {
+          "Ref": "BootstrapVersion"
+         }
+        ]
+       }
+      ]
+     },
+     "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI."
+    }
+   ]
+  }
+ }
+}