Conversation

newlinedeveloper
restrictSqsDescryption flag incompatibility with shared KMS key Issue


Issue # (if applicable)

Closes #35418.

Reason for this change

The restrictSqsDescryption feature flag causes a circular dependency when the same customer-managed KMS key is used for both an SNS topic and an SQS queue. This results in deployment failures due to the KMS key policy referencing the SNS topic ARN, while the SNS topic depends on the KMS key for encryption.

Description of changes

  • Added documentation warnings to FEATURE_FLAGS.md and aws-sns-subscriptions/README.md about the incompatibility of the restrictSqsDescryption flag with shared KMS keys.
  • Added runtime validation in SqsSubscription to throw a clear error if the flag is enabled and the same KMS key is used for both SNS and SQS.
  • Provided recommended patterns and code examples for users to avoid this issue.

Alternatives considered:

  • Removing the SourceArn condition would reduce security and was rejected.

Design decisions:

  • Documentation and validation were chosen to prevent user confusion and deployment errors.

Describe any new or updated permissions being added

No new or updated IAM permissions are required.

Description of how you validated changes

  • Added and manually tested validation logic.
  • Verified documentation updates.
  • Ensured existing unit tests pass.

Checklist


By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license
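The cycle the PR description refers to, worked as an added example (TypeScript written for this page; not code from the PR, from aws-cdk-lib, or from the linked issue): a hand-built model of the CloudFormation resources behind an SNS-to-SQS subscription with customer-managed KMS keys, a dependency-cycle check over their Ref/Fn::GetAtt references, and a validation function modeled on the check the PR describes adding to SqsSubscription. Logical IDs, the key-policy statements, the account ID and every function name are assumptions for illustration and are not what CDK actually synthesizes.

```typescript
// Added example, not code from the PR or from aws-cdk-lib: a hand-built model of the
// CloudFormation resources behind an SNS -> SQS subscription with customer-managed KMS
// keys, a Ref/GetAtt dependency-cycle check, and a validation modeled on the PR's check.
// Logical IDs, policy statement shapes, the account ID and all names are assumptions.

type Json = string | number | boolean | null | Json[] | { [key: string]: Json };
interface Resource { Type: string; Properties: { [key: string]: Json } }
type Template = { [logicalId: string]: Resource };
interface Options {
  sharedKey: boolean;             // one key for topic and queue, or one key each
  restrictSqsDecryption: boolean; // state of the restrictSqsDescryption feature flag
}

// Collect the logical IDs a property value references through Ref or Fn::GetAtt;
// CloudFormation turns exactly these references into implicit dependency edges.
function findReferences(value: Json, out: string[] = []): string[] {
  if (Array.isArray(value)) {
    for (const item of value) findReferences(item, out);
  } else if (value !== null && typeof value === "object") {
    const obj = value;
    const ref = obj["Ref"];
    const getAtt = obj["Fn::GetAtt"];
    const attTarget = Array.isArray(getAtt) ? getAtt[0] : undefined;
    if (typeof ref === "string") {
      if (out.indexOf(ref) < 0) out.push(ref);
    } else if (typeof attTarget === "string") {
      if (out.indexOf(attTarget) < 0) out.push(attTarget);
    } else {
      for (const key of Object.keys(obj)) findReferences(obj[key], out);
    }
  }
  return out;
}

// Minimal template. With the flag on, the queue's key gets a statement letting SNS use
// the key, scoped by aws:SourceArn to this topic. That condition is a Ref to the topic,
// so the key now depends on the topic; the topic already depends on its key.
function buildTemplate(opts: Options): Template {
  const admin: Json = { Effect: "Allow", Principal: { AWS: "arn:aws:iam::123456789012:root" },
                        Action: "kms:*", Resource: "*" }; // constructed account ID
  const snsUseKey: Json = { Effect: "Allow", Principal: { Service: "sns.amazonaws.com" },
                            Action: ["kms:Decrypt", "kms:GenerateDataKey*"], Resource: "*",
                            Condition: { ArnEquals: { "aws:SourceArn": { Ref: "Topic" } } } };
  const kmsKey = (statements: Json[]): Resource =>
    ({ Type: "AWS::KMS::Key", Properties: { KeyPolicy: { Version: "2012-10-17", Statement: statements } } });

  const topicKeyId = opts.sharedKey ? "SharedKey" : "TopicKey";
  const queueKeyId = opts.sharedKey ? "SharedKey" : "QueueKey";
  const queueKeyStatements = opts.restrictSqsDecryption ? [admin, snsUseKey] : [admin];
  const template: Template = { [queueKeyId]: kmsKey(queueKeyStatements) };
  if (!opts.sharedKey) template[topicKeyId] = kmsKey([admin]);
  template["Topic"] = { Type: "AWS::SNS::Topic", Properties: { KmsMasterKeyId: { Ref: topicKeyId } } };
  template["Queue"] = { Type: "AWS::SQS::Queue", Properties: { KmsMasterKeyId: { Ref: queueKeyId } } };
  template["Subscription"] = { Type: "AWS::SNS::Subscription", Properties: {
    Protocol: "sqs", TopicArn: { Ref: "Topic" }, Endpoint: { "Fn::GetAtt": ["Queue", "Arn"] } } };
  return template;
}

// Depth-first search over Ref/GetAtt edges. Returns the cycle as a path whose first
// logical ID is repeated at the end, or null when the template is acyclic.
function findCycle(template: Template): string[] | null {
  const state: { [id: string]: "visiting" | "done" } = {};
  const path: string[] = [];
  const visit = (id: string): string[] | null => {
    state[id] = "visiting";
    path.push(id);
    for (const dep of findReferences(template[id].Properties)) {
      if (!(dep in template)) continue; // pseudo parameter, external ARN, etc.
      if (state[dep] === "visiting") return path.slice(path.indexOf(dep)).concat(dep);
      const cycle = state[dep] === "done" ? null : visit(dep);
      if (cycle) return cycle;
    }
    path.pop();
    state[id] = "done";
    return null;
  };
  for (const id of Object.keys(template)) {
    const cycle = state[id] === "done" ? null : visit(id);
    if (cycle) return cycle;
  }
  return null;
}

// Modeled on the check the PR describes adding to SqsSubscription: fail at synth time
// with a readable message instead of letting CloudFormation reject the whole stack.
function validateSqsSubscription(restrictSqsDecryption: boolean, topicKeyId?: string, queueKeyId?: string): void {
  if (restrictSqsDecryption && topicKeyId !== undefined && topicKeyId === queueKeyId) {
    throw new Error(`restrictSqsDescryption is enabled and the topic and queue share KMS key '${topicKeyId}'. ` +
      "The key policy would reference the topic ARN while the topic is encrypted with the key. " +
      "Use a separate key for the queue or keep the flag disabled.");
  }
}

console.log(findCycle(buildTemplate({ sharedKey: true, restrictSqsDecryption: true })));  // [ 'SharedKey', 'Topic', 'SharedKey' ]
console.log(findCycle(buildTemplate({ sharedKey: false, restrictSqsDecryption: true }))); // null
```

With one shared key and the flag on, the key policy's aws:SourceArn condition is a Ref to the topic while the topic's KmsMasterKeyId is a Ref to the key, and the search reports SharedKey → Topic → SharedKey. Giving the queue its own key removes the edge from the topic's key back to the topic, which is why the PR rejects the shared-key configuration at synth time rather than dropping the SourceArn condition.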

@aws-cdk-automation aws-cdk-automation requested a review from a team September 8, 2025 09:13
@github-actions github-actions bot added beginning-contributor [Pilot] contributed between 0-2 PRs to the CDK p2 labels Sep 8, 2025
Collaborator

@aws-cdk-automation aws-cdk-automation left a comment

The pull request linter fails with the following errors:

❌ Fixes must contain a change to an integration test file and the resulting snapshot.

If you believe this pull request should receive an exemption, please comment and provide a justification. A comment requesting an exemption should contain the text Exemption Request. Additionally, if clarification is needed, add Clarification Request to a comment.

@newlinedeveloper
Author

Hi @pahud. Please review this PR and let me know if I have to make any changes. Thanks.

@aws-cdk-automation
Collaborator

This PR has been in the CHANGES REQUESTED state for 3 weeks, and looks abandoned. Note that PRs with failing linting checks or builds are not reviewed; please ensure your build is passing.

To prevent automatic closure:

  • Resume work on the PR
  • OR request an exemption by adding a comment containing 'Exemption Request' with justification, e.g. "Exemption Request: "
  • OR request clarification by adding a comment containing 'Clarification Request' with a question, e.g. "Clarification Request: "

This PR will automatically close in 14 days if no action is taken.

@aws-cdk-automation
Collaborator

This PR has been deemed to be abandoned, and will be automatically closed. Please create a new PR for these changes if you think this decision has been made in error.

@aws-cdk-automation aws-cdk-automation added the closed-for-staleness This issue was automatically closed because it hadn't received any attention in a while. label Oct 15, 2025
Contributor

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Oct 15, 2025

Development

Successfully merging this pull request may close these issues.

(core): restrictSqsDescryption flag can cause circular dependency