CDK: EventBridge Rule with an SqsQueue, KMS_MANAGED encryption target doesn't error

CDK synth should error out and force the developer to configure SQS using a customer master key

For CDK synth to error out

Allows the configuration synth and be pushed. No warning or logs are provided that makes users aware of this behavior except the documentation.

An SQS queue cannot use KMS_MANAGED encryption when using AWS services as an event source.
aws_events_targets calls grantSendMessages on the Queue expecting this to grant all of the required permissions. (https://github.com/aws/aws-cdk/blob/main/packages/aws-cdk-lib/aws-events-targets/lib/sqs.ts#L72)
grantSendMessages only configures grantEncryptDecrypt if the queue has a CMK and a encryptionMasterKey property. (https://github.com/aws/aws-cdk/blob/main/packages/aws-cdk-lib/aws-sqs/lib/queue-base.ts#L228) ((The key policy for a KMS managed key cannot be configured and does not include this permission.))
In the case of a KMS_MANAGED queue, encryptionMasterKey is unset. https://github.com/aws/aws-cdk/blob/main/packages/aws-cdk-lib/aws-sqs/lib/queue.ts#L482[An SQS queue cannot use KMS_MANAGED encryption when using AWS services as an event source.](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-key-management.html#sqs-what-permissions-for-sse)

No response

No response

2.135

No response

v16.17.1

Macos 14.5

Python

No response

No response

aws / aws-cdk