Should be able to add extra key=val pairs to encryption context

[aidansteele]

While the custom authoriser is able to accept/reject a connection to (e.g.) a prod box based on its EC2 tags, it would be nice for this to be logged in CloudTrail. So we should support passing in arbitrary key=val pairs which

• get logged to CloudTrail by means of inclusion in the encryption context
• get passed to the custom authoriser
• don't collide with the existing encryption context (maybe prefix user-submitted keys)
• demonstrate how an admin can mandate the presence of a key=val pair using conditions in the KMS key policy

[aidansteele]

Could be used for e.g. leaving a comment about why you needed SSH access.