feat(s3): add blockedEncryptionTypes field to s3.Bucket (#37047)

### Issue #

Closes #36988.

### Reason for this change

S3 recently added a new `BlockedEncryptionTypes` field to server-side encryption rules ([docs](https://docs.aws.amazon.com/AmazonS3/latest/userguide/blocking-unblocking-s3-c-encryption-gpb.html)). This field allows users to explicitly block or unblock SSE-C encryption on their bucket.

Users should be able to set this field through CDK. This will become especially important when SSE-C starts being blocked by default in April ([blog post](https://aws.amazon.com/blogs/storage/advanced-notice-amazon-s3-to-disable-the-use-of-sse-c-encryption-by-default-for-all-new-buckets-and-select-existing-buckets-in-april-2026/)).

### Description of changes



Added a `blockedEncryptionTypes` field to the L2 `s3.Bucket` construct.
- If `blockedEncryptionTypes` is not set, behavior is same as before. No default `blockedEncryptionTypes` value will be chosen (this is important, we want to let S3 choose what default to apply).
- If `blockedEncryptionTypes` is set and `encryptionType` is `BucketEncryption.UNENCRYPTED`, a server-side encryption configuration will be added with just `blockedEncryptionTypes`
  - **This happens even if `bucketKeyEnabled` is explicitly set**. Please confirm that this is behavior you want. I went with it because `bucketKeyEnabled` is already ignored when `encryptionType` is `BucketEncryption.UNENCRYPTED`.

### Describe any new or updated permissions being added



N/A

### Description of how you validated changes



Ran unit tests, added integ tests.
- Verified that the `MySsecBlockedBucket` bucket has `SSE-C` blocked (and no default server-side encryption type explicitly set)
- Verified that the `MyKmsBucket` bucket has no encryption types blocked

### Checklist
- [X] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Author: ysthakur

packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-encryption.js.snapshot/IntegTestDSSEBucketDefaultTestDeployAssert56801A2F.assets.json

@@ -76,6 +76,11 @@
     "BucketEncryption": {
      "ServerSideEncryptionConfiguration": [
       {
+       "BlockedEncryptionTypes": {
+        "EncryptionType": [
+         "NONE"
+        ]
+       },
        "ServerSideEncryptionByDefault": {
         "KMSMasterKeyID": {
          "Fn::GetAtt": [
@@ -91,6 +96,24 @@
    },
    "UpdateReplacePolicy": "Delete",
    "DeletionPolicy": "Delete"
+  },
+  "MySSECBlockedBucket184125AB": {
+   "Type": "AWS::S3::Bucket",
+   "Properties": {
+    "BucketEncryption": {
+     "ServerSideEncryptionConfiguration": [
+      {
+       "BlockedEncryptionTypes": {
+        "EncryptionType": [
+         "SSE-C"
+        ]
+       }
+      }
+     ]
+    }
+   },
+   "UpdateReplacePolicy": "Delete",
+   "DeletionPolicy": "Delete"
   }
  },
  "Parameters": {
@@ -127,4 +150,4 @@
    ]
   }
  }
-}
+}