docs(dynamodb): add note around table encryption

packages/@aws-cdk/aws-dynamodb/lib/table.ts

@@ -117,6 +117,12 @@ export enum TableEncryption {
   /**
    * Server-side KMS encryption with a customer master key managed by customer.
    * If `encryptionKey` is specified, this key will be used, otherwise, one will be defined.
+   *
+   * > **NOTE**: if `encryptionKey` is not specified and the `Table` construct creates
+   * > a KMS key for you, the key will be created with default permissions. If you are using
+   * > CDKv2, these permissions will be sufficient to enable the key for use with DynamoDB tables.
+   * > If you are using CDKv1, make sure the feature flag `@aws-cdk/aws-kms:defaultKeyPolicies`
+   * > is set to `true` in your `cdk.json`.
    */
   CUSTOMER_MANAGED = 'CUSTOMER_MANAGED',
 
@@ -198,6 +204,13 @@ export interface TableOptions extends SchemaOptions {
    *
    * This property cannot be set if `serverSideEncryption` is set.
    *
+   * > **NOTE**: if you set this to `CUSTOMER_MANAGED` and `encryptionKey` is not
+   * > specified, the key that the Tablet generates for you will be created with
+   * > default permissions. If you are using CDKv2, these permissions will be
+   * > sufficient to enable the key for use with DynamoDB tables.  If you are
+   * > using CDKv1, make sure the feature flag
+   * > `@aws-cdk/aws-kms:defaultKeyPolicies` is set to `true` in your `cdk.json`.
+   *
    * @default - server-side encryption is enabled with an AWS owned customer master key
    */
   readonly encryption?: TableEncryption;