Add option to enforce kms key_id upon decrypting with AwsKmsCryptographicMaterialsProvider #171

Closed
wants to merge 1 commit into from


nappelson commented Jul 12, 2021

Issue #, if available: #14

Description of changes: Add parameter that allows users to enforce the usage of kms key_id upon decryption. By default, AWS KMS uses the metadata attached to ciphertext encrypted with symmetric keys to determine which CMK to use for decryption. This leads to the interesting behavior where a user constructs an AwsKmsCryptographicMaterialsProvider with a CMK that was not used to encrypt the original data and they are still able to decrypt the data.

By adding this parameter, we can support users that would like to ensure they are decrypting with the intended key.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

Check any applicable:

  • Were any files moved? Moving files changes their URL, which breaks all hyperlinks to the files.

lavaleri (Contributor) commented Jul 15, 2021

Hi @nappelson,

Thank you for your pull request. We are aware of the gap in this API, and we have plans to improve it in a future API update. We cannot accept this PR due to our own plans to fix this, and because we need to maintain API parity between the Python and Java versions of the DynamoDB Encryption Client. For updates on this, please keep an eye on #176.
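
Added example, not code from this PR or from the DynamoDB Encryption Client: the behaviour described in the PR and one way to pin the key at the KMS API level, using the `KeyId` argument that the KMS Decrypt call accepts. `FakeKms`, `IncorrectKeyError`, the helper names and the ARNs are constructed so the block runs offline; against real KMS, `kms` would be a boto3 KMS client.

```python
# Added illustration. FakeKms is a constructed stand-in for a boto3 KMS client;
# real KMS ciphertext is opaque, this toy format only models its key metadata.
class IncorrectKeyError(Exception):
    """Stand-in for the IncorrectKeyException that KMS raises on a key mismatch."""


class FakeKms:
    def encrypt(self, KeyId, Plaintext):
        # Model the key metadata that symmetric KMS ciphertext carries.
        return {"CiphertextBlob": KeyId.encode() + b"|" + Plaintext[::-1], "KeyId": KeyId}

    def decrypt(self, CiphertextBlob, KeyId=None):
        embedded, _, body = CiphertextBlob.partition(b"|")
        used = embedded.decode()
        if KeyId is not None and KeyId != used:
            raise IncorrectKeyError(f"ciphertext was not produced by {KeyId}")
        return {"Plaintext": body[::-1], "KeyId": used}


def decrypt_unpinned(kms, blob):
    """The behaviour described in the PR: the key is chosen from ciphertext metadata."""
    return kms.decrypt(CiphertextBlob=blob)["Plaintext"]


def decrypt_pinned(kms, blob, expected_key_arn):
    """Pass KeyId so the service rejects other keys, then re-check the response.

    The response KeyId is a key ARN, so expected_key_arn must be a full key ARN
    (not an alias or bare key id) for the comparison to be meaningful.
    """
    resp = kms.decrypt(CiphertextBlob=blob, KeyId=expected_key_arn)
    if resp["KeyId"] != expected_key_arn:
        raise IncorrectKeyError(f"decrypted under {resp['KeyId']}")
    return resp["Plaintext"]


def demo():
    # Constructed ARNs; the caller intends key B, but the data was wrapped by key A.
    key_a = "arn:aws:kms:us-east-1:111122223333:key/constructed-key-a"
    key_b = "arn:aws:kms:us-east-1:111122223333:key/constructed-key-b"
    kms = FakeKms()
    blob = kms.encrypt(KeyId=key_a, Plaintext=b"data key")["CiphertextBlob"]
    unpinned = decrypt_unpinned(kms, blob)  # succeeds although key B was intended
    try:
        decrypt_pinned(kms, blob, key_b)
        rejected = False
    except IncorrectKeyError:
        rejected = True
    return unpinned, rejected, decrypt_pinned(kms, blob, key_a)
```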
