At several points in the AWS KMS keyring spec document, we talk about the CMK "having permissions". This is inaccurate: the CMK is never the actor in authz discussions. Instead, we should reference the AWS principal whose credentials the keyring's AWS KMS client is configured to use. The principal is the actor, and is the one given permissions. The CMK is the subject, and is the thing to which those permissions give access.