feat(s3): allow specifying a custom IAM Role for bucket replication (aws#33978)

### Issue # (if applicable)

Closes aws#33974

### Reason for this change

Currently, the `aws-s3` module automatically creates and manages the IAM Role used for S3 replication. This limits integration flexibility, especially in environments where IAM Roles are provisioned externally or reused across stacks/accounts. 

This change addresses that limitation by allowing users to provide a custom IAM Role for replication.


### Description of changes

- Introduced an optional `replicationRole?: iam.IRole` property in `BucketProps`.
- When `replicationRole` is provided, the CDK uses it instead of creating a new role.
- Required permissions are **NOT** automatically attached to the provided role. It is the user's responsibility to attach the necessary IAM policies.
- Added validation to ensure that if `replicationRole` is specified, `replicationRules` must also be defined and non-empty, since both are required by CloudFormation when configuring replication.


### Describe any new or updated permissions being added

No new IAM actions are introduced. When a custom role is provided, CDK does not attach any permissions automatically. Users are expected to grant the appropriate replication-related permissions manually.

### Description of how you validated changes

Added unit and integ tests.

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Author: hassaku63