feat: add encryption at rest for Control Tower compliance

[omercnet]

┌─────────────────────────────────────────────────────┐
│  🔐  ENCRYPTION AT REST  🔐                         │
│                                                     │
│  Control Tower Compliance for AWS Resources         │
└─────────────────────────────────────────────────────┘

Summary

Fixes #61

Adds encryption at rest configuration to AWS resources for Control Tower compliance.

Changes

Resource	File	Encryption
IssueDetectionQueue	infra/issues.ts	SQS managed SSE
BillingQueue	infra/billing.ts	SQS managed SSE
IssueStream	infra/issues.ts	KMS (alias/aws/kinesis)
Storage	infra/storage.ts	AES256
PublicStorage_*	infra/storage.ts	AES256
SubscriberLogGroup	infra/issues.ts (CFN)	Optional KMS parameter

Control Tower Controls Addressed

• ✅ CT.SQS.PR.2 - SQS queues encrypted at rest
• ✅ CT.KINESIS.PR.1 - Kinesis streams encrypted at rest
• ✅ CT.S3.PR.1 - S3 buckets with server-side encryption
• ✅ CT.CLOUDWATCH.PR.2 - CloudWatch log groups (optional KMS)

CloudFormation Template

The customer-deployed CloudFormation template now includes an optional logGroupKmsKeyArn parameter. Customers can provide their own KMS key ARN if they require log group encryption for compliance. If left empty, encryption is not applied (maintains backwards compatibility).

Parameters:
  logGroupKmsKeyArn:
    Type: String
    Default: ""
    Description: Optional KMS key ARN for encrypting CloudWatch logs at rest.

Testing

• TypeScript compiles without errors
• Manual deployment test (requires AWS account)