feat(sources): update documentation

[aws-cdk-automation]

⚠️ This Pull Request updates daily and will overwrite all manual changes pushed to the branch

Updates the documentation source from upstream. See details in workflow run.

---

Automatically created by projen via the "update-source-documentation" workflow

[github-actions]

To work on this Pull Request, please create a new branch and PR. This prevents your work from being deleted by the automation.

Run the following commands inside the repo:

gh co 1309
git switch -c fix-pr-1309 && git push -u origin HEAD
gh pr create -t "fix: PR #1309" --body "Fixes https://github.com/cdklabs/awscdk-service-spec/pull/1309"

[github-actions]

@aws-cdk/aws-service-spec: Model database diff detected

├[~] service aws-iotwireless
│ └ resources
│    └[~] resource AWS::IoTWireless::WirelessDevice
│      └ types
│         └[~] type OtaaV10x
│           └  - documentation: undefined
│              + documentation: OTAA device object for v1.0.x
├[~] service aws-lambda
│ └ resources
│    ├[~] resource AWS::Lambda::CodeSigningConfig
│    │ └ properties
│    │    └ Tags: (documentation changed)
│    ├[~] resource AWS::Lambda::EventSourceMapping
│    │ └ properties
│    │    └ Tags: (documentation changed)
│    └[~] resource AWS::Lambda::Function
│      └ properties
│         └ Tags: (documentation changed)
├[~] service aws-pipes
│ └ resources
│    └[~] resource AWS::Pipes::Pipe
│      └ types
│         └[~] type PipeTargetTimestreamParameters
│           └ properties
│              └ TimestampFormat: (documentation changed)
└[~] service aws-s3
  └ resources
     └[~] resource AWS::S3::Bucket
       └ types
          ├[~] type ServerSideEncryptionByDefault
          │ ├  - documentation: Describes the default server-side encryption to apply to new objects in the bucket. If a PUT Object request doesn't specify any server-side encryption, this default encryption will be applied. If you don't specify a customer managed key at configuration, Amazon S3 automatically creates an AWS KMS key in your AWS account the first time that you add an object encrypted with SSE-KMS to a bucket. By default, Amazon S3 uses this KMS key for SSE-KMS. For more information, see [PUT Bucket encryption](https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketPUTencryption.html) in the *Amazon S3 API Reference* .
          │ │  > If you're specifying a customer managed KMS key, we recommend using a fully qualified KMS key ARN. If you use a KMS key alias instead, then AWS KMS resolves the key within the requester’s account. This behavior can result in data that's encrypted with a KMS key that belongs to the requester, and not the bucket owner.
          │ │  + documentation: Describes the default server-side encryption to apply to new objects in the bucket. If a PUT Object request doesn't specify any server-side encryption, this default encryption will be applied. For more information, see [PutBucketEncryption](https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketPUTencryption.html) .
          │ │  > - *General purpose buckets* - If you don't specify a customer managed key at configuration, Amazon S3 automatically creates an AWS KMS key ( `aws/s3` ) in your AWS account the first time that you add an object encrypted with SSE-KMS to a bucket. By default, Amazon S3 uses this KMS key for SSE-KMS.
          │ │  > - *Directory buckets* - Your SSE-KMS configuration can only support 1 [customer managed key](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk) per directory bucket for the lifetime of the bucket. [AWS managed key](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk) ( `aws/s3` ) isn't supported.
          │ │  > - *Directory buckets* - For directory buckets, there are only two supported options for server-side encryption: SSE-S3 and SSE-KMS.
          │ └ properties
          │    ├ KMSMasterKeyID: (documentation changed)
          │    └ SSEAlgorithm: (documentation changed)
          └[~] type ServerSideEncryptionRule
            └  - documentation: Specifies the default server-side encryption configuration.
               > If you're specifying a customer managed KMS key, we recommend using a fully qualified KMS key ARN. If you use a KMS key alias instead, then AWS KMS resolves the key within the requester’s account. This behavior can result in data that's encrypted with a KMS key that belongs to the requester, and not the bucket owner.
               + documentation: Specifies the default server-side encryption configuration.
               > - *General purpose buckets* - If you're specifying a customer managed KMS key, we recommend using a fully qualified KMS key ARN. If you use a KMS key alias instead, then AWS KMS resolves the key within the requester’s account. This behavior can result in data that's encrypted with a KMS key that belongs to the requester, and not the bucket owner.
               > - *Directory buckets* - When you specify an [AWS KMS customer managed key](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk) for encryption in your directory bucket, only use the key ID or key ARN. The key alias format of the KMS key isn't supported.