chore(kms): support ML-DSA keys for keySpec (#35991)

### Issue # (if applicable)

Closes #35990

### Reason for this change

To support ML-DSA keys for KeySpec.

### Description of changes

- Add ML-DSA keys validation rule

### Description of how you validated changes

Added both unit tests.

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Author: aki-kii

packages/aws-cdk-lib/aws-kms/lib/key.ts

@@ -819,6 +819,9 @@ export class Key extends KeyBase {
         KeySpec.HMAC_256,
         KeySpec.HMAC_384,
         KeySpec.HMAC_512,
+        KeySpec.ML_DSA_44,
+        KeySpec.ML_DSA_65,
+        KeySpec.ML_DSA_87,
       ],
       [KeyUsage.SIGN_VERIFY]: [
         KeySpec.SYMMETRIC_DEFAULT,
@@ -837,6 +840,9 @@ export class Key extends KeyBase {
         KeySpec.ECC_SECG_P256K1,
         KeySpec.SYMMETRIC_DEFAULT,
         KeySpec.SM2,
+        KeySpec.ML_DSA_44,
+        KeySpec.ML_DSA_65,
+        KeySpec.ML_DSA_87,
       ],
       [KeyUsage.KEY_AGREEMENT]: [
         KeySpec.SYMMETRIC_DEFAULT,
@@ -848,6 +854,9 @@ export class Key extends KeyBase {
         KeySpec.HMAC_256,
         KeySpec.HMAC_384,
         KeySpec.HMAC_512,
+        KeySpec.ML_DSA_44,
+        KeySpec.ML_DSA_65,
+        KeySpec.ML_DSA_87,
       ],
     };
     const keySpec = props.keySpec ?? KeySpec.SYMMETRIC_DEFAULT;

packages/aws-cdk-lib/aws-kms/test/key.test.ts

@@ -1415,6 +1415,38 @@ describe('SM2', () => {
   });
 });
 
+describe('ML-DSA', () => {
+  let stack: cdk.Stack;
+
+  beforeEach(() => {
+    stack = new cdk.Stack();
+  });
+
+  test.each([
+    [KeySpec.ML_DSA_44, 'ML_DSA_44'],
+    [KeySpec.ML_DSA_65, 'ML_DSA_65'],
+    [KeySpec.ML_DSA_87, 'ML_DSA_87'],
+  ])('%s is not valid for default usage', (keySpec: KeySpec) => {
+    expect(() => new kms.Key(stack, 'Key1', { keySpec }))
+      .toThrow(`key spec \'${keySpec}\' is not valid with usage \'ENCRYPT_DECRYPT\'`);
+  });
+
+  test.each([
+    [KeySpec.ML_DSA_44, 'ML_DSA_44'],
+    [KeySpec.ML_DSA_65, 'ML_DSA_65'],
+    [KeySpec.ML_DSA_87, 'ML_DSA_87'],
+  ])('%s can be used for KMS key creation', (keySpec: KeySpec, expected: string) => {
+    new kms.Key(stack, 'Key', {
+      keySpec,
+      keyUsage: KeyUsage.SIGN_VERIFY,
+    });
+    Template.fromStack(stack).hasResourceProperties('AWS::KMS::Key', {
+      KeySpec: expected,
+      KeyUsage: 'SIGN_VERIFY',
+    });
+  });
+});
+
 function generateInvalidKeySpecKeyUsageCombinations() {
   // Copied from Key class
   const denyLists = {