fix(aws-dynamodb): use keyId instead of keyArn for TableV2 replica encryption

Fixes CloudFormation drift detection for DynamoDB TableV2 with customer-managed KMS encryption.
Previously, CDK generated templates using KMS key ARN, but DynamoDB internally stores only the
key ID, causing false positive drift detection.

Changes:
- encryption.ts: Use tableKey.keyId instead of tableKey.keyArn in _renderReplicaSseSpecification
- Update test expectation to match corrected CloudFormation output (Ref vs Fn::GetAtt)

Fixes aws#35136

Author: pahud

packages/aws-cdk-lib/aws-dynamodb/lib/encryption.ts

@@ -22,7 +22,7 @@ export abstract class TableEncryptionV2 {
       public _renderReplicaSseSpecification(_scope: Construct, _region: string) {
         return undefined;
       }
-    }) (TableEncryption.DEFAULT);
+    })(TableEncryption.DEFAULT);
   }
 
   /**
@@ -40,7 +40,7 @@ export abstract class TableEncryptionV2 {
       public _renderReplicaSseSpecification(_scope: Construct, _region: string) {
         return undefined;
       }
-    }) (TableEncryption.AWS_MANAGED);
+    })(TableEncryption.AWS_MANAGED);
   }
 
   /**
@@ -70,7 +70,7 @@ export abstract class TableEncryptionV2 {
 
         if (replicaRegion === stackRegion) {
           return {
-            kmsMasterKeyId: tableKey.keyArn,
+            kmsMasterKeyId: tableKey.keyId,
           } satisfies CfnGlobalTable.ReplicaSSESpecificationProperty;
         }
 
@@ -83,13 +83,13 @@ export abstract class TableEncryptionV2 {
           kmsMasterKeyId: replicaKeyArns[replicaRegion],
         } satisfies CfnGlobalTable.ReplicaSSESpecificationProperty;
       }
-    }) (TableEncryption.CUSTOMER_MANAGED, tableKey, replicaKeyArns);
+    })(TableEncryption.CUSTOMER_MANAGED, tableKey, replicaKeyArns);
   }
 
-  private constructor (
+  private constructor(
     public readonly type: TableEncryption,
     public readonly tableKey?: IKey,
-    public readonly replicaKeyArns?: { [region: string]: string }) {}
+    public readonly replicaKeyArns?: { [region: string]: string }) { }
 
   /**
    * @internal

packages/aws-cdk-lib/aws-dynamodb/test/encryption.test.ts

@@ -98,10 +98,20 @@ describe('customer managed keys', () => {
   test('can render replica SSE specification in deployment region', () => {
     // WHEN / THEN
     expect(encryption._renderReplicaSseSpecification(stack, stack.region)).toEqual({
-      kmsMasterKeyId: tableKey.keyArn,
+      kmsMasterKeyId: tableKey.keyId,
     });
   });
 
+  test('replica SSE specification uses key ID format not ARN format', () => {
+    // WHEN
+    const result = encryption._renderReplicaSseSpecification(stack, stack.region);
+
+    // THEN
+    expect(result.kmsMasterKeyId).toBe(tableKey.keyId);
+    expect(result.kmsMasterKeyId).not.toBe(tableKey.keyArn);
+    expect(result.kmsMasterKeyId).not.toContain('arn:aws:kms');
+  });
+
   test('can render replica SSE specification in replica region', () => {
     // WHEN / THEN
     expect(encryption._renderReplicaSseSpecification(stack, 'us-east-1')).toEqual({

packages/aws-cdk-lib/aws-dynamodb/test/table-v2.test.ts

@@ -926,10 +926,7 @@ describe('table', () => {
           Region: 'us-west-2',
           SSESpecification: {
             KMSMasterKeyId: {
-              'Fn::GetAtt': [
-                'Key961B73FD',
-                'Arn',
-              ],
+              'Ref': 'Key961B73FD',
             },
           },
           TableClass: 'STANDARD_INFREQUENT_ACCESS',