feat(redshift): audit logging to cloudwatch

[badmintoncryer]

Issue # (if applicable)

Closes #25755.

Reason for this change

Redshift supports for configuring audit logging sent to Cloudwatch or S3.
https://docs.aws.amazon.com/redshift/latest/mgmt/db-auditing.html

Description of changes

• Define ClusterLogging abstract class
• Add S3ClusterLogging and CloudwatchClusterLogging

The existing loggingProperty argument also exists, but I felt the design was insufficient for properly switching between CloudWatch and S3 configurations.
In this PR, I am deprecating the existing argument and adding a new logging argument with an entirely different structure.
Since this is an alpha module, breaking changes should be acceptable. If the reviewer deems it necessary, it is also possible to remove the existing argument entirely.

Describe any new or updated permissions being added

Add S3 bucket resource policy for logging bucket.

const statement = new iam.PolicyStatement({
          actions: [
            's3:GetBucketAcl',
            's3:PutObject',
          ],
          resources: [
            props.logging._bucket.arnForObjects('*'),
            props.logging._bucket.bucketArn,
          ],
          principals: [
            new iam.ServicePrincipal('redshift.amazonaws.com'),
          ],
        });
        const result = props.logging._bucket.addToResourcePolicy(statement);

https://docs.aws.amazon.com/redshift/latest/mgmt/db-auditing.html#db-auditing-bucket-permissions

The resource policy being applied is completely identical to the logic used for the existing loggingProperty configuration.

Description of how you validated changes

Add both unit and integ tests.

Checklist

• My code adheres to the CONTRIBUTING GUIDE and DESIGN GUIDELINES

---

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

[github-actions]

⚠️ Experimental Feature: This security report is currently in experimental phase. Results may include false positives and the rules are being actively refined.
This security report is NOT a review blocker. Please try merge from main to avoid findings unrelated to the PR.

---

	Tests	Passed ✅	Skipped	Failed
Security Guardian Results	48 ran	48 passed

Test	Result
No test annotations available

• View Security Guardian Results

[github-actions]

⚠️ Experimental Feature: This security report is currently in experimental phase. Results may include false positives and the rules are being actively refined.
This security report is NOT a review blocker. Please try merge from main to avoid findings unrelated to the PR.

---

	Tests	Passed ✅	Skipped	Failed
Security Guardian Results with resolved templates	48 ran	48 passed

Test	Result
No test annotations available

• View Security Guardian Results with resolved templates

[badmintoncryer]

Configuring S3 bucket audit logging and logExports settings simultaneously causes a deployment error. Therefore, I've added logExports prop to only CloudWatchLoggingOptions.

This AWS::Redshift::Cluster resource is in a CREATE_FAILED state.
Resource handler returned message: "Log exports can only be used with CloudWatch export (Service: Redshift, Status Code: 400, Request ID: 58cb6b05-1577-4c42-ac6f-34755d2fbf8e) (SDK Attempt Count: 1)" (RequestToken: 103dc9fa-608c-310c-5376-18e3d12c7bd0, HandlerErrorCode: GeneralServiceException)