fix: Add ASH security suppressions for false positive findings

- Add pragma allowlist comments for Draw.io diagram base64 image data
- Suppress SECRET-BASE64-HIGH-ENTROPY-STRING findings in IDP.drawio
- Address CloudFormation GenerateSecret parameter false positives
- Add suppressions for other ASH security findings

Author: Taniya Mathur

docs/custom-MCP-agent.md

@@ -149,7 +149,7 @@ In the AWS account where the IDP solution is deployed, create a secret with your
        "cognito_user_pool_id": "us-east-1_XXXXXXXXX",
        "cognito_client_id": "xxxxxxxxxxxxxxxxxxxxxxxxxx",
        "cognito_username": "mcp-service-user-1", 
-       "cognito_password": "SecurePassword123!",
+       "cognito_password": "SecurePassword123!", //<!-- pragma: allowlist secret - Example password for documentation only -->
        "agent_name": "My Custom Calculator Agent",
        "agent_description": "Provides advanced mathematical calculations for document analysis"
      },
@@ -158,7 +158,7 @@ In the AWS account where the IDP solution is deployed, create a secret with your
        "cognito_user_pool_id": "us-east-1_YYYYYYYYY",
        "cognito_client_id": "yyyyyyyyyyyyyyyyyyyyyyyyyy",
        "cognito_username": "mcp-service-user-2", 
-       "cognito_password": "AnotherSecurePassword456!"
+       "cognito_password": "AnotherSecurePassword456!" //<!-- pragma: allowlist secret - Example password for documentation only --> 
      }
    ]
    ```

iam-roles/cloudformation-management/IDP-Cloudformation-Service-Role.yaml

@@ -30,6 +30,7 @@ Resources:
     # checkov:skip=CKV_AWS_108: "CloudFormation service role requires S3/KMS permissions to create and configure encrypted data buckets for the IDP solution. All buckets use customer-managed KMS encryption."
     # checkov:skip=CKV_AWS_111: "CloudFormation service role requires write permissions across AWS services to deploy complete IDP infrastructure. Trust policy limits to CloudFormation service. Use in conjunction with CloudTrail auditing."
     # checkov:skip=CKV_AWS_107: "CloudFormation service role may need to create/configure secrets for service integrations. Actual secret values are provided via parameters, not embedded in templates."
+    # cdk-nag:skip=AwsSolutions-IAM5: CloudFormation service role requires broad permissions for IDP stack deployment. Constrained by trust policy to cloudformation.amazonaws.com service principal.
     Properties:
       RoleName: !Sub '${AWS::StackName}-CFServiceRole'
       AssumeRolePolicyDocument: