docs(pipelines): add CI/CD account bootstrap template example (#12352)
----
This PR adds details about how you can restrict the bootstrapping role permissions, especially if you have a multi-account structure with a dedicated account for CI/CD pipelines.

It makes reference to [a template](https://raw.githubusercontent.com/aws-samples/aws-bootstrap-kit-examples/main/source/1-SDLC-organization/lib/cdk-bootstrap-template.yml) used in another project leveraging the CDK pipelines construct in a multi-account organization.

This template follows the least-privilege principle and restricts permissions as much as possible, so that users can only create the resources needed by the CDK pipelines construct (specific roles, KMS keys, buckets, CodePipelines, etc.).

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
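The mechanism the description relies on, shown as an added illustration that is neither the linked aws-bootstrap-kit-examples template nor part of this PR: a CloudFormation fragment in the shape of a bootstrap template, with one managed policy that is both attached to the CloudFormation execution role and set as that role's permissions boundary. The Deny statements are what stop a deployment from minting a broader role: any role or user the execution role creates must carry the same boundary, the boundary cannot be detached, and the boundary policy itself cannot be rewritten. The resource names, the qualifier default and the Allow list are assumptions; the Allow list in particular is a placeholder to be narrowed to what the pipeline actually deploys.

```yaml
# Added illustration, not the template the commit links to.
# Resource names, the qualifier default and the Allow list are assumptions.
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  Qualifier:
    Type: String
    Default: hnb659fds  # assumed: the CDK default qualifier
Resources:
  CdkPermissionsBoundary:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      # Fixed name so the ARN below can be spelled out without a circular Ref.
      ManagedPolicyName: !Sub cdk-${Qualifier}-permissions-boundary
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          # Placeholder ceiling for what deployments may do; narrow per project.
          - Sid: DeploymentCeiling
            Effect: Allow
            Action:
              - cloudformation:*
              - s3:*
              - kms:*
              - codepipeline:*
              - codebuild:*
              - iam:*
              - logs:*
            Resource: "*"
          # Any principal created (or re-bounded) by this role must carry the same boundary.
          - Sid: DenyPrincipalsWithoutThisBoundary
            Effect: Deny
            Action:
              - iam:CreateRole
              - iam:CreateUser
              - iam:PutRolePermissionsBoundary
              - iam:PutUserPermissionsBoundary
            Resource: "*"
            Condition:
              StringNotEquals:
                iam:PermissionsBoundary: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:policy/cdk-${Qualifier}-permissions-boundary
          # The boundary cannot be removed from existing principals ...
          - Sid: DenyRemovingBoundary
            Effect: Deny
            Action:
              - iam:DeleteRolePermissionsBoundary
              - iam:DeleteUserPermissionsBoundary
            Resource: "*"
          # ... nor edited or deleted.
          - Sid: DenyEditingBoundaryPolicy
            Effect: Deny
            Action:
              - iam:CreatePolicyVersion
              - iam:DeletePolicy
              - iam:DeletePolicyVersion
              - iam:SetDefaultPolicyVersion
            Resource: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:policy/cdk-${Qualifier}-permissions-boundary
  CdkExecutionRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Sub cdk-${Qualifier}-cfn-exec-role-${AWS::AccountId}-${AWS::Region}
      # The boundary caps this role and, via the Deny statements, every role it creates.
      PermissionsBoundary: !Ref CdkPermissionsBoundary
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: cloudformation.amazonaws.com
            Action: sts:AssumeRole
      # Same policy attached as identity policy: effective permissions are the
      # intersection of identity policy and boundary, here simply the boundary.
      ManagedPolicyArns:
        - !Ref CdkPermissionsBoundary
```

A quick check after bootstrapping with such a template is `aws iam get-role --role-name <cfn-exec-role>` and confirming `PermissionsBoundary` is set; a deployment that tries to create a role without the boundary then fails with an explicit AccessDenied rather than silently succeeding with wider rights.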
flochaz committed Feb 25, 2021
1 parent d9ee914 commit 88e933f
Showing 1 changed file with 6 additions and 0 deletions.
6 changes: 6 additions & 0 deletions packages/@aws-cdk/pipelines/README.md
Expand Up @@ -655,6 +655,12 @@ These command lines explained:
> Make sure you trust all the code and dependencies that make up your CDK app.
> Check with the appropriate department within your organization to decide on the
> proper policy to use.
>
> If your policy includes permissions to create on attach permission to a role,
> developers can escalate their privilege with more permissive permission.
> Thus, we recommend implementing [permissions boundary](https://aws.amazon.com/premiumsupport/knowledge-center/iam-permission-boundaries/)
> in the CDK Execution role. To do this, you can bootstrap with the `--template` option with
> [a customized template](https://github.com/aws-samples/aws-bootstrap-kit-examples/blob/ba28a97d289128281bc9483bcba12c1793f2c27a/source/1-SDLC-organization/lib/cdk-bootstrap-template.yml#L395) that contains a permission boundary.
### Migrating from old bootstrap stack

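Review bot: "create on attach permission to a role" in the added paragraph reads as a typo for "create or attach permissions to a role", and "escalate their privilege with more permissive permission" would be clearer as "escalate their privileges by creating or attaching a more permissive policy"; the two spellings "permissions boundary" and "permission boundary" in the same paragraph should also be made consistent. Pinning the template link to a commit and line (`ba28a97…#L395`) is the right call for stability, but the paragraph should say explicitly that the linked file is a sample from a separate repository and that the boundary must be attached to the CloudFormation execution role rather than only to the deploy role, since the execution role is the one that creates resources during deployment.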