My company is trying to implement SSO through IAM Identity Center in our multi-account AWS Organization. For context, we used the AWS Landing Zone accelerator to set up our environment and added several workload accounts to their own OU. Our company also uses Azure AD, and I can edit groups.
For each workload account (there are currently 10 and will be more), we want to have both dev and admin roles per account for users to live in. With this in mind, I thought of 2 options for AD/SSO integration:
OPTION 1: Creating a user group for every role and account, meaning that there would be a dev and admin user group for every workload account. The drawback to this approach is the higher number of user groups to manage, but we could utilize AWS managed policies.
OPTION 2: Using AD attributes (ABAC) to create custom permission sets that define a user as dev/admin, so that there only needs to be 1 user group per workload account, and dev/admin roles are determined through ABAC. The drawback to this approach is the initial setup of custom policies, but it results in fewer AD user groups to manage.
Which option would you go with, or are there other/better alternatives?
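As an added illustration of Option 2 (this is example configuration, not from the original post or the Landing Zone accelerator), here is one shape an inline policy for a single Identity Center permission set could take: everyone assigned to it gets read-only access, write actions are only allowed when the session tag `role` (mapped from an Azure AD attribute through Identity Center's attributes for access control) equals `admin`, and a session that arrives with no `role` tag at all is denied outright. The tag key `role`, the value `admin`, and the service scope (EC2 and S3) are assumptions; a real permission set would scope these to the account's actual workload.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "BaselineReadOnlyForAllGroupMembers",
      "Effect": "Allow",
      "Action": [
        "ec2:Describe*",
        "s3:List*",
        "s3:GetObject",
        "cloudwatch:Get*",
        "logs:Describe*"
      ],
      "Resource": "*"
    },
    {
      "Sid": "WriteOnlyWhenRoleTagIsAdmin",
      "Effect": "Allow",
      "Action": [
        "ec2:*",
        "s3:*"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:PrincipalTag/role": "admin"
        }
      }
    },
    {
      "Sid": "DenyEverythingIfRoleTagIsMissing",
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "Null": {
          "aws:PrincipalTag/role": "true"
        }
      }
    }
  ]
}
```

Because the same permission set is assigned in every workload account, the Azure AD attribute feeding `role` becomes the only thing separating dev from admin, so the ability to edit that attribute should be restricted and audited as carefully as membership of an admin group would be.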