You can use a Lambda function to update the security group's rules dynamically whenever AWS publishes new IP ranges for CloudFront. AWS announces every change to the published ip-ranges.json on its AmazonIpSpaceChanged SNS topic, so the function can be triggered from that notification rather than polling.
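As an added example (not code from the original page or from AWS), here is a Python sketch of that Lambda: it reads the AmazonIpSpaceChanged notification, downloads ip-ranges.json, verifies the MD5 the notification carries, and computes which rules to add to and remove from one security group. The SECURITY_GROUP_ID environment variable, the rule quota constant and the sample data at the bottom are assumptions made for the example.

```python
"""Sync a security group's HTTPS ingress with the CloudFront prefixes in ip-ranges.json.

Added example, not code from the page. Assumes the Lambda is subscribed to the
AmazonIpSpaceChanged SNS topic and reads the target group id from the hypothetical
SECURITY_GROUP_ID environment variable.
"""
import hashlib
import ipaddress
import json
import os
import urllib.request

PORT = 443
# Default EC2 quota for inbound rules per security group (assumed here; it can be
# raised). CloudFront publishes more prefixes than this, so real deployments
# split the ranges over several groups.
MAX_RULES = 60


def cloudfront_cidrs(ip_ranges, service="CLOUDFRONT"):
    """IPv4 prefixes tagged with `service` in a parsed ip-ranges.json document.

    "CLOUDFRONT" is every edge prefix; "CLOUDFRONT_ORIGIN_FACING" is the narrower
    set that connects to origins and is the better fit for an origin's group.
    """
    cidrs = set()
    for entry in ip_ranges.get("prefixes", []):
        if entry.get("service") == service:
            # ip_network() with strict=True rejects malformed prefixes instead of guessing.
            cidrs.add(str(ipaddress.ip_network(entry["ip_prefix"])))
    return cidrs


def current_cidrs(security_group, port=PORT):
    """IPv4 CIDRs already allowed on tcp/port, from a describe_security_groups entry."""
    cidrs = set()
    for perm in security_group.get("IpPermissions", []):
        if (perm.get("IpProtocol") == "tcp"
                and perm.get("FromPort") == port and perm.get("ToPort") == port):
            cidrs.update(r["CidrIp"] for r in perm.get("IpRanges", []))
    return cidrs


def plan_changes(current, desired, max_rules=MAX_RULES):
    """Return (cidrs_to_add, cidrs_to_remove); refuse a plan the group cannot hold."""
    if len(desired) > max_rules:
        raise ValueError(f"{len(desired)} rules needed but the group quota is {max_rules}")
    return sorted(desired - current), sorted(current - desired)


def fetch_ranges(url, expected_md5):
    """Download ip-ranges.json and check it against the MD5 carried in the SNS message."""
    body = urllib.request.urlopen(url, timeout=10).read()
    if hashlib.md5(body).hexdigest() != expected_md5:
        raise ValueError("ip-ranges.json MD5 mismatch; not applying")
    return json.loads(body)


def ip_permissions(cidrs, port=PORT):
    """Shape a CIDR list the way authorize/revoke_security_group_ingress expect it."""
    return [{"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
             "IpRanges": [{"CidrIp": c} for c in cidrs]}]


def lambda_handler(event, context):
    import boto3  # imported here so the pure functions above run without the SDK
    message = json.loads(event["Records"][0]["Sns"]["Message"])
    desired = cloudfront_cidrs(fetch_ranges(message["url"], message["md5"]))
    group_id = os.environ["SECURITY_GROUP_ID"]
    ec2 = boto3.client("ec2")
    group = ec2.describe_security_groups(GroupIds=[group_id])["SecurityGroups"][0]
    to_add, to_remove = plan_changes(current_cidrs(group), desired)
    if to_add:  # authorize before revoking so the group never drops to zero rules mid-update
        ec2.authorize_security_group_ingress(GroupId=group_id, IpPermissions=ip_permissions(to_add))
    if to_remove:
        ec2.revoke_security_group_ingress(GroupId=group_id, IpPermissions=ip_permissions(to_remove))
    return {"added": len(to_add), "removed": len(to_remove)}


# Constructed sample data for an offline dry run (not a real download or real group).
SAMPLE_RANGES = {"syncToken": "0", "prefixes": [
    {"ip_prefix": "13.32.0.0/15", "region": "GLOBAL", "service": "CLOUDFRONT"},
    {"ip_prefix": "13.32.0.0/15", "region": "GLOBAL", "service": "AMAZON"},
    {"ip_prefix": "52.46.0.0/18", "region": "GLOBAL", "service": "CLOUDFRONT"},
    {"ip_prefix": "3.5.140.0/22", "region": "ap-northeast-2", "service": "S3"},
]}
SAMPLE_GROUP = {"GroupId": "sg-0123456789abcdef0", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "52.46.0.0/18"}, {"CidrIp": "198.51.100.0/24"}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},
]}

if __name__ == "__main__":
    add, remove = plan_changes(current_cidrs(SAMPLE_GROUP), cloudfront_cidrs(SAMPLE_RANGES))
    print("add:", add, "remove:", remove)
```

Two checks matter in practice and are easy to forget: the MD5 comparison, so a truncated or tampered download never lands in the group, and the rule-count check, since the full CloudFront list does not fit in a single default-sized security group.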
Managing authentication is a huge task: admins must maintain a list of acceptable users, validate each user's permissions on an ongoing basis, prune users that no longer need access, and periodically rotate token- and certificate-based credentials.
You do not need to set up AWS SSO in a separate AWS account in order to restrict or deny users' permissions to particular services, including IAM and AWS SSO itself; an explicit Deny in the permission sets assigned to those users is enough.
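To show what that restriction looks like in practice, here is an added example (not code from the page or from AWS) that builds an explicit-Deny inline policy for a permission set, walks through why it wins over an attached AdministratorAccess-style Allow, and attaches and re-provisions it with the sso-admin API. The instance and permission set ARNs are assumptions, and the is_allowed helper is a deliberately minimal model of IAM evaluation that ignores resources and conditions.

```python
"""Lock IAM and AWS SSO out of a permission set without a second account.

Added example, not code from the page. The ARNs passed to apply_to_permission_set
are assumptions; is_allowed models only the action-level Deny/Allow ordering.
"""
import fnmatch
import json

# Service prefixes from the Service Authorization Reference: IAM, the AWS SSO admin
# API, the SSO directory, and the identity store behind it.
IDENTITY_SERVICES = ("iam", "sso", "sso-directory", "identitystore")

# Equivalent to the AWS managed policy AdministratorAccess, used here as the Allow
# that the permission set also carries.
ADMINISTRATOR_ACCESS = {"Version": "2012-10-17",
                        "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}


def build_deny_policy(denied_services=IDENTITY_SERVICES):
    """Explicit Deny on whole service namespaces; an explicit Deny beats any Allow."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyIdentityAdministration",
            "Effect": "Deny",
            "Action": [f"{svc}:*" for svc in denied_services],
            "Resource": "*",
        }],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    # IAM matches action names case-insensitively, with * and ? as wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def is_allowed(action, allow_policies, deny_policy):
    """Minimal evaluation: a matching explicit Deny wins; otherwise some Allow must match."""
    for stmt in deny_policy["Statement"]:
        if stmt["Effect"] == "Deny" and any(
                _action_matches(p, action) for p in _as_list(stmt["Action"])):
            return False
    for policy in allow_policies:
        for stmt in policy["Statement"]:
            if stmt["Effect"] == "Allow" and any(
                    _action_matches(p, action) for p in _as_list(stmt["Action"])):
                return True
    return False  # implicit deny


def apply_to_permission_set(instance_arn, permission_set_arn, policy):
    """Attach the policy inline and push it out to every account the set is assigned to."""
    import boto3  # imported here so the pure functions above run without the SDK
    sso = boto3.client("sso-admin")
    sso.put_inline_policy_to_permission_set(
        InstanceArn=instance_arn, PermissionSetArn=permission_set_arn,
        InlinePolicy=json.dumps(policy))
    # A changed permission set does not reach already-assigned accounts until it is
    # re-provisioned; without this call the old permissions keep applying.
    return sso.provision_permission_set(
        InstanceArn=instance_arn, PermissionSetArn=permission_set_arn,
        TargetType="ALL_PROVISIONED_ACCOUNTS")


if __name__ == "__main__":
    deny = build_deny_policy()
    for action in ("iam:CreateUser", "sso:CreatePermissionSet", "s3:GetObject"):
        print(action, "allowed" if is_allowed(action, [ADMINISTRATOR_ACCESS], deny) else "denied")
```

The same Deny could be expressed as a service control policy on the organization instead; the permission set version is the one that needs no organization-level change and no second account.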
The user portal gives users a single place to reach all of their assigned AWS accounts and applications: a user signs in to the portal and chooses the account or application from there.