AWS Single Sign-On (SSO) is a cloud SSO service that makes it easy to centrally manage SSO access to multiple AWS accounts and business applications. You can easily manage SSO access and user permissions to all of your accounts in AWS Organisations centrally.
While managing access through AWS SSO you have to restrict or Deny permissions to users for different services especially IAM and SSO itself. You do not need to create SSO in different AWS account. Access to all the AWS account can be managed using single AWS account.
Follow the steps-
1. Login to AWS management console and Enable SSO and go to SSO service
2. Go to AWS accounts –> permission sets –> click Create permission set, you can create custom permission set or use existing job functions.
3. I have created existing job functions with Full Admin access
4. Select the Permission set to Deny permissions for IAM and SSO. Click on Edit permissions
5. Paste the example custom permission set below which will be used to explicitly deny access to AWS SSO and IAM but allows administrator access to other services.
This way the users will not be able to access IAM and SSO services. You can use permissions policy to control access to different services in different AWS accounts.