You can use a Lambda function to update the security group’s rules dynamically whenever AWS publishes new internal service IP ranges for CloudFront.
IAM
Deploying the AWS IAM Authenticator using kops
Managing authentication protocols is a huge task, requiring admins to maintain a list of acceptable users, validate permissions on an ongoing basis for each user, prune users that don't need access, and even periodically recycle token- and certificate-based access.
Use AWS SSO to Deny permissions for IAM and SSO itself
You do not need to create SSO in a different AWS account to restrict or deny permissions to users for different services, especially IAM and SSO itself.
How to connect Visual Studio to AWS using AWS_SESSION_TOKEN of AWS SSO user
The user portal offers users a single place to access all their assigned AWS accounts and applications. To access an AWS account or application, the user logs in to the user portal.