What should the Administrator do next to configure the service?
Create IAM roles in each account to be used by AWS SSO, and associate users with these roles using AWS SSO.
Create IAM users in the master account, and use AWS SSO to associate the users with the accounts they will access.
Create permission sets in AWS SSO, and associate the permission sets with Directory Service users or groups.
Create service control policies (SCPs) in Organizations, and associate the SCPs with Directory Service users or groups.
Explanations:
While IAM roles are needed for AWS SSO, the next step is to create permission sets in AWS SSO rather than directly associating IAM roles with users.
IAM users are not needed for AWS SSO. AWS SSO uses Directory Service users or groups to manage access, not IAM users.
The correct next step is to create permission sets in AWS SSO and associate them with Directory Service users or groups to grant access to AWS accounts.
Service control policies (SCPs) are used in AWS Organizations for managing permissions across accounts but are not directly associated with Directory Service users or groups.