Which combination of steps will meet these requirements?
(Choose three.)
Create IAM policies that include the required permissions. Include the aws:PrincipalTag condition key.
Create permission sets. Attach an inline policy that includes the required permissions and uses the aws:PrincipalTag condition key to scope the permissions.
Create a group in the IdP. Place users in the group. Assign the group to accounts and the permission sets in AWS SSO.
Create a group in the IdP. Place users in the group. Assign the group to OUs and IAM policies.
Enable attributes for access control in AWS SSO. Apply tags to users. Map the tags as key-value pairs.
Enable attributes for access control in AWS SSO. Map attributes from the IdP as key-value pairs.
Explanations:
While creating IAM policies that include the required permissions is essential, using the aws:PrincipalTag condition key on its own is not sufficient. It does not provide the structure needed to limit permissions by user role effectively, especially without the context of permission sets in AWS SSO.
Creating permission sets and attaching an inline policy with the aws:PrincipalTag condition key allows permissions to be scoped by the user's tags, thereby adhering to the principle of least privilege by allowing users to manage only their own resources.
Creating a group in the IdP and assigning users to it allows for centralized management of user permissions. Assigning the group to accounts and permission sets in AWS SSO ensures that only the appropriate users have access to the necessary resources in a controlled manner.
While creating a group in the IdP is a valid step, assigning the group to organizational units (OUs) and IAM policies does not align with the need for a least privilege model within AWS SSO, which relies on permission sets for access control rather than direct IAM policy assignments.
Enabling attributes for access control in AWS SSO and applying tags to users is useful, but it does not directly facilitate the permission model required for managing resources. Mapping attributes as key-value pairs is not enough to establish the permissions needed for the team’s operational model.
Enabling attributes for access control and mapping attributes from the IdP as key-value pairs allows for effective permission management based on user roles. This is essential in implementing a least privilege model, allowing access to resources based on user attributes.