At my employer, we have an AWS account that uses SAML 2.0 to federate in your user access from the company SSO login to the AWS console. The net effect is that everyone has admin access. Is there a way to place federated users into different IAM groups, thereby giving least privilege access?
The answer we came up with is that all federated users would have very limited access to the console with no programmatic access. Then, create separate IAM users for everyone for programmatic access (no console login) and to place these separate users into IAM groups with varying access. Would this method be considered best practice or is there a better way to accomplish what we would like to do in this case?