
To properly enforce separation of duties you must first know "who" is taking an action. The best practice is to integrate your AWS account with your institution's identity provider via SAML 2.0 or another federation protocol. Once you know who an actor is, you must ensure they act only within their allowed permissions. Integrating your institution's group management system centralizes permission management: institutional groups are mapped to AWS IAM roles, and each role defines the specific policies that apply. These posts provide a walkthrough of ADFS and Shibboleth federation to support this authentication and authorization pattern.
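As an added example (not part of the original page or of either walkthrough), this is the trust policy an IAM role in this pattern carries: it lets only assertions from the registered SAML provider assume the role, and only when the assertion was issued for the AWS sign-in endpoint. The account ID 111122223333 and the provider name InstitutionIdP are placeholders.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowAssumeRoleFromInstitutionIdP",
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::111122223333:saml-provider/InstitutionIdP"
      },
      "Action": "sts:AssumeRoleWithSAML",
      "Condition": {
        "StringEquals": {
          "SAML:aud": "https://signin.aws.amazon.com/saml"
        }
      }
    }
  ]
}
```

The group-to-role mapping itself lives on the identity provider side: its claim rules emit the `https://aws.amazon.com/SAML/Attributes/Role` attribute as `role-arn,provider-arn` pairs for each institutional group the user belongs to, and the role's permission policies (attached separately) define what that group may do.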

Artifacts
