Every user must use unique credentials so that actions within your accounts can be traced back to an individual. Set up your identity structure in the management account and use cross-account access to reach the child accounts. As you create roles for your users, implement least privilege: grant each user only the actions required for their role. Be careful who you allow to perform IAM actions, because a principal who can manage IAM permissions can grant themselves further permissions.
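The two controls in the paragraph above (cross-account access from the management account, and watching who can perform IAM actions) can both be expressed in policy documents. The following is an added example written for this page, not code from the workshop or from AWS: it builds a trust policy for a role in a child account that only the management account's principals may assume (with MFA required on the session), and it lints a permissions policy for IAM actions that would let the assuming principal change permissions. The account IDs and sample policies are constructed, and the list of permission-management actions is an illustrative subset, not AWS's complete list.

```python
"""Added example (not part of the original workshop): build a cross-account
trust policy for a role in a child account, and lint a permissions policy for
IAM actions that allow a principal to grant itself or others new permissions.
Account IDs, role names and sample policies are constructed placeholders."""
import fnmatch
import json

# IAM actions that change permissions (own or others'). This is a constructed,
# illustrative subset used by the linter, not AWS's official list.
PERMISSION_MANAGEMENT_ACTIONS = [
    "iam:CreatePolicy",
    "iam:CreatePolicyVersion",
    "iam:SetDefaultPolicyVersion",
    "iam:AttachRolePolicy",
    "iam:AttachUserPolicy",
    "iam:AttachGroupPolicy",
    "iam:PutRolePolicy",
    "iam:PutUserPolicy",
    "iam:PutGroupPolicy",
    "iam:UpdateAssumeRolePolicy",
    "iam:PassRole",
]


def cross_account_trust_policy(management_account_id: str, require_mfa: bool = True) -> dict:
    """Trust policy for a role in a child account: only principals in the
    management account may assume it, and (by default) only with MFA present."""
    statement = {
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{management_account_id}:root"},
        "Action": "sts:AssumeRole",
    }
    if require_mfa:
        statement["Condition"] = {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
    return {"Version": "2012-10-17", "Statement": [statement]}


def _as_list(value) -> list:
    """IAM policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(action: str, pattern: str) -> bool:
    """Case-insensitive IAM-style wildcard match ('*', 'iam:*', 'iam:Put*')."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def find_permission_management_grants(policy: dict) -> list:
    """Return, sorted, every action in PERMISSION_MANAGEMENT_ACTIONS that some
    Allow statement in `policy` grants. Deny statements are ignored; an Allow
    with NotAction is treated as granting every sensitive action not excluded."""
    matched = set()
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            excluded = {
                a for pat in _as_list(stmt["NotAction"])
                for a in PERMISSION_MANAGEMENT_ACTIONS if _matches(a, pat)
            }
            matched.update(set(PERMISSION_MANAGEMENT_ACTIONS) - excluded)
            continue
        for pat in _as_list(stmt.get("Action")):
            matched.update(a for a in PERMISSION_MANAGEMENT_ACTIONS if _matches(a, pat))
    return sorted(matched)


# Constructed sample policies for a reader-facing role in a child account.
LEAST_PRIVILEGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-reports", "arn:aws:s3:::example-reports/*"]},
    ],
}
OVERLY_BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "iam:*"], "Resource": "*"},
    ],
}

if __name__ == "__main__":
    print(json.dumps(cross_account_trust_policy("111111111111"), indent=2))
    print("least-privilege grants:", find_permission_management_grants(LEAST_PRIVILEGE_POLICY))
    print("overly-broad grants:   ", find_permission_management_grants(OVERLY_BROAD_POLICY))
```

The linter flags the overly broad policy because `iam:*` expands to every permission-management action, while the least-privilege policy yields an empty list; run it over the policies you attach to cross-account roles before users assume them.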
Control Tower sets up your landing zone to use AWS Single Sign-On as the central place for your users to log in and access AWS accounts. In this step we will federate that access to your existing identity store.