This does not apply when using an external Identity Provider. If you want to integrate with Okta, OneLogin, Google, or any other identity provider, see here.
You can link your AWS SSO roles into your configMap so that you can use RBAC instead of IAM users.
If you delete the AWS SSO role in use and you do not have a backup, you will be locked out. We recommend creating a "break glass" local account for accessing EKS if AWS SSO is not accessible.
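An added example, not from the original page: a Python helper that renders the `mapRoles` entry linking an AWS SSO role into the EKS `aws-auth` ConfigMap. It strips the `aws-reserved/sso.amazonaws.com/...` path from the role ARN, because the mapping only matches the path-less form. The account ID, role name, username prefix and the `eks-admins` group are constructed placeholders.

```python
import re

# IAM role ARN with an optional path between "role/" and the role name.
_ROLE_ARN = re.compile(
    r"^arn:(?P<partition>aws[a-z-]*):iam::(?P<account>\d{12}):role/"
    r"(?P<path>(?:[\w+=,.@-]+/)*)(?P<name>[\w+=,.@-]+)$"
)


def normalize_role_arn(arn):
    """Return the path-less role ARN form that aws-auth mapRoles matches on."""
    m = _ROLE_ARN.match(arn.strip())
    if m is None:
        raise ValueError(f"not an IAM role ARN: {arn!r}")
    return f"arn:{m['partition']}:iam::{m['account']}:role/{m['name']}"


def map_roles_entry(arn, username, groups):
    """Render one mapRoles list item (YAML text) for the aws-auth ConfigMap."""
    if not groups:
        raise ValueError("at least one Kubernetes group is required")
    lines = [
        f"- rolearn: {normalize_role_arn(arn)}",
        f"  username: {username}",
        "  groups:",
    ]
    lines += [f"    - {g}" for g in groups]
    return "\n".join(lines)


# Constructed sample: account ID, permission-set name and suffix are placeholders.
SSO_ROLE_ARN = (
    "arn:aws:iam::111122223333:role/aws-reserved/sso.amazonaws.com/"
    "eu-west-1/AWSReservedSSO_EksAdmin_0123456789abcdef"
)

if __name__ == "__main__":
    # "eks-admins" is a hypothetical group that an RBAC RoleBinding or
    # ClusterRoleBinding would reference; {{SessionName}} keeps the SSO
    # session name in the Kubernetes username for audit logs.
    print(map_roles_entry(SSO_ROLE_ARN, "sso-admin:{{SessionName}}", ["eks-admins"]))
```

Binding the role to a dedicated group rather than `system:masters` keeps the permissions visible and revocable through RBAC objects.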