Yeah makes sense, thanks. I think I'm fine with a 2FA on GSuite login + CAA on subsequent SSOs but I do think it would be nice to be able to force another 2FA for sensitive stuff like AWS.

Unfortunately, GSuite seems to move very slowly :\