Which solution will meet these requirements with the LEAST operational overhead?
Use AWS Systems Manager templates to control which AWS services each department can use.
Create organizational units (OUs) for each department in AWS Organizations. Attach service control policies (SCPs) to the OUs.
Use AWS CloudFormation to automatically provision only the AWS services that each department can use.
Set up a list of products in AWS Service Catalog in the AWS accounts to manage and control the usage of specific AWS services.
Explanations:
AWS Systems Manager templates are primarily used for managing and automating operational tasks, such as software deployment and patch management. They do not inherently control access to AWS services and would not effectively limit the services available to each department.
Creating organizational units (OUs) in AWS Organizations and attaching service control policies (SCPs) allows for centralized management of service access across multiple accounts. SCPs can be tailored to each department, providing a flexible and low-overhead method to enforce service access restrictions effectively.
AWS CloudFormation is used for provisioning resources through templates but does not inherently control which AWS services are available to an account. It requires more operational overhead to maintain the templates and does not provide the centralized governance that SCPs do.
AWS Service Catalog allows the creation of a catalog of IT services for an organization, but it does not provide a direct mechanism for limiting which AWS services can be used in the account. It would require additional management effort to maintain the catalog and enforce compliance across accounts.