What is the MOST operationally efficient way to enforce this requirement?

Explanations:

While setting the S3 access point resource policy to deny the creation of access points that are not VPC-originated is a valid approach, it is not the most efficient as it would require each access point’s resource policy to be managed individually, which can lead to inconsistencies and higher operational overhead.

Creating a Service Control Policy (SCP) at the root level of the organization allows for centralized management of the condition that limits access point creation to VPCs. This approach is the most operationally efficient because it applies the restriction across all accounts in the organization without needing to manage individual resource policies, thus ensuring consistent enforcement of the requirement.

Using AWS CloudFormation StackSets to create IAM policies in each AWS account introduces additional complexity and operational overhead. While it could enforce the requirement, it requires maintaining the StackSets and managing updates across multiple accounts, which is less efficient compared to using an SCP.

Setting the S3 bucket policy to deny access point creation based on the VPC condition is not effective since bucket policies are specific to the bucket itself and do not control the access point creation process. Additionally, this would require each bucket’s policy to be modified individually, leading to higher operational complexity.