What is the MOST operationally efficient solution to control the production account?
Create a customer managed policy in AWS Identity and Access Management (IAM). Apply the policy to all users within the production account.
Create a job function policy in AWS Identity and Access Management (IAM). Apply the policy to all users within the production OU.
Create a service control policy (SCP). Apply the SCP to the production OU.
Create an IAM policy. Apply the policy in Amazon API Gateway to restrict the production account.
Explanations:
A customer-managed IAM policy applied to all users in the production account would only control user permissions within the account. It doesn’t prevent the use of unauthorized services at the organizational level.
A job function policy applied to users in the production OU would be ineffective because IAM policies do not work at the OU level and cannot enforce restrictions across accounts.
A service control policy (SCP) is the most efficient way to enforce restrictions on services used in an AWS account, and it works at the organizational unit level in AWS Organizations. It controls access to services in the production account.
IAM policies in Amazon API Gateway are specific to API Gateway permissions and do not provide the needed broad control over services used in the production account.