What should a solutions architect do to meet these requirements?
Create an AWS Config rule in the specific member accounts to limit Regions and apply a tag policy.
From the AWS Billing and Cost Management console, in the management account, disable Regions for the specific member accounts and apply a tag policy on the root.
Associate the specific member accounts with the root. Apply a tag policy and an SCP using conditions to limit Regions.
Associate the specific member accounts with a new OU. Apply a tag policy and an SCP using conditions to limit Regions.
Explanations:
AWS Config rules are detective, not preventive: they evaluate resources after they exist and flag (or optionally remediate) non-compliant ones, so they cannot stop a resource from being created in a disallowed Region in the first place. Deploying Config rules account by account also does not give the organization a centrally managed tagging standard.
The AWS Billing and Cost Management console cannot disable Regions for other (member) accounts; Region enable/disable applies only to opt-in Regions and never to the default-enabled ones, so it is not a general Region restriction. A tag policy attached to the root would standardize tag keys and values across the whole organization, but tag policies say nothing about Regions.
A tag policy plus a Region-limiting SCP (Service Control Policy) is the right pair of controls, but attaching them at the root is the wrong scope: every account in the organization already sits under the root, so "associating" specific accounts with it creates no separate grouping, and policies attached to the root apply to every account in the organization rather than only the accounts in question. Account-specific restrictions belong on a narrower target (an OU or an individual account), not on the root.
Moving the specific member accounts into a new Organizational Unit (OU) gives a target that contains exactly those accounts. An SCP attached to the OU with an explicit Deny conditioned on aws:RequestedRegion (StringNotEquals against the approved Region list) blocks API calls outside those Regions for every principal in those accounts, including account root users; the SCP should exempt global services such as IAM and STS (for example with NotAction), or it will break them. A tag policy attached to the same OU standardizes tag keys and values centrally and, for the resource types listed under enforced_for, rejects non-compliant tagging operations. Note that a tag policy by itself does not prevent creating an untagged resource; if that is required, an SCP condition on aws:RequestTag is the usual addition. Because both policies are scoped to the OU, other accounts in the organization are unaffected.
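The following is an added example, not part of the original question or its explanation. It builds the two documents option D calls for (the Region-limiting SCP and a tag policy for the new OU) and includes a small evaluator that shows how the SCP's Deny / NotAction / StringNotEquals combination behaves for a few requests, including the global-service carve-out. The Region list, the CostCenter tag key and its values, and the resource types under enforced_for are assumptions chosen for illustration.

```python
"""Added example, not part of the original question or its explanation.

Builds a Region-limiting SCP and a tag policy for a new OU (option D) and
models how the SCP's Deny statement evaluates a request. The Region list,
tag key, tag values and resource types are assumptions for illustration.
"""
import json
from fnmatch import fnmatchcase

# Assumption: accounts moved into the new OU may only use these Regions.
ALLOWED_REGIONS = ["us-east-1", "us-west-2"]

# Global services have no Region of their own; denying them on
# aws:RequestedRegion would break IAM, STS, Organizations and similar,
# so they are carved out with NotAction. Illustrative, not exhaustive.
GLOBAL_SERVICE_ACTIONS = [
    "iam:*", "sts:*", "organizations:*", "support:*", "cloudfront:*",
    "route53:*", "budgets:*", "health:*",
]


def build_region_scp(allowed_regions=None):
    """SCP for the OU: explicit Deny for everything outside the allowed
    Regions, except the global-service actions listed above."""
    regions = list(allowed_regions or ALLOWED_REGIONS)
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyOutsideApprovedRegions",
                "Effect": "Deny",
                "NotAction": GLOBAL_SERVICE_ACTIONS,
                "Resource": "*",
                "Condition": {
                    "StringNotEquals": {"aws:RequestedRegion": regions}
                },
            }
        ],
    }


def build_tag_policy(tag_key="CostCenter", allowed_values=("finance", "research")):
    """Tag policy for the same OU. enforced_for makes non-compliant tag
    operations on the listed resource types fail; a tag policy alone never
    blocks creating an untagged resource (that needs an SCP on
    aws:RequestTag, not shown here)."""
    return {
        "tags": {
            tag_key: {
                "tag_key": {"@@assign": tag_key},
                "tag_value": {"@@assign": list(allowed_values)},
                "enforced_for": {"@@assign": ["ec2:instance", "ec2:volume"]},
            }
        }
    }


def scp_denies(scp, action, requested_region):
    """Minimal model of how the Deny statement above evaluates one request.
    Only Effect=Deny with NotAction and StringNotEquals on
    aws:RequestedRegion is modelled; a real request also needs an IAM
    Allow to succeed, which this function does not check."""
    for stmt in scp["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        # NotAction: the statement applies to every action NOT in the list.
        if any(fnmatchcase(action, pat) for pat in stmt.get("NotAction", [])):
            continue
        wanted = stmt["Condition"]["StringNotEquals"]["aws:RequestedRegion"]
        if requested_region not in wanted:
            return True
    return False


if __name__ == "__main__":
    scp = build_region_scp()
    print(json.dumps(scp, indent=2))
    print(json.dumps(build_tag_policy(), indent=2))
    for action, region in [("ec2:RunInstances", "us-east-1"),
                           ("ec2:RunInstances", "eu-west-1"),
                           ("iam:CreateRole", "eu-west-1")]:
        verdict = "denied" if scp_denies(scp, action, region) else "allowed"
        print(f"{action} in {region}: {verdict}")
```

To apply these from the management account, the SCP document goes to `aws organizations create-policy --type SERVICE_CONTROL_POLICY` and the tag policy to the same command with `--type TAG_POLICY` (after enabling that policy type on the root with `aws organizations enable-policy-type`), then both are attached to the new OU's ID with `aws organizations attach-policy`, and the accounts are moved in with `aws organizations move-account`. Run the evaluator before attaching: a Region SCP that forgets the NotAction carve-out is the most common way to lock IAM and STS out of an OU.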