What is the MOST operationally efficient solution to control the production account?
Create a customer managed policy in AWS Identity and Access Management (IAM). Apply the policy to all users within the production account.
Create a job function policy in AWS Identity and Access Management (IAM). Apply the policy to all users within the production OU.
Create a service control policy (SCP). Apply the SCP to the production OU.
Create an IAM policy. Apply the policy in Amazon API Gateway to restrict the production account.
Explanations:
A customer managed policy in AWS Identity and Access Management (IAM) exists in, and can only be attached to principals in, a single account. It cannot be attached to an organizational unit (OU), it must be maintained separately in every account, and it only grants or denies permissions for the principals it is attached to; a new user, role or the account root user is not covered until someone attaches it. That is why it does not scale for controlling an entire OU.
A job function policy is an AWS managed policy (for example ViewOnlyAccess or PowerUserAccess) that grants the permissions of a common role to principals within one account. It is a permission grant, not a guardrail: it cannot be applied to an OU, it does not restrict which services an account may use, and it does not work across accounts in AWS Organizations.
A service control policy (SCP) sets the maximum available permissions for the member accounts under the root or OU it is attached to. It never grants permissions by itself; IAM policies in each account still have to allow an action, and an action is effectively permitted only if both the SCP and the IAM policy allow it. An SCP attached to the production OU applies to every principal in every account in that OU, including roles and the account root user, and to accounts moved into the OU later, with no per-account configuration. Two caveats to keep in mind: SCPs do not affect the management account, and a new OU inherits the default FullAWSAccess SCP, so a restrictive SCP is usually written as a Deny statement layered on top of that. Attaching an SCP to the production OU is therefore the most operationally efficient way to restrict which AWS services can be used in the production account.
An IAM policy (or an API Gateway resource policy) applied in Amazon API Gateway only controls who can invoke APIs hosted in API Gateway. It has no effect on any other service in the account and cannot act as an account- or OU-level guardrail, so it is not a suitable way to restrict service usage across the production account.
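A worked version of the SCP answer, added here as an example (it is not code from the original page): it builds a deny-list SCP for the production OU, validates it against the SCP grammar rules and the 5,120-byte document quota, simulates whether a given action would be blocked, and shows the two boto3 Organizations calls that create and attach the policy. The service names, policy name, OU ID and break-glass role ARN are assumptions chosen for illustration.

```python
"""Deny-list SCP for a production OU: build, validate, simulate, attach.

Added example, not code from the original page. The service list, policy
name, OU ID and exempt role ARN below are assumptions for illustration.
"""
import json
from fnmatch import fnmatchcase
from typing import Iterable, Optional

SCP_MAX_BYTES = 5120  # AWS Organizations quota for one SCP document


def build_deny_services_scp(denied_services: Iterable[str],
                            exempt_role_arn: Optional[str] = None) -> dict:
    """Return an SCP that denies every action of the listed services.

    An SCP only sets the maximum available permissions; this document grants
    nothing. The OU keeps the default FullAWSAccess SCP as well, which is
    what lets everything not listed here through to normal IAM evaluation.
    """
    statement = {
        "Sid": "DenyUnapprovedServices",
        "Effect": "Deny",
        "Action": sorted(f"{svc}:*" for svc in denied_services),
        "Resource": "*",
    }
    if exempt_role_arn:
        # Break-glass carve-out: Deny statements may carry a Condition, so the
        # deny is skipped for one named role (assumed role name, see lead-in).
        statement["Condition"] = {"ArnNotLike": {"aws:PrincipalARN": exempt_role_arn}}
    return {"Version": "2012-10-17", "Statement": [statement]}


def validate_scp(doc: dict) -> list:
    """Return the problems found; an empty list means the document is attachable."""
    problems = []
    size = len(json.dumps(doc, separators=(",", ":")).encode())
    if size > SCP_MAX_BYTES:
        problems.append(f"document is {size} bytes, quota is {SCP_MAX_BYTES}")
    if doc.get("Version") != "2012-10-17":
        problems.append("Version must be 2012-10-17")
    for st in doc.get("Statement", []):
        sid = st.get("Sid", "<no Sid>")
        if st.get("Effect") not in ("Allow", "Deny"):
            problems.append(f"statement {sid} has no valid Effect")
        if "Principal" in st or "NotPrincipal" in st:
            problems.append(f"statement {sid} uses Principal, not supported in SCPs")
        if st.get("Effect") == "Allow":
            # Allow statements in an SCP cannot use Condition, NotAction or
            # NotResource and must use Resource "*"; only Deny statements get
            # the full grammar, which is why restrictions are written as Deny.
            if (any(k in st for k in ("Condition", "NotAction", "NotResource"))
                    or st.get("Resource") != "*"):
                problems.append(f"statement {sid}: Allow supports only Action and Resource \"*\"")
    return problems


def is_denied(doc: dict, action: str, principal_arn: str = "") -> bool:
    """Simulate the SCP against one action such as 'ec2:RunInstances'.

    Models only the deny-list shape built above: Deny statements with Action
    patterns, Resource "*" and an optional ArnNotLike principal condition.
    IAM action matching is case-insensitive, so both sides are lower-cased.
    """
    for st in doc["Statement"]:
        if st["Effect"] != "Deny":
            continue
        exempt = st.get("Condition", {}).get("ArnNotLike", {}).get("aws:PrincipalARN")
        if exempt and fnmatchcase(principal_arn, exempt):
            continue  # exempt principal: this Deny statement does not apply
        if any(fnmatchcase(action.lower(), pat.lower()) for pat in st["Action"]):
            return True
    return False


def attach_to_ou(org_client, doc: dict, name: str, ou_id: str) -> str:
    """Create the SCP and attach it to the OU; returns the new policy ID.

    org_client is a boto3 Organizations client, used from the management
    account. Passing it in keeps this module importable without boto3.
    """
    created = org_client.create_policy(
        Content=json.dumps(doc),
        Description="Deny unapproved services in production",
        Name=name,
        Type="SERVICE_CONTROL_POLICY",
    )
    policy_id = created["Policy"]["PolicySummary"]["Id"]
    org_client.attach_policy(PolicyId=policy_id, TargetId=ou_id)
    return policy_id


if __name__ == "__main__":
    scp = build_deny_services_scp(["sagemaker", "lightsail", "gamelift"],
                                  exempt_role_arn="arn:aws:iam::*:role/OrgBreakGlass")
    assert validate_scp(scp) == []
    print(json.dumps(scp, indent=2))
    # To attach for real, from the management account (assumed OU ID):
    # import boto3
    # attach_to_ou(boto3.client("organizations"), scp, "ProdDenyList", "ou-abcd-11111111")
```

Attach it once to the production OU and every current and future account in that OU is covered. Because the deny is an SCP and not an IAM policy, an administrator in a production account cannot lift it; only the management account can detach it, which is the property that makes the OU-level guardrail cheaper to operate than per-account IAM policies.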