Which solution will meet these requirements?
Enable AWS Directory Service. Enforce Group Policy Objects (GPOs) on each department to restrict access.
Migrate all the accounts to a central account. Create IAM groups for each department with only the necessary permissions.
Use AWS Organizations and implement service control policies (SCPs) to ensure accounts use only essential AWS services.
Use AWS Single Sign-On and configure it to limit access to only essential AWS services.
Explanations:
AWS Directory Service and Group Policy Objects (GPOs) are not applicable to AWS environments for service access control. GPOs are Windows-based and do not directly restrict access to AWS services.
While migrating all accounts to a central account may simplify management, it does not directly address the requirement of ensuring users have access only to essential services. IAM groups can provide permissions, but the option lacks a systematic approach to enforce service restrictions across multiple departments.
Using AWS Organizations and implementing Service Control Policies (SCPs) allows for centralized management and governance of AWS accounts, restricting access to only essential AWS services based on department needs. SCPs are designed specifically to set the maximum permissions available to IAM users and roles in a member account; they do not grant permissions themselves, so identity-based policies in the account still apply within the boundary the SCP defines.
AWS Single Sign-On (SSO) provides centralized access management but does not inherently limit access to AWS services. While it can simplify user access, the core requirement to restrict services based on job function is better fulfilled by SCPs in AWS Organizations.
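As an added illustration of the SCP approach (not part of the original question or its answer key), the policy below is the shape of a deny-based SCP that would be attached to one department's organizational unit; the list of "essential" services is an assumption standing in for that department's real needs, and the default FullAWSAccess SCP is assumed to remain attached so that only the listed services survive.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyEverythingExceptEssentialServices",
      "Effect": "Deny",
      "NotAction": [
        "s3:*",
        "dynamodb:*",
        "lambda:*",
        "cloudwatch:*",
        "logs:*",
        "sts:*"
      ],
      "Resource": "*"
    }
  ]
}
```

Because an SCP only narrows what identity-based policies can grant, IAM groups or permission sets in the member account still need their own Allow statements for these services; keeping `sts:*` out of the deny avoids breaking role assumption, and note that SCPs never apply to the management account.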