How can this be controlled MOST efficiently?
A. Create an IAM policy in each account that denies access to the services. Associate the policy with an IAM group, and add all IAM users to the group.
B. Create a service control policy that denies access to the services. Add all of the new accounts to a single organizational unit (OU), and apply the policy to that OU.
C. Create an IAM policy in each account that denies access to the services. Associate the policy with an IAM role, and instruct users to log in using their corporate credentials and assume the IAM role.
D. Create a service control policy that denies access to the services, and apply the policy to the root of the organization.
Explanations:
Creating an IAM policy in each account requires management overhead as policies must be updated individually for each new account. This approach does not scale well with multiple accounts.
Service control policies (SCPs) are designed for managing permissions across multiple AWS accounts in an organization. By applying the SCP to an organizational unit (OU) containing the new accounts, the company can efficiently deny access to specific services across all accounts without needing to manage policies individually.
Similar to option A, creating an IAM policy in each account adds management complexity. Instructing users to assume roles does not provide a scalable way to deny access to services across multiple accounts since policies must still be managed individually.
While applying an SCP at the root of the organization can deny access to services, it affects all accounts under the organization, which may not be desired. It’s less precise compared to applying it to a specific OU for just the new accounts.
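As an added illustration that is not part of the original question or answer key, the following Python model shows why the OU-scoped SCP (option B) is more precise than the root-scoped one (option D): a Deny in an SCP attached to an OU is inherited by every account beneath that OU and nowhere else. The organization tree, account IDs, OU names and the denied services are all constructed for this example, and the evaluation is simplified (explicit Deny statements only, FullAWSAccess assumed attached everywhere).

```python
"""Simplified model of SCP inheritance in an AWS Organization.

Constructed example: the OU tree, account IDs and denied services below
are hypothetical. Semantics are reduced to what the question needs: an
action is denied in an account if any SCP attached to the account, its
OU, or any ancestor OU up to the root carries a matching explicit Deny.
"""
from fnmatch import fnmatch

# SCP that denies two (constructed) services; applied as a whole document.
SCP_DENY_SERVICES = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny",
        "Action": ["sagemaker:*", "redshift:*"],
        "Resource": "*",
    }],
}

# Constructed organization tree: child -> parent. "r-root" is the root.
PARENT = {
    "ou-new": "r-root",           # OU holding the newly created accounts
    "ou-prod": "r-root",          # unrelated existing accounts
    "111111111111": "ou-new",
    "222222222222": "ou-new",
    "333333333333": "ou-prod",
}


def scp_denies(policy, action):
    """True if any Deny statement in the SCP matches the IAM action."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        actions = stmt["Action"]
        if isinstance(actions, str):
            actions = [actions]
        if any(fnmatch(action.lower(), p.lower()) for p in actions):
            return True
    return False


def is_denied(account_id, action, attachments):
    """Walk from the account up to the root, checking every attached SCP.

    attachments maps a target id (account, OU or root) to its SCP documents.
    """
    node = account_id
    while node is not None:
        if any(scp_denies(p, action) for p in attachments.get(node, [])):
            return True
        node = PARENT.get(node)      # None once we pass the root
    return False


def compare_targets(action="sagemaker:CreateNotebookInstance"):
    """Option B (SCP on the new-accounts OU) versus option D (SCP on root)."""
    on_ou = {"ou-new": [SCP_DENY_SERVICES]}
    on_root = {"r-root": [SCP_DENY_SERVICES]}
    accounts = ["111111111111", "333333333333"]
    return {
        "ou": {a: is_denied(a, action, on_ou) for a in accounts},
        "root": {a: is_denied(a, action, on_root) for a in accounts},
    }
```

Running compare_targets() shows the OU attachment denying the action only in the new account (111111111111) while the root attachment also denies it in the unrelated production account (333333333333).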