How can this requirement be met?
Set up an AWS Organization to create accounts for each department, and apply service control policies to control access to AWS services.
Create IAM roles for each department, and set policies that grant access to specific AWS services.
Use the AWS Service Catalog to create catalogs of AWS services that are approved for use by each department.
Request that each department create and manage its own AWS account and the resources within it.
Explanations:
Using AWS Organizations allows the creation of a separate account for each department, which isolates them fully at the account boundary. Service Control Policies (SCPs) attached to those accounts (or to their organizational units) ensure that only approved services are accessible, because an SCP caps the permissions available in a member account regardless of the IAM policies defined inside it.
While IAM roles and policies can restrict access to services, they do not provide true isolation between departments, because the resources still reside within the same AWS account.
AWS Service Catalog allows control over which resources can be provisioned, but it does not provide isolation between departments. It is more suitable for approved resource provisioning, not account isolation.
Letting departments create their own accounts lacks centralized control, which could lead to inconsistent security policies and difficulties in enforcing approved services.
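As an added illustration of the first option (not part of the original question and not taken from AWS documentation), the following SCP can be attached to a department's organizational unit to deny every service except an approved set. The services listed under NotAction are assumed placeholders standing in for whatever that department's approved list actually contains.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyAllExceptApprovedServicesAssumedList",
      "Effect": "Deny",
      "NotAction": [
        "ec2:*",
        "s3:*",
        "rds:*",
        "cloudwatch:*",
        "logs:*",
        "iam:*",
        "sts:*"
      ],
      "Resource": "*"
    }
  ]
}
```

An SCP only bounds what a member account can do and never grants permissions, so an IAM policy inside the account must still allow an action for it to succeed. It also does not apply to the organization's management account, which is one reason department workloads should run in member accounts rather than there.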