What is the MOST operationally efficient way for the company to apply service control policies (SCPs) to meet these requirements?
Add the accounts to an organizational unit (OU). Apply the SCPs to the OU.
Add the accounts to resource groups in AWS Resource Groups. Apply the SCPs to the resource groups.
Apply the SCPs to each developer account
Enroll the accounts with AWS Control Tower. Apply the SCPs to the AWS Control Tower management account.
Explanations:
Service control policies (SCPs) can be applied to an organizational unit (OU) in AWS Organizations, which allows the restriction to be enforced across multiple accounts that are part of the OU. This is the most efficient approach for managing policy enforcement across multiple accounts.
AWS Resource Groups are for organizing and managing AWS resources, not for applying SCPs. SCPs are applied at the AWS Organizations level, not at the resource group level.
Applying SCPs to each individual account is inefficient as it requires manual configuration for each account. Using AWS Organizations to apply policies at the OU level is more scalable and operationally efficient.
AWS Control Tower is primarily used for setting up and governing multi-account environments, but it does not provide a way to directly apply SCPs to restrict instance families. SCPs are better managed directly in AWS Organizations.