What is the MOST scalable solution that meets these requirements?
Permissions boundaries in AWS Identity and Access Management (IAM)
S3 bucket policies
Tag policies
SCPs
Explanations:
Permissions boundaries in IAM define the maximum permissions a user or role can have but do not prevent actions like deleting S3 buckets across an organization. They are not a suitable solution for organization-wide restrictions on specific actions like deletions.
S3 bucket policies can restrict actions on a specific bucket, but managing policies for multiple buckets across an organization can become complex and cumbersome, which makes this option less scalable for the requirement to restrict deletions across all S3 buckets.
Tag policies in AWS Organizations are used to enforce tagging rules for resources but do not directly control access to actions like deleting S3 buckets. They are not intended for permission management.
Service Control Policies (SCPs) in AWS Organizations allow for centralized control over permissions across accounts. SCPs can be applied to organizational units to restrict actions, such as preventing the deletion of S3 buckets across all accounts, making this the most scalable solution for the requirement.