What should a solutions architect do to accomplish this?
Create an ACL to provide access to the services or actions.
Create a security group to allow accounts and attach it to user groups.
Create cross-account roles in each account to deny access to the services or actions.
Create a service control policy in the root organizational unit to deny access to the services or actions.
Explanations:
An ACL (Access Control List) is not suitable for managing permissions across multiple AWS accounts, especially for services or actions in AWS Organizations. ACLs are typically used for controlling access at the resource level, not for centralized management of permissions.
Security groups are primarily used for controlling inbound and outbound traffic to resources like EC2 instances. They do not provide a scalable solution for managing permissions across multiple accounts in AWS Organizations.
Creating cross-account roles to deny access is not a viable approach. A role only governs the permissions of the principals that assume it; it cannot restrict what other principals in the account are able to do. Using roles this way would require a role per account and lead to complex management, and it is not the recommended practice in AWS.
Creating a service control policy (SCP) in the root organizational unit is the correct approach. SCPs allow for centralized management of permissions across all accounts in an AWS Organization, making it a scalable solution to restrict access to specific
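The following is an added example, not part of the original question or its explanations. It builds an SCP Deny document of the kind the correct answer describes and includes a simplified model of how AWS evaluates it: a request must be allowed by the principal's own IAM policies and must not be denied by any SCP on the account's path, so a Deny at the root OU holds even for an administrator role in a member account. The denied action names in ORG_DENIED_ACTIONS are placeholders, since the page does not list the actual services or actions.

```python
"""Added example (not from the original page): a service control policy
(SCP) that denies a set of actions, plus a simplified model of how an SCP
Deny combines with an account's own IAM permissions.

Assumption: ORG_DENIED_ACTIONS is a placeholder list; the real actions
depend on the requirement, which the page does not reproduce.
"""
import json
from fnmatch import fnmatchcase

# Placeholder actions the organization wants blocked in every account.
ORG_DENIED_ACTIONS = [
    "ec2:PurchaseReservedInstancesOffering",
    "organizations:LeaveOrganization",
]


def build_scp(denied_actions):
    """Return an SCP document (as a dict) with one Deny statement.

    Attached to the root OU, the policy applies to every account in the
    organization (except the management account, which SCPs never restrict).
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyRestrictedActions",
                "Effect": "Deny",
                "Action": list(denied_actions),
                "Resource": "*",
            }
        ],
    }


def scp_denies(scp, action):
    """True if any Deny statement in the SCP matches the action.

    Action patterns may use IAM-style wildcards such as "s3:*".
    """
    for stmt in scp["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        patterns = stmt["Action"]
        if isinstance(patterns, str):
            patterns = [patterns]
        if any(fnmatchcase(action, p) for p in patterns):
            return True
    return False


def effective_allow(scp, iam_allowed_actions, action):
    """Simplified evaluation for a principal in a member account.

    The request is allowed only if the identity policy allows it AND no SCP
    denies it. An SCP Deny wins even over an identity policy of "*", which
    is why an SCP restricts an account's administrators as well.
    """
    if scp_denies(scp, action):
        return False
    return any(fnmatchcase(action, p) for p in iam_allowed_actions)


if __name__ == "__main__":
    scp = build_scp(ORG_DENIED_ACTIONS)
    print(json.dumps(scp, indent=2))
    admin_role = ["*"]  # an AdministratorAccess-style identity policy
    for act in ["ec2:RunInstances", "organizations:LeaveOrganization"]:
        verdict = "allowed" if effective_allow(scp, admin_role, act) else "denied by SCP"
        print(f"{act}: {verdict}")
```

The printed document is what would be created and attached at the root with the Organizations API. Two points worth keeping in mind when relying on this control: SCPs do not affect the management account, and they set the maximum permissions available in a member account rather than granting any; principals still need an IAM policy that allows the action.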