What should a solutions architect do to accomplish this?
Create an ACL to provide access to the services or actions.
Create a security group to allow accounts and attach it to user groups.
Create cross-account roles in each account to deny access to the services or actions.
Create a service control policy in the root organizational unit to deny access to the services or actions.
Explanations:
ACLs (Access Control Lists) are not suitable for managing permissions across multiple AWS accounts and do not provide centralized management in an organizational context.
Security groups are primarily used for controlling inbound and outbound traffic to resources (like EC2 instances) and do not manage permissions at the account level across an organization.
While cross-account roles can be used to manage permissions, creating roles in each account does not provide a centralized solution for scalable management.
Service Control Policies (SCPs) provide centralized management of permissions across all accounts in an AWS Organization, which makes them a scalable and efficient way to limit access to specific services or actions.