What should a solutions architect do to meet these requirements?
Create an AWS Config rule in the specific member accounts to limit Regions and apply a tag policy.
From the AWS Billing and Cost Management console, in the management account, disable Regions for the specific member accounts and apply a tag policy on the root.
Associate the specific member accounts with the root. Apply a tag policy and an SCP using conditions to limit Regions.
Associate the specific member accounts with a new OU. Apply a tag policy and an SCP using conditions to limit Regions.
Explanations:
Creating an AWS Config rule in specific member accounts does not provide a centralized management solution. AWS Config rules are account-specific and would require individual configuration per account, failing to meet the requirement for minimal configuration and centralized management. Additionally, AWS Config does not restrict Region access.
The AWS Billing and Cost Management console does not provide the capability to disable Regions for accounts. Region access is managed via Service Control Policies (SCPs) within AWS Organizations, not through billing settings. Applying a tag policy on the root does not restrict resource deployment to specific Regions.
Associating specific member accounts with the root does not effectively isolate them for specific management needs. While applying a tag policy and an SCP can help enforce tagging and restrict Regions, using the root for account association is not a best practice in AWS Organizations. Best practices recommend using organizational units (OUs) for such configurations.
Associating specific member accounts with a new Organizational Unit (OU) allows for centralized management of policies. By applying a tag policy and a Service Control Policy (SCP) with conditions to limit Regions, the company can ensure compliance with regulatory requirements while maintaining centralized control and minimal configuration across member accounts.
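As an added illustration of the OU-level controls described in the last explanation (not part of the original question or of any AWS-published policy), the following Python builds a Region-restricting SCP and a tag policy in the JSON shapes AWS Organizations accepts, and includes a small evaluator that shows how the SCP's explicit Deny behaves for requests inside and outside the allowed Regions. The allowed Regions, the tag key and values, and the exempted global-service list are assumptions chosen for the example; the evaluator models only the Deny statement and assumes the default FullAWSAccess SCP still grants the underlying allow.

```python
"""Constructed example: Region-restricting SCP + tag policy for an OU,
with a minimal evaluator for the SCP's Deny logic.
Assumed values: allowed Regions, tag key/values and the global-service
exemption list are placeholders for this example."""
import json
from fnmatch import fnmatchcase

# Actions of global (non-Regional) services. A Region-restricting SCP
# exempts them via NotAction so that IAM, Organizations, STS, etc. keep
# working when aws:RequestedRegion is not one of the allowed Regions.
GLOBAL_SERVICE_ACTIONS = [
    "iam:*", "organizations:*", "route53:*", "budgets:*", "waf:*",
    "cloudfront:*", "globalaccelerator:*", "importexport:*", "support:*", "sts:*",
]


def build_region_scp(allowed_regions):
    """SCP that denies every Regional action outside the allowed Regions."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyOutsideAllowedRegions",
            "Effect": "Deny",
            "NotAction": GLOBAL_SERVICE_ACTIONS,
            "Resource": "*",
            "Condition": {
                "StringNotEquals": {"aws:RequestedRegion": list(allowed_regions)}
            },
        }],
    }


def build_tag_policy(tag_key, allowed_values, enforced_for=("ec2:instance",)):
    """Tag policy (AWS Organizations tag-policy syntax) that standardises
    the key's capitalisation, restricts its values and enforces compliance
    for the listed resource types."""
    return {
        "tags": {
            tag_key: {
                "tag_key": {"@@assign": tag_key},
                "tag_value": {"@@assign": list(allowed_values)},
                "enforced_for": {"@@assign": list(enforced_for)},
            }
        }
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(statement, action):
    """Action / NotAction matching with IAM-style '*' wildcards (case-insensitive)."""
    action = action.lower()
    if "Action" in statement:
        return any(fnmatchcase(action, p.lower()) for p in _as_list(statement["Action"]))
    # NotAction: the statement applies to every action NOT in the list.
    return not any(fnmatchcase(action, p.lower()) for p in _as_list(statement.get("NotAction", [])))


def _condition_holds(condition, context):
    """Evaluate the StringEquals / StringNotEquals operators used here."""
    for operator, pairs in condition.items():
        for key, values in pairs.items():
            actual = context.get(key)
            values = _as_list(values)
            if operator == "StringEquals" and actual not in values:
                return False
            if operator == "StringNotEquals" and actual in values:
                return False
    return True


def request_denied(scp, action, region):
    """True if any Deny statement in the SCP matches a request for `action`
    made against `region` (only aws:RequestedRegion is in the context)."""
    context = {"aws:RequestedRegion": region}
    for statement in scp["Statement"]:
        if statement.get("Effect") != "Deny":
            continue
        if _action_matches(statement, action) and _condition_holds(
            statement.get("Condition", {}), context
        ):
            return True
    return False


if __name__ == "__main__":
    scp = build_region_scp(["eu-central-1", "eu-west-1"])  # assumed Regions
    print(json.dumps(scp, indent=2))
    print(json.dumps(build_tag_policy("CostCenter", ["Finance", "Research"]), indent=2))
    for act, reg in [("ec2:RunInstances", "us-east-1"),
                     ("ec2:RunInstances", "eu-west-1"),
                     ("iam:CreateUser", "us-east-1")]:
        print(f"{act} in {reg}: {'DENIED' if request_denied(scp, act, reg) else 'allowed'}")
```

Attaching both documents to the new OU (rather than to the root) keeps the restriction scoped to the member accounts that need it, and the evaluator makes the key behaviour visible: a Regional action such as ec2:RunInstances is denied in a non-allowed Region, allowed in an allowed one, and a global-service call like iam:CreateUser is never affected regardless of the Region in the request.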