Which solution will meet these requirements?
Create IAM roles for each account. Create IAM policies with conditional allow permissions that include only approved Regions for the accounts.
Create an organization in AWS Organizations. Create IAM users for each account. Attach a policy to each user to block access to Regions where an account cannot deploy infrastructure.
Launch an AWS Control Tower landing zone. Create OUs and attach SCPs that deny access to run services outside of the approved Regions.
Enable AWS Security Hub in each account. Create controls to specify the Regions where an account can deploy infrastructure.
Explanations:
IAM policies with conditional allow permissions on Regions can restrict the principals they are attached to, but they must be created and maintained in every account, they do not bind the account root user, and any role or user created later without the policy is unconstrained. IAM alone therefore cannot enforce an account-wide Region restriction across hundreds of accounts.
Creating IAM users and attaching a per-user policy in each account does not scale for a large organization and has no central point of management. It also repeats the problem above: the restriction lives on individual principals rather than on the account, so it is easy to bypass or forget.
AWS Control Tower with SCPs (Service Control Policies) provides centralized control through AWS Organizations. An SCP attached to an OU caps the permissions of every principal in every member account, including the root user, so a single Deny on requests outside the approved Regions is enforced consistently and scales as accounts are added to the OU.
AWS Security Hub does not enforce Region restrictions. Its controls are detective: they generate findings about resources and configuration, but they cannot block or allow service deployment in specific Regions.
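To make the correct option concrete, here is an added example (not code from the original question or from AWS) of the kind of Region-restriction SCP an OU would carry, together with a small offline evaluator for that one Deny statement so its effect can be checked without an AWS account. The approved Region list, the exempt role name and the global-service list are assumptions chosen for illustration; in particular, the NotAction exemption for global services matters because IAM, STS, Route 53, CloudFront and similar services are served through us-east-1, and a Deny without it would lock every account in the OU out of them.

```python
"""Region-restriction SCP example with a single-statement evaluator.
Added illustration, not AWS's own code. APPROVED_REGIONS, EXEMPT_PRINCIPALS
and GLOBAL_SERVICE_ACTIONS are assumptions for this example."""
import fnmatch
import json

# Assumed approved Regions for the OU.
APPROVED_REGIONS = ["eu-west-1", "eu-central-1"]

# Global services whose API calls are routed through us-east-1. Denying them
# would break IAM, STS, Route 53, CloudFront etc. in every member account.
# Illustrative list, not exhaustive.
GLOBAL_SERVICE_ACTIONS = [
    "cloudfront:*", "iam:*", "organizations:*", "route53:*",
    "sts:*", "support:*", "budgets:*", "globalaccelerator:*",
]

# Assumed break-glass role that is exempt from the restriction.
EXEMPT_PRINCIPALS = ["arn:aws:iam::*:role/OrganizationAccountAccessRole"]

SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyAllOutsideApprovedRegions",
        "Effect": "Deny",
        "NotAction": GLOBAL_SERVICE_ACTIONS,
        "Resource": "*",
        "Condition": {
            "StringNotEquals": {"aws:RequestedRegion": APPROVED_REGIONS},
            "ArnNotLike": {"aws:PrincipalARN": EXEMPT_PRINCIPALS},
        },
    }],
}


def policy_document():
    """JSON text to attach with
    `aws organizations create-policy --type SERVICE_CONTROL_POLICY`."""
    return json.dumps(SCP, indent=2)


def _matches_any(value, patterns):
    # IAM-style wildcard match: '*' spans ':' and '/' in both actions and ARNs.
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def scp_denies(action, requested_region, principal_arn):
    """True if the Deny statement above blocks this request.

    Only this one statement is modelled. Remember that an SCP never grants
    access; it only caps what IAM policies inside the account may allow."""
    stmt = SCP["Statement"][0]
    cond = stmt["Condition"]
    if _matches_any(action, stmt["NotAction"]):
        return False  # global service: NotAction exempts it from the Deny
    region_ok = requested_region in cond["StringNotEquals"]["aws:RequestedRegion"]
    exempt = _matches_any(principal_arn, cond["ArnNotLike"]["aws:PrincipalARN"])
    return not region_ok and not exempt


if __name__ == "__main__":
    dev = "arn:aws:iam::123456789012:role/Developer"  # constructed principal
    print(policy_document())
    print("RunInstances in us-west-2 denied:", scp_denies("ec2:RunInstances", "us-west-2", dev))
    print("RunInstances in eu-west-1 denied:", scp_denies("ec2:RunInstances", "eu-west-1", dev))
    print("iam:CreateRole via us-east-1 denied:", scp_denies("iam:CreateRole", "us-east-1", dev))
```

Running the script prints the policy JSON and shows that a developer role is blocked in us-west-2 but not in an approved Region, and that IAM calls (which always go through us-east-1) stay allowed because of the NotAction list. Adding a new account to the OU needs no per-account work: the SCP applies to it immediately, which is the scalability point that options A and B lack.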