Every application in a company’s portfolio has a separate AWS account for development and production. The security team wants to prevent the root user and all IAM users in the production accounts from accessing a specific set of unneeded services.
How can they control this functionality?
 

Answer options:

A.Create a Service Control Policy that denies access to the services. Assemble all production accounts in an organizational unit. Apply the policy to that organizational unit.
B.Create a Service Control Policy that denies access to the services. Apply the policy to the root account. 
C.Create an IAM policy that denies access to the services. Associate the policy with an IAM group and enlist all users and the root users in this group.
D.Create an IAM policy that denies access to the services. Create a Config Rule that checks that all users have the policy assigned. Trigger a Lambda function that adds the policy when found missing.

Answer: A
Option A is CORRECT because SCP can be used to deny access to the services. We can add all production accounts under the organization unit (OU) and apply SCP to the OU.
Option B is incorrect because when SCP is attached to the AWS root account, it will influence all accounts in the organization.
Option C is incorrect because IAM policies alone at the account level would not be able to suffice the requirement.
Option D is incorrect because IAM policies alone at the account level would not be able to suffice the requirement. The change is required at the AWS Organization.
When an AWS Organization blocks access to a service or API action for a member account, a user or role in that account can`t access any prohibited service or API action, even if an administrator of a member account explicitly grants such permissions in an IAM policy. Organization permissions overrule account permissions.
For more information, please visit the below URLs
https://docs.aws.amazon.com/organizations/latest/userguide/orgs_introduction.html?icmpid=docs_orgs_console,
https://aws.amazon.com/blogs/security/how-to-use-service-control-policies-to-set-permission-guardrails-across-accounts-in-your-aws-organization/#:~:text=You%20can%20attach%20SCPs%20to,they%20do%20not%20grant%20permissions.