An organization uses AWS Control Tower to manage its multi-account environment. They need to ensure that Amazon S3 Public Access is blocked across all accounts, and any non-compliant buckets are automatically remediated. Which combination of services provides the BEST solution?

Deploy a custom AWS Lambda function in each account triggered by EventBridge to modify S3 bucket policies.

Enable the AWS Control Tower strongly recommended guardrail for S3 Public Access block.

Use AWS Systems Manager Patch Manager to run a script that blocks public access.

Configure Amazon Macie to automatically delete public S3 buckets.