AWS SAP-C02 · Question 02 · Domain 1.2: Security Controls
A company uses AWS Organizations. The CISO requires that no EC2 instances can be launched outside of the us-east-1 and eu-west-1 regions across all 50 member accounts. How can this be enforced centrally?
Answer options:
Create an IAM policy in each account denying access to other regions.
Create a Service Control Policy (SCP) with a Deny rule for ec2:RunInstances using a StringNotEquals condition for the allowed regions, and attach it to the root.
Use AWS Config rules to terminate instances launched in unauthorized regions.
Configure AWS CloudTrail to alert when instances are launched in wrong regions.