An enterprise is using AWS Control Tower to manage its multi-account environment. They need to implement a custom security control: all new Amazon S3 buckets must have S3 Object Lock enabled for compliance reasons. This control is not available as a standard Control Tower guardrail. How should the Solutions Architect implement this automatically across all existing and future accounts?

Create an SCP that denies s3:CreateBucket if the ObjectLockEnabled flag is false, and attach it to the root OU.

Use AWS CloudFormation StackSets to deploy a custom AWS Config rule and an AWS Systems Manager Automation document for remediation to all accounts.

Modify the Control Tower landing zone blueprint to include the custom rule.

Create an Amazon EventBridge rule in the management account to monitor CloudTrail for CreateBucket events and trigger a Lambda function.