AWS SAP-C02 · Question 04 · Domain 1.4: Multi-Account Environment
An enterprise is setting up a new multi-account AWS environment using AWS Control Tower. They need to provision isolated environments for 50 different development teams. Each team requires a standard set of VPCs, IAM roles, and security tools. The provisioning process must be automated and self-service for the team leads. Which approach is MOST operationally efficient?
Answer options:
Create an AWS Service Catalog portfolio containing AWS CloudFormation products for the standard environments. Grant team leads access to the portfolio to provision products.
Write a custom Python script using Boto3 that calls the AWS Organizations API to create accounts and deploy CloudFormation templates. Give team leads access to run the script.
Use AWS Systems Manager Automation runbooks to deploy the environments. Trigger the runbooks via Amazon EventBridge when a team lead creates a Jira ticket.
Provide team leads with AWS CloudFormation templates and AdministratorAccess to their respective OUs to deploy the resources manually.