AWS SAP-C02 · Question 17 · Domain 1.4: Multi-Account Environment
In an AWS Organizations setup, the management account needs to ensure that no member account can launch EC2 instances outside of the us-east-1 and eu-west-1 regions. How should this be enforced?
Answer options:
Use AWS IAM policies attached to all users in the member accounts.
Create a Service Control Policy (SCP) denying the ec2:RunInstances action with a condition restricting the aws:RequestedRegion.
Use AWS Config rules to terminate instances launched in unauthorized regions.
Configure VPC endpoints to only allow traffic to authorized regions.