AWS SAP-C02 · Question 03 · Domain 1.2: Security Controls
An enterprise has 100 AWS accounts in AWS Organizations. The security team mandates that all Amazon S3 buckets across all accounts must block public access. If a bucket is created without this setting, it must be automatically remediated within minutes. Which solution meets these requirements with the LEAST operational overhead?
Answer options:
A. Deploy an AWS Lambda function in each account triggered by CloudTrail S3 events to modify bucket policies.
B. Create an SCP in AWS Organizations to deny the s3:PutBucketPublicAccessBlock action if it attempts to allow public access. Use AWS Config rules with automated remediation to fix existing buckets.
C. Use AWS Systems Manager Fleet Manager to run a script daily across all accounts to update S3 settings.
D. Enable Amazon Macie in the management account to automatically block public access on all discovered buckets.