AWS SAP-C02 · Question 06 · Domain 1.4: Multi-Account Environment
A company is setting up a multi-account AWS environment using AWS Control Tower. They need to ensure that developers in the 'Sandbox' OU can experiment with new services, but they must not be able to create resources in regions outside of us-east-1 and eu-west-1. How should the Solutions Architect enforce this requirement?
Answer options:
Apply a Service Control Policy (SCP) to the Sandbox OU that denies all actions when the aws:RequestedRegion condition key is not one of us-east-1 or eu-west-1.
Configure AWS IAM permissions boundaries for all IAM roles in the Sandbox accounts to restrict regions.
Use AWS Config rules to detect and automatically delete resources created in unauthorized regions.
Modify the AWS Control Tower landing zone settings to disable all other regions globally.