The correct option is Attach a Service Control Policy (SCP). This option lets the management account enforce account wide guardrails that limit which AWS services, specific resources, and API operations are available in a member account.

SCPs define the maximum permissions for identities in member accounts and are evaluated together with IAM policies. A deny in an SCP blocks access even when an IAM policy in the member account allows the action, and this behavior makes SCPs ideal for centrally enforcing organization wide restrictions across accounts and organizational units.

Organizational Unit is only a grouping mechanism that helps target policies to a set of accounts and it does not by itself enforce restrictions. You must attach an SCP to an OU or account for controls to take effect.

IAM permission boundary constrains the maximum permissions that a single principal can obtain within a single account and it cannot be centrally applied across accounts from the management account. That makes it unsuitable for organization wide guardrails.

Tag Policy helps standardize tagging conventions across accounts and it does not restrict which services, resources, or API operations can be used.

Full AWS Practitioner Certification Question