The correct choice is Use AWS Organizations with OUs and a per business unit IAM role in the production account that allows TerminateInstances only on resources it owns, assumed via cross-account trust. This approach scopes termination rights so that only the division that owns an EC2 instance can terminate it.

Implement this by grouping accounts under AWS Organizations and placing divisions into appropriate OUs. In the shared production account create one IAM role per division with a trust policy that allows only that division's member accounts to assume the role. Attach an IAM policy to each role that permits the ec2 termination action only on the instances the division owns by using resource level restrictions and tag based conditions so ownership is enforced at the API level.

Use a centralized AWS Config aggregator with AWS Control Tower and Customizations for AWS Control Tower to restrict EC2 termination per division is incorrect because AWS Config and Control Tower provide visibility and guardrails but they do not grant or enforce per resource termination permissions at the IAM level.

Enable EC2 termination protection on all instances and route termination requests through AWS Systems Manager Change Manager approvals is incorrect because termination protection and Change Manager provide process controls and manual blockers but they do not implement fine grained owner based authorization across accounts and they do not scale well for cross account automated access.

Create an SCP in the production account via AWS Service Catalog that permits business-unit-specific termination actions and attach it to the appropriate OUs is incorrect because service control policies do not grant permissions and cannot target individual EC2 instances, and AWS Service Catalog is not used to define cross account IAM authorization boundaries.

Full AWS Practitioner Certification Question