The correct answer is: Roll out security controls incrementally across multiple phases.

This approach reduces risk by limiting the scope of change at any given time and it allows teams to test controls, gather feedback, and adjust before wider deployment. It supports continuous monitoring and improvement so that controls can be tuned based on real operational data and emerging threats. It also fits agile development and DevOps practices because teams can integrate security work into iterative releases rather than waiting for a single big deployment.

Use Cloud Identity and Access Management to enforce access policies is not correct as the single best strategy because it names a specific control rather than a rollout strategy. Identity and access management is important and it can be included in a phased rollout but it does not describe how to introduce the full set of security controls across the platform.

Deploy the full set of security controls in a single rollout is not correct because a one time large rollout increases complexity and the chance of mistakes. It makes it harder to test effectiveness in production and it can cause operational disruption and delays when problems occur.

Prioritize and implement controls strictly according to available budget is not correct because strict budget driven prioritization can leave high risk areas insufficiently protected. Prioritization should be based on risk and impact first and then balanced against available resources.

Full AWS Practitioner Certification Question