A company has adopted a multi-account AWS strategy and uses AWS Organizations to manage access between accounts. The company wants to ensure that administrators across various accounts have the necessary permissions to manage Amazon EC2 instances, while adhering to the principle of least privilege. Which AWS service should the company use to define and enforce permissions at the organizational level?