An e-commerce company is designing a multi-account structure for its Finance and Operations teams using AWS Organizations and AWS Single Sign-On (AWS SSO). The teams should only be able to access specific AWS services in the designated AWS Regions. Which solution will implement these requirements with the LEAST operational overhead?