The Cloud Governance team at SecureTech Solutions, using AWS Control Tower to manage accounts in their AWS Organization, needs to ensure that no EC2 instances within a specific OU are assigned public IP addresses, either during creation or afterward. Which solution allows SecureTech to centrally enforce a policy that prevents EC2 instances in a specific OU from having public IP addresses assigned?