AWS Certified Solutions Architect - Professional (#419)

A company has implemented AWS Organizations. It has recently set up a number of new accounts and wants to deny access to a specific set of AWS services in these new accounts. How can this be controlled MOST efficiently?

Create an IAM policy in each account that denies access to the services. Associate the policy with an IAM group, and add all IAM users to the group.
Create a service control policy that denies access to the services. Add all of the new accounts to a single organizational unit (OU), and apply the policy to that OU.
Create an IAM policy in each account that denies access to the service. Associate the policy with an IAM role, and instruct users to log in using their corporate credentials and assume the IAM role.
Create a service control policy that denies access to the services, and apply the policy to the root of the organization.