A company is expanding. The company plans to separate its resources into hundreds of different AWS accounts in multiple AWS Regions. A solutions architect must recommend a solution that denies access to any operations outside of specifically designated Regions. Which solution will meet these requirements? A. Create IAM roles for each account. Create IAM policies with conditional allow permissions that include only approved Regions for the accounts. B. Create an organization in AWS Organizations. Create IAM users for each account. Attach a policy to each user to block access to Regions where an account cannot deploy infrastructure. C. Launch an AWS Control Tower landing zone. Create OUs and attach SCPs that deny access to run services outside of the approved Regions. D. Enable AWS Security Hub in each account. Create controls to specify the Regions where an account can deploy infrastructure.