A company wants to ensure that no AWS resources can be created in the ap-northeast-1 region across all of its AWS accounts. What is the MOST efficient way to enforce this?

Create an IAM policy denying access to the region and attach it to all users.

Use AWS Organizations and attach a Service Control Policy (SCP) denying access to the ap-northeast-1 region.

Configure AWS CloudTrail to alert when resources are created in the region.

Use AWS Config rules to automatically delete resources in the region.