An enterprise has 100+ AWS accounts. They want to ensure that all EBS snapshots are encrypted, no public S3 buckets exist, and MFA is enabled for all IAM users. They need a centralized dashboard to view the compliance status of all accounts and automatically remediate non-compliant resources. Which service combination BEST meets these requirements?

AWS Security Hub integrated with AWS Config. Use Security Hub custom actions and Amazon EventBridge to trigger AWS Systems Manager Automation runbooks for remediation.

AWS Trusted Advisor organizational view. Write custom AWS Lambda functions triggered by Trusted Advisor alerts to remediate issues.

AWS CloudTrail organization trail. Send logs to Amazon OpenSearch Service and use Kibana dashboards. Trigger Lambda from OpenSearch alerts.

AWS Systems Manager Explorer. Use Patch Manager to enforce compliance and State Manager to apply remediation scripts.