An enterprise is using AWS Control Tower to manage its multi-account environment. A new compliance regulation requires that all Amazon S3 buckets in the organization must have versioning enabled. If a user attempts to create a bucket without versioning, the creation must be blocked. Which mechanism should the Architect use to enforce this?

Enable the appropriate AWS Control Tower preventive guardrail (SCP) that denies S3 bucket creation if versioning is not enabled.

Enable an AWS Control Tower detective guardrail (AWS Config rule) to flag buckets without versioning.

Create an IAM permissions boundary and attach it to all users in the organization.

Use AWS CloudTrail to trigger a Lambda function that enables versioning immediately after a bucket is created.