AWS Control Tower is a service designed to establish and govern a secure, multi-account AWS environment. It uses preventive guardrails, which are implemented as Service Control Policies (SCPs), to enforce policies across all accounts in an organization. The "Region deny control" is a specific Control Tower feature that uses an SCP to restrict access to specified AWS Regions, meeting the requirement to block EC2 deployments in ap-southeast-2. SCPs are the only mechanism that can restrict permissions for the account root user, thereby meeting the requirement to block root user actions. An SCP can also be configured to deny actions like cloudtrail:DeleteTrail for all principals, including administrators, thus protecting the logs. This solution is centrally managed and automatically applied to new accounts created via the Control Tower account factory.

A. AWS Config is a detective, not a preventive, control. You cannot attach IAM permissions boundaries to the account root user to restrict its permissions.

B. AWS Security Hub is a security posture management service that aggregates findings; it is primarily a detective tool and does not prevent actions from occurring.

D. AWS Firewall Manager is used for centrally managing firewall rules (e.g., WAF, Security Groups), not for restricting EC2 deployments by region or limiting root user actions.

1. AWS Control Tower Documentation

"Region deny control": This document explains the Region deny control feature. It states

"The Region deny control... helps you restrict access to AWS Regions... This control is implemented using a service control policy (SCP)."

2. AWS Organizations User Guide

"Service control policies (SCPs)": This guide clarifies how SCPs work. It states

"SCPs are a type of organization policy that you can use to manage permissions in your organization... SCPs affect all IAM entities (users and roles)

including the root user

in a member account."

3. AWS Organizations User Guide

"SCP examples": This section provides examples of SCPs. The example "Prevent member accounts from leaving the organization" demonstrates denying an action (organizations:LeaveOrganization) for all principals

a principle that can be applied to deny cloudtrail:DeleteTrail or all actions for the root user.

4. AWS Control Tower User Guide

"How AWS Control Tower works": This guide describes the overall function. It explains

"When you create a new account with Account Factory

the account is enrolled automatically in AWS Control Tower

and the guardrails are applied to the account." This confirms the solution applies to existing and future accounts.