A security team wants to limit access to specific services or actions in all of the team’s AWS accounts. All accounts belong to a large organization in AWS Organizations. The solution must be scalable and there must be a single point where permissions can be maintained. What should a solutions architect do to accomplish this?

• ACreate an ACL to provide access to the services or actions.
• BCreate a security group to allow accounts and attach it to user groups.
• CCreate cross-account roles in each account to deny access to the services or actions.
• DCreate a service control policy in the root organizational unit to deny access to the services or actions.