Use AWS CloudFormation StackSets to deploy IAM policies in each account that deny access to non-approved AWS services, and set up AWS Config rules in each account to ensure these policies are consistently applied to IAM principals.

Utilize AWS Control Tower to organize the accounts into Organizational Units (OUs) and enable AWS IAM Identity Center (formerly AWS Single Sign-On) for administrative access. Configure IAM Identity Center to include deny policies on user roles for non-approved AWS services.

Group all accounts under a new top-level Organizational Unit (OU) within the organization. Establish a Service Control Policy (SCP) that denies access to non-approved AWS services and attach this SCP to the new OU.

Develop a Service Control Policy (SCP) that permits access only to approved AWS services, attach this SCP to the root OU of the organization, and remove the FullAWSAccess SCP from the root OU to enforce the restriction.