Develop IAM roles for each account and formulate IAM policies with conditional allow permissions that exclusively include the approved Regions for those accounts.

Establish an organization within AWS Organizations and create IAM users for each account, attaching a policy to each user to prevent access to Regions where the account is not permitted to deploy infrastructure.

Deploy an AWS Control Tower landing zone and create organizational units (OUs), attaching service control policies (SCPs) that prohibit access to services outside of the approved Regions.

Activate AWS Security Hub across all accounts and implement controls to define the Regions in which the accounts are authorized to deploy infrastructure.