Service Control Policies (SCPs) are the correct solution for this requirement. Here's why:

• SCPs are used in AWS Organizations to set permission guardrails for member accounts
• They allow you to control which AWS services and actions are available to users and roles in member accounts
• SCPs work at the organization level and apply to all accounts in the organization or specific organizational units (OUs)
• Unlike IAM policies that grant permissions, SCPs set maximum permissions (what users CANNOT do)
• Organizational units (OUs) are containers for organizing accounts but don't directly control service access
• Tag policies control tag standards and compliance, not service access
• IAM manages permissions within individual accounts but doesn't provide organization-wide service restrictions

SCPs are specifically designed for this use case of centrally managing service access across multiple AWS accounts in an organization.